git merge main

Author: katbyte

.release/provider-schema.json

@@ -1,3 +1,29 @@
+## 4.63.0 (March 05, 2026)
+
+FEATURES:
+
+* provider: added the `enhanced_validation` block with the `locations` and `resource_providers` properties to replace the `ARM_PROVIDER_ENHANCED_VALIDATION` environment variable ([#31678](https://github.com/hashicorp/terraform-provider-azurerm/issues/31678))
+
+ENHANCEMENTS:
+
+* `azurerm_site_recovery_replicated_vm`- add support for `PremiumV2_LRS` in the `target_replica_disk_type` property ([#31890](https://github.com/hashicorp/terraform-provider-azurerm/issues/31890))
+
+BUG FIXES:
+
+* `azurerm_analysis_services_server` - fix an issue that prevented creation of the resource with `power_bi_service_enabled` set to `false` and one or more `ipv4_firewall_rule` blocks defined ([#31870](https://github.com/hashicorp/terraform-provider-azurerm/issues/31870))
+* `azurerm_analysis_services_server` - fix an issue that prevented adding or removing `ipv4_firewall_rule` blocks without also modifying `power_bi_service_enabled` ([#31870](https://github.com/hashicorp/terraform-provider-azurerm/issues/31870))
+* `azurerm_linux_web_app`, `azurerm_windows_web_app`, `azurerm_windows_function_app`, `azurerm_linux_function_app`, `azurerm_function_app_flex_consumption` - fix API error when removing auth_settings_v2 configuration from a previously deployed appservice ([#31821](https://github.com/hashicorp/terraform-provider-azurerm/issues/31821)) ([#31821](https://github.com/hashicorp/terraform-provider-azurerm/issues/31821))
+* dependencies: `dataprotection` - downgrade to API version `2025-07-01` due to new validation introduced by Azure on `2025-09-01` that is blocking deployments ([#31877](https://github.com/hashicorp/terraform-provider-azurerm/issues/31877))
+
+## 4.62.1 (March 02, 2026)
+
+BUG FIXES:
+
+* `azurerm_data_factory` - fix removal of `customer_managed_key_identity_id` to no longer send an empty string to Azure, instead sending an empty object ([#31858](https://github.com/hashicorp/terraform-provider-azurerm/issues/31858))
+* `azurerm_data_factory_customer_managed_key` - fix a persistent ID parsing error on `user_assigned_identity_id` when Azure returned an empty string ([#31858](https://github.com/hashicorp/terraform-provider-azurerm/issues/31858))
+* `azurerm_data_factory_customer_managed_key` - fix removal of `user_assigned_identity_id` to no longer send an empty string to Azure, instead sending an empty object ([#31858](https://github.com/hashicorp/terraform-provider-azurerm/issues/31858))
+* `azurerm_linux_function_app_slot` - fix an issue that prevented users from deploying a slot to a container-based function app ([#31842](https://github.com/hashicorp/terraform-provider-azurerm/issues/31842))
+
 ## 4.62.0 (February 26, 2026)
 
 FEATURES:

CHANGELOG.md

@@ -118,13 +118,6 @@ A `block_attribute` exports the following:
 
 ```
 
-## Timeouts
-
-When documenting timeouts, use the updated link format for all new resources:
-
-- **New resources**: Use `https://developer.hashicorp.com/terraform/language/resources/configure#define-operation-timeouts`
-- **Existing resources**: Continue using `https://www.terraform.io/language/resources/syntax#operation-timeouts` to maintain consistency
-
 ## Notes
 
 Note blocks are used to provide additional information to users beyond the basic description of a resource, argument or attribute.

contributing/topics/reference-documentation-standards.md

@@ -156,13 +156,19 @@ func Build(ctx context.Context, builder ClientBuilder) (*Client, error) {
 		return nil, fmt.Errorf("building Client: %+v", err)
 	}
 
-	if features.EnhancedValidationEnabled() {
+	if builder.Features.EnhancedValidation.Locations {
+		ctx2, cancel := context.WithTimeout(ctx, 10*time.Minute)
+		defer cancel()
+
+		location.CacheSupportedLocations(ctx2, *resourceManagerEndpoint)
+	}
+
+	if builder.Features.EnhancedValidation.ResourceProviders {
 		subscriptionId := commonids.NewSubscriptionID(client.Account.SubscriptionId)
 
 		ctx2, cancel := context.WithTimeout(ctx, 10*time.Minute)
 		defer cancel()
 
-		location.CacheSupportedLocations(ctx2, *resourceManagerEndpoint)
 		if err := resourceproviders.CacheSupportedProviders(ctx2, client.Resource.ResourceProvidersClient, subscriptionId); err != nil {
 			log.Printf("[DEBUG] error retrieving providers: %s. Enhanced validation will be unavailable", err)
 		}

internal/clients/builder.go

@@ -10,6 +10,10 @@ func Default() UserFeatures {
 			PurgeSoftDeleteOnDestroy: true,
 			RecoverSoftDeleted:       true,
 		},
+		EnhancedValidation: EnhancedValidationFeatures{
+			Locations:         !FivePointOh(),
+			ResourceProviders: !FivePointOh(),
+		},
 		AppConfiguration: AppConfigurationFeatures{
 			PurgeSoftDeleteOnDestroy: true,
 			RecoverSoftDeleted:       true,

internal/features/defaults.go

@@ -4,22 +4,105 @@
 package features
 
 import (
+	"fmt"
 	"os"
 	"strings"
 )
 
 // EnhancedValidationEnabled returns whether the feature for Enhanced Validation is enabled.
 //
 // This functionality calls out to the Azure MetaData Service to cache the list of supported
-// Azure Locations for the specified Endpoint - and then uses that to provide enhanced validation
+// Azure Locations and Resource Providers for the specified Endpoint - and then uses that to
+// provide enhanced validation. When enabled, invalid locations or resource providers are caught
+// at `terraform plan` time. When disabled, these errors are caught at `terraform apply` time
+// when Azure rejects the request.
 //
-// This is enabled by default as of version 2.20 of the Azure Provider, and can be disabled by
-// setting the Environment Variable `ARM_PROVIDER_ENHANCED_VALIDATION` to `false`.
+// This is enabled by default in version 4.x and disabled by default as of version 5.0 of the
+// Azure Provider. The default can be overridden by setting the Environment Variable
+// `ARM_PROVIDER_ENHANCED_VALIDATION` to `true` or `false`.
 func EnhancedValidationEnabled() bool {
 	value := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION")
 	if value == "" {
-		return true
+		// In 5.0, default to disabled; in 4.x, default to enabled
+		return !FivePointOh()
 	}
 
 	return strings.EqualFold(value, "true")
 }
+
+// EnhancedValidationLocationsEnabled returns whether Enhanced Validation for Locations is enabled.
+//
+// This checks the `ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS` environment variable first,
+// falling back to the legacy `ARM_PROVIDER_ENHANCED_VALIDATION` environment variable, then to the
+// version default (enabled in 4.x, disabled in 5.0).
+func EnhancedValidationLocationsEnabled() bool {
+	// Check the locations-specific env var first
+	value := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS")
+	if value != "" {
+		return strings.EqualFold(value, "true")
+	}
+
+	// In 4.x, fall back to the legacy environment variable
+	if !FivePointOh() {
+		return EnhancedValidationEnabled()
+	}
+
+	// In 5.0, default to disabled
+	return false
+}
+
+// EnhancedValidationResourceProvidersEnabled returns whether Enhanced Validation for Resource Providers is enabled.
+//
+// This checks the `ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS` environment variable first,
+// falling back to the legacy `ARM_PROVIDER_ENHANCED_VALIDATION` environment variable, then to the
+// version default (enabled in 4.x, disabled in 5.0).
+func EnhancedValidationResourceProvidersEnabled() bool {
+	// Check the resource-providers-specific env var first
+	value := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS")
+	if value != "" {
+		return strings.EqualFold(value, "true")
+	}
+
+	// In 4.x, fall back to the legacy environment variable
+	if !FivePointOh() {
+		return EnhancedValidationEnabled()
+	}
+
+	// In 5.0, default to disabled
+	return false
+}
+
+// ValidateEnhancedValidationEnvVars validates the enhanced validation environment variables.
+//
+// In version 5.0, the legacy `ARM_PROVIDER_ENHANCED_VALIDATION` environment variable has been
+// removed - an error is returned if it is set, directing users to migrate to the specific
+// environment variables or the `enhanced_validation` provider block.
+//
+// In version 4.x, the legacy environment variable is still supported, but it cannot be set
+// at the same time as any of the specific environment variables.
+func ValidateEnhancedValidationEnvVars() error {
+	legacyEnv := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION")
+	if legacyEnv == "" {
+		return nil
+	}
+
+	// In 5.0, the legacy env var is no longer supported
+	if FivePointOh() {
+		return fmt.Errorf("the environment variable `ARM_PROVIDER_ENHANCED_VALIDATION` has been removed in v5.0 of the AzureRM Provider - please use the `enhanced_validation` provider block or the replacement environment variables `ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS` and `ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS` instead")
+	}
+
+	// In 4.x, check for conflicts with specific env vars
+	var conflicts []string
+	if v := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS"); v != "" {
+		conflicts = append(conflicts, "ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS")
+	}
+	if v := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS"); v != "" {
+		conflicts = append(conflicts, "ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS")
+	}
+
+	if len(conflicts) > 0 {
+		return fmt.Errorf("the environment variable `ARM_PROVIDER_ENHANCED_VALIDATION` cannot be set at the same time as %v - please either use the legacy `ARM_PROVIDER_ENHANCED_VALIDATION` or the replacement environment variables, but not both", conflicts)
+	}
+
+	return nil
+}

internal/features/enhanced_validation.go

@@ -8,6 +8,7 @@ type UserFeatures struct {
 	AppConfiguration         AppConfigurationFeatures
 	ApplicationInsights      ApplicationInsightFeatures
 	CognitiveAccount         CognitiveAccountFeatures
+	EnhancedValidation       EnhancedValidationFeatures
 	VirtualMachine           VirtualMachineFeatures
 	VirtualMachineScaleSet   VirtualMachineScaleSetFeatures
 	KeyVault                 KeyVaultFeatures
@@ -29,6 +30,11 @@ type CognitiveAccountFeatures struct {
 	PurgeSoftDeleteOnDestroy bool
 }
 
+type EnhancedValidationFeatures struct {
+	Locations         bool
+	ResourceProviders bool
+}
+
 type VirtualMachineFeatures struct {
 	DetachImplicitDataDiskOnDeletion bool
 	DeleteOSDiskOnDeletion           bool

internal/features/user_flags.go

@@ -35,6 +35,10 @@ func TestExpandFeatures(t *testing.T) {
 				CognitiveAccount: features.CognitiveAccountFeatures{
 					PurgeSoftDeleteOnDestroy: true,
 				},
+				EnhancedValidation: features.EnhancedValidationFeatures{
+					Locations:         true,
+					ResourceProviders: true,
+				},
 				KeyVault: features.KeyVaultFeatures{
 					PurgeSoftDeletedCertsOnDestroy:   true,
 					PurgeSoftDeletedKeysOnDestroy:    true,
@@ -236,6 +240,10 @@ func TestExpandFeatures(t *testing.T) {
 				CognitiveAccount: features.CognitiveAccountFeatures{
 					PurgeSoftDeleteOnDestroy: true,
 				},
+				EnhancedValidation: features.EnhancedValidationFeatures{
+					Locations:         true,
+					ResourceProviders: true,
+				},
 				KeyVault: features.KeyVaultFeatures{
 					PurgeSoftDeletedCertsOnDestroy:   true,
 					PurgeSoftDeletedKeysOnDestroy:    true,
@@ -437,6 +445,10 @@ func TestExpandFeatures(t *testing.T) {
 				CognitiveAccount: features.CognitiveAccountFeatures{
 					PurgeSoftDeleteOnDestroy: false,
 				},
+				EnhancedValidation: features.EnhancedValidationFeatures{
+					Locations:         true,
+					ResourceProviders: true,
+				},
 				KeyVault: features.KeyVaultFeatures{
 					PurgeSoftDeletedCertsOnDestroy:   false,
 					PurgeSoftDeletedKeysOnDestroy:    false,

internal/provider/features_test.go

@@ -126,6 +126,36 @@ func (p *ProviderConfig) Load(ctx context.Context, data *ProviderModel, tfVersio
 	p.clientBuilder.DisableCorrelationRequestID = getEnvBoolOrDefault(data.DisableCorrelationRequestId, "ARM_DISABLE_CORRELATION_REQUEST_ID", false)
 	p.clientBuilder.DisableTerraformPartnerID = getEnvBoolOrDefault(data.DisableTerraformPartnerId, "ARM_DISABLE_TERRAFORM_PARTNER_ID", false)
 	p.clientBuilder.StorageUseAzureAD = getEnvBoolOrDefault(data.StorageUseAzureAD, "ARM_STORAGE_USE_AZUREAD", false)
+	// In 4.x, validate that the legacy and specific enhanced validation env vars don't conflict
+	if !providerfeatures.FivePointOh() {
+		if err := providerfeatures.ValidateEnhancedValidationEnvVars(); err != nil {
+			diags.Append(diag.NewErrorDiagnostic("validating enhanced validation environment variables", err.Error()))
+			return
+		}
+	} else if os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION") != "" {
+		diags.Append(diag.NewErrorDiagnostic("unsupported environment variable", "the environment variable `ARM_PROVIDER_ENHANCED_VALIDATION` has been removed in v5.0 of the AzureRM Provider - please use the `enhanced_validation` provider block or the replacement environment variables `ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS` and `ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS` instead"))
+		return
+	}
+
+	// Read enhanced_validation block
+	enhancedValidationLocations := providerfeatures.EnhancedValidationLocationsEnabled()
+	enhancedValidationResourceProviders := providerfeatures.EnhancedValidationResourceProvidersEnabled()
+	if !data.EnhancedValidation.IsNull() && !data.EnhancedValidation.IsUnknown() {
+		var evList []EnhancedValidationModel
+		d := data.EnhancedValidation.ElementsAs(ctx, &evList, true)
+		diags.Append(d...)
+		if diags.HasError() {
+			return
+		}
+		if len(evList) > 0 {
+			if !evList[0].Locations.IsNull() && !evList[0].Locations.IsUnknown() {
+				enhancedValidationLocations = evList[0].Locations.ValueBool()
+			}
+			if !evList[0].ResourceProviders.IsNull() && !evList[0].ResourceProviders.IsUnknown() {
+				enhancedValidationResourceProviders = evList[0].ResourceProviders.ValueBool()
+			}
+		}
+	}
 
 	f := providerfeatures.UserFeatures{}
 
@@ -521,6 +551,9 @@ func (p *ProviderConfig) Load(ctx context.Context, data *ProviderModel, tfVersio
 		}
 	}
 
+	f.EnhancedValidation.Locations = enhancedValidationLocations
+	f.EnhancedValidation.ResourceProviders = enhancedValidationResourceProviders
+
 	p.clientBuilder.Features = f
 	p.clientBuilder.AuthConfig = authConfig
 	p.clientBuilder.CustomCorrelationRequestID = os.Getenv("ARM_CORRELATION_REQUEST_ID")

internal/provider/framework/config.go

@@ -26,12 +26,16 @@ func TestProviderConfig_LoadDefault(t *testing.T) {
 		t.Skip("ARM_CLIENT_SECRET env var not set")
 	}
 
-	// Skip enhanced validation
-	t.Setenv("ARM_PROVIDER_ENHANCED_VALIDATION", "false")
+	enhancedValidation, _ := basetypes.NewObjectValueFrom(context.Background(), EnhancedValidationModelAttributes, map[string]attr.Value{
+		"locations":          basetypes.NewBoolValue(false),
+		"resource_providers": basetypes.NewBoolValue(false),
+	})
+	enhancedValidationList, _ := basetypes.NewListValue(types.ObjectType{}.WithAttributeTypes(EnhancedValidationModelAttributes), []attr.Value{enhancedValidation})
 
 	testData := &ProviderModel{
 		ResourceProviderRegistrations: types.StringValue("none"),
 		Features:                      defaultFeaturesList(),
+		EnhancedValidation:            enhancedValidationList,
 	}
 
 	testConfig.Load(context.Background(), testData, "unittest", &diag.Diagnostics{})