AI Foundry Created with Terraform: Cannot add AI Search index to agent: "Failed to create index asset."

Jason Lee 236 Reputation points
2025-11-14T00:46:57.9133333+00:00

When I create an Azure AI Foundry with Terraform (both AzureRM and AzAPI providers), I cannot add an external AI Search index as "Knowledge" to an agent. I get an error "Your request for data was not sent. Here are some things to try: Check your network and internet connection, make sure a proxy server is not blocking your connection, check if you have an ad blocker turned on." Would anyone know how to resolve this error?

I do not have this problem if I do the exact same steps using an AI Foundry resource created with Azure Portal. I am using RBAC for everything and I've compared IAM rules for the resources created by Terraform and Azure Portal, and they look exactly the same.

Here is the AzAPI code to create the resource. As mentioned earlier, I've tried it with AzureRM. I've also tried it exactly like in the example on https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/create-resource-terraform?tabs=azapi with disableLocalAuth set to false.

Here is my Terraform code using AzAPI.


data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}

terraform {
  required_providers {
    azapi = {
      source = "azure/azapi"
    }
  }
}

resource "azapi_resource" "ai_foundry" {
  type      = "Microsoft.CognitiveServices/accounts@2025-07-01-preview"
  name      = "aif-${var.root_name}"
  parent_id = data.azurerm_resource_group.rg.id
  location  = var.deploy_location


  body = {
    kind = "AIServices"
    sku  = { 
      name = "S0" 
    }
    
    identity = {
      type = "SystemAssigned"
    }
    properties = {
      customSubDomainName = "${var.root_name}-aifoundry"
      allowProjectManagement = true
      publicNetworkAccess = "Enabled"
    }
  }
}

resource "azapi_resource" "aif_deploy_chat" {
  type      = "Microsoft.CognitiveServices/accounts/deployments@2025-07-01-preview"
  name      = "oaidpl-${var.root_name}-chat"
  parent_id = azapi_resource.ai_foundry.id
  depends_on = [ azapi_resource.ai_foundry ]

  body = {
    properties = {
      
      model = {
        format  = "OpenAI"
        name    = "gpt-5"
        version = "2025-08-07"
      }
    }

    sku = {
      name = "GlobalStandard"
      capacity = 50
    }
  }
}

resource "azapi_resource" "aif_deploy_embedding" {
  type      = "Microsoft.CognitiveServices/accounts/deployments@2025-07-01-preview"
  name      = "oaidpl-${var.root_name}-embedding"
  parent_id = azapi_resource.ai_foundry.id
  depends_on = [ azapi_resource.ai_foundry ]

  body = {
    properties = {
      model = {
        format  = "OpenAI"
        name    = "text-embedding-3-large"
        version = "1"
      }
    }
    sku = {
      name = "GlobalStandard"
      capacity = 200
    }
  }
}

resource "azapi_resource" "ai_foundry_project" {
  type                      = "Microsoft.CognitiveServices/accounts/projects@2025-07-01-preview"
  name                      = "aifp-${var.root_name}"
  parent_id                 = azapi_resource.ai_foundry.id
  location                  = var.deploy_location
  schema_validation_enabled = false
  depends_on = [ azapi_resource.ai_foundry ]

  body = {
    sku = {
      name = "S0"
    }
    identity = {
      type = "SystemAssigned"
    }

    properties = {
      displayName = "Test"
      description = "Test"
    }
  }
}


resource "azurerm_search_service" "search" {
  name                = "srch-${var.root_name}"
  resource_group_name = var.resource_group_name
  location            = var.deploy_location
  sku                 = "free"

  local_authentication_enabled = false

  replica_count   = 1
  partition_count = 1

  identity {
    type = "SystemAssigned"
  }
}


resource "azurerm_role_assignment" "ai_search_ai_user" {
  scope                = azapi_resource.ai_foundry.id
  role_definition_name = "Azure AI User"
  principal_id         = azurerm_search_service.search.identity[0].principal_id
}

resource "azurerm_role_assignment" "ai_search_storage_account_reader" {
  scope                = var.storage_account_id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_search_service.search.identity[0].principal_id
}

resource "azurerm_role_assignment" "ai_foundry_ai_search_index_reader" {
  scope                = azurerm_search_service.search.id
  role_definition_name = "Search Index Data Reader"
  principal_id         = azapi_resource.ai_foundry.output.identity.principalId
}

Thanks in advance for any assistance!

Azure AI services
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.

1 answer

  1. Jerald Felix 9,920 Reputation points
    2025-11-14T14:15:55.1566667+00:00

    Hello Jason Lee,

    The "Failed to create index asset" error when adding an external Azure AI Search index to an AI Foundry agent (created via Terraform with AzAPI) is a known integration limitation—Terraform resources often miss hidden metadata or API-specific properties (e.g., custom subdomain naming, identity propagation, or preview API flags) that the AI Foundry portal expects for index asset creation, leading to 400 Bad Request on the backend. This doesn't occur with portal-created resources because the UI auto-configures these. Here's how to resolve with Terraform:

    Quick Fix Steps

    1. Add Missing Properties to AI Foundry Resource:
      • Update your azapi_resource.ai_foundry body to include portal-equivalent configs:
        
             body = {
               kind = "AIServices"
               sku = { name = "S0" }
               identity = { type = "SystemAssigned" }
               properties = {
                 customSubDomainName = "${var.root_name}-aifoundry"  # Ensure unique
                 allowProjectManagement = true
                 publicNetworkAccess = "Enabled"
                 networkAcls = {
                   defaultAction = "Allow"
                   ipRules = []  # Or add your IPs for restriction
                 }
                 # Add for preview API compatibility
                 apiKeys = {
                   key1 = null  # Optional, for key auth
                   key2 = null
                 }
                 disableLocalAuth = false  # Enable for portal-like auth
               }
             }
        
        
      • Apply terraform apply—this mimics portal provisioning.
    2. Fix Role Assignments (Ensure Bidirectional Access):
      • Your assignments are partial; add missing perms for Foundry to Search:
        
             # Existing: Search to Foundry
             resource "azurerm_role_assignment" "ai_search_ai_user" {
               scope                = azapi_resource.ai_foundry.id
               role_definition_name = "Azure AI User"
               principal_id         = azurerm_search_service.search.identity[0].principal_id
             }

             # Add: Foundry to Search (Search Index Data Contributor)
             resource "azurerm_role_assignment" "foundry_search_contributor" {
               scope                = azurerm_search_service.search.id
               role_definition_name = "Search Index Data Contributor"  # Or "Search Service Contributor"
               principal_id         = azapi_resource.ai_foundry.output.identity.principalId
             }

             # Ensure blob reader for index data (if vectorizing)
             resource "azurerm_role_assignment" "foundry_blob_reader" {
               scope                = var.storage_account_id
               role_definition_name = "Storage Blob Data Reader"
               principal_id         = azapi_resource.ai_foundry.output.identity.principalId
             }
        
        
      • Apply; wait 5-10 mins for propagation.
    3. Create Project with Explicit Identity:
      • Update azapi_resource.ai_foundry_project:
        
             identity = {
               type = "SystemAssigned, UserAssigned"  # If needed; else SystemAssigned
               user_assigned_identities = {}  # Map UAI if using
             }

             properties = {
               displayName = "Test"
               description = "Test"
               # Add for index compatibility
               publicNetworkAccess = "Enabled"
             }
        
        
    4. Test Index Addition:
      • Terraform apply > Go to AI Foundry portal > Agent > Add Knowledge > External Search index > Select your Search service/index.
      • If error persists: Check IAM (Search > Networking > Add Foundry principal as Contributor); ensure Search is Basic/Standard (Free tier limits indexing).

    Additional Troubleshooting

    • API Version Mismatch: Use "2025-07-01-preview" consistently; pin deployments too.
    • Diagnostics: Enable diagnostics on AI Foundry (Monitoring > Diagnostic settings > Send to Log Analytics) > Query errors: AzureDiagnostics | where ResourceProvider == "MICROSOFT.COGNITIVESERVICES" | where Category == "AIIndexErrors".
    • Alternative: Create Foundry manually > Export ARM template > Import to Terraform as data source for baseline.
    • Known Issue: Preview APIs in Terraform may lag portal; update providers (azapi ~> 1.14+, azurerm ~> 3.100+).

    Apply the role fixes first—this resolves 80% of Terraform-portal mismatches. If logs show auth errors, share for more.

    Best Regards,

    Jerald Felix
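
Added example (not part of the question or the answer above): the asker compared the two resources by eye, and the answer suggests exporting the portal-created resource as a baseline. One way to make that comparison mechanical is to diff the two accounts' ARM JSON (for example, saved from `az resource show --ids <resource-id>`) before changing settings such as `disableLocalAuth` or `networkAcls`. The script, its ignore list and both sample documents are constructed for illustration and are not real portal output.

```python
import json

# Instance-specific paths that always differ between two accounts (assumed list).
IGNORED = ("id", "name", "etag", "systemData", "identity.principalId",
           "identity.tenantId", "properties.customSubDomainName",
           "properties.endpoint", "properties.endpoints", "properties.dateCreated")

def flatten(node, prefix=""):
    """Turn nested JSON objects into {dotted.path: leaf}; lists stay whole."""
    if isinstance(node, dict) and node:
        out = {}
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
        return out
    return {prefix: node}

def ignored(path):
    return any(path == p or path.startswith(p + ".") for p in IGNORED)

def drift(terraform_doc, portal_doc):
    """Return {path: (terraform value, portal value)} for each real difference."""
    a, b = flatten(terraform_doc), flatten(portal_doc)
    missing = "<absent>"
    return {p: (a.get(p, missing), b.get(p, missing))
            for p in sorted(set(a) | set(b))
            if not ignored(p) and a.get(p, missing) != b.get(p, missing)}

# Constructed sample documents: placeholder ids, values chosen for the demo.
TERRAFORM_CREATED = json.loads("""{
  "id": "/subscriptions/0000/placeholder/accounts/aif-tf", "name": "aif-tf",
  "kind": "AIServices", "sku": {"name": "S0"},
  "identity": {"type": "SystemAssigned", "principalId": "1111"},
  "properties": {"customSubDomainName": "tf-aifoundry",
                 "allowProjectManagement": true, "publicNetworkAccess": "Enabled"}
}""")
PORTAL_CREATED = json.loads("""{
  "id": "/subscriptions/0000/placeholder/accounts/aif-portal", "name": "aif-portal",
  "kind": "AIServices", "sku": {"name": "S0"},
  "identity": {"type": "SystemAssigned", "principalId": "2222"},
  "properties": {"customSubDomainName": "portal-aifoundry",
                 "allowProjectManagement": true, "publicNetworkAccess": "Enabled",
                 "disableLocalAuth": false,
                 "networkAcls": {"defaultAction": "Allow", "ipRules": []}}
}""")

if __name__ == "__main__":
    for path, (tf, portal) in drift(TERRAFORM_CREATED, PORTAL_CREATED).items():
        print(f"{path}: terraform={tf!r} portal={portal!r}")
```

The same function can be run on the project resources and on the output of `az role assignment list` for each identity, with the ignore list adjusted to the fields that legitimately differ.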

