pulumi-azure-native
azure-native:features:SubscriptionFeatureRegistration fails
What happened?
Diagnostics:
azure-native:features:SubscriptionFeatureRegistration (encryptionAtHostFeature):
error: cannot create already existing resource '/subscriptions/1b9a13c6-3b56-4604-af50-e6c0947262f3/providers/Microsoft.Features/featureProviders/Microsoft.Compute/subscriptionFeatureRegistrations/EncryptionAtHost'
Steps to reproduce
resources:
  encryptionAtHostFeature:
    type: azure-native:features:SubscriptionFeatureRegistration
    properties:
      featureName: EncryptionAtHost
      providerNamespace: Microsoft.Compute
Expected Behavior
The feature is registered if it is not already registered, or nothing happens if it is registered (pulumi succeeds).
Actual Behavior
Error that the resource already exists, both when the feature is registered and when not.
Versions used
CLI
Version 3.32.1
Go Version go1.17.9
Go Compiler gc

Plugins
NAME VERSION
azure-native unknown
kubernetes unknown
yaml unknown

Host
OS Microsoft Windows 10 Enterprise
Version 10.0.19044 Build 19044
Arch x86_64
Current Stack: Test
TYPE URN
pulumi:pulumi:Stack urn:pulumi:Test::github-actions-runners-cluster::pulumi:pulumi:Stack::github-actions-runners-cluster-Test
pulumi:providers:azure-native urn:pulumi:Test::github-actions-runners-cluster::pulumi:providers:azure-native::default
azure-native:resources:ResourceGroup urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup::resourceGroup
azure-native:operationalinsights:Workspace urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:operationalinsights:Workspace::workspace
azure-native:containerregistry:Registry urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerregistry:Registry::registry
azure-native:containerservice:ManagedCluster urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster::managedCluster
azure-native:authorization:RoleAssignment urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster$azure-native:authorization:RoleAssignment::roleAssignment
pulumi:providers:kubernetes urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster$pulumi:providers:kubernetes::kubernetes
kubernetes:core/v1:Namespace urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster$kubernetes:core/v1:Namespace::certManagerNamespace
kubernetes:core/v1:Namespace urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster$kubernetes:core/v1:Namespace::githubArcNamespace
kubernetes:core/v1:Namespace urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster$kubernetes:core/v1:Namespace::kuredNamespace
kubernetes:helm.sh/v3:Release urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster$kubernetes:helm.sh/v3:Release::certManager
kubernetes:helm.sh/v3:Release urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster$kubernetes:core/v1:Namespace$kubernetes:helm.sh/v3:Release::kured
kubernetes:helm.sh/v3:Release urn:pulumi:Test::github-actions-runners-cluster::azure-native:resources:ResourceGroup$azure-native:containerservice:ManagedCluster$kubernetes:core/v1:Namespace$kubernetes:helm.sh/v3:Release::githubArc
Found no pending operations associated with Test
Backend
Name pulumi.com
URL https://app.pulumi.com/Bo_Petersen
User Bo_Petersen
Organizations Bo_Petersen
Pulumi locates its logs in C:\Users\BOSOBO~1\AppData\Local\Temp by default
warning: Failed to get information about the project runtime: Unknown Language: yaml: %!!(MISSING)w(
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
Hi @BoSoeborgPetersen - I believe you're running into an autonaming bug which should have been fixed via #1720.
Can you upgrade to the most recent version and verify if the behavior still exists?
Hi @guineveresaenger, unfortunately I still get the same error with version 3.33.2, when the provider exists.
Hello, I just ran into this issue as well. Any update, or a good workaround? Thanks.
Code:
new features.SubscriptionFeatureRegistration('computeEncryptionAtHost', {
  featureName: 'EncryptionAtHost',
  providerNamespace: 'Microsoft.Compute',
  properties: {
    state: 'Registered',
  },
});
Error:
error: cannot create already existing resource '/subscriptions/.../providers/Microsoft.Features/featureProviders/Microsoft.Compute/subscriptionFeatureRegistrations/EncryptionAtHost'
Also, the corresponding az cli commands work fine on the same subscription.
az feature register --name 'EncryptionAtHost' --namespace 'Microsoft.Compute' --subscription '${subscriptionId}'
az feature unregister --name 'EncryptionAtHost' --namespace 'Microsoft.Compute' --subscription '${subscriptionId}'
Related Issue for Terraform: https://github.com/hashicorp/terraform-provider-azurerm/issues/17185
Hi @sintax1 - thank you for the update and we're sorry this is still a problem.
Can you tell us a bit more about the necessary setup? I'm assuming the feature somehow already exists in Azure and that's when the issue occurred?
To let us help you faster, we do need a complete runnable program that reproduces this bug. It would be great if you could provide that.
Finally - the linked issue would not affect this provider, it would affect the Azure RM provider which according to the issue does not currently have support for this. It might be possible for you to use pulumi-azure for this resource, and use their workaround?
Hello @guineveresaenger, I did a bit more digging and found the issue -
For Azure subscription feature registrations, the resource name directly controls which feature is being registered. This creates a catch-22:
- If using the correct feature name (e.g., "EncryptionAtHost"):
  - GET request returns 200 (resource already exists)
  - Pulumi skips creation, assuming the resource is already managed
  - Example:
    GET https://management.azure.com/subscriptions/.../providers/Microsoft.Features/featureProviders/Microsoft.Compute/subscriptionFeatureRegistrations/EncryptionAtHost?api-version=2021-07-01 → 200 OK
- If using a different name (e.g., "EncryptionAtHost2"):
  - GET request returns 404 (resource doesn't exist)
  - Pulumi attempts creation with PUT request
  - Azure rejects the request because "EncryptionAtHost2" is not a valid feature name
  - Example:
    PUT https://management.azure.com/subscriptions/.../providers/Microsoft.Features/featureProviders/Microsoft.Compute/subscriptionFeatureRegistrations/EncryptionAtHost2?api-version=2021-07-01 → Error
The EncryptionAtHost resource that is returned by GET before the feature is enabled (note state: "Unregistered" toggles to "Registered" when enabled):
{
  "id": "/subscriptions/.../providers/Microsoft.Features/providers/Microsoft.Compute/features/EncryptionAtHost",
  "name": "Microsoft.Compute/EncryptionAtHost",
  "properties": {
    "state": "Unregistered"
  },
  "type": "Microsoft.Features/providers/features"
}
A self-contained program to reproduce the issue: https://github.com/sintax1/pulumi-azure-native-issue-1722
Hi @sintax1 - apologies for the delay here. We've added this to our backlog.
Root Cause Analysis
I've investigated this issue and identified the root cause. The problem is that Feature Registrations are singleton resources that "always exist" in Azure, but Pulumi's existence check is blocking their creation.
The Catch-22 Problem
The issue occurs in provider/pkg/azure/client_azcore.go:443-453 in the CanCreate function:
case http.StatusOK == resp.StatusCode:
	// 200 means the resource already exists
	var outputs map[string]interface{}
	err := runtime.UnmarshalAsJSON(resp, &outputs)
	if err == nil && len(outputs) > 0 {
		return fmt.Errorf("cannot create already existing resource '%s'", id)
	}
	return nil
Why this fails for Feature Registrations:
- Feature names ARE the resource identifier - You cannot use a different name; the featureName path parameter (e.g., "EncryptionAtHost") directly identifies the feature.
- Features always "exist" in Azure - Azure feature registrations have implicit existence. They always return HTTP 200 with their current state, even before explicit registration:
  {
    "properties": {
      "state": "Unregistered" // ← toggles to "Registered"
    }
  }
- The Catch-22:
  - ✗ Using correct name → GET returns 200 OK → Pulumi blocks creation
  - ✗ Using different name → GET returns 404 → Pulumi attempts PUT → Azure rejects (invalid feature)
Solution: Treat as Singleton Resource
Feature registrations should be marked as singleton resources, similar to other "always-existing" resources already handled in the provider:
- applicationinsights:ComponentCurrentBillingFeature
- appplatform:ConfigServer
- appplatform:MonitoringSetting
These resources have "singleton": true in metadata-compact.json, which causes Pulumi to:
- Skip the CanCreate existence check
- Directly call the PUT API (which Azure documents as "CreateOrUpdate")
- Enable idempotent management of state
Implementation Approach
- Update codegen to mark SubscriptionFeatureRegistration as a singleton resource
- Regenerate schema/metadata with make schema
- Verify bin/metadata-compact.json contains "singleton": true
- Test with the EncryptionAtHost feature to confirm fix
This will allow the resource to work like az feature register, which doesn't check for existence before calling the API.
I can prepare a PR with this fix if that would be helpful.
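The check-then-PUT flow and the proposed singleton bypass from the analysis above, modeled as an added Go example that is not the provider's code. `fakeARM`, `create` and the `singleton` argument are hypothetical names, and the in-memory map is a constructed stand-in for the Azure endpoint that flips straight to "Registered" as a simplification.

```go
package main

import (
	"fmt"
	"net/http"
)

// fakeARM is a constructed in-memory stand-in for Microsoft.Features: every
// valid feature name has a state, so GET answers 200 before registration too.
type fakeARM map[string]string

func (a fakeARM) get(name string) (int, string) {
	if state, ok := a[name]; ok {
		return http.StatusOK, state
	}
	return http.StatusNotFound, ""
}

func (a fakeARM) put(name string) (int, string) {
	if _, ok := a[name]; !ok {
		return http.StatusBadRequest, "" // not a valid feature name
	}
	a[name] = "Registered"
	return http.StatusOK, a[name]
}

// create models the flow described above: an existence check
// (skipped when the resource type is marked singleton), then the PUT.
func create(a fakeARM, name string, singleton bool) (string, error) {
	if !singleton {
		if code, body := a.get(name); code == http.StatusOK && body != "" {
			return "", fmt.Errorf("cannot create already existing resource '%s'", name)
		}
	}
	code, state := a.put(name)
	if code != http.StatusOK {
		return "", fmt.Errorf("PUT %s rejected with status %d", name, code)
	}
	return state, nil
}

func main() {
	arm := fakeARM{"EncryptionAtHost": "Unregistered"}
	fmt.Println(create(arm, "EncryptionAtHost", false))  // blocked by the existence check
	fmt.Println(create(arm, "EncryptionAtHost2", false)) // check passes, PUT rejected
	fmt.Println(create(arm, "EncryptionAtHost", true))   // check skipped, PUT registers
}
```

Because the singleton path goes straight to the PUT, repeating it on an already registered feature succeeds again, which is the idempotent behaviour the issue asks for.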