provider: change ARM_PROVIDER_ENHANCED_VALIDATION default to false in 5.0 (#31678)

Co-authored-by: sreallymatt <106555974+sreallymatt@users.noreply.github.com>

Author: katbyte

internal/clients/builder.go

@@ -156,13 +156,19 @@ func Build(ctx context.Context, builder ClientBuilder) (*Client, error) {
 		return nil, fmt.Errorf("building Client: %+v", err)
 	}
 
-	if features.EnhancedValidationEnabled() {
+	if builder.Features.EnhancedValidation.Locations {
+		ctx2, cancel := context.WithTimeout(ctx, 10*time.Minute)
+		defer cancel()
+
+		location.CacheSupportedLocations(ctx2, *resourceManagerEndpoint)
+	}
+
+	if builder.Features.EnhancedValidation.ResourceProviders {
 		subscriptionId := commonids.NewSubscriptionID(client.Account.SubscriptionId)
 
 		ctx2, cancel := context.WithTimeout(ctx, 10*time.Minute)
 		defer cancel()
 
-		location.CacheSupportedLocations(ctx2, *resourceManagerEndpoint)
 		if err := resourceproviders.CacheSupportedProviders(ctx2, client.Resource.ResourceProvidersClient, subscriptionId); err != nil {
 			log.Printf("[DEBUG] error retrieving providers: %s. Enhanced validation will be unavailable", err)
 		}

internal/features/defaults.go

@@ -10,6 +10,10 @@ func Default() UserFeatures {
 			PurgeSoftDeleteOnDestroy: true,
 			RecoverSoftDeleted:       true,
 		},
+		EnhancedValidation: EnhancedValidationFeatures{
+			Locations:         !FivePointOh(),
+			ResourceProviders: !FivePointOh(),
+		},
 		AppConfiguration: AppConfigurationFeatures{
 			PurgeSoftDeleteOnDestroy: true,
 			RecoverSoftDeleted:       true,

internal/features/enhanced_validation.go

@@ -4,22 +4,105 @@
 package features
 
 import (
+	"fmt"
 	"os"
 	"strings"
 )
 
 // EnhancedValidationEnabled returns whether the feature for Enhanced Validation is enabled.
 //
 // This functionality calls out to the Azure MetaData Service to cache the list of supported
-// Azure Locations for the specified Endpoint - and then uses that to provide enhanced validation
+// Azure Locations and Resource Providers for the specified Endpoint - and then uses that to
+// provide enhanced validation. When enabled, invalid locations or resource providers are caught
+// at `terraform plan` time. When disabled, these errors are caught at `terraform apply` time
+// when Azure rejects the request.
 //
-// This is enabled by default as of version 2.20 of the Azure Provider, and can be disabled by
-// setting the Environment Variable `ARM_PROVIDER_ENHANCED_VALIDATION` to `false`.
+// This is enabled by default in version 4.x and disabled by default as of version 5.0 of the
+// Azure Provider. The default can be overridden by setting the Environment Variable
+// `ARM_PROVIDER_ENHANCED_VALIDATION` to `true` or `false`.
 func EnhancedValidationEnabled() bool {
 	value := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION")
 	if value == "" {
-		return true
+		// In 5.0, default to disabled; in 4.x, default to enabled
+		return !FivePointOh()
 	}
 
 	return strings.EqualFold(value, "true")
 }
+
+// EnhancedValidationLocationsEnabled returns whether Enhanced Validation for Locations is enabled.
+//
+// This checks the `ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS` environment variable first,
+// falling back to the legacy `ARM_PROVIDER_ENHANCED_VALIDATION` environment variable, then to the
+// version default (enabled in 4.x, disabled in 5.0).
+func EnhancedValidationLocationsEnabled() bool {
+	// Check the locations-specific env var first
+	value := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS")
+	if value != "" {
+		return strings.EqualFold(value, "true")
+	}
+
+	// In 4.x, fall back to the legacy environment variable
+	if !FivePointOh() {
+		return EnhancedValidationEnabled()
+	}
+
+	// In 5.0, default to disabled
+	return false
+}
+
+// EnhancedValidationResourceProvidersEnabled returns whether Enhanced Validation for Resource Providers is enabled.
+//
+// This checks the `ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS` environment variable first,
+// falling back to the legacy `ARM_PROVIDER_ENHANCED_VALIDATION` environment variable, then to the
+// version default (enabled in 4.x, disabled in 5.0).
+func EnhancedValidationResourceProvidersEnabled() bool {
+	// Check the resource-providers-specific env var first
+	value := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS")
+	if value != "" {
+		return strings.EqualFold(value, "true")
+	}
+
+	// In 4.x, fall back to the legacy environment variable
+	if !FivePointOh() {
+		return EnhancedValidationEnabled()
+	}
+
+	// In 5.0, default to disabled
+	return false
+}
+
+// ValidateEnhancedValidationEnvVars validates the enhanced validation environment variables.
+//
+// In version 5.0, the legacy `ARM_PROVIDER_ENHANCED_VALIDATION` environment variable has been
+// removed - an error is returned if it is set, directing users to migrate to the specific
+// environment variables or the `enhanced_validation` provider block.
+//
+// In version 4.x, the legacy environment variable is still supported, but it cannot be set
+// at the same time as any of the specific environment variables.
+func ValidateEnhancedValidationEnvVars() error {
+	legacyEnv := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION")
+	if legacyEnv == "" {
+		return nil
+	}
+
+	// In 5.0, the legacy env var is no longer supported
+	if FivePointOh() {
+		return fmt.Errorf("the environment variable `ARM_PROVIDER_ENHANCED_VALIDATION` has been removed in v5.0 of the AzureRM Provider - please use the `enhanced_validation` provider block or the replacement environment variables `ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS` and `ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS` instead")
+	}
+
+	// In 4.x, check for conflicts with specific env vars
+	var conflicts []string
+	if v := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS"); v != "" {
+		conflicts = append(conflicts, "ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS")
+	}
+	if v := os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS"); v != "" {
+		conflicts = append(conflicts, "ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS")
+	}
+
+	if len(conflicts) > 0 {
+		return fmt.Errorf("the environment variable `ARM_PROVIDER_ENHANCED_VALIDATION` cannot be set at the same time as %v - please either use the legacy `ARM_PROVIDER_ENHANCED_VALIDATION` or the replacement environment variables, but not both", conflicts)
+	}
+
+	return nil
+}

internal/features/user_flags.go

@@ -8,6 +8,7 @@ type UserFeatures struct {
 	AppConfiguration         AppConfigurationFeatures
 	ApplicationInsights      ApplicationInsightFeatures
 	CognitiveAccount         CognitiveAccountFeatures
+	EnhancedValidation       EnhancedValidationFeatures
 	VirtualMachine           VirtualMachineFeatures
 	VirtualMachineScaleSet   VirtualMachineScaleSetFeatures
 	KeyVault                 KeyVaultFeatures
@@ -29,6 +30,11 @@ type CognitiveAccountFeatures struct {
 	PurgeSoftDeleteOnDestroy bool
 }
 
+type EnhancedValidationFeatures struct {
+	Locations         bool
+	ResourceProviders bool
+}
+
 type VirtualMachineFeatures struct {
 	DetachImplicitDataDiskOnDeletion bool
 	DeleteOSDiskOnDeletion           bool

internal/provider/features_test.go

@@ -35,6 +35,10 @@ func TestExpandFeatures(t *testing.T) {
 				CognitiveAccount: features.CognitiveAccountFeatures{
 					PurgeSoftDeleteOnDestroy: true,
 				},
+				EnhancedValidation: features.EnhancedValidationFeatures{
+					Locations:         true,
+					ResourceProviders: true,
+				},
 				KeyVault: features.KeyVaultFeatures{
 					PurgeSoftDeletedCertsOnDestroy:   true,
 					PurgeSoftDeletedKeysOnDestroy:    true,
@@ -236,6 +240,10 @@ func TestExpandFeatures(t *testing.T) {
 				CognitiveAccount: features.CognitiveAccountFeatures{
 					PurgeSoftDeleteOnDestroy: true,
 				},
+				EnhancedValidation: features.EnhancedValidationFeatures{
+					Locations:         true,
+					ResourceProviders: true,
+				},
 				KeyVault: features.KeyVaultFeatures{
 					PurgeSoftDeletedCertsOnDestroy:   true,
 					PurgeSoftDeletedKeysOnDestroy:    true,
@@ -437,6 +445,10 @@ func TestExpandFeatures(t *testing.T) {
 				CognitiveAccount: features.CognitiveAccountFeatures{
 					PurgeSoftDeleteOnDestroy: false,
 				},
+				EnhancedValidation: features.EnhancedValidationFeatures{
+					Locations:         true,
+					ResourceProviders: true,
+				},
 				KeyVault: features.KeyVaultFeatures{
 					PurgeSoftDeletedCertsOnDestroy:   false,
 					PurgeSoftDeletedKeysOnDestroy:    false,

internal/provider/framework/config.go

@@ -126,6 +126,36 @@ func (p *ProviderConfig) Load(ctx context.Context, data *ProviderModel, tfVersio
 	p.clientBuilder.DisableCorrelationRequestID = getEnvBoolOrDefault(data.DisableCorrelationRequestId, "ARM_DISABLE_CORRELATION_REQUEST_ID", false)
 	p.clientBuilder.DisableTerraformPartnerID = getEnvBoolOrDefault(data.DisableTerraformPartnerId, "ARM_DISABLE_TERRAFORM_PARTNER_ID", false)
 	p.clientBuilder.StorageUseAzureAD = getEnvBoolOrDefault(data.StorageUseAzureAD, "ARM_STORAGE_USE_AZUREAD", false)
+	// In 4.x, validate that the legacy and specific enhanced validation env vars don't conflict
+	if !providerfeatures.FivePointOh() {
+		if err := providerfeatures.ValidateEnhancedValidationEnvVars(); err != nil {
+			diags.Append(diag.NewErrorDiagnostic("validating enhanced validation environment variables", err.Error()))
+			return
+		}
+	} else if os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION") != "" {
+		diags.Append(diag.NewErrorDiagnostic("unsupported environment variable", "the environment variable `ARM_PROVIDER_ENHANCED_VALIDATION` has been removed in v5.0 of the AzureRM Provider - please use the `enhanced_validation` provider block or the replacement environment variables `ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS` and `ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS` instead"))
+		return
+	}
+
+	// Read enhanced_validation block
+	enhancedValidationLocations := providerfeatures.EnhancedValidationLocationsEnabled()
+	enhancedValidationResourceProviders := providerfeatures.EnhancedValidationResourceProvidersEnabled()
+	if !data.EnhancedValidation.IsNull() && !data.EnhancedValidation.IsUnknown() {
+		var evList []EnhancedValidationModel
+		d := data.EnhancedValidation.ElementsAs(ctx, &evList, true)
+		diags.Append(d...)
+		if diags.HasError() {
+			return
+		}
+		if len(evList) > 0 {
+			if !evList[0].Locations.IsNull() && !evList[0].Locations.IsUnknown() {
+				enhancedValidationLocations = evList[0].Locations.ValueBool()
+			}
+			if !evList[0].ResourceProviders.IsNull() && !evList[0].ResourceProviders.IsUnknown() {
+				enhancedValidationResourceProviders = evList[0].ResourceProviders.ValueBool()
+			}
+		}
+	}
 
 	f := providerfeatures.UserFeatures{}
 
@@ -521,6 +551,9 @@ func (p *ProviderConfig) Load(ctx context.Context, data *ProviderModel, tfVersio
 		}
 	}
 
+	f.EnhancedValidation.Locations = enhancedValidationLocations
+	f.EnhancedValidation.ResourceProviders = enhancedValidationResourceProviders
+
 	p.clientBuilder.Features = f
 	p.clientBuilder.AuthConfig = authConfig
 	p.clientBuilder.CustomCorrelationRequestID = os.Getenv("ARM_CORRELATION_REQUEST_ID")

internal/provider/framework/config_test.go

@@ -26,12 +26,16 @@ func TestProviderConfig_LoadDefault(t *testing.T) {
 		t.Skip("ARM_CLIENT_SECRET env var not set")
 	}
 
-	// Skip enhanced validation
-	t.Setenv("ARM_PROVIDER_ENHANCED_VALIDATION", "false")
+	enhancedValidation, _ := basetypes.NewObjectValueFrom(context.Background(), EnhancedValidationModelAttributes, map[string]attr.Value{
+		"locations":          basetypes.NewBoolValue(false),
+		"resource_providers": basetypes.NewBoolValue(false),
+	})
+	enhancedValidationList, _ := basetypes.NewListValue(types.ObjectType{}.WithAttributeTypes(EnhancedValidationModelAttributes), []attr.Value{enhancedValidation})
 
 	testData := &ProviderModel{
 		ResourceProviderRegistrations: types.StringValue("none"),
 		Features:                      defaultFeaturesList(),
+		EnhancedValidation:            enhancedValidationList,
 	}
 
 	testConfig.Load(context.Background(), testData, "unittest", &diag.Diagnostics{})

internal/provider/framework/model.go

@@ -36,6 +36,7 @@ type ProviderModel struct {
 	DisableCorrelationRequestId    types.Bool   `tfsdk:"disable_correlation_request_id"`
 	DisableTerraformPartnerId      types.Bool   `tfsdk:"disable_terraform_partner_id"`
 	StorageUseAzureAD              types.Bool   `tfsdk:"storage_use_azuread"`
+	EnhancedValidation             types.List   `tfsdk:"enhanced_validation"`
 	Features                       types.List   `tfsdk:"features"`
 	SkipProviderRegistration       types.Bool   `tfsdk:"skip_provider_registration"` // TODO - Remove in 5.0
 	ResourceProviderRegistrations  types.String `tfsdk:"resource_provider_registrations"`
@@ -281,3 +282,13 @@ type DatabricksWorkspace struct {
 var DatabricksWorkspaceAttributes = map[string]attr.Type{
 	"force_delete": types.BoolType,
 }
+
+type EnhancedValidationModel struct {
+	Locations         types.Bool `tfsdk:"locations"`
+	ResourceProviders types.Bool `tfsdk:"resource_providers"`
+}
+
+var EnhancedValidationModelAttributes = map[string]attr.Type{
+	"locations":          types.BoolType,
+	"resource_providers": types.BoolType,
+}

internal/provider/framework/provider.go

@@ -239,6 +239,23 @@ func (p *azureRmFrameworkProvider) Schema(_ context.Context, _ provider.SchemaRe
 		},
 
 		Blocks: map[string]schema.Block{
+			"enhanced_validation": schema.ListNestedBlock{
+				Validators: []validator.List{
+					listvalidator.SizeAtMost(1),
+				},
+				NestedObject: schema.NestedBlockObject{
+					Attributes: map[string]schema.Attribute{
+						"locations": schema.BoolAttribute{
+							Optional:    true,
+							Description: "Should the AzureRM Provider validate location arguments against the list of supported Azure Locations? When enabled, invalid locations are caught at plan time; when disabled, they are caught at apply time.",
+						},
+						"resource_providers": schema.BoolAttribute{
+							Optional:    true,
+							Description: "Should the AzureRM Provider validate Resource Provider arguments against the list of supported Resource Providers? When enabled, invalid resource providers are caught at plan time; when disabled, they are caught at apply time.",
+						},
+					},
+				},
+			},
 			"features": schema.ListNestedBlock{
 				Validators: []validator.List{
 					listvalidator.SizeBetween(1, 1),

internal/provider/provider.go

@@ -376,6 +376,28 @@ func azureProvider(supportLegacyTestSuite bool) *schema.Provider {
 				DefaultFunc: schema.EnvDefaultFunc("ARM_STORAGE_USE_AZUREAD", false),
 				Description: "Should the AzureRM Provider use Azure AD Authentication when accessing the Storage Data Plane APIs?",
 			},
+
+			"enhanced_validation": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"locations": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							DefaultFunc: schema.EnvDefaultFunc("ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS", features.EnhancedValidationLocationsEnabled()),
+							Description: "Should the AzureRM Provider validate location arguments against the list of supported Azure Locations? When enabled, invalid locations are caught at plan time; when disabled, they are caught at apply time.",
+						},
+						"resource_providers": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							DefaultFunc: schema.EnvDefaultFunc("ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS", features.EnhancedValidationResourceProvidersEnabled()),
+							Description: "Should the AzureRM Provider validate Resource Provider arguments against the list of supported Resource Providers? When enabled, invalid resource providers are caught at plan time; when disabled, they are caught at apply time.",
+						},
+					},
+				},
+			},
 		},
 
 		DataSourcesMap: dataSources,
@@ -544,6 +566,29 @@ func buildClient(ctx context.Context, p *schema.Provider, d *schema.ResourceData
 		CustomCorrelationRequestID: os.Getenv("ARM_CORRELATION_REQUEST_ID"),
 	}
 
+	// In 4.x, validate that the legacy and specific enhanced validation env vars don't conflict
+	if !features.FivePointOh() {
+		if err := features.ValidateEnhancedValidationEnvVars(); err != nil {
+			return nil, diag.FromErr(err)
+		}
+	} else if os.Getenv("ARM_PROVIDER_ENHANCED_VALIDATION") != "" {
+		return nil, diag.Errorf("the environment variable `ARM_PROVIDER_ENHANCED_VALIDATION` has been removed in v5.0 of the AzureRM Provider - please use the `enhanced_validation` provider block or the replacement environment variables `ARM_PROVIDER_ENHANCED_VALIDATION_LOCATIONS` and `ARM_PROVIDER_ENHANCED_VALIDATION_RESOURCE_PROVIDERS` instead")
+	}
+
+	// Read enhanced_validation block
+	if raw, ok := d.GetOk("enhanced_validation"); ok {
+		items := raw.([]interface{})
+		if len(items) > 0 && items[0] != nil {
+			evRaw := items[0].(map[string]interface{})
+			if v, ok := evRaw["locations"]; ok {
+				clientBuilder.Features.EnhancedValidation.Locations = v.(bool)
+			}
+			if v, ok := evRaw["resource_providers"]; ok {
+				clientBuilder.Features.EnhancedValidation.ResourceProviders = v.(bool)
+			}
+		}
+	}
+
 	//lint:ignore SA1019 SDKv2 migration - staticcheck's own linter directives are currently being ignored under golangci-lint
 	stopCtx, ok := schema.StopContext(ctx) //nolint:staticcheck
 	if !ok {