Using the Terraform resource azapi_update_resource to update Azure resources that are not yet supported in the AzureRM provider

A few months ago, the AzAPI Terraform provider was announced. It enables you to manage any Azure resource type using any API version. You may be wondering, why the need for this?

Sometimes, with new resource updates or additions, the Terraform AzureRM provider is not up to date or is missing a piece of functionality within a particular resource. With this new provider, you can begin deploying using Terraform from day 1 without the need to wait until AzureRM has been updated – awesome!

With the AzAPI announcement, there were two resources released:

In this blog post, I am going to show how you can use the Terraform resource azapi_update_resource to update Azure resources that are not yet supported in the AzureRM provider!

What can azapi_update_resource update?

From the documentation: This resource can manage a subset of any existing Azure resource manager resource’s properties.

I have tested it on a few different setups – some that AzureRM does support & some that it doesn’t; all apply fine!

Examples of the syntax usage:

    resource "azapi_update_resource" "test" {
      type        = "Microsoft.Media/mediaservices@2021-06-01"
      resource_id = azurerm_media_services_account.example.id

      body = jsonencode({
        identity = {
          "type" = "UserAssigned",
          # userAssignedIdentities is a map keyed by the identity's resource ID,
          # matching the shape in the exported template.
          "userAssignedIdentities" = {
            "/subscriptions/04109105-f3ca-44ac-a3a7-66b4936112c3/resourceGroups/tam-media-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tam-identity" = {}
          }
        }
      })
    }

Very easy to use, referencing the body with jsonencode.

Let's have a look at how I obtained the correct values to use within my jsonencode.

Building the jsonencode example

In this setup, I want to add managed identity storage authentication to my Media Service.

How do I know the JSON syntax? There are various ways, including documentation – for this, I manually made the change to grab the correct JSON syntax 🙂

Using export template, I was able to view the JSON syntax needed.

Output:

    {
        "type": "Microsoft.Media/mediaservices",
        "apiVersion": "2021-06-01",
        "name": "[parameters('mediaservices_examplemediaacctam_name')]",
        "location": "West Europe",
        "identity": {
            "type": "UserAssigned",
            "userAssignedIdentities": {
                "/subscriptions/04109105-f3ca-44ac-a3a7-66b4936112c3/resourceGroups/tam-media-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tam-identity": {}
            }
        },
        "properties": {
            "storageAccounts": [
                {
                    "id": "[parameters('storageAccounts_examplestoracctam_externalid')]",
                    "type": "Primary",
                    "identity": {
                        "userAssignedIdentity": "[parameters('userAssignedIdentities_tam_identity_externalid')]",
                        "useSystemAssignedIdentity": false
                    }
                }
            ],
            "storageAuthentication": "ManagedIdentity",
            "encryption": {
                "type": "SystemKey"
            },
            "keyDelivery": {
                "accessControl": {
                    "defaultAction": "Allow",
                    "ipAllowList": []
                }
            },
            "publicNetworkAccess": "Enabled"
        }
    }

This now allowed me to build an azapi_update_resource resource:

    resource "azapi_update_resource" "test" {
      type        = "Microsoft.Media/mediaservices@2021-06-01"
      resource_id = azurerm_media_services_account.example.id

      body = jsonencode({
        properties = {
          storageAuthentication = "ManagedIdentity"
          storageAccounts = [
            {
              id   = azurerm_storage_account.example.id
              type = "Primary"
              identity = {
                userAssignedIdentity = azurerm_user_assigned_identity.example.id
                # Boolean, as in the exported template (not the string "false").
                useSystemAssignedIdentity = false
              }
            }
          ]
        }
      })
    }

The beautiful piece is that you can reference other Terraform resource outputs as part of your resource 🙂 Now, applying this, I was able to set the Managed Identity authentication.

The full Terraform setup can be found on my GitHub here.
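The export-to-body step above can be checked mechanically. The following Python sketch is an added example, not code from this post or from the AzAPI project: it copies only the chosen properties out of an exported template resource and lists the `[parameters(...)]` ARM expressions that still have to be replaced with Terraform references before the body goes into jsonencode. The helper names `pick` and `arm_expressions` and the trimmed sample input are assumptions made for illustration.

```python
import re

# Constructed input: trimmed copy of the export-template resource shown above.
EXPORTED = {
    "type": "Microsoft.Media/mediaservices",
    "apiVersion": "2021-06-01",
    "name": "[parameters('mediaservices_examplemediaacctam_name')]",
    "properties": {
        "storageAccounts": [{
            "id": "[parameters('storageAccounts_examplestoracctam_externalid')]",
            "type": "Primary",
            "identity": {
                "userAssignedIdentity": "[parameters('userAssignedIdentities_tam_identity_externalid')]",
                "useSystemAssignedIdentity": False,
            },
        }],
        "storageAuthentication": "ManagedIdentity",
        "publicNetworkAccess": "Enabled",
    },
}

def pick(resource, paths):
    """Select only the listed dotted paths, so the body touches nothing else."""
    body = {}
    for path in paths:
        *parents, leaf = path.split(".")
        src, dst = resource, body
        for key in parents:
            src, dst = src[key], dst.setdefault(key, {})
        dst[leaf] = src[leaf]
    return body

def arm_expressions(node, where="body"):
    """Yield (location, value) for strings that are still ARM template expressions."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from arm_expressions(value, f"{where}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from arm_expressions(value, f"{where}[{i}]")
    # "[...]" is an ARM expression; a leading "[[" is an escaped literal.
    elif isinstance(node, str) and re.fullmatch(r"\[[^\[].*\]", node):
        yield where, node

BODY = pick(EXPORTED, ["properties.storageAuthentication", "properties.storageAccounts"])
UNRESOLVED = list(arm_expressions(BODY))

if __name__ == "__main__":
    for location, value in UNRESOLVED:
        print(f"replace with a Terraform reference: {location} = {value}")
```

Each reported location corresponds to a value that the resource above fills from `azurerm_storage_account.example.id` and `azurerm_user_assigned_identity.example.id`.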

Final Thoughts..

I think the new addition, the AzAPI Terraform provider, is a real game changer in terms of the day 1 Terraform automation available. There are just so many updates/resources announced near daily; this will be a huge benefit for those who want to deploy these updates/additions right away using Terraform, rather than a hybrid ARM/Terraform deployment!

Try it out, let me know your thoughts – thanks for viewing!
