I’m trying to create an Azure Container Apps Environment through the AzAPI provider on Terraform.
The configuration I’m using is the following:
resource "azapi_resource" "aca_env" {
  type      = "Microsoft.App/managedEnvironments@2022-03-01"
  parent_id = azurerm_resource_group.rg.id
  location  = azurerm_resource_group.rg.location
  name      = var.ACA_ENV_NAME

  body = jsonencode({
    properties = {
      appLogsConfiguration = {
        destination = "log-analytics"
        logAnalyticsConfiguration = {
          customerId = azurerm_log_analytics_workspace.log.workspace_id
          sharedKey  = azurerm_log_analytics_workspace.log.primary_shared_key
        }
      }
      daprAIConnectionString = azurerm_application_insights.insights.connection_string
      vnetConfiguration = {
        internal              = true
        infrastructureSubnetId = azurerm_subnet.aca_subnet.id
        dockerBridgeCidr      = var.ACA_ENV_BRIDGE_CIDR
        platformReservedCidr  = var.ACA_ENV_RESERVED_CIDR
        platformReservedDnsIP = var.ACA_ENV_RESERVED_DNS_IP
      }
    }
  })

  depends_on = [
    azurerm_subnet.aca_subnet
  ]

  response_export_values  = ["properties.defaultDomain", "properties.staticIp"]
  ignore_missing_property = true
}
When I try to execute this, I get the following error:
ErrorCode: ManagedEnvironmentResourceGroupDisallowedByPolicy, Message: Fail to create managed environment because resource group creation is disallowed by policy, refer to https://go.microsoft.com/fwlink/?linkid=2198255 for more detail.
My guess is that it’s trying to create a resource group somehow. However, we require certain tags to be present on a resource group, which is probably failing.
The weird part is that even though this error happens, the Azure Container Apps environment is still created. Also, if I remove the VNET configuration, the environment is created without any errors.
The question is, why is it trying to create a resource group? I referenced one already in the parent_id attribute.
2 Answers
This is a known issue tracked here:

For the moment, the proposed workaround is to add a policy assignment exception for resource groups that have the MC_ prefix and _{region} suffix.

Adding to @Thomas's answer for the reason. This is by design and requires customer action.

For security or compliance, your subscription administrators might assign policies that limit how resources are deployed. In this case, your policy prevents creating resources like public IP addresses and VMSS under the MC_ resource group. Refer to https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-policy-requestdisallowedbypolicy