Skip to content

Preflight Validation - Unknown value #1022

New issue
New issue
Open
Open
Preflight Validation - Unknown value#1022
Labels
bugSomething isn't working
@JasonWhall

Description

@JasonWhall
JasonWhall
opened on Nov 24, 2025

When using AzApi provider to create an AI Foundry resource, I am sometimes observing the below error message when enabling pre-flight and running plan/apply:

│ POST https://management.azure.com/providers/Microsoft.Resources/validateResources
│ --------------------------------------------------------------------------------
│ RESPONSE 400: 400 Bad Request
│ ERROR CODE: ResourceValidationFailed
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "ResourceValidationFailed",
│     "message": "Resource validation failed, correlation id: 'fe43b4df-b9c3-a974-b65e-e7d4fd18c26a', see details for more information.",
│     "details": [
│       {
│         "code": "InvalidResourceProperties",
│         "message": "The 'properties' field is invalid,  error: 'Invalid/Bad format NetworkInjection.SubnetArmId [length('foo')]'."
│       }
│     ]
│   }
│ }
│ --------------------------------------------------------------------------------
│
╵

When inspecting the verbose logs, I can see on the request to the validate resources endpoint, a property is being set to an invalid value: "subnetArmId":"[length('foo')]"

Resource for reference:

resource "azapi_resource" "ai_foundry" {
  type                      = "Microsoft.CognitiveServices/accounts@2025-09-01"
  name                      = var.ai_foundry_name
  parent_id                 = var.resource_group_id
  location                  = var.location
  schema_validation_enabled = false
  tags                      = var.tags

  body = {
    kind = "AIServices",
    sku = {
      name = "S0"
    }
    identity = {
      type = "SystemAssigned"
    }

    properties = {
      disableLocalAuth       = true
      allowProjectManagement = true
      customSubDomainName    = var.ai_foundry_name
      publicNetworkAccess    = "Disabled"
      networkAcls = {
        defaultAction = "Deny"
        bypass        = "AzureServices"
      }

      # Enable VNet injection for Standard Agents
      networkInjections = [
        {
          scenario                   = "agent"
          subnetArmId                = var.agent_subnet_id
          useMicrosoftManagedNetwork = false
        }
      ]
    }
  }

  lifecycle {
    prevent_destroy = true
  }
}

Where var.agent_subnet_id is being passed in to the module from the earlier defined subnet resource azurerm_subnet.subnet_agent.id. Disabling preflight check allows creating the resources correctly so is a valid configuration.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions