azurerm_api_management in 2.7.0 fails with error "Certificate management for the default domain is not allowed" after update #6621

Closed
kensykora opened this issue Apr 24, 2020 · 5 comments · Fixed by #6850

@kensykora

As of 2.6.0 we had a config that looked like this:

resource "azurerm_api_management" "api-management" {
  location            = "East US"
  name                = "contoso-apimgmt"
  publisher_email     = "[email protected]"
  publisher_name      = "Contoso"
  resource_group_name = "rg"

  identity {
    type = "SystemAssigned"
  }

  sku_name = "Developer_1"

  tags = local.common_tags

  policy {
    xml_content = <<XML
  <policies>
    <inbound>
        <cors>
            <allowed-origins>
              %{for origin in var.cors_origins~}
                <origin>${origin}</origin>
              %{endfor~}
            </allowed-origins>
            <allowed-methods>
                <method>GET</method>
                <method>POST</method>
                <method>PUT</method>
                <method>DELETE</method>
                <method>OPTIONS</method>
                <method>PATCH</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
        </cors>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
    <on-error />
  </policies>
  XML
  }
}

When running terraform apply to this config after updating to azurerm 2.7.0, we get this error:

module.perimeter.azurerm_api_management.api-management: Modifying... [id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ApiManagement/service/contoso-apimgmt]
Error: creating/updating API Management Service "contoso-apimgmt" (Resource Group "rg"): apimanagement.ServiceClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="NotSupported" Message="Certificate management for the default domain 'contoso-apimgmt.azure-api.net' is not allowed."         

Workaround is to downgrade to 2.6.0. After forcing 2.7.0 to use 2.6.0, apply is successful.

terraform {
  required_providers {
    # Locks into AzureRM 2.6.0 to work around this bug: 
    azurerm = "~>2.6.0"
  }
}

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

PS C:\Users\kensy\Workspace\Infrastructure\environments\dev> terraform -v
Terraform v0.12.24
+ provider.azuread v0.8.0
+ provider.azurerm v2.7.0
+ provider.random v2.2.1

Affected Resource(s)

  • azurerm_api_management

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

Actual Behavior

Steps to Reproduce

  1. terraform apply

Important Factoids

@yupwei68
Contributor

Hi @kensykora, thanks for opening this issue. I could not reproduce this error with the code above. Could you try to apply this resource again to see whether this error still runs out?

@markti
Contributor

markti commented Apr 27, 2020

I experienced this exact same issue. I tried to downgrade but I had already transitioned from properties to named values. My APIM is totally unmanageable now. :( very disappointed.

@yupwei68 the error comes when you simply make any change to the policy code.

I had to

  • go back to 2.7.0
  • remove the entire APIM hierarchy (230 resources)
  • remove any named_values (new in 2.7.0)
  • downgrade to 2.6.0...

big oof...

@yupwei68
Contributor

Hi @markti, thanks for your help. I can reproduce it now. This is a regression bug for azurerm_api_management, and we'll fix it later.

@tombuildsstuff tombuildsstuff added this to the v2.10.0 milestone May 12, 2020
katbyte pushed a commit that referenced this issue May 13, 2020
… if not empty (#6850)

When the fields are set to empty strings instead of null, the error message in #6621 is given. When set to null when empty strings, the update goes through.

Fixes #6621.
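
The commit message above attributes the error to fields being sent as empty strings instead of null. The following Go sketch is an added illustration, not the provider's code: the struct, its JSON field names and both helper functions are hypothetical stand-ins, and it only shows how the two cases differ in the serialized request body.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// hostnameConfig is a hypothetical stand-in for the hostname settings sent in
// the update request; the struct and JSON field names are assumptions.
type hostnameConfig struct {
	HostName            string  `json:"hostName"`
	Certificate         *string `json:"encodedCertificate,omitempty"`
	CertificatePassword *string `json:"certificatePassword,omitempty"`
	KeyVaultID          *string `json:"keyVaultId,omitempty"`
}

// alwaysPtr models the regressed behaviour: "" becomes a non-nil pointer,
// so the field is serialized as an empty string.
func alwaysPtr(s string) *string { return &s }

// nilIfEmpty models the fix: "" becomes nil, which omitempty drops.
func nilIfEmpty(s string) *string {
	if s == "" {
		return nil
	}
	return &s
}

// buildPayload serializes one hostname entry using the given converter.
func buildPayload(host, cert, password, vaultID string, conv func(string) *string) string {
	cfg := hostnameConfig{
		HostName:            host,
		Certificate:         conv(cert),
		CertificatePassword: conv(password),
		KeyVaultID:          conv(vaultID),
	}
	b, err := json.Marshal(cfg)
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	host := "contoso-apimgmt.azure-api.net" // default domain from the error above
	fmt.Println("empty strings:", buildPayload(host, "", "", "", alwaysPtr))
	fmt.Println("nil when empty:", buildPayload(host, "", "", "", nilIfEmpty))
}
```

With empty strings the payload still carries the certificate-related keys for the default domain; with nil they are absent from the request.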
@ghost

ghost commented May 15, 2020

This has been released in version 2.10.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.10.0"
}
# ... other configuration ...

@ghost

ghost commented Jun 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jun 13, 2020