azapi - not all resources support tags

[hbuckle]

Describe the bug

Support was added in 0.5.1 for tagging azapi resources, but not all resources in ARM support tags (particularly sub-resources), leading to errors at plan time.

To Reproduce

data "azurerm_client_config" "current" {}

data "azurerm_container_app" "example" {
  name                = "example"
  resource_group_name = "example"
}

resource "azapi_resource" "example" {
  type      = "Microsoft.App/containerApps/authConfigs@2024-03-01"
  name      = "current"
  parent_id = data.azurerm_container_app.example.id
  body = {
    properties = {
      globalValidation = {
        redirectToProvider          = "azureactivedirectory"
        unauthenticatedClientAction = "RedirectToLoginPage"
      }
      identityProviders = {
        azureActiveDirectory = {
          enabled           = true
          isAutoProvisioned = false
          registration = {
            clientId                = "example"
            clientSecretSettingName = "microsoft-provider-authentication-secret"
            openIdIssuer            = "https://sts.windows.net/${data.azurerm_client_config.current.tenant_id}/v2.0"
          }
          validation = {
            allowedAudiences = [
              "example",
            ]
            defaultAuthorizationPolicy = {
              allowedApplications = [
                "example",
              ]
            }
          }
        }
      }
      login = {}
      platform = {
        enabled        = true
        runtimeVersion = "~2"
      }
    }
  }
}

terratag -default-to-terraform -rename=false -tags="{\"test\":\"test\"}" -type=terraform -verbose
terraform plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Invalid configuration
│
│ with azapi_resource.example,
│ on main.tf line 8, in resource "azapi_resource" "example":
│ 8: resource "azapi_resource" "example" {
│
│ embedded schema validation failed: the argument "body" is invalid:
│ tags is not expected here. Do you mean properties?

Expected behavior

I'm not sure what the best way to handle this is - we can use the -filter option as a workaround, but there are so many of these sub-resources in ARM I feel like that would become unworkable.
I'm also not sure there is any way to handle this from the terratag side, it seems like the azapi provider is doing some dynamic validation at plan time.

Desktop (please complete the following information):

• OS: Any
• Terraform version: 1.9.8
• Providers/module versions if applicable: azapi 2.0.1

[hbuckle]

For now I've just excluded all azapi resources with the filter option

[TomerHeber]

@hbuckle this is indeed a challenge.

maybe a white list approach.

E.g asking ourselves what type of resources we would like to tag.

type = "Microsoft.App/containerApps/* is a no...
But do you have types that are a "yes" ?

[TomerHeber]

Please confirm that this is what we're looking for:
https://github.com/tfitzmac/resource-capabilities/blob/main/tag-support.csv

[hbuckle]

I haven't seen that list before, I note it hasn't been updated in some time though...

[hbuckle]

@hbuckle this is indeed a challenge.

maybe a white list approach.

E.g asking ourselves what type of resources we would like to tag.

type = "Microsoft.App/containerApps/* is a no... But do you have types that are a "yes" ?

I'm not sure if there is a good way to tell just from the resource type - it isn't really consistent, some sub-resources do support tags and some don't

[TomerHeber]

this is more up-to-date:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support

allow me some time to review and come up with a solution.
using the information above will hopefully suffice.

[hbuckle]

I may take a look at the azapi provider and see if it can be addressed there - as they are allowing the tags property to be set even if the underlying resource doesn't support it.