Changing API Management SKU doesn't seem to work #10686

Closed
jeanpaulsmit opened this issue Feb 22, 2021 · 7 comments · Fixed by #10747

@jeanpaulsmit
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform 0.12.20
AzureRM 1.40

Affected Resource(s)

azurerm_api_management

Terraform Configuration Files

n/a

Expected Behaviour

SKU should be modified and have the updated SKU

Actual Behaviour

Output (after running the apply for the second time -> see steps to reproduce):

azurerm_api_management.apim: Modifying... [id=/subscriptions/aa-bb-cc/resourceGroups/test-rg/providers/Microsoft.ApiManagement/service/test-apim]
azurerm_api_management.apim: Modifications complete after 2s [id=/subscriptions/aa-bb-cc/resourceGroups/test-rg/providers/Microsoft.ApiManagement/service/test-apim]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Output says it modified the resource, but checking APIM in the portal it seems it didn't change the SKU.
Also, the modification took only 2 seconds, while it takes 30 minutes via the Azure portal.
It seems like no action was taken on the resource.

Steps to Reproduce

First create resource with 'Standard' SKU:
resource "azurerm_api_management" "apim" {
  name                = "test-apim"
  location            = "westeurope"
  resource_group_name = "test-rg"
  publisher_name      = "[email protected]"
  publisher_email     = "[email protected]"

  sku_name = "Standard_1"
}

Then update the resource to change the SKU to 'Developer':
resource "azurerm_api_management" "apim" {
  name                = "test-apim"
  location            = "westeurope"
  resource_group_name = "test-rg"
  publisher_name      = "[email protected]"
  publisher_email     = "[email protected]"

  sku_name = "Developer_1"
}

@favoretti
Contributor

Provider version 1.40 is pretty outdated to be frank. I'm quite positive it will work just fine if you upgrade to 2.x series, ideally to the latest version. Can you please test with a more recent version and re-open this issue or leave a comment here if it is still broken?

@jeanpaulsmit
Contributor Author

Hi @favoretti, you're right it's an older version of azurerm, so I tested it with one of the latest versions: TF 0.14.6 and azurerm 2.47.

Actually the result now is much more disturbing: the resource gets destroyed!

From the documentation and from experience, I know changing the tier from Standard to Developer should not destroy the resource at all. Destroying will replace the IP address, which is very inconvenient as it might be white listed in some firewall, or be used in scripts to do IP filtering on backend services.

Steps:

  • Create APIM resource with tier Standard_1
resource "azurerm_resource_group" "rg" {
  name     = "jps-test-apim-rg"
  location = "West Europe"
}

resource "azurerm_api_management" "apim" {
  name                = "jps-test-apim"
  location            = "westeurope"
  resource_group_name = "jps-test-apim-rg"
  publisher_name      = "[email protected]"
  publisher_email     = "[email protected]"

  sku_name = "Standard_1"
}
  • Run TF apply
  • Change to Developer_1
resource "azurerm_resource_group" "rg" {
  name     = "jps-test-apim-rg"
  location = "West Europe"
}

resource "azurerm_api_management" "apim" {
  name                = "jps-test-apim"
  location            = "westeurope"
  resource_group_name = "jps-test-apim-rg"
  publisher_name      = "[email protected]"
  publisher_email     = "[email protected]"

  sku_name = "Developer_1"
}
  • Run TF apply

Output (see ~ sku_name = "Standard_1" -> "Developer_1" # forces replacement causing destruction):

C:\06-Temp\Terraform\APIM>terraform apply
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/7ab6fb8e-037f-463b-b913-aadf51843526/resourceGroups/jps-test-apim-rg]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_api_management.apim will be created
  + resource "azurerm_api_management" "apim" {
      + developer_portal_url      = (known after apply)
      + gateway_regional_url      = (known after apply)
      + gateway_url               = (known after apply)
      + id                        = (known after apply)
      + location                  = "westeurope"
      + management_api_url        = (known after apply)
      + name                      = "jps-test-apim"
      + notification_sender_email = (known after apply)
      + policy                    = (known after apply)
      + portal_url                = (known after apply)
      + private_ip_addresses      = (known after apply)
      + public_ip_addresses       = (known after apply)
      + publisher_email           = "[email protected]"
      + publisher_name            = "[email protected]"
      + resource_group_name       = "jps-test-apim-rg"
      + scm_url                   = (known after apply)
      + sku_name                  = "Standard_1"
      + virtual_network_type      = "None"

      + protocols {
          + enable_http2 = (known after apply)
        }

      + security {
          + enable_backend_ssl30                                = (known after apply)
          + enable_backend_tls10                                = (known after apply)
          + enable_backend_tls11                                = (known after apply)
          + enable_frontend_ssl30                               = (known after apply)
          + enable_frontend_tls10                               = (known after apply)
          + enable_frontend_tls11                               = (known after apply)
          + enable_triple_des_ciphers                           = (known after apply)
          + tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled = (known after apply)
          + tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled = (known after apply)
          + tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled   = (known after apply)
          + tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled   = (known after apply)
          + tls_rsa_with_aes128_cbc_sha256_ciphers_enabled      = (known after apply)
          + tls_rsa_with_aes128_cbc_sha_ciphers_enabled         = (known after apply)
          + tls_rsa_with_aes128_gcm_sha256_ciphers_enabled      = (known after apply)
          + tls_rsa_with_aes256_cbc_sha256_ciphers_enabled      = (known after apply)
          + tls_rsa_with_aes256_cbc_sha_ciphers_enabled         = (known after apply)
          + triple_des_ciphers_enabled                          = (known after apply)
        }

      + sign_in {
          + enabled = (known after apply)
        }

      + sign_up {
          + enabled = (known after apply)

          + terms_of_service {
              + consent_required = (known after apply)
              + enabled          = (known after apply)
              + text             = (known after apply)
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.


Warning: "skip_credentials_validation": [DEPRECATED] This field is deprecated and will be removed in version 3.0 of the Azure Provider


Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_api_management.apim: Creating...
azurerm_api_management.apim: Still creating... [10s elapsed]
..............................................
azurerm_api_management.apim: Still creating... [31m11s elapsed]
azurerm_api_management.apim: Creation complete after 31m16s [id=/subscriptions/7ab6fb8e-037f-463b-b913-aadf51843526/resourceGroups/jps-test-apim-rg/providers/Microsoft.ApiManagement/service/jps-test-apim]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

C:\06-Temp\Terraform\APIM>terraform apply
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/7ab6fb8e-037f-463b-b913-aadf51843526/resourceGroups/jps-test-apim-rg]
azurerm_api_management.apim: Refreshing state... [id=/subscriptions/7ab6fb8e-037f-463b-b913-aadf51843526/resourceGroups/jps-test-apim-rg/providers/Microsoft.ApiManagement/service/jps-test-apim]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurerm_api_management.apim must be replaced
-/+ resource "azurerm_api_management" "apim" {
      ~ developer_portal_url      = "https://jps-test-apim.developer.azure-api.net" -> (known after apply)
      ~ gateway_regional_url      = "https://jps-test-apim-westeurope-01.regional.azure-api.net" -> (known after apply)
      ~ gateway_url               = "https://jps-test-apim.azure-api.net" -> (known after apply)
      ~ id                        = "/subscriptions/7ab6fb8e-037f-463b-b913-aadf51843526/resourceGroups/jps-test-apim-rg/providers/Microsoft.ApiManagement/service/jps-test-apim" -> (known after apply)
      ~ management_api_url        = "https://jps-test-apim.management.azure-api.net" -> (known after apply)
        name                      = "jps-test-apim"
      ~ notification_sender_email = "[email protected]" -> (known after apply)
      ~ policy                    = [
          - {
              - xml_content = <<-EOT
                    <!--
                        IMPORTANT:
                        - Policy elements can appear only within the <inbound>, <outbound>, <backend> section elements.
                        - Only the <forward-request> policy element can appear within the <backend> section element.
                        - To apply a policy to the incoming request (before it is forwarded to the backend service), place a corresponding policy element within the <inbound> section element.
                        - To apply a policy to the outgoing response (before it is sent back to the caller), place a corresponding policy element within the <outbound> section element.
                        - To add a policy position the cursor at the desired insertion point and click on the round button associated with the policy.
                        - To remove a policy, delete the corresponding policy statement from the policy document.
                        - Policies are applied in the order of their appearance, from the top down.
                    -->
                    <policies>
                        <inbound />
                        <backend>
                                <forward-request />
                        </backend>
                        <outbound />
                    </policies>
                EOT
              - xml_link    = ""
            },
        ] -> (known after apply)
      ~ portal_url                = "https://jps-test-apim.portal.azure-api.net" -> (known after apply)
      ~ private_ip_addresses      = [] -> (known after apply)
      ~ public_ip_addresses       = [
          - "13.95.91.38",
        ] -> (known after apply)
      ~ scm_url                   = "https://jps-test-apim.scm.azure-api.net" -> (known after apply)
      ~ sku_name                  = "Standard_1" -> "Developer_1" # forces replacement
      - tags                      = {} -> null
        # (5 unchanged attributes hidden)

      ~ protocols {
          ~ enable_http2 = false -> (known after apply)
        }

      ~ security {
          ~ enable_backend_ssl30                                = false -> (known after apply)
          ~ enable_backend_tls10                                = false -> (known after apply)
          ~ enable_backend_tls11                                = false -> (known after apply)
          ~ enable_frontend_ssl30                               = false -> (known after apply)
          ~ enable_frontend_tls10                               = false -> (known after apply)
          ~ enable_frontend_tls11                               = false -> (known after apply)
          ~ enable_triple_des_ciphers                           = false -> (known after apply)
          ~ tls_ecdhe_ecdsa_with_aes128_cbc_sha_ciphers_enabled = false -> (known after apply)
          ~ tls_ecdhe_ecdsa_with_aes256_cbc_sha_ciphers_enabled = false -> (known after apply)
          ~ tls_ecdhe_rsa_with_aes128_cbc_sha_ciphers_enabled   = false -> (known after apply)
          ~ tls_ecdhe_rsa_with_aes256_cbc_sha_ciphers_enabled   = false -> (known after apply)
          ~ tls_rsa_with_aes128_cbc_sha256_ciphers_enabled      = false -> (known after apply)
          ~ tls_rsa_with_aes128_cbc_sha_ciphers_enabled         = false -> (known after apply)
          ~ tls_rsa_with_aes128_gcm_sha256_ciphers_enabled      = false -> (known after apply)
          ~ tls_rsa_with_aes256_cbc_sha256_ciphers_enabled      = false -> (known after apply)
          ~ tls_rsa_with_aes256_cbc_sha_ciphers_enabled         = false -> (known after apply)
          ~ triple_des_ciphers_enabled                          = false -> (known after apply)
        }

      ~ sign_in {
          ~ enabled = false -> (known after apply)
        }

      ~ sign_up {
          ~ enabled = false -> (known after apply)

          ~ terms_of_service {
              ~ consent_required = false -> (known after apply)
              ~ enabled          = false -> (known after apply)
              + text             = (known after apply)
            }
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.


Warning: "skip_credentials_validation": [DEPRECATED] This field is deprecated and will be removed in version 3.0 of the Azure Provider


Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_api_management.apim: Destroying... [id=/subscriptions/7ab6fb8e-037f-463b-b913-aadf51843526/resourceGroups/jps-test-apim-rg/providers/Microsoft.ApiManagement/service/jps-test-apim]
azurerm_api_management.apim: Still destroying... [id=/subscriptions/7ab6fb8e-037f-463b-b913-...ft.ApiManagement/service/jps-test-apim, 10s elapsed]
..............................................
azurerm_api_management.apim: Still destroying... [id=/subscriptions/7ab6fb8e-037f-463b-b913-...ft.ApiManagement/service/jps-test-apim, 2m0s elapsed]
azurerm_api_management.apim: Destruction complete after 2m1s
azurerm_api_management.apim: Creating...
azurerm_api_management.apim: Still creating... [10s elapsed]
..............................................
azurerm_api_management.apim: Still creating... [41m10s elapsed]
azurerm_api_management.apim: Creation complete after 41m13s [id=/subscriptions/7ab6fb8e-037f-463b-b913-aadf51843526/resourceGroups/jps-test-apim-rg/providers/Microsoft.ApiManagement/service/jps-test-apim]

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

C:\06-Temp\Terraform\APIM>
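
As an added example (not part of the original thread or the provider's code): a CI check that reads `terraform show -json` output and flags any plan that would destroy or replace an `azurerm_api_management` resource, listing the public IPs that firewall allowlists would lose. The sample plan is constructed from the values in the output above; `GUARDED_TYPES` and the function name are assumptions.

```python
import json

# Constructed sample: a trimmed `terraform show -json <planfile>` document
# mirroring the replacement plan in the issue (values taken from that plan).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "azurerm_resource_group.rg",
            "type": "azurerm_resource_group",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
        {
            "address": "azurerm_api_management.apim",
            "type": "azurerm_api_management",
            "change": {
                "actions": ["delete", "create"],
                "before": {"sku_name": "Standard_1",
                           "public_ip_addresses": ["13.95.91.38"]},
                "after": {"sku_name": "Developer_1"},
                "after_unknown": {"public_ip_addresses": True},
            },
        },
    ]
})

# Assumption: resource types whose replacement changes an allowlisted address.
GUARDED_TYPES = {"azurerm_api_management"}


def find_ip_changing_replacements(plan_json, guarded=GUARDED_TYPES):
    """Return one finding per guarded resource that the plan destroys or replaces."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # In-place updates ("update") and no-ops keep the resource and its IP.
        if rc.get("type") not in guarded or "delete" not in actions:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        findings.append({
            "address": rc.get("address"),
            "replaced": "create" in actions,
            "ips_at_risk": list(before.get("public_ip_addresses") or []),
            "changed": sorted(k for k in after if k in before and before[k] != after[k]),
        })
    return findings


if __name__ == "__main__":
    results = find_ip_changing_replacements(SAMPLE_PLAN)
    for f in results:
        print(f"BLOCK {f['address']}: replaced={f['replaced']} "
              f"ips={f['ips_at_risk']} changed={f['changed']}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline
```
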

@favoretti
Contributor

This potentially is correct behavior. I'll test whether SKU can be updated, but I'm afraid API isn't able to do that. In that case the only thing we can do is destroy and re-create.

@jeanpaulsmit
Contributor Author

The documentation is quite clear about when a new IP address will be created:
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-ip-addresses#changes-to-the-ip-addresses

But I understand you're bound by the APIM management API to do this?
If you cannot update without destroy/create, then that's way different from the portal experience, and it might be a good idea to explicitly mention that in the documentation (although the 'apply' does show it, it can easily be missed).

@favoretti
Contributor

Yeah, I hear you. I'll modify the resource to not recreate and run some tests, will keep you posted.

@ghost

ghost commented Mar 5, 2021

This has been released in version 2.50.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.50.0"
}
# ... other configuration ...

@ghost

ghost commented Mar 28, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 28, 2021