Is it possible to deploy multiple Azure resources in a single azapi_resource?


My employer's Azure estate is heavily policied, which results in complications when trying to provision infrastructure with the AzureRM Terraform provider. For example, the "Azure Key Vaults should use private link" policy makes it impossible to provision Key Vaults without a private link assigned. However, creating a private link requires the target resource to already exist. This results in a catch-22 situation where both resources must be deployed simultaneously. Our current workaround is to deploy both resources at the same time via an ARM template deployment using azurerm_resource_group_template_deployment.

We are gradually trying to replace all usages of azurerm_resource_group_template_deployment with the azapi provider. Is it possible to deploy multiple Azure resources in a single azapi_resource resource in the azapi provider?

Jahnavi On

Yes, it is possible to deploy within a single provider. You can use a depends_on block to specify the order in which resources are created.

I tried using depends_on to create a sample workspace and container applications environment using the azapi provider, and it worked as intended.

main.tf:

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "1.7.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azapi" {}

resource "azurerm_resource_group" "main" {
  name     = "ksdnf-rg-rg"
  location = "eastus"
}

resource "azurerm_log_analytics_workspace" "main" {
  name                = "newest-la"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azapi_resource" "containerapp_environment" {
  type      = "Microsoft.App/managedEnvironments@2022-03-01"
  name      = "conajshacae"
  parent_id = azurerm_resource_group.main.id
  location  = azurerm_resource_group.main.location

  body = jsonencode({
    properties = {
      appLogsConfiguration = {
        destination = "log-analytics"
        logAnalyticsConfiguration = {
          customerId = azurerm_log_analytics_workspace.main.workspace_id
        }
      }
    }
  })

  # Explicit ordering: create the workspace before the environment.
  # A resource cannot list itself here; Terraform rejects self-references.
  depends_on = [
    azurerm_log_analytics_workspace.main
  ]
}

Initialized with terraform init and validated the configuration with terraform plan: [screenshot]

Executed terraform plan: [screenshot]

Created successfully using terraform apply: [screenshot]

Deployed in Portal: [screenshot]

Reference article by @Thomas Thornton for more relevant information.

Note: In some scenarios, it would be a specific behavior of the azapi provider you specified if it permits installing multiple Azure resources within a single azapi_resource block. In such cases, I would recommend you use AzureRM providers to avoid any conflicts.
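
One way to have the Key Vault and its private endpoint from the question submitted together through a single azapi_resource is to wrap an ARM template in a Microsoft.Resources/deployments resource. This is an added example, not part of the original question or answer; the resource names, API versions and var.* inputs are assumptions.

```hcl
# Added example: names, API versions and var.* inputs are assumptions.
variable "resource_group_id" { type = string }
variable "tenant_id" { type = string }
variable "pe_subnet_id" { type = string } # subnet that hosts the private endpoint

locals {
  vault_name = "kv-example-001" # placeholder name
  vault_ref  = "[resourceId('Microsoft.KeyVault/vaults', '${local.vault_name}')]"
}

resource "azapi_resource" "kv_with_private_endpoint" {
  type      = "Microsoft.Resources/deployments@2021-04-01"
  name      = "kv-private-link"
  parent_id = var.resource_group_id
  # The nested template is free-form, so skip azapi's schema check for it.
  schema_validation_enabled = false
  body = jsonencode({
    properties = {
      mode = "Incremental"
      template = {
        "$schema"      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
        contentVersion = "1.0.0.0"
        resources = [
          {
            type       = "Microsoft.KeyVault/vaults"
            apiVersion = "2023-07-01"
            name       = local.vault_name
            location   = "[resourceGroup().location]"
            properties = {
              tenantId            = var.tenant_id
              sku                 = { family = "A", name = "standard" }
              publicNetworkAccess = "Disabled"
            }
          },
          {
            type       = "Microsoft.Network/privateEndpoints"
            apiVersion = "2023-05-01"
            name       = "${local.vault_name}-pe"
            location   = "[resourceGroup().location]"
            dependsOn  = [local.vault_ref]
            properties = {
              subnet                        = { id = var.pe_subnet_id }
              privateLinkServiceConnections = [{ name = "vault", properties = { privateLinkServiceId = local.vault_ref, groupIds = ["vault"] } }]
            }
          }
        ]
      }
    }
  })
}
```

Terraform tracks only the deployment object here, so destroying this resource deletes the deployment record and leaves the vault and private endpoint in place; they need to be cleaned up separately.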