
I’m trying to create an Azure Container Apps Environment through the AzAPI provider on Terraform.

The configuration I’m using is the following:

resource "azapi_resource" "aca_env" {
  type      = "Microsoft.App/managedEnvironments@2022-03-01"
  parent_id = azurerm_resource_group.rg.id # the environment is created inside this existing resource group
  location  = azurerm_resource_group.rg.location
  name      = var.ACA_ENV_NAME
  body = jsonencode({
    properties = {
      appLogsConfiguration = {
        destination               = "log-analytics"
        logAnalyticsConfiguration = {
          customerId = azurerm_log_analytics_workspace.log.workspace_id
          sharedKey  = azurerm_log_analytics_workspace.log.primary_shared_key # secret value; it is written to plan output and state
        }
      }
      daprAIConnectionString = azurerm_application_insights.insights.connection_string
      vnetConfiguration = {
        internal               = true # internal environment: ingress is reachable only from inside the VNET
        infrastructureSubnetId = azurerm_subnet.aca_subnet.id
        dockerBridgeCidr       = var.ACA_ENV_BRIDGE_CIDR
        platformReservedCidr   = var.ACA_ENV_RESERVED_CIDR
        platformReservedDnsIP  = var.ACA_ENV_RESERVED_DNS_IP
      }
    }
  })
  depends_on = [
    azurerm_subnet.aca_subnet
  ]
  response_export_values  = ["properties.defaultDomain", "properties.staticIp"]
  ignore_missing_property = true
}

When I try to execute this, I get the following error:

ErrorCode: ManagedEnvironmentResourceGroupDisallowedByPolicy, Message: Fail to create managed environment because resource group creation is disallowed by policy, refer to https://go.microsoft.com/fwlink/?linkid=2198255 for more detail.

My guess is that it’s trying to create a resource group somehow. However, we require certain tags to be present on a resource group, which is probably failing.

The weird part is that even though this error happens, the Azure Container Apps environment is still created. Also, if I remove the VNET configuration, the environment is created without any errors.

The question is, why is it trying to create a resource group? I referenced one already in the parent_id attribute.

2 Answers


  1. This is a known issue tracked here:

    For the moment, the proposed workaround is to add a policy assignment exception for resource groups that have the MC_ prefix and _{region} suffix.

  2. Adding to @Thomas’s answer with the reason. This is by design and requires customer action.

    For security or compliance, your subscription administrators might assign policies that limit how resources are deployed. For this case, your policy prevents creating resources like public IP addresses, VMSS under MC_ resource group.

    Refer to https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-policy-requestdisallowedbypolicy

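The first answer's workaround (exempt resource groups named with the MC_ prefix and the _{region} suffix) and the second answer's explanation (the denial comes from a subscription policy, not from the Terraform resource) can be combined in one policy definition. The following Terraform is an added example and is not code from the question, the answers, or any Azure project: it keeps a "resource groups must carry a tag" deny policy in force and carves out only the managed resource group that the internal Container Apps environment creates. The variable names, the tag key costCenter, the region westeurope and the subscription id are assumptions made for the example; the MC_ prefix and region suffix are the ones named in the first answer.

```hcl
# Added example: a custom Azure Policy that denies resource groups without a
# required tag, except the managed resource group created for an internal
# Container Apps environment (MC_<...>_<region>). All names below are assumed.

variable "required_tag" {
  description = "Tag key every resource group must carry (assumed for this example)"
  default     = "costCenter"
}

variable "aca_region" {
  description = "Region of the Container Apps environment; becomes the name suffix (assumed)"
  default     = "westeurope"
}

variable "subscription_id" {
  description = "Subscription the policy is assigned to (placeholder value)"
  default     = "00000000-0000-0000-0000-000000000000"
}

resource "azurerm_policy_definition" "rg_requires_tag" {
  name         = "rg-requires-tag-except-aca-managed"
  display_name = "Resource groups must carry ${var.required_tag} (except ACA managed RGs)"
  policy_type  = "Custom"
  mode         = "All" # "Indexed" would not evaluate resource groups

  policy_rule = jsonencode({
    "if" = {
      allOf = [
        # Only resource groups are in scope of this rule.
        { field = "type", equals = "Microsoft.Resources/subscriptions/resourceGroups" },
        # The required tag is missing.
        { field = "tags['${var.required_tag}']", exists = "false" },
        # Carve-out: a name that has BOTH the MC_ prefix and the expected region
        # suffix is not denied. Requiring both keeps the exception narrow;
        # "MC_*" on its own also matches managed resource groups of other services.
        {
          not = {
            allOf = [
              { field = "name", like = "MC_*" },
              { field = "name", like = "*_${var.aca_region}" }
            ]
          }
        }
      ]
    }
    "then" = { effect = "deny" }
  })
}

resource "azurerm_subscription_policy_assignment" "rg_requires_tag" {
  name                 = "rg-requires-tag"
  display_name         = azurerm_policy_definition.rg_requires_tag.display_name
  subscription_id      = "/subscriptions/${var.subscription_id}"
  policy_definition_id = azurerm_policy_definition.rg_requires_tag.id
}
```

The carve-out is expressed in the policy rule rather than as a separate exemption because an exemption needs a scope that already exists, while here the resource group is created by the platform during the azapi_resource apply. After assigning the policy, a plan/apply of the environment should no longer report ManagedEnvironmentResourceGroupDisallowedByPolicy, while a plain resource group created without the tag is still denied; the managed resource group will still lack the tag, so anything that relies on the tag (cost allocation, inventory) needs to account for it explicitly.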