A few months ago, the AzAPI Terraform provider was announced; it enables you to manage any Azure resource type using any API version. You may be wondering: why the need for this?
Sometimes, with new resource updates or additions, the Terraform AzureRM provider is not up to date or is missing a piece of functionality within a particular resource. With this new provider, you can begin deploying using Terraform from day 1 without the need to wait until AzureRM has been updated – awesome!
With the AzAPI announcement, there were two resources released:
In this blog post, I am going to show how you can use the Terraform resource azapi_update_resource to update Azure resources that are not yet supported in the AzureRM provider!
What can azapi_update_resource update?
From documentation: This resource can manage a subset of any existing Azure resource manager resource’s properties.
I have tested it on a few different setups – some that AzureRM does support & some that it doesn’t; all apply fine!
Examples of the syntax usage:
resource "azapi_update_resource" "test" {
  type        = "Microsoft.Media/mediaservices@2021-06-01"
  resource_id = azurerm_media_services_account.example.id

  body = jsonencode({
    identity = {
      "type" = "UserAssigned",
      # userAssignedIdentities is a map keyed by the identity's resource ID,
      # matching the exported template shown further down.
      "userAssignedIdentities" = {
        "/subscriptions/04109105-f3ca-44ac-a3a7-66b4936112c3/resourceGroups/tam-media-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tam-identity" = {}
      }
    }
  })
}
Very easy to use: the body is passed with jsonencode.
Let's have a look at how I obtained the correct values to use within my jsonencode.
Building the jsonencode example
In this setup, I want to add managed identity storage authentication to my Media Service.

Using the export template, I was able to view the JSON syntax needed.

Output:
{
  "type": "Microsoft.Media/mediaservices",
  "apiVersion": "2021-06-01",
  "name": "[parameters('mediaservices_examplemediaacctam_name')]",
  "location": "West Europe",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/04109105-f3ca-44ac-a3a7-66b4936112c3/resourceGroups/tam-media-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tam-identity": {}
    }
  },
  "properties": {
    "storageAccounts": [
      {
        "id": "[parameters('storageAccounts_examplestoracctam_externalid')]",
        "type": "Primary",
        "identity": {
          "userAssignedIdentity": "[parameters('userAssignedIdentities_tam_identity_externalid')]",
          "useSystemAssignedIdentity": false
        }
      }
    ],
    "storageAuthentication": "ManagedIdentity",
    "encryption": {
      "type": "SystemKey"
    },
    "keyDelivery": {
      "accessControl": {
        "defaultAction": "Allow",
        "ipAllowList": []
      }
    },
    "publicNetworkAccess": "Enabled"
  }
},
This now allowed me to build an azapi_update_resource resource:
resource "azapi_update_resource" "test" {
  type        = "Microsoft.Media/mediaservices@2021-06-01"
  resource_id = azurerm_media_services_account.example.id

  body = jsonencode({
    properties = {
      storageAuthentication = "ManagedIdentity"
      storageAccounts = [
        {
          id   = azurerm_storage_account.example.id
          type = "Primary"
          identity = {
            userAssignedIdentity = azurerm_user_assigned_identity.example.id
            # Boolean, as in the exported template (not the string "false")
            useSystemAssignedIdentity = false
          }
        }
      ]
    }
  })
}
The beautiful piece is that you can reference other Terraform resource outputs as part of your resource 🙂. After applying this, I was able to set the Managed Identity authentication.
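The two bodies shown in this post combined into a single update, as an added example that is not part of the original post or its GitHub repository: the identity is attached by reference instead of a hard-coded resource ID, and it is given blob access on the storage account before the account is switched to identity-based authentication. The role assignment, the role name chosen for it, and the resource labels `media_storage` and `media_identity_auth` are assumptions; the `example` resources follow the post's naming and are expected to be defined elsewhere.

```hcl
# Added example (not from the original post).

# Assumption: the identity needs blob data access on the storage account
# before Media Services can authenticate to storage with it.
resource "azurerm_role_assignment" "media_storage" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.example.principal_id
}

resource "azapi_update_resource" "media_identity_auth" {
  type        = "Microsoft.Media/mediaservices@2021-06-01"
  resource_id = azurerm_media_services_account.example.id

  body = jsonencode({
    identity = {
      type = "UserAssigned"
      # Map keyed by the identity's resource ID, as in the exported template.
      # The parentheses make Terraform evaluate the key as an expression.
      userAssignedIdentities = {
        (azurerm_user_assigned_identity.example.id) = {}
      }
    }
    properties = {
      storageAuthentication = "ManagedIdentity"
      storageAccounts = [
        {
          id   = azurerm_storage_account.example.id
          type = "Primary"
          identity = {
            userAssignedIdentity      = azurerm_user_assigned_identity.example.id
            useSystemAssignedIdentity = false
          }
        }
      ]
    }
  })

  # Grant storage access first, then switch the account to identity-based auth.
  depends_on = [azurerm_role_assignment.media_storage]
}
```

Scoping the role assignment to the single storage account keeps the identity's access limited to what the Media Services account uses.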

The full Terraform setup can be found on my GitHub here
Final Thoughts
I think the new AzAPI Terraform provider is a real game changer in terms of the day 1 Terraform automation available. There are so many updates/resources announced near daily that this will be a huge benefit for those who want to deploy these updates/additions right away using Terraform, rather than through a hybrid ARM/Terraform deployment!
Try it out, let me know your thoughts – thanks for viewing!