
I'm trying to create an Azure Container Apps Environment through the AzAPI provider on Terraform.

The configuration I'm using is the following:

resource "azapi_resource" "aca_env" {
  type      = "Microsoft.App/managedEnvironments@2022-03-01"
  parent_id = azurerm_resource_group.rg.id       # existing resource group the environment is placed in
  location  = azurerm_resource_group.rg.location
  name      = var.ACA_ENV_NAME
  body = jsonencode({
    properties = {
      # Container logs go to an existing Log Analytics workspace
      appLogsConfiguration = {
        destination               = "log-analytics"
        logAnalyticsConfiguration = {
          customerId = azurerm_log_analytics_workspace.log.workspace_id
          sharedKey  = azurerm_log_analytics_workspace.log.primary_shared_key
        }
      }
      daprAIConnectionString = azurerm_application_insights.insights.connection_string
      # VNET integration: internal environment on a dedicated subnet
      vnetConfiguration = {
        internal               = true
        infrastructureSubnetId = azurerm_subnet.aca_subnet.id
        dockerBridgeCidr       = var.ACA_ENV_BRIDGE_CIDR
        platformReservedCidr   = var.ACA_ENV_RESERVED_CIDR
        platformReservedDnsIP  = var.ACA_ENV_RESERVED_DNS_IP
      }
    }
  })
  depends_on = [
    azurerm_subnet.aca_subnet
  ]
  response_export_values  = ["properties.defaultDomain", "properties.staticIp"]
  ignore_missing_property = true
}

When I try to execute this, I get the following error:

ErrorCode: ManagedEnvironmentResourceGroupDisallowedByPolicy, Message: Fail to create managed environment because resource group creation is disallowed by policy, refer to https://go.microsoft.com/fwlink/?linkid=2198255 for more detail.

My guess is that it's trying to create a resource group somehow. However, we require certain tags to be present on a resource group, which is probably failing.

The weird part is that even though this error happens, the Azure Container Apps environment is still created. Also, if I remove the VNET configuration, the environment is created without any errors.

The question is, why is it trying to create a resource group? I referenced one already in the parent_id attribute.

g00glen00b
  • This feels specific enough to your environment, and the error is from the Azure API as inferred by the Go bindings back to the provider, so you may need to post this on the provider tracker with an explanation of your environment. – Matthew Schuchard Oct 13 '22 at 12:42

2 Answers

This is a known issue tracked here:

For the moment, the proposed workaround is to add a policy assignment exception for resource groups that have the MC_ prefix and _{region} suffix.

Thomas
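One way to express that workaround in Terraform, as an added example that is not part of the answer above, of the linked issue, or of any Microsoft-provided policy: a custom "require a tag on resource groups" definition whose rule skips groups named MC_*_<region>, assigned at subscription scope. The tag name "cost-center", the region "westeurope", the variable name and every resource name are assumptions; the tag check itself mirrors the built-in "Require a tag on resource groups" policy.

```hcl
# Added example (not from the answer or from Microsoft). Assumed names:
# tag "cost-center", region "westeurope", and all resource/variable names.

variable "mc_region" {
  description = "Region suffix of the MC_ resource groups to exempt (assumed value)"
  type        = string
  default     = "westeurope"
}

data "azurerm_subscription" "current" {}

resource "azurerm_policy_definition" "require_rg_tag_except_mc" {
  name         = "require-rg-tag-except-mc"
  policy_type  = "Custom"
  mode         = "All" # "All" is needed so the rule is evaluated for resource groups
  display_name = "Require a tag on resource groups, except Container Apps MC_ groups"

  parameters = jsonencode({
    tagName = {
      type     = "String"
      metadata = { displayName = "Tag Name" }
    }
  })

  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "type", equals = "Microsoft.Resources/subscriptions/resourceGroups" },
        # Same tag-missing test as the built-in "Require a tag on resource groups" policy
        { field = "[concat('tags[', parameters('tagName'), ']')]", exists = "false" },
        # Exemption: do not deny groups named MC_*_<region>. like/notLike accept a
        # single wildcard, so the prefix and the suffix are matched separately.
        {
          not = {
            allOf = [
              { field = "name", like = "MC_*" },
              { field = "name", like = "*_${var.mc_region}" }
            ]
          }
        }
      ]
    }
    then = { effect = "deny" }
  })
}

resource "azurerm_subscription_policy_assignment" "require_rg_tag" {
  name                 = "require-rg-tag"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.require_rg_tag_except_mc.id

  parameters = jsonencode({
    tagName = { value = "cost-center" } # assumed tag name
  })
}
```

Two caveats before adopting this. The exemption is purely name-based, so anyone who can create resource groups can dodge the tag requirement by naming one MC_anything_westeurope; if the tag policy exists for cost attribution or compliance, pair it with a separate audit of MC_ groups that are not owned by a Container Apps environment. And the deny effect applies to every resource group created under the subscription, so test the assignment on a non-production subscription (or with effect "audit") before replacing an existing tag policy.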

Adding to @Thomas's answer with the reason. This is by design and requires customer action.

For security or compliance, your subscription administrators might assign policies that limit how resources are deployed. In this case, your policy prevents creating resources like public IP addresses or VMSS under the MC_ resource group.

Refer https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-policy-requestdisallowedbypolicy

JJ.