I'm trying to create an Azure Container Apps Environment through the AzAPI provider on Terraform.
The configuration I'm using is the following:
```hcl
resource "azapi_resource" "aca_env" {
  type      = "Microsoft.App/managedEnvironments@2022-03-01"
  parent_id = azurerm_resource_group.rg.id
  location  = azurerm_resource_group.rg.location
  name      = var.ACA_ENV_NAME

  body = jsonencode({
    properties = {
      appLogsConfiguration = {
        destination = "log-analytics"
        logAnalyticsConfiguration = {
          customerId = azurerm_log_analytics_workspace.log.workspace_id
          sharedKey  = azurerm_log_analytics_workspace.log.primary_shared_key
        }
      }
      daprAIConnectionString = azurerm_application_insights.insights.connection_string
      vnetConfiguration = {
        "internal"               = true
        "infrastructureSubnetId" = azurerm_subnet.aca_subnet.id
        "dockerBridgeCidr"       = var.ACA_ENV_BRIDGE_CIDR
        "platformReservedCidr"   = var.ACA_ENV_RESERVED_CIDR
        "platformReservedDnsIP"  = var.ACA_ENV_RESERVED_DNS_IP
      }
    }
  })

  depends_on = [
    # ...
  ]

  response_export_values  = ["properties.defaultDomain", "properties.staticIp"]
  ignore_missing_property = true
}
```
When I try to execute this, I get the following error:
```
ErrorCode: ManagedEnvironmentResourceGroupDisallowedByPolicy, Message: Fail to create managed environment because resource group creation is disallowed by policy, refer to https://go.microsoft.com/fwlink/?linkid=2198255 for more detail.
```
My guess is that it's trying to create a resource group somehow. However, we require certain tags to be present on a resource group, which is probably failing.
The weird part is that even though this error happens, the Azure Container Apps environment is still created. Also, if I remove the VNET configuration, the environment is created without any errors.
The question is, why is it trying to create a resource group? I referenced one already in the `parent_id`.
This is a known issue tracked here:
For the moment, the proposed workaround is to add a policy assignment exception for resource groups that have the MC_ prefix and _{region}
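
One way to express the exception described above, as an added example that is not from the original answer: it assumes the tag requirement is a custom policy definition you control, and the resource names, the tag key and the region are placeholders.

```hcl
# Added example: names, tag key and region are placeholders, not values from the post.
variable "required_tag" {
  type    = string
  default = "costCenter" # hypothetical tag key required on resource groups
}

variable "aca_region" {
  type    = string
  default = "westeurope" # region of the Container Apps environment (placeholder)
}

resource "azurerm_policy_definition" "rg_required_tag" {
  name         = "rg-required-tag-except-aca-managed"
  policy_type  = "Custom"
  mode         = "All" # "All" is needed so resource groups are evaluated
  display_name = "Require a tag on resource groups, except platform-managed MC_ groups"

  policy_rule = jsonencode({
    "if" = {
      allOf = [
        {
          field  = "type"
          equals = "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          # Skip only groups named MC_..._<region>; like/notLike accept a single "*".
          field   = "name"
          notLike = "MC_*_${var.aca_region}"
        },
        {
          # Deny when the required tag is absent.
          field  = "tags['${var.required_tag}']"
          exists = "false"
        }
      ]
    }
    "then" = {
      effect = "deny"
    }
  })
}
```

Matching on both the prefix and the region suffix keeps the exception narrower than a bare `MC_*` pattern. Any principal allowed to create resource groups can still pick a matching name, so review who holds that permission in the assignment scope.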