Deploying Azure NetApp Files Preview Features Using Terraform AzAPI Provider

5 minute read

"Buy Me A Coffee"


I was working on a project using Azure NetApp Files, aiming to test some preview features to understand how they can improve capabilities and user experience. The infrastructure was provisioned using Terraform. However, those preview features are not yet enabled in the Terraform AzureRM provider. Previously, the workaround was to use ARM templates wrapped with azurerm_template_deployment to make it Terraform-native, which was not ideal.

Thanks to community feedback and Microsoft’s investment, the provider has improved to release new features and enable private preview ones at a faster cadence. Still, some projects need to enable features as soon as they are released, which is usually possible natively with ARM templates or Bicep.

Microsoft recently released the Terraform AzAPI provider, which helps break that barrier in the IaC development process and enables us to deploy features not yet released in the AzureRM provider. The definition is clear, as taken from the provider GitHub page:

The AzAPI provider is a very thin layer on top of the Azure ARM REST APIs. Use this new provider to authenticate to and manage Azure resources and functionality using the Azure Resource Manager APIs directly.

After playing with the provider, it felt similar to working with Bicep, and I was able to deploy the preview features using the AzAPI provider successfully. 👌

Note:
The diagram below depicts the architecture to deploy for the test.

Azure NetApp Files Architecture


Azure NetApp Files Preview Features 🕵️‍♀️

There are two new features in Azure NetApp Files that are not yet released in the AzureRM provider. These features are related to the NFS Volume or dual-protocol volumes with the Unix security style, providing more flexibility and control over access to the NFS volumes:

  • Unix Permissions: Allows you to specify change permissions for the mount path. The setting does not apply to files under the mount path. By default, permissions are set to 0770, meaning read, write, and execute for owner and group only.
  • Change of Ownership (Chown mode): Enables you to set the ownership management capabilities of files and directories.

Note:
The Unix permissions you specify apply only to the volume mount point (root directory).
You can modify the Unix permissions on the source volume but not on the destination volume in a cross-region replication configuration.


Azure NetApp Files Resource Provider Configuration

To test these new capabilities, you need to enable the features. Depending on how you manage Resource Providers, you can enable these features by adding the following to the azurerm_resource_provider_registration resource:

Note:
This can take ~15 minutes to complete. De-registering the resource provider can take longer than 30 minutes.

resource "azurerm_resource_provider_registration" "anf" {
  name = "Microsoft.NetApp"
  feature {
    name       = "ANFChownMode"
    registered = true
  }
  feature {
    name       = "ANFUnixPermissions"
    registered = true
  }
}

Important:
Adding or removing preview features will re-register the Resource Provider if managed by Terraform. In addition, you cannot modify a resource provider that is not managed by Terraform as expected.


Terraform Configuration 👨‍💻

I am deploying ANF using a module with the AzureRM provider and configuring the preview features using the AzAPI provider.

ANF Repo
    |_Modules
        |_ANF_Pool
            |_ main.tf
            |_ variables.tf
            |_ outputs.tf
        |_ ANF_Volume
            |_ main.tf
            |_ variables.tf
            |_ outputs.tf        
    |_ main.tf
    |_ providers.tf
    |_ variables.tf
    |_ outputs.tf

Terraform AzAPI and AzureRM Providers

I have declared the providers configuration as below:

provider "azurerm" {
  skip_provider_registration = true
  features {}
}

provider "azapi" {
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.00"
    }
    azapi = {
      source = "azure/azapi"
    }
  }
}

Deploying the Azure NetApp Files 👷

I will deploy my ANF structure using the following resources:

  • ANF Account
  • Capacity Pool
  • Volume
  • Export policy containing one or more export rules that process each client access request
resource "azurerm_netapp_account" "analytics" {
  name                = "cero-netappaccount"
  location            = data.azurerm_resource_group.one.location
  resource_group_name = data.azurerm_resource_group.one.name
}

module "analytics_pools" {
  source   = "./modules/anf_pool"
  for_each = local.pools

  account_name        = azurerm_netapp_account.analytics.name
  resource_group_name = azurerm_netapp_account.analytics.resource_group_name
  location            = azurerm_netapp_account.analytics.location
  volumes             = each.value
  tags                = var.tags
}

ANF Deployment Diagram

Important:
To create Azure NetApp Files, you need to request access to the region in which you are deploying via a support ticket.


AzAPI Update Resource Configuration

Given I already deployed my ANF Account, I use azapi_update_resource to manage the properties I need from the existing ANF resource properties. It uses the same authentication methods as the AzureRM provider.

resource "azapi_update_resource" "vol_update" {
  type        = "Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2021-10-01"
  resource_id = module.analytics_pools["pool1"].volumes.volume1.volume.id
  body = jsonencode({
    properties = {
      unixPermissions = "0740",
      exportPolicy = {
        rules = [{
          RuleIndex = 1,
          chownMode = "unRestricted"
        }]
      }
    }
  })
}

ANF Volume Update


AzAPI to AzureRM Migration

I tried to see how this tool would work. However, as shown below, those settings are still not available in the AzureRM provider. I will have to wait to test this with ANF when those features are available in the AzureRM provider. More info about this tool [here][az2rm].

AzAPI to AzureRM Migration


Summary 📻

The AzAPI provider definitely allows us to manage Azure resources and functionality using the Azure ARM REST APIs directly, without having to make complex deployments to leverage Terraform. It gives us the flexibility to manage zero-day feature support for Azure resources.

This is a great example of how to leverage the AzAPI provider to manage Azure resources and increase agility by being able to test new features easily if you are invested in Terraform. Azure NetApp Files keeps improving and adding new features, making it an excellent choice for your data management needs. I am excited to see how this will be used in the future.

I did find a bug in the Azure Portal UI when changing the chownMode property from restricted to unRestricted. This property was not changed in the UI, but it was in the Azure API. The other way around (unRestricted to restricted) works fine.

I am eager to see how the AzAPI2AzureRM migration tool will work when these features are added to the AzureRM provider and how seamless the experience will be.

I hope this helps someone and that you find it informative. Please let me know your constructive feedback, as it’s always important. 🕵️‍♂️ That’s it for now—Hasta la vista! 🐱‍🏍

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working on new content. 🚴‍♂️

"Buy Me A Coffee"

Comments