azurerm_api_management internal mode with Zones requires a Public IP #27949

Open
1 task done
razkha78 opened this issue Nov 8, 2024 · 0 comments · May be fixed by #27976


razkha78 commented Nov 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues


Terraform Version

v1.9.8

AzureRM Provider Version

4.8.0

Affected Resource(s)/Data Source(s)

azurerm_api_management

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=4.8.0" # Use the latest compatible version for your environment
    }
  }
}

# Provider block
provider "azurerm" {
  features {}
  subscription_id = "xxxxxx-xxxx-46bd-af5c-32b51467b9ae"
}

# Resource Group
resource "azurerm_resource_group" "apim_rg" {
  name     = "example-apim-rg-02"
  location = "East US"
}

resource "azurerm_network_security_group" "apimnsg" {
  name                = "apimnsg"
  location            = azurerm_resource_group.apim_rg.location
  resource_group_name = azurerm_resource_group.apim_rg.name

  security_rule {
    name                       = "ClientCommunicationtoAPIM"
    description                = "Client communication to API Management"
    access                     = "Allow"
    protocol                   = "Tcp"
    direction                  = "Inbound"
    priority                   = 200
    source_address_prefix      = "Internet"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_ranges    = ["80", "443"]
  }

  security_rule {
    name                       = "ManagementEndpointForAzurePortalAndPowerShell"
    description                = "Management endpoint for Azure portal and PowerShell"
    access                     = "Allow"
    protocol                   = "Tcp"
    direction                  = "Inbound"
    priority                   = 210
    source_address_prefix      = "ApiManagement"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_range     = "3443"
  }

  security_rule {
    name                       = "AzureInfrastructureLoadBalancer"
    description                = "Azure Infrastructure Load Balancer"
    access                     = "Allow"
    protocol                   = "Tcp"
    direction                  = "Inbound"
    priority                   = 220
    source_address_prefix      = "AzureLoadBalancer"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_range     = "6390"
  }

  security_rule {
    name                       = "AzureTrafficManageRoutingForMultiRegionDeployment"
    description                = "Azure Traffic Manager routing for multi-region deployment"
    access                     = "Allow"
    protocol                   = "Tcp"
    direction                  = "Inbound"
    priority                   = 230
    source_address_prefix      = "AzureTrafficManager"
    source_port_range          = "*"
    destination_address_prefix = "VirtualNetwork"
    destination_port_range     = "443"
  }

  security_rule {
    name                       = "DependencyOnAzureStorage"
    description                = "Dependency on Azure Storage for core service functionality"
    access                     = "Allow"
    protocol                   = "Tcp"
    direction                  = "Outbound"
    priority                   = 240
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "Storage"
    destination_port_range     = "443"
  }

  security_rule {
    name                       = "AccessToAzureSQLEndpoints"
    description                = "Access to Azure SQL endpoints for core service functionality"
    access                     = "Allow"
    protocol                   = "Tcp"
    direction                  = "Outbound"
    priority                   = 250
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "SQL"
    destination_port_range     = "1433" # Azure SQL listens on 1433; "1443" was a typo
  }

  security_rule {
    name                       = "AccessToAzureKeyVault"
    description                = "Access to Azure Key Vault for core service functionality"
    access                     = "Allow"
    protocol                   = "Tcp"
    direction                  = "Outbound"
    priority                   = 260
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "AzureKeyVault"
    destination_port_range     = "443"
  }

  security_rule {
    name                       = "PublishDiagnosticsLogsMetricsEtc"
    description                = "Publish Diagnostics Logs and Metrics, Resource Health, and Application Insights"
    access                     = "Allow"
    protocol                   = "Tcp"
    direction                  = "Outbound"
    priority                   = 270
    source_address_prefix      = "VirtualNetwork"
    source_port_range          = "*"
    destination_address_prefix = "AzureMonitor"
    destination_port_ranges    = ["1886", "443"]
  }
}

# Virtual Network
resource "azurerm_virtual_network" "apim_vnet" {
  name                = "example-vnet-02"
  location            = azurerm_resource_group.apim_rg.location
  resource_group_name = azurerm_resource_group.apim_rg.name
  address_space       = ["10.0.0.0/16"]
}

# Subnet for APIM
resource "azurerm_subnet" "apim_subnet" {
  name                 = "apim-subnet"
  resource_group_name  = azurerm_resource_group.apim_rg.name
  virtual_network_name = azurerm_virtual_network.apim_vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Associate the NSG with the Subnet
resource "azurerm_subnet_network_security_group_association" "example_association" {
  subnet_id                 = azurerm_subnet.apim_subnet.id
  network_security_group_id = azurerm_network_security_group.apimnsg.id
}

# APIM Service in Internal Mode
resource "azurerm_api_management" "apim" {
  name                 = "example-apim-rkhan-02"
  location             = azurerm_resource_group.apim_rg.location
  resource_group_name  = azurerm_resource_group.apim_rg.name
  publisher_name       = "[email protected]"
  publisher_email      = "[email protected]"
  sku_name             = "Premium_1" # Premium tier with capacity 1; zones require the Premium tier
  virtual_network_type = "Internal"
  zones                = ["1", "2"]

  virtual_network_configuration {
    subnet_id = azurerm_subnet.apim_subnet.id
  }

  identity {
    type = "SystemAssigned"
  }
}

Debug Output/Panic Output

https://gist.github.com/razkha78/8989ada14eb674cff06fdc24e4194c16

Expected Behaviour

Should be able to deploy an APIM in Internal Mode with Zones without a Public IP Address; the Azure REST API does not require a public IP address. Here is the link to the documentation and the note:

https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2#prerequisites

Starting May 2024, a public IP address resource is no longer needed when deploying (injecting) an API Management instance in a VNet in internal mode or migrating the internal VNet configuration to a new subnet.

Actual Behaviour

Terraform deployment failed with the following error:

"`public_ip_address` must be specified when `zones` are provided"

Steps to Reproduce

terraform init
terraform plan -out my.plan
terraform apply my.plan

Important Factoids

No response

References

This line seems to be the issue.

return fmt.Errorf("`public_ip_address` must be specified when `zones` are provided")
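To make the two behaviours discussed above concrete (the check the error line enforces, and the relaxed behaviour the Expected Behaviour section argues for), here is an added Go illustration. It is not the provider's code and does not claim to match PR #27976; the `apimConfig` struct, the `validateCurrent`/`validateRelaxed` functions and the decision to keep the requirement only for `External` mode are assumptions made for this example. The real resource argument is `public_ip_address_id`, which is what the struct field models.

```go
package main

import (
	"errors"
	"fmt"
)

// apimConfig models only the azurerm_api_management arguments that matter for
// this check. Hypothetical type for illustration; not the provider's schema.
type apimConfig struct {
	VirtualNetworkType string   // "None", "External" or "Internal"
	Zones              []string // availability zones, e.g. {"1", "2"}
	PublicIPAddressID  string   // ID of an azurerm_public_ip, "" when omitted
}

var errPublicIPRequired = errors.New("`public_ip_address_id` must be specified when `zones` are provided")

// validateCurrent mirrors the shape of the check the issue points at: any
// zone-redundant deployment without a public IP is rejected, regardless of
// VNet mode. Illustration of the reported behaviour, not the provider's code.
func validateCurrent(c apimConfig) error {
	if len(c.Zones) > 0 && c.PublicIPAddressID == "" {
		return errPublicIPRequired
	}
	return nil
}

// validateRelaxed expresses the behaviour the report expects: internal-mode
// injection no longer needs a public IP resource, so the requirement is only
// enforced for external-mode deployments. Assumption: conditioning on
// "External" is this example's choice, not a documented provider rule.
func validateRelaxed(c apimConfig) error {
	if len(c.Zones) > 0 && c.PublicIPAddressID == "" && c.VirtualNetworkType == "External" {
		return errPublicIPRequired
	}
	return nil
}

func main() {
	// Constructed input matching the configuration in the issue: internal
	// mode, zones ["1", "2"], no public IP.
	internal := apimConfig{VirtualNetworkType: "Internal", Zones: []string{"1", "2"}}
	fmt.Println("current check:", validateCurrent(internal)) // rejected
	fmt.Println("relaxed check:", validateRelaxed(internal)) // <nil>

	// Constructed external-mode input, where the requirement still applies.
	external := apimConfig{VirtualNetworkType: "External", Zones: []string{"1"}}
	fmt.Println("relaxed check (external):", validateRelaxed(external)) // rejected
}
```

The point of keeping the error text identical in both functions is that only the condition changes: the relaxed form still refuses an external-mode, zone-redundant instance without a public IP, and simply stops demanding an internet-facing address for a deployment whose whole purpose is to stay private.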

sinbai added a commit to sinbai/terraform-provider-azurerm that referenced this issue Nov 11, 2024
sinbai added a commit to sinbai/terraform-provider-azurerm that referenced this issue Nov 12, 2024