
[1.15.0]Trying to create a policy results in 404 Policy not Found error #697

Open
A7exSchin opened this issue Dec 19, 2024 · 1 comment

@A7exSchin

[azapi provider version 1.15.0]
Hello there,

I am currently trying to create a JIT Policy for VMs. This is my configuration object:

```hcl
locals {
  ljit_subnets_ips = [for idx, ip in var.jit_allowed_subnets :
    ip
  ]

  ljit_subnet_prefixes = concat([var.bastion_subnet_address_prefix], local.ljit_subnets_ips)

  ljit_linux_vm_names   = [for idx, linvm in module.linux : linvm.name]

  llinux_virtual_machine_ids = [for idx, vm_name in local.ljit_linux_vm_names :
    {
      "id" : "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/${var.resource_group_name}/providers/Microsoft.Compute/virtualMachines/${vm_name}",
      "ports" : [
        {
          "number" : 22,
          "protocol" : "TCP",
          "allowedSourceAddressPrefixes" : local.ljit_subnet_prefixes,
          "maxRequestAccessDuration" : "PT1H"
        }
      ]
    }
  ]
}

resource "azapi_resource" "linux_vm_jit_policy" {
  depends_on                = [module.linux]
  name                      = "bastion-linux-vm-jit-policy"
  parent_id                 = "${var.resource_group_id}/providers/Microsoft.Security/locations/${var.location}"
  type                      = "Microsoft.Security/locations/jitNetworkAccessPolicies@2020-01-01"
  schema_validation_enabled = false
  body = jsonencode({
    "kind" : "Basic"
    "properties" : {
      "virtualMachines" : local.llinux_virtual_machine_ids
    }
    "location" : var.location
  })
}
```

The plan runs through without an issue, however, if I try to apply I get the following error:

```text
│ Error: Failed to create/update resource
│ 
│   with module.Bastion.azapi_resource.linux_vm_jit_policy,
│   on .terraform/modules/Bastion/vms.tf line 97, in resource "azapi_resource" "linux_vm_jit_policy":
│   97: resource "azapi_resource" "linux_vm_jit_policy" {
│ 
│ creating/updating Resource: (ResourceId
│ "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG-XXXXX/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/bastion-linux-vm-jit-policy" / Api
│ Version "2020-01-01"): GET
│ https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG-XXXXX/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/bastion-linux-vm-jit-policy
│ --------------------------------------------------------------------------------
│ RESPONSE 404: 404 Not Found
│ ERROR CODE: PolicyNotFound
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "PolicyNotFound",
│     "message": "Just-In-Time Network Access Policy '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG-XXXXX/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/bastion-linux-vm-jit-policy' does not exist."
│   }
│ }
│ --------------------------------------------------------------------------------
```

Why is there even a GET Request sent? I want to create the resource, so it is expected that the resource does not exist. It kind of does not make sense to me how this behaves.

@A7exSchin A7exSchin changed the title Trying to create a policy results in 404 Policy not Found error [1.15.0]Trying to create a policy results in 404 Policy not Found error Dec 19, 2024
@ms-henglu
Member

Hi @A7exSchin ,

Thank you for taking the time to report this issue.

I can reproduce this issue with the example: https://github.com/Azure/terraform-provider-azapi/blob/main/quickstarts/Microsoft.Security/jitNetworkAccessPolicies/main.tf

I believe it's caused by the upstream API. The azapi_resource makes a PUT request before creating the resource, to make sure the target resource doesn't exist. And yes, it's expected to receive a 404.

After making a PUT request to create the resource, azapi will make another GET request to check whether the resource is created, however it still returns 404.


Are you able to create the resource with other client tools? If not, I think it's better to open an Azure Support ticket to report the API bug.
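One way to answer that question with a client other than Terraform: replay the same GET, PUT, GET sequence against the ARM REST API with plain HTTP and classify the result, so a provider bug can be told apart from an upstream API bug. This is an added example, not code from the issue or from the azapi provider; the names `policy_url`, `jit_body`, `arm_request` and `probe_jit_policy` are hypothetical, and a bearer token (for example from `az account get-access-token`) is assumed to be supplied by the caller.

```python
import json
import urllib.error
import urllib.request

API_VERSION = "2020-01-01"  # same API version as the issue's azapi_resource type


def policy_url(subscription, resource_group, location, name):
    """Full ARM URL of a JIT policy, matching the resource id in the issue's error."""
    return (f"https://management.azure.com/subscriptions/{subscription}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.Security"
            f"/locations/{location}/jitNetworkAccessPolicies/{name}"
            f"?api-version={API_VERSION}")


def jit_body(location, vm_ids, prefixes, port=22, duration="PT1H"):
    """Request body with the same shape as the issue's jsonencode({...}) block."""
    return {"kind": "Basic", "location": location, "properties": {"virtualMachines": [
        {"id": vm, "ports": [{"number": port, "protocol": "TCP",
                              "allowedSourceAddressPrefixes": prefixes,
                              "maxRequestAccessDuration": duration}]}
        for vm in vm_ids]}}


def arm_request(token, method, url, body=None):
    """Real HTTP call against ARM; returns (status, parsed JSON body or None).
    Use functools.partial(arm_request, token) to get the (method, url, body) shape
    that probe_jit_policy expects."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def probe_jit_policy(url, body, request):
    """GET (a 404 before create is normal), PUT, then GET again; classify the outcome.
    `request(method, url, body=None)` is injected so the flow can be run offline."""
    before, _ = request("GET", url)
    put_status, _ = request("PUT", url, body)
    after, after_resp = request("GET", url)
    code = ((after_resp or {}).get("error") or {}).get("code")
    if put_status not in (200, 201):
        verdict = "put_failed"                 # creation itself was rejected
    elif after == 404 and code == "PolicyNotFound":
        verdict = "created_but_get_404"        # the behaviour this issue reports
    elif after == 200:
        verdict = "ok"                         # create and read-back both succeeded
    else:
        verdict = "unexpected"
    return {"before": before, "put": put_status, "after": after, "verdict": verdict}
```

A `created_but_get_404` verdict from this plain-HTTP replay points at the API rather than the provider, which is the evidence a support ticket would need.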
