data/resource: azurerm_management_group - now exports tenant_scoped_id

[BrendanThompson]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

Currently when trying to create a System Topic on a Management Group using the described and validated Management Group ID as per below an error is received:

resource "azurerm_eventgrid_system_topic" "this" {
  name                   = "policy-insights"
  resource_group_name    = "resource-group"
  location               = "Global"
  source_arm_resource_id = "/providers/Microsoft.Management/managementGroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  topic_type             = "Microsoft.PolicyInsights.PolicyStates"
}

This yields the following error:

╷
│ Error: creating/updating System Topic (Subscription: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
│ Resource Group Name: "resource-group"
│ System Topic Name: "policy-insights"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: InvalidRequest: ResourceID is not in the expected format: /providers/Microsoft.Management/managementGroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (Parameter 'GetSourceScope')
│ 
│   with azurerm_eventgrid_system_topic.this,
│   on main.tf line 14, in resource "azurerm_eventgrid_system_topic" "this":
│   14: resource "azurerm_eventgrid_system_topic" "this" {
│ 
╵

This error looks to be coming from the Azure API, which means the current validate.ManagementGroupID function from the github.com/hashicorp/terraform-provider-azurerm/internal/services/managementgroup/validate package is only checking for valid format on the above and not what is expected by the API.

As shown in the following documentation the resource ID format changes specifically for Management Group IDs when creating a System Topic.

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/governance/policy/tutorials/route-state-change-events.md#create-an-event-grid-system-topic

The resolution to this is to create a validator and parser for Management Group IDs based on that format.

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_eventgrid_system_topic - support for using a correctly formatted Management Group ID as the source_arm_resource_id [data/resource: azurerm_management_group - now exports tenant_scoped_id #25555]

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #24548

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[BrendanThompson]

@katbyte – is there anything further you would like to see on this PR to help progress it?

[mbfrahry]

Hey @BrendanThompson, this change looks good and I was able to get it working locally with a /tenants/ id. We should add a test though to make sure that we get this coverage in our acceptance test suite. And I'm wondering if we should add a /tenants/ id to the azurerm_management_group resource so people don't have to build that id out themselves.

What're your thoughts there?

[BrendanThompson]

@mbfrahry — thanks for reviewing, appreciate it! I actually love your idea with having the ID in the data source, would we want it in both the data source and the resource? I think so personally.

When it comes to testing, roger that let me look into it and get back to you ASAP.

[BrendanThompson]

@mbfrahry — added in the tests and everything else. Hopefully they should pass this time.

[BrendanThompson]

I was thinking perhaps tenant_management_group_id might be a better attribute name, what are your thoughts?

[tombuildsstuff]

Left a few comments inline but otherwise 👍

[BrendanThompson]

@tombuildsstuff – awesome thanks so much mate. Agree with everything that you've said and have made the required changes.

[katbyte]

Thanks @BrendanThompson - LGTM 🚜

[BrendanThompson]

Thanks so much @mbfrahry , @tombuildsstuff , & @katbyte !

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.