Description
In the documentation for the azapi_resource Data Source, the page indicates that the Data Source supports a retry block, and documents the structure of such a retry block.
This tf is a module I have created based on the documented syntax of the azapi_resource Data Source, which keeps retrying until the resource can be read, or a timeout limit is reached:
```hcl
terraform {
  required_version = ">=1.11.1"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=4.38.1, <5.0"
    }
    azapi = {
      source  = "Azure/azapi"
      version = ">=2.8.0, <3.0"
    }
  }
}

variable "subscription_id" {
  description = "The ID of the subscription in which the DNS policy remediation is created"
  type        = string
}

variable "dns_policy_assignment_name" {
  description = "The Name of the DNS Policy Assignment"
  type        = string
  default     = "Custom - Central DNS for Private Endpoints"
}

variable "private_endpoint_name" {
  description = "The name of the Private Endpoint resource the DNS policy remediation is being created for."
  type        = string
}

variable "private_endpoint_rg_name" {
  description = "The name of the Resource Group that contains the private endpoint resource the DNS policy remediation is being created for."
  type        = string
}

data "azurerm_subscription" "spoke" {
  subscription_id = var.subscription_id
}

data "azurerm_policy_assignment" "spoke_policy_assignment" {
  name     = var.dns_policy_assignment_name
  scope_id = data.azurerm_subscription.spoke.id
}

data "azurerm_private_endpoint_connection" "pep" {
  name                = var.private_endpoint_name
  resource_group_name = var.private_endpoint_rg_name
}

resource "azurerm_resource_policy_remediation" "pep_dns_remediation" {
  name                 = join("-", [var.private_endpoint_name, "rem"])
  resource_id          = data.azurerm_private_endpoint_connection.pep.id
  policy_assignment_id = data.azurerm_policy_assignment.spoke_policy_assignment.id
}

data "azapi_resource" "pep_dns_zone_group" {
  type      = "Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-11-01"
  name      = "default"
  parent_id = data.azurerm_private_endpoint_connection.pep.id
  timeouts {
    read = "20m"
  }
  retry {
    error_message_regex  = ["."]
    interval_seconds     = 30
    max_interval_seconds = 180
  }
  depends_on = [azurerm_resource_policy_remediation.pep_dns_remediation]
}
```

When I attempt to run this terraform, I get the error:

```text
│
│ Error: Unsupported block type
│
│ on ../../modules/az-wait-for-dns/main.tf line 28, in data "azapi_resource" "pep_dns_zone_group":
│ 28: retry {
│
│ Blocks of type "retry" are not expected here. Did you mean to define
│ argument "retry"? If so, use the equals sign to assign it a value.
```
I would like the azapi_resource Data Source to support the retry block, just like the azapi_resource Resource does.
Here is why:
- I need to know when a resource (a Private DNS Zone Group) is created by an external asynchronous process (an Azure Tenant Scoped Policy).
The above code creates a Policy Remediation resource to more quickly move along the policy action that creates a Private DNS Zone entry (in a centralized Private DNS Zone resource I have no permissions on), and then once that Private DNS Zone Entry is created creates the Zone Group resource that I am creating a Data Source for.
The above module was created to provide a Key Vault Secret resource block some resource dependency that can be used to synchronize the creation of dependent data plane child resources (the Key Vault Secrets) with the availability of the parent (Key Vault) data plane API endpoint. This synchronization is needed because of centrally managed Private DNS Zones, which are only created by external automation, instead of the direct resource dependency that might exist if the Private DNS Zone entries for the Key Vault Private Endpoint were being created by the same code that creates the Key Vault, its Private Endpoint, and the Key Vault Secrets.
In my use case I have code that creates a Key Vault with public access disabled, and creates a private endpoint for the Key Vault, and then needs to store some secrets (also created in the code) in the Key Vault. The resource block for the Key Vault Secret will have a depends_on clause, depending on the above module code, because the Secret can only be created once the asynchronous Azure Policy action completes and the Private DNS Zone resolution for the Private Endpoint is working. Attempting to create the Secret before the Private DNS Zone resolution is working results in failed Secret creation due to the inability to reach the Key Vault Data Plane API endpoint.
The intended behaviour of the above module code is to:
- return if the DNS Zone Group resource is created indicating that Private DNS Zone lookup of the Key Vault is expected to be working
- fail upon reaching a timeout (20 minutes) as for some reason the Azure Policy did not create the Private DNS Zone Entry, nor subsequently the DNS Zone Group resource.
This lets the resource block for the Key Vault Secrets depend on the above module and so it will run only when the module successfully completes which indicates DNS is expected to be working, or fails and alerts me to some unexpected situation, if the timeout value is reached.
If the Retry block support could be added to the azapi_resource Data Source implementation, then combined with the existing timeouts block, the above module should work to allow me to create the correct dependency structure for the Key Vault Secret resource.
Adding this capability to the azapi_resource Data Source is in my mind the cleanest way to solve this general problem of needing to know when an externally created resource is ready. It lets my pipeline automatically synchronize with external automation.
If upon analyzing the argument I presented here, it is decided not to implement the Retry block for the azapi_resource Data Source as it already is for the azapi_resource Resource, then it should be noted that the Data Source documentation should be updated to remove the Retry block as supported syntax for the azapi_resource Data Source, since I created the above code based on that documentation, and was then gravely disappointed to find out the implementation does not match the documentation.
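To make the retry semantics the issue depends on concrete, here is an added Python model (not part of the issue and not the azapi provider's code) of a read that is retried with a growing, capped interval until a hard read timeout, run against a simulated resource that appears only after an external process finishes. The `interval_seconds = 30`, `max_interval_seconds = 180`, `error_message_regex = ["."]` and 20-minute timeout values come from the module above; the growth factor of 1.5, the virtual clock and the error texts are assumptions made for the example.

```python
import re
from dataclasses import dataclass


class ProviderError(Exception):
    """Constructed stand-in for any error the provider returns from a read."""


class RetryTimeout(Exception):
    """Raised when the resource is still unreadable at the read deadline."""
    def __init__(self, attempts, elapsed):
        super().__init__(f"gave up after {attempts} attempts and {elapsed:g}s")
        self.attempts = attempts
        self.elapsed = elapsed


@dataclass
class RetryPolicy:
    error_message_regex: list[str]        # only errors matching a pattern are retried
    interval_seconds: float = 30.0        # first wait between attempts
    max_interval_seconds: float = 180.0   # cap on the growing wait
    multiplier: float = 1.5               # growth factor (assumed; not listed in the issue)


class FakeClock:
    """Virtual time so the schedule can be inspected without real sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def wait_for_resource(read, policy, timeout_seconds, clock, sleep):
    """Call read() until it succeeds. Errors matching the policy are retried with
    capped exponential backoff; the last attempt lands exactly at the deadline.
    Returns (value, attempts, elapsed_seconds)."""
    patterns = [re.compile(p) for p in policy.error_message_regex]
    start = clock()
    deadline = start + timeout_seconds
    interval = policy.interval_seconds
    attempts = 0
    while True:
        attempts += 1
        try:
            return read(), attempts, clock() - start
        except Exception as exc:
            if not any(p.search(str(exc)) for p in patterns):
                raise  # not a transient error under this policy: surface it at once
            remaining = deadline - clock()
            if remaining <= 0:
                raise RetryTimeout(attempts, clock() - start) from exc
            sleep(min(interval, remaining))
            interval = min(interval * policy.multiplier, policy.max_interval_seconds)


def fake_reader(clock, ready_at, error):
    """Simulated read of the zone group: fails with `error` until virtual time `ready_at`."""
    def read():
        if clock() < ready_at:
            raise ProviderError(error)
        return {"name": "default", "provisioningState": "Succeeded"}
    return read


NOT_FOUND = "ResourceNotFound: privateDnsZoneGroups 'default' was not found"  # constructed
AUTH_FAILED = "AuthorizationFailed: the caller lacks read permission"           # constructed
PEP_POLICY = RetryPolicy(error_message_regex=["."], interval_seconds=30, max_interval_seconds=180)
READ_TIMEOUT = 20 * 60  # the module's timeouts { read = "20m" }


def demo_ready_after(ready_at):
    """External automation finishes at `ready_at`; returns (value, attempts, elapsed)."""
    clock = FakeClock()
    return wait_for_resource(fake_reader(clock, ready_at, NOT_FOUND),
                             PEP_POLICY, READ_TIMEOUT, clock, clock.sleep)


def demo_never_ready():
    """The policy never creates the resource; returns (attempts, elapsed) at timeout."""
    clock = FakeClock()
    try:
        wait_for_resource(fake_reader(clock, float("inf"), NOT_FOUND),
                          PEP_POLICY, READ_TIMEOUT, clock, clock.sleep)
    except RetryTimeout as t:
        return t.attempts, t.elapsed
    raise AssertionError("expected a timeout")


def demo_non_retryable():
    """A narrower regex lets a permissions error surface on the first attempt."""
    clock = FakeClock()
    strict = RetryPolicy(error_message_regex=["ResourceNotFound"])
    try:
        wait_for_resource(fake_reader(clock, float("inf"), AUTH_FAILED),
                          strict, READ_TIMEOUT, clock, clock.sleep)
    except ProviderError as e:
        return str(e), clock()
    raise AssertionError("expected the error to be re-raised")


if __name__ == "__main__":
    print(demo_ready_after(200.0))   # resource found on attempt 5 at t=243.75s
    print(demo_never_ready())        # 11 attempts, gives up at t=1200s
    print(demo_non_retryable())      # AuthorizationFailed surfaces at t=0
```

With these settings the attempts land at 0, 30, 75, 142.5, 243.75, 395.625 seconds and then every 180 seconds until the deadline, so a resource that appears after 200 seconds is seen on the fifth read and a missing one costs the full 20 minutes. The `error_message_regex = ["."]` from the module treats every error as transient, which is what the issue wants for a not-yet-created resource, but it also means an authorization or wrong-parent-id error only shows up after the timeout; matching the "not found" text specifically keeps the wait behaviour while letting a misconfiguration fail immediately.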