Dimitri Mestdagh

Reputation: 44745

Azure Container Apps environment creation fails due to error ManagedEnvironmentResourceGroupDisallowedByPolicy when adding a VNET integration

I'm trying to create an Azure Container Apps Environment through the AzAPI provider on Terraform.

The configuration I'm using is the following:

resource "azapi_resource" "aca_env" {
  type      = "Microsoft.App/managedEnvironments@2022-03-01"
  parent_id = azurerm_resource_group.rg.id # existing resource group the environment is deployed into
  location  = azurerm_resource_group.rg.location
  name      = var.ACA_ENV_NAME
  body = jsonencode({
    properties = {
      appLogsConfiguration = {
        destination               = "log-analytics"
        logAnalyticsConfiguration = {
          customerId = azurerm_log_analytics_workspace.log.workspace_id
          sharedKey  = azurerm_log_analytics_workspace.log.primary_shared_key
        }
      }
      daprAIConnectionString = azurerm_application_insights.insights.connection_string
      # VNET integration; the error below only appears when this block is present
      vnetConfiguration = {
        "internal" = true
        "infrastructureSubnetId" = azurerm_subnet.aca_subnet.id
        "dockerBridgeCidr" = var.ACA_ENV_BRIDGE_CIDR
        "platformReservedCidr" = var.ACA_ENV_RESERVED_CIDR
        "platformReservedDnsIP" = var.ACA_ENV_RESERVED_DNS_IP
      }
    }
  })
  depends_on = [
    azurerm_subnet.aca_subnet
  ]
  response_export_values  = ["properties.defaultDomain", "properties.staticIp"]
  ignore_missing_property = true
}

When I try to execute this, I get the following error:

ErrorCode: ManagedEnvironmentResourceGroupDisallowedByPolicy, Message: Fail to create managed environment because resource group creation is disallowed by policy, refer to https://go.microsoft.com/fwlink/?linkid=2198255 for more detail.

My guess is that it's trying to create a resource group somehow. However, we require certain tags to be present on a resource group, which is probably failing.

The weird part is that even though this error happens, the Azure Container Apps environment is still created. Also, if I remove the VNET configuration, the environment is created without any errors.

The question is, why is it trying to create a resource group? I referenced one already in the parent_id attribute.

Upvotes: 2

Views: 4086

Answers (2)

JJ.

Reputation: 1149

Adding to @Thomas's answer with the reason. This is by design and requires customer action.

For security or compliance, your subscription administrators might assign policies that limit how resources are deployed. In this case, your policy prevents creating resources like public IP addresses and VMSS under the MC_ resource group.

Refer to https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-policy-requestdisallowedbypolicy

Upvotes: 0

Thomas

Reputation: 29736

This is a known issue tracked here:

For the moment, the proposed workaround is to add a policy assignment exception for resource groups that have the MC_ prefix and _{region} suffix.

Upvotes: 2
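The workaround from the answer above, carried into Terraform as an added example that is not from the question or the answers: a custom Azure Policy that keeps a required-tag rule on resource groups but exempts names with the MC_ prefix, so the platform-managed group can be created while tag enforcement stays in place for everything else. The tag name, the resource names and the use of the azurerm provider for the policy objects are assumptions.

```hcl
# Added example (not from the question or the answers). A custom policy that
# denies creating a resource group without a required tag, while letting the
# platform create the managed "MC_..." groups a VNET-integrated Container Apps
# environment needs. Tag name, resource names and the prefix are assumptions.
variable "required_tag" {
  type    = string
  default = "costcenter" # assumed tag that every ordinary resource group must carry
}

data "azurerm_subscription" "current" {}

resource "azurerm_policy_definition" "rg_require_tag_except_managed" {
  name         = "rg-require-tag-except-mc"
  policy_type  = "Custom"
  mode         = "All" # "All" mode is what lets a policy evaluate resource groups themselves
  display_name = "Require a tag on resource groups, except platform-managed MC_ groups"

  # Deny only when all three hold: the resource is a resource group, its name
  # is not one of the platform-managed MC_* groups, and the tag is missing.
  # like/notLike accept a single * wildcard, so the prefix is the selector.
  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "type", equals = "Microsoft.Resources/subscriptions/resourceGroups" },
        { field = "name", notLike = "MC_*" },
        { field = "[concat('tags[', parameters('tagName'), ']')]", exists = "false" }
      ]
    }
    then = { effect = "deny" }
  })

  parameters = jsonencode({
    tagName = {
      type     = "String"
      metadata = { displayName = "Tag name" }
    }
  })
}

# Assign at subscription scope so every new resource group is evaluated.
resource "azurerm_subscription_policy_assignment" "rg_require_tag" {
  name                 = "rg-require-tag-except-mc"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.rg_require_tag_except_managed.id
  parameters = jsonencode({
    tagName = { value = var.required_tag }
  })
}
```

Because the carve-out is name-based, it is worth pairing it with an audit-effect policy over MC_ groups so the exception stays visible rather than silent.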
