Azure Container Apps environment creation fails due to error ManagedEnvironmentResourceGroupDisallow

Time:10-14

I'm trying to create an Azure Container Apps Environment through the AzAPI provider on Terraform.

The configuration I'm using is the following:

resource "azapi_resource" "aca_env" {
  type      = "Microsoft.App/managedEnvironments@2022-03-01"
  parent_id = azurerm_resource_group.rg.id
  location  = azurerm_resource_group.rg.location
  name      = var.ACA_ENV_NAME
  body = jsonencode({
    properties = {
      appLogsConfiguration = {
        destination               = "log-analytics"
        logAnalyticsConfiguration = {
          customerId = azurerm_log_analytics_workspace.log.workspace_id
          sharedKey  = azurerm_log_analytics_workspace.log.primary_shared_key
        }
      }
      daprAIConnectionString = azurerm_application_insights.insights.connection_string
      vnetConfiguration = {
        "internal" = true
        "infrastructureSubnetId" = azurerm_subnet.aca_subnet.id
        "dockerBridgeCidr" = var.ACA_ENV_BRIDGE_CIDR
        "platformReservedCidr" = var.ACA_ENV_RESERVED_CIDR
        "platformReservedDnsIP" = var.ACA_ENV_RESERVED_DNS_IP
      }
    }
  })
  depends_on = [
    azurerm_subnet.aca_subnet
  ]
  response_export_values  = ["properties.defaultDomain", "properties.staticIp"]
  ignore_missing_property = true
}

When I try to execute this, I get the following error:

ErrorCode: ManagedEnvironmentResourceGroupDisallowedByPolicy, Message: Fail to create managed environment because resource group creation is disallowed by policy, refer to https://go.microsoft.com/fwlink/?linkid=2198255 for more detail.

My guess is that it's trying to create a resource group somehow. However, we require certain tags to be present on a resource group, which is probably failing.

The weird part is that even though this error happens, the Azure Container Apps environment is still created. Also, if I remove the VNET configuration, the environment is created without any errors.

The question is, why is it trying to create a resource group? I referenced one already in the parent_id attribute.

CodePudding user response:

This is a known issue tracked here:

For the moment, the proposed workaround is to add a policy assignment exception for resource groups that have the MC_ prefix and _{region} suffix.
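
One way to express the exception described in the answer above, shown as an added example that is not part of the original thread. It assumes the tag requirement is a custom deny policy you manage with the azurerm provider, and it writes the exclusion into the policy rule itself (the platform-created group's full name is not known ahead of time). The resource name, tag name and region are constructed placeholders.

```hcl
# Added example: all names and defaults below are assumptions, not values from the thread.
variable "required_tag" {
  type    = string
  default = "costCenter" # constructed placeholder tag name
}

variable "aca_region" {
  type    = string
  default = "westeurope" # constructed placeholder; use the environment's region
}

resource "azurerm_policy_definition" "rg_required_tag" {
  name         = "rg-require-tag-except-aca-managed" # hypothetical name
  policy_type  = "Custom"
  mode         = "All" # resource groups are only evaluated in mode "All"
  display_name = "Require a tag on resource groups, except ACA-managed MC_ groups"

  policy_rule = jsonencode({
    if = {
      allOf = [
        # Only evaluate resource groups.
        { field = "type", equals = "Microsoft.Resources/subscriptions/resourceGroups" },
        # Deny when the required tag is absent.
        { field = "tags['${var.required_tag}']", exists = "false" },
        # Skip the platform-created group: MC_ prefix and _{region} suffix.
        # Azure Policy accepts a single * wildcard in like/notLike.
        { field = "name", notLike = "MC_*_${var.aca_region}" }
      ]
    }
    then = { effect = "deny" }
  })
}
```

The exclusion applies to any resource group whose name matches the pattern, so keep both the MC_ prefix and the region suffix in it rather than matching on the prefix alone.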
