Adding resources to dynamic scope

Varma 1,170

I know it might be out of scope but need your inputs on this.

how to add dynamic scope to existing maintenance configuration.

I have created maintenance configuration using terraform. here is the code for maintenance configuration:

provider "azurerm" {
  features {}
}
terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "=0.4.0"
    }
  }
}
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
# resource "azurerm_maintenance_configuration" "example" {
#   name                = "example-mc"
#   resource_group_name = azurerm_resource_group.example.name
#   location            = azurerm_resource_group.example.location
#   scope               = "InGuestPatch"
#   tags = {
#     Env = "prod"
#   }
  
# }
resource "azapi_resource" "vm_maintenance" {
  type      = "Microsoft.Maintenance/maintenanceConfigurations@2021-09-01-preview"
  name      = "vm-mc"
  parent_id = "/subscriptions/XXXX/resourceGroups/example-resources"
  location  = azurerm_resource_group.example.location
  body = jsonencode({
    properties = {
      visibility          = "Custom"
      namespace           = "Microsoft.Maintenance"
      maintenanceScope    = "InGuestPatch"
      extensionProperties = {
        "InGuestPatchMode" = "User"
      }
      maintenanceWindow = {
        startDateTime      = formatdate("YYYY-MM-DD 17:30", timestamp())
        expirationDateTime = null
        duration           = "PT3H30M"
        timeZone           = "Eastern Standard Time"
        recurEvery         = "120Hour"
      }
      installPatches = {
        linuxParameters = {
          classificationsToInclude  = ["Critical", "Security", "Other"]
          packageNameMasksToExclude = null
          packageNameMasksToInclude = null
        }
        windowsParameters = {
          classificationsToInclude = ["Critical", "Security" , "UpdateRollup", "FeaturePack" , "ServicePack", "Definition" ,"Tools", "Updates"  ]
          kbNumbersToExclude       = null
          kbNumbersToInclude       = null 
        }
        rebootSetting = "RebootIfRequired"
      }
    }
  })
}
resource "azapi_resource" "vm_maintenance_assignment" {
  type      = "Microsoft.Maintenance/configurationAssignments@2021-09-01-preview"
  name      = "vm--mca"
  parent_id = "/subscriptions/XXX/resourceGroups/example-resources/providers/Microsoft.Compute/virtualMachines/test1"
  location  = "East US 2"
  body = jsonencode({
    properties = {
      maintenanceConfigurationId = azapi_resource.vm_maintenance.id
    }
  })
}

and I am trying to follow to add a dynamic scope to above mainteance configuration but where to begin and how to provide input values

https://learn.microsoft.com/en-us/azure/templates/microsoft.maintenance/configurationassignments?pivots=deployment-language-terraform

1 answer

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-26T08:22:52.5866667+00:00
Hi,

The answer to this question is no different than the one for this one Error: Bicep deployment of maintenance configuration + dynamic scope for Update Manager just the language differs but when using AzAPI the properties part is the same or similar. Most important is that dynamic scope is basically Microsoft.Maintenance/configurationAssignments resource but deployed at subscription scope. Direct assignments are the same resource but they are scoped to the VM/Arc server where dynamic scope is a resource that is deployed at subscription scope. When at that scope it has different properties:

maintenanceConfigurationId - the value is the resource ID of the maintenance configuration.

resourceId - the value is the subscription resource ID where the dynamic scope is deployed.

filter - The value is if you want to provide any filter to your dynamic scope like specific locations, OS types, resource groups, resource types or tags.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Varma 1,170 Reputation points

2024-04-26T08:51:15.97+00:00

Hi Stansislav,

What should be given at parent ID?

Please provide steps to get parent id, resource id and maintenance configuration id from portal, because i am still getting error

Looking Forword to get response from you

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-26T09:52:17.75+00:00

Try with parent id the subscription ID. As I have mentioned this is subscription scope resource, not resource group one. Also do not add things like "string". If you do not add valid values just do not add anything and have it as empty array,

Varma 1,170 Reputation points

2024-04-27T11:02:23.36+00:00

Hi Sanislav,

whatever region I have provided in the below highlighted section it is not taking at all for dynamic resource block. as below highlighted. could you please suggest on this what region to be given?

Looking Forword for your response, thank you.

Error: creating/updating "Resource: (ResourceId "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5//providers/Microsoft.Maintenance/configurationAssignments/dynamicscope" / Api Version "2023-04-01")": PUT https://management.azure.com/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5//providers/Microsoft.Maintenance/configurationAssignments/dynamicscope

│ --------------------------------------------------------------------------------

│ RESPONSE 400: 400 Bad Request

│ ERROR CODE UNAVAILABLE

│ --------------------------------------------------------------------------------

│ {

│ "Error": {

│ "Code": "InvalidResourceLocation",

│ "Message": "Region not supported centralus, Resource: /subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5"

│ }

│ }

│ --------------------------------------------------------------------------------

│

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-27T12:17:28.5066667+00:00

Location is not needed if I remember.

Varma 1,170 Reputation points

2024-04-27T12:57:48.0766667+00:00

HI Sanislav,

I some how get rid of bad reques scope error, now i am seeing parent id error expected message as below even though i have given subscription id as per you suggestion and also tried with resource group id as well, nothing working and give error as below

╷

│ Error: parent_id is invalid, expect id of Microsoft.Maintenance/configurationAssignments

│

│ with azapi_resource.symbolicname,

│ on main.tf line 91, in resource "azapi_resource" "symbolicname":

│ 91: resource "azapi_resource" "symbolicname" {

Varma 1,170 Reputation points

2024-04-27T13:47:49.1033333+00:00

Hi Sanislav,

I have edited the above comment, could you please suggest on that. looking forword for your response, thank you.

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-28T15:52:15.23+00:00

Why have you changed the type to Microsoft.Maintenance/configurationAssignments/dynamicscope@2023-04-01. Where did you get that resource type from? There is no such resource type. The resource type is documented on the link that you have provided in your question. Additionally if the subscription ID does not work for parent_id may be there is no parent_id property at all. As I have mentioned before this is subscription scope resource, not a resource that you put in resource group. I do not know the details of AzAPI usage but seeing the example to create resource group, which is also subscription scope resource without parent_id that is my conclusion.

Varma 1,170 Reputation points

2024-04-29T07:35:34.85+00:00

Hi Stanislav,

I have resource group and then I have maintence configuration so now I want to add dynamic scope for that resource group ( it has 1 vm) now please tell me what are details I should provide in below template?

resource "azapi_resource" "symbolicname" { type = "Microsoft.Maintenance/configurationAssignments@2023-04-01" schema_validation_enabled = false name = "dynamicscope" parent_id = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/" body = jsonencode({ properties = { filter = { osTypes = [ "Windows" ] resourceGroups = [ "DS" ] resourceTypes = [ "Microsoft.Compute/virtualMachines" ] tagSettings = { filterOperator = "" tags = {} } } maintenanceConfigurationId = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/resourcegroups/rga/providers/microsoft.maintenance/maintenanceconfigurations/mca" resourceId = "93048f2d-2d0f-44cc-b12c-4df25a3c5ff5" } })

Error:

│ Error: creating/updating "Resource: (ResourceId "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5//providers/Microsoft.Maintenance/configurationAssignments/dynamicscope" / Api Version "2023-04-01")": PUT https://management.azure.com/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5//providers/Microsoft.Maintenance/configurationAssignments/dynamicscope

│ --------------------------------------------------------------------------------

│ RESPONSE 400: 400 Bad Request

│ ERROR CODE UNAVAILABLE

│ --------------------------------------------------------------------------------

│ {

│ "Error": {

│ "Code": "BadRequest",

│ "Message": "Invalid scope"

│ }

│ }

│ --------------------------------------------------------------------------------

│

│

│ with azapi_resource.symbolicname,

│ on main.tf line 113, in resource "azapi_resource" "symbolicname":

│ 113: resource "azapi_resource" "symbolicname" {

│

what details I am giving wrong?

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-30T05:25:12.4033333+00:00

Hi,

Several times I have mentioned that dynamic scope as a resource is subscription scope resource. I am not sure how to explain it in another way.

Varma 1,170 Reputation points

2024-04-30T06:11:02.0266667+00:00

Hi Stanislav,

I understood. it is a subscription level resource.

But when we create manually from azure portal, you will have option to select subscription and then filter through resource group, tags, resource type etc.

my question here is where i should give subscription id, what I am doing wrong?

I have ready maintenance configuration is in place. and I have VM in rg

now could you please tell me where to give subscription , resource group details in above dynamic scope template?

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-30T07:41:35.06+00:00

I am copying my previous response:

"Additionally if the subscription ID does not work for parent_id may be there is no parent_id property at all. As I have mentioned before this is subscription scope resource, not a resource that you put in resource group. I do not know the details of AzAPI usage but seeing the example to create resource group, which is also subscription scope resource without parent_id that is my conclusion."

On the filtering part the filters are clearly explained:

osTypes - Windows or Linux or both

resourceGroups - resource group names

resourceTypes - Microsoft.Compute/virtualMachines or Microsoft.HybridCompute/machines or both tagSettings - filter on tags with values.

From the original response:

" maintenanceConfigurationId - the value is the resource ID of the maintenance configuration. resourceId - the value is the subscription resource ID where the dynamic scope is deployed."

Varma 1,170 Reputation points

2024-04-30T08:40:30.3733333+00:00

HI Stanislav,

Here is my observation:

Case1: When I did not give parent iD:

parented--> i commented and i did not give this then below is the error:

PS I:\Terraform1\hashicorp-certified-terraform-associate-on-azure\test> terraform apply --auto-approve

╷

│ Error: Missing required argument

│

│ on main.tf line 113, in resource "azapi_resource" "symbolicname":

│ 113: resource "azapi_resource" "symbolicname" {

│

│ The argument "parent_id" is required, but no definition was found.

Case2: When I gave parent ID which is subscription id:

│ Error: creating/updating "Resource: (ResourceId "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5//providers/Microsoft.Maintenance/configurationAssignments/dynamicscope" / Api Version "2023-04-01")": PUT https://management.azure.com/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5//providers/Microsoft.Maintenance/configurationAssignments/dynamicscope

│ --------------------------------------------------------------------------------

│ RESPONSE 400: 400 Bad Request

│ ERROR CODE UNAVAILABLE

│ --------------------------------------------------------------------------------

│ {

│ "Error": {

│ "Code": "BadRequest",

│ "Message": "Invalid scope"

│

Case 3: when I gave only subscription id as below:

│ ERROR CODE: MissingSubscription

│ --------------------------------------------------------------------------------

│ {

│ "error": {

│ "code": "MissingSubscription",

│ "message": "The request did not have a subscription or a valid tenant level resource provider."

│ }

│ }

│ --------------------------------------------------------------------------------

│

│

│ with azapi_resource.symbolicname,

│ on main.tf line 113, in resource "azapi_resource" "symbolicname":

│ 113: resource "azapi_resource" "symbolicname" {

In call above cases I have been using as below for maintenance id and resource id:

maintenanceConfigurationId = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/resourcegroups/rga/providers/microsoft.maintenance/maintenanceconfigurations/mca" resourceId = "93048f2d-2d0f-44cc-b12c-4df25a3c5ff5"

Now could you please suggest further. what is missing?

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-30T10:12:30.1+00:00

"resourceId - the value is the subscription resource ID where the dynamic scope is deployed."

Subscription ID (93048f2d-2d0f-44cc-b12c-4df25a3c5ff5) and resource subscription ID (/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5) are two different things.

Try fixing that.

Varma 1,170 Reputation points

2024-04-30T10:55:50.9266667+00:00

Hi Stanislav,

I tried all possible cases providing subscription id in place of parent_id but still ending up with following error. I tried also til resource group. but that line is giving error.

Please suggest further.

╷

│ Error: creating/updating "Resource: (ResourceId "(/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5)/providers/Microsoft.Maintenance/configurationAssignments/dynamicscope" / Api Version "2023-04-01")": PUT https://management.azure.com/(/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5)/providers/Microsoft.Maintenance/configurationAssignments/dynamicscope

│ --------------------------------------------------------------------------------

│ RESPONSE 404: 404 Not Found

│ ERROR CODE: MissingSubscription

│ --------------------------------------------------------------------------------

│ {

│ "error": {

│ "code": "MissingSubscription",

│ "message": "The request did not have a subscription or a valid tenant level resource provider."

│ }

│ }

│ --------------------------------------------------------------------------------

│

│

│ with azapi_resource.symbolicname,

│ on main.tf line 113, in resource "azapi_resource" "symbolicname":

│ 113: resource "azapi_resource" "symbolicname" {

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-30T13:05:09.64+00:00

As mentioned several times now the resourceId property must contain the subscription resource id. even on the last screenshot that value is not correct.

Varma 1,170 Reputation points

2024-04-30T14:02:33+00:00

HI Stanislav,

in that case, can you give me what is that subscription resource id? and can you please paste here so that I will use same.

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-30T14:18:10.7133333+00:00

I already gave you that in the previous replies:

"Subscription ID (93048f2d-2d0f-44cc-b12c-4df25a3c5ff5) and resource subscription ID (/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5) are two different things."

Not sure how to explain it better. A subscription resource ID is not GUID only, it is a path like any other resource ID. It is like /subscription/<subscription ID> where <subscription ID> is the ID of the subscription. Mockup example:

/subscription/11aa93b0-ec03-4ebc-9856-157db0ffaf58

Varma 1,170 Reputation points

2024-04-30T14:41:05.97+00:00

Hi Stanislav,

I have tried as per your suggestion. Please see below

Case 1 : with out bracket

│ ERROR CODE: MissingSubscription

│ --------------------------------------------------------------------------------

│ {

│ "error": {

│ "code": "MissingSubscription",

│ "message": "The request did not have a subscription or a valid tenant level resource provider."

│ }

│ }

│ --------------------------------------------------------------------------------

│

│

│ with azapi_resource.symbolicname,

│ on main.tf line 113, in resource "azapi_resource" "symbolicname":

│ 113: resource "azapi_resource" "symbolicname" {

│

and case 2: with bracket:

│ ERROR CODE: MissingSubscription

│ --------------------------------------------------------------------------------

│ {

│ "error": {

│ "code": "MissingSubscription",

│ "message": "The request did not have a subscription or a valid tenant level resource provider."

│ }

│ }

│ --------------------------------------------------------------------------------

│

│

│ with azapi_resource.symbolicname,

│ on main.tf line 113, in resource "azapi_resource" "symbolicname":

│ 113: resource "azapi_resource" "symbolicname" {

I am not sure what is wrong with parent ID, I tried both above cases, but it not working may be it could be bug? or may am I still missing something?

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-04-30T17:57:22.0566667+00:00

parent_Id property is different from resourceId property. Two different properties. Several times I have mentioned that resourceId is not correct:

Varma 1,170 Reputation points

2024-05-01T06:05:43.1966667+00:00

Hi Stanislav,

I have corrected resource id, still I got error. if it is wrong, that means I did not get it correctly.

If it is wrong, Could you please fill up below details , so that I will use same thing:

parent_id = < PLEASE FILL UP and I will use same. >

resource id= < PLEASE FILL UP and I will use same. >

maintenanceconfiguraitonid =< PLEASE FILL UP and I will use same. >

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-05-01T14:27:48.7+00:00

Again, mentioned several times that your value for resourceId is not correct. It needs to be the resource ID of the subscription, not the subscription ID. From your last screenshot provide the same value for resourceId with the one that you have for parent_id. I cannot fill these as these are values specific for your environment. Also you should not be exposing your subscription ID as that is sensitive information.

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-05-01T14:32:14.9833333+00:00

Please read carefully the information I am providing otherwise it is hard to help.

Varma 1,170 Reputation points

2024-05-03T09:35:04.79+00:00

HI Stanislav,

I have read carefully, here is the information you have given

parent id ==> subscription id ===> it is subscritpion scope resource

" maintenanceConfigurationId - the value is the resource ID of the maintenance configuration.

resourceId - the value is the subscription resource ID where the dynamic scope is deployed."

" maintenanceConfigurationId - the value is the resource ID of the maintenance configuration.

resourceId - the value is the subscription resource ID where the dynamic scope is deployed."

"resourceId - the value is the subscription resource ID where the dynamic scope is deployed."

Subscription ID (93048f2d-2d0f-44cc-b12c-4df25a3c5ff5)

resource subscription ID (/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5) are two different things.

now.

since parent id is the subscription level resource id: i have given subscription id below in parent id. is that wrong?

You know what I am trying to do, and I have done exactly as you said. if I am wrong this time. can you please

please fill the values or please share me screenshots. or point me where to navigate to fetch those ids

resource "azapi_resource" "symbolicname" { type = "Microsoft.Maintenance/configurationAssignments@2023-04-01" schema_validation_enabled = false name = "dynamicscope" parent_id = "/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5" body = jsonencode({ properties = { filter = { osTypes = [ "Windows" ] resourceGroups = [ "DS" ] resourceTypes = [ "Microsoft.Compute/virtualMachines" ] tagSettings = { filterOperator = "" tags = {} } } maintenanceConfigurationId = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/resourcegroups/rgvm/providers/microsoft.maintenance/maintenanceconfigurations/example-mc" resourceId = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5" } }) }

Error:

│ "error": {

│ "code": "MissingSubscription",

│ "message": "The request did not have a subscription or a valid tenant level resource provider."

│ }

│ }

│ --------------------------------------------------------------------------------

│

│

│ with azapi_resource.symbolicname,

│ on main.tf line 82, in resource "azapi_resource" "symbolicname":

│ 82: resource "azapi_resource" "symbolicname" {

Stanislav Zhelyazkov 21,336 Reputation points MVP

2024-05-03T12:33:07.03+00:00

Why every time you change some values? Now resourceId is correct but parent_ID is not. parent_id and resourceId should have the same value and it is the value of resourceId from your last post that is correct.
Sign in to comment