terraform-provider-azapi Update operation fails for AI Studio Project

With the latest v1.14.0 I am able to deploy Azure AI Studio resources (hub and project) just fine.

Update operations on the project fail though. Every update causes the following validation error:

{
│   "error": {
│     "code": "ValidationError",
│     "severity": null,
│     "message": "Managed network cannot be disabled once enabled.",
│     "messageFormat": null,
│     "messageParameters": null,
│     "referenceCode": null,
│     "detailsUri": null,
│     "target": null,
│     "details": [],
│     "innerError": null,
│     "debugInfo": null,
│     "additionalInfo": null
│   },
...
│ }

My property bag does not include any managed vnet references:

...
  body = {
    kind = "Project"
    properties = {
      description   = "AI Studio Project - ${var.ai_studio_project_name}"
      friendlyName  = title(replace(var.ai_studio_project_name, "-", " "))
      hubResourceId = var.ai_studio_hub_id
    }
  }
...

The same terraform resource definition is used for initial creation and for updates. Not sure what causes the issue. Is anyone experiencing the same issues?

Two assumptions:

Either the azapi provider does not send the kind property as part of the update operation.
There is an issue on the product side.

Jul 30 '24 14:07 marvinbuss

Hi @marvinbuss ,

Thank you for taking time to report this issue.

Would you please also share the complete config to help investigate? Thanks.

Jul 31 '24 02:07 ms-henglu

Here is my config: https://github.com/PerfectThymeTech/terraform-azurerm-modules/blob/47c4e0c36df5b583770ff697e98c0674c0398807/modules/aistudioproject/main.tf#L1-L26

Jul 31 '24 07:07 marvinbuss

Thanks @marvinbuss ,

I believe this is an upstream API issue, that the managed network is enabled by default, and in the following requests, the managed network must be specified.

Please check whether below config could solve the issue:

body = {
    kind = "Project"
    properties = {
      description   = "AI Studio Project - ${var.ai_studio_project_name}"
      friendlyName  = title(replace(var.ai_studio_project_name, "-", " "))
      hubResourceId = var.ai_studio_hub_id
      managedNetwork = {
        status = {
          status = "Active"
        }
      }
    }
  }

Jul 31 '24 07:07 ms-henglu

Let me give this a try and report back. Thanks for your prompt response.

Jul 31 '24 07:07 marvinbuss

I tried the following configs:

Option 1: (like you suggested) Resulted in the same error as mentioned above.

resource "azapi_resource" "ai_studio_project" {
  type      = "Microsoft.MachineLearningServices/workspaces@2024-04-01"
  name      = var.ai_studio_project_name
  location  = var.location
  parent_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.resource_group_name}"
  tags      = var.tags
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }

  body = {
    kind = "Project"
    properties = {
      description   = "AI Studio Project - ${var.ai_studio_project_name}"
      friendlyName  = title(replace(var.ai_studio_project_name, "-", " "))
      hubResourceId = var.ai_studio_hub_id
      managedNetwork = {
        status = {
          status     = "Active"
        }
      }
    }
  }

  response_export_values    = []
  schema_validation_enabled = false # Can be reverted once this is closed: https://github.com/Azure/terraform-provider-azapi/issues/524
  locks                     = []
  ignore_casing             = false
  ignore_missing_property   = true
}

Option 2: Resulted in the same error as mentioned above.

resource "azapi_resource" "ai_studio_project" {
  type      = "Microsoft.MachineLearningServices/workspaces@2024-04-01"
  name      = var.ai_studio_project_name
  location  = var.location
  parent_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.resource_group_name}"
  tags      = var.tags
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }

  body = {
    kind = "Project"
    properties = {
      description   = "AI Studio Project - ${var.ai_studio_project_name}"
      friendlyName  = title(replace(var.ai_studio_project_name, "-", " "))
      hubResourceId = var.ai_studio_hub_id
      managedNetwork = {
        status = {
          status     = "Active"
          sparkReady = true
        }
      }
    }
  }

  response_export_values    = []
  schema_validation_enabled = false # Can be reverted once this is closed: https://github.com/Azure/terraform-provider-azapi/issues/524
  locks                     = []
  ignore_casing             = false
  ignore_missing_property   = true
}

Option 3: Resulted in a new error ("message": "Project workspace shouldn't define it's own managed network properties.",).

resource "azapi_resource" "ai_studio_project" {
  type      = "Microsoft.MachineLearningServices/workspaces@2024-04-01"
  name      = var.ai_studio_project_name
  location  = var.location
  parent_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.resource_group_name}"
  tags      = var.tags
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }

  body = {
    kind = "Project"
    properties = {
      description   = "AI Studio Project - ${var.ai_studio_project_name}"
      friendlyName  = title(replace(var.ai_studio_project_name, "-", " "))
      hubResourceId = var.ai_studio_hub_id
      managedNetwork = {
        isolationMode = "AllowOnlyApprovedOutbound"
        status = {
          status     = "Active"
          sparkReady = true
        }
      }
    }
  }

  response_export_values    = []
  schema_validation_enabled = false # Can be reverted once this is closed: https://github.com/Azure/terraform-provider-azapi/issues/524
  locks                     = []
  ignore_casing             = false
  ignore_missing_property   = true
}

Looks like we are blocked.

Jul 31 '24 10:07 marvinbuss

@ms-henglu and other ideas what could be wrong?

Jul 31 '24 18:07 marvinbuss

Short update from my side:

I enabled Trace logs to review the API calls that are made to the resource provider.
I extracted some of the information and validated the via Postman.
I am able to replicate the issue via Postman right now.
Right now, I am assuming that this is a provider issue.

Will follow-up once I have any updates.

Aug 01 '24 08:08 marvinbuss

just sharing, it's happening the same to me, but using Azure Bicep...

Aug 01 '24 13:08 aldodfm

Thanks for sharing @aldodfm. Let me follow-up internally.

Aug 01 '24 13:08 marvinbuss

Hi @marvinbuss - About hubResourceId = var.ai_studio_hub_id, what should I set for the hubResourceId?

Aug 02 '24 02:08 ms-henglu

For hubResourceId you must specify the resource ID of another AML workspace of kind Hub. Sample can be found here:

Reference: https://github.com/PerfectThymeTech/terraform-azurerm-modules/blob/07344b3d77fd261a0dbc9b5a194115f2af74ffc8/modules/aistudioproject/tests/test.tftest.hcl#L99
Module for AI Studio Hub: https://github.com/PerfectThymeTech/terraform-azurerm-modules/tree/main/modules/aistudiohub

Aug 02 '24 07:08 marvinbuss

Today, another error message started showing up even though nothing has changed on the TF module:

│ {
│   "error": {
│     "code": "ValidationError",
│     "severity": null,
│     "message": "Project workspace shouldn't have it's own Key Vault",
│     "messageFormat": null,
│     "messageParameters": null,
│     "referenceCode": null,
│     "detailsUri": null,
│     "target": null,
│     "details": [],
│     "innerError": null,
│     "debugInfo": null,
│     "additionalInfo": null
│   },
│   "correlation": {
│     "operation": "",
│     "request": ""
│   },
│   "environment": "westeurope",
│   "location": "westeurope",
│   "time": "2024-08-02T07:42:06.4382655+00:00",
│   "componentName": "account-rp",
│   "statusCode": 400
│ }

Is anyone seeing the same error when updating a project?

Aug 02 '24 07:08 marvinbuss