Deploying Azure NetApp Files Preview features using Terraform AzAPI Provider

I was working on a project that was using Azure NetApp Files and the idea was to test some of the preview features to understand how they can positively improve the capabilities and user experience. The infrastructure was provisioned using terraform. However, those preview features are not enabled yet on the Terraform AzureRM provider. Some time back the solution if we had to use terraform was to use the ARM template wrapped with azurerm_template_deployment to make it terraform native which was not time consuming and not that great.

I assume based on community feedback and Microsoft investment, the provider has definitely improved to release new features and enable private preview ones in a faster cadence yet, there are projects that want or need to be able to have those features enabled as soon as they are released which usually you can deploy natively with ARM templates and/or Bicep.

Microsoft has released recently the Terraform AzAPI provider which helps breaking that barrier in the IaC development process and enable us to deploy features that are not yet released in the AzureRM provider. The definition is quite clear and taken from the provider github page.

The AzAPI provider is a very thin layer on top of the Azure ARM REST APIs. Use this new provider to authenticate to and manage Azure resources and functionality using the Azure Resource Manager APIs directly.

After start playing with the provider, it felt like working with bicep in a way and I was able to deploy the preview features using the AzAPI provider and they were deployed successfully.👌

The diagram below depicts the architecture to deploy for the test.

Azure NetApp Files preview features 🕵️‍♀️

There are two new features in Azure NetApp Files that are not yet released in the AzureRM provider. These features are related to the NFS Volume or dual-protocol volumes with the Unix security style providing more flexibility and control over the access to the NFS volumes:

• Unix Permissions: This feature allows you to specify change permissions for the mount path. The setting does not apply to the files under the mount path. By default those permissions are set to 0770 which means read, write, & execute for owner and group only.
• Change of Ownership (Chown mode): This feature enables you to set the ownership management capabilities of files and directories

Note The Unix permissions you specify apply only for the volume mount point (root directory). You can modify the Unix permissions on the source volume but not on the destination volume that is in a cross-region replication configuration.

Azure NetApp Files resource provider configuration

In order to test-drive those new capabilities we need to enable those new features. Depending on how you manage the Resource Providers, you can enable those features by adding the below to the azurerm_resource_provider_registration resource:

Note This can take ~15 mins to complete. De-registering the resource provider can take longer than 30 mins to complete.

resource "azurerm_resource_provider_registration" "anf" {
  name = "Microsoft.NetApp"
  feature {
    name       = "ANFChownMode"
    registered = true
  }
  feature {
    name       = "ANFUnixPermissions"
    registered = true
  }
}

Important Adding or Removing Preview Features will re-register the Resource Provider if managed by Terraform.In addition, you cannot modify a resource provider that is not managed by terraform as expected.

Terraform Configuration 👨‍💻

I am deploying ANF using a Module with the AzureRM provider and configuring the preview features using the AzAPI provider.

ANF Repo
        |_Modules
            |_ANF_Pool
        |       |_ main.tf
        |       |_ variables.tf
        |       |_ outputs.tf
        |   |_ ANF_Volume
        |       |_ main.tf
        |       |_ variables.tf
        |       |_ outputs.tf        
        |_ main.tf
        |_ providers.tf
        |_ variables.tf
        |_ outputs.tf

Terraform AzAPI and AzureRM Providers

I have declared the providers config to be used as below.

provider "azurerm" {
  skip_provider_registration = true
  features {}
}

provider "azapi" {
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.00"
    }

    azapi = {
      source = "azure/azapi"
    }
  }
}

Deploying the Azure NetApp Files 👷

I will deploy my ANF structure using the following resources

• ANF Account
• Capacity Pool
• Volume
• Export policy which contain one or more export rules that process each client access request

resource "azurerm_netapp_account" "analytics" {
  name                = "cero-netappaccount"
  location            = data.azurerm_resource_group.one.location
  resource_group_name = data.azurerm_resource_group.one.name
}

module "analytics_pools" {
  source   = "./modules/anf_pool"

  for_each = local.pools

  account_name        = azurerm_netapp_account.analytics.name
  resource_group_name = azurerm_netapp_account.analytics.resource_group_name
  location            = azurerm_netapp_account.analytics.location
  volumes             = each.value
  tags                = var.tags
}

Important In order to create Azure NetApp Files, you need to request access to the region in which you are deploying via support ticket.

AzAPI update resource configuration

Given I already deployed my ANF Account, I will use azapi_update_resource as it allows me to manage the properties I need from the existing ANF resource properties. It does use the same auth methods as the AzureRM provider.

• Make sure you install the Terraform AzAPI provider extension in VSCode, as it will make life easier with the intellisense completion.

resource "azapi_update_resource" "vol_update"{
  type = "Microsoft.NetApp/netAppAccounts/capacityPools/[email protected]"
  resource_id = module.analytics_pools["pool1"].volumes.volume1.volume.id
  body = jsonencode({
    properties = {
      unixPermissions = "0740",
      exportPolicy = {
        rules = [ {
          RuleIndex = 1,
          chownMode = "unRestricted"}
        ]
      }
    }
    
  })
}

AzAPI to AzureRM Migration

I did try to see how this tool would work. However, as per below those settings are still not available in the AzureRM provider. Hence, I have to wait to test this with ANF when those features are available in the AzureRM provider. More info about this tool here

Summary 📻

AzAPI provider definitely allow us to manage Azure resources and functionality using the Azure ARM REST APIs directly without having to make complex deployments to be able to leverage terraform. It give us the flexibility to manage zero day feature support for Azure resources. This is a great example of how to leverage the AzAPI provider to manage Azure resources and allow me to increase agility by been able to test new features easily if invested in terraform. Azure NetApp files keeps improving and adding new features that will make the best choice for your data management needs, and I am excited to see how this will be used in the future. I did find a bug in the Azure Portal UI when changing the chownMode property from restricted to unRestricted. This property was not changed in the UI. However, it was in the Azure API. The other way around unRestricted to restricted works fine.

I am so keen to see how the AzAPI2AzureRM migration tool will work in this case when the features are added to the AzureRM provider and see how seamless the experience is.

I do hope this helps someone and that you find it informative,, so please let me know your constructive feedback as it’s always important🕵️‍♂️,, That’s it for now,,, Hasta la vista🐱‍🏍!!!

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working in new content 🚴‍♂️.