ARM API version linter: prevent preview API from being used in azurerm

[gerrytan]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

Usage of preview ARM API version is a big grey area. This PR adds a new linter "ARM API Version Linting" that prevents preview API from being imported. It does so by scanning the vendor folder for 3 piece of information: go modules name + service + version string.

The linter is invoked when PRs are opened / new commits pushed on the PR.

Historical use of preview APIs are allowlisted in historical-exceptions.yml.

A documentation to educate users on the consequences of preview API, and also process to obtain new exceptions has been added, see guide-api-version.md

With this process contributors will be more informed about risks and consequences of preview API and increased transparency on why a specific preview API was used.

See below example of a PR that fails the linter checks:

https://github.com/hashicorp/terraform-provider-azurerm/actions/runs/17665781010/job/50207049336

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevant documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• [] (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

No azurerm user facing changes

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

n/a

Rollback Plan

Disable the GitHub workflow "ARM API Version Linting" via UI

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[mybayern1974]

suggest stating stableVersionTargetDate as optional as there would be cases the preview API promoter could provide justifications to enroll preview API but their team has no clear plan to release stable. In addition, there might be further justifications as "our preview API would always be of prod SLA, so there is no need to wait our stable API."

[gerrytan]

We actually want a commitment to release stable version in the future. See the argument at the beginning of guide-api-version.md about automated breaking change checks. If this is bypassed, the API is always at risk of breaking change that severely impacts azurerm users. Such bypass should only be on temporary basis.

[mybayern1974]

As for the responsibleIndividual:

1. Assume it should be one of the API owner team, and let them know they are expected to sign on AzureRM repo here towards their justification on their preview API is ok to use
2. There might be exception on privacy say the API owner is not willing to expose their GH handles. While, we can start by this and see how it's going to work.

[gerrytan]

GH profile URL is always public in nature, and individuals can always fine-tune the GitHub privacy setting to expose / hide certain informations. The concept of ownership is important so we know who to contact / follow up to 2-3 months in the future if the needs arise.

[mybayern1974]

Suggest not mentioning this concrete v3.0 -> v4.0 example, because breaking api changes brought by preview API could be part of the reason that increases the duration between major versions, but it does not constitute the decisive factor. Mentioning the v3.0 -> v4.0 example implies its duration was due to breaking api changes brought by preview API.

[gerrytan]

Mentioning v3 -> v4 timeline here is only to highlight the potential user pain if a major version breaking change occur. While I understand it's not necessarily the future schedule going forward, it is a historical fact that can be viewed simply from the repository releases section.

[github-actions]

This PR is being labeled as "stale" because it has not been updated for 30 or more days.

If this PR is still valid, please remove the "stale" label. If this PR is blocked, please add it to the "Blocked" milestone.

If you need some help completing this PR, please leave a comment letting us know. Thank you!

[katbyte]

some quick comments

[katbyte]

Suggested change

	# Guide: ARM API Version
	# Guide: ARM API Versions

[katbyte]

Suggested change

Provider logic should be implemented using stable Azure Resource Manager (ARM) API version. Preview versions are prone to breaking changes which results in very poor azurerm user experience (eg: removed property). There are [automated checks on azure-rest-api-specs that prevents breaking changes against stable version](https://github.com/Azure/azure-rest-api-specs/blob/main/documentation/ci-fix.md#sdk-breaking-change-review). Such checks are not applicable to preview versions.

The provider should be implemented using stable Azure Resource Manager (ARM) API/SDK version. Preview versions are prone to sudden breaking changes which can result in a less then ideal user experience (eg: removed property or behavioural change). There are [automated checks on azure-rest-api-specs that prevents breaking changes against stable version](https://github.com/Azure/azure-rest-api-specs/blob/main/documentation/ci-fix.md#sdk-breaking-change-review) but they do not catch everything and are not applicable to preview versions.

[katbyte]

Suggested change

	Breaking API changes often materialise into [azurerm breaking change](guide-breaking-changes.md) which involves non-trivial upgrade steps and long major version release wait time. v3.0.0 was released in March 2022 and v4.0.0 in August 2024.
	These breaking API changes often materialise into [breaking changes](guide-breaking-changes.md) which can involve non-trivial upgrade steps and/or require waiting till a major version release to make the breaking change. v3.0.0 was released in March 2022 and v4.0.0 in August 2024.

[katbyte]

Suggested change

	Day-0 Terraform support for preview API should be done via [azapi provider](https://registry.terraform.io/providers/Azure/azapi/latest/docs) where users have full control of API version choice.
	Day-0 Terraform support for preview APIs can be done via [azapi provider](https://registry.terraform.io/providers/Azure/azapi/latest/docs) where users have full control of API version choice.

[katbyte]

Suggested change

	> preview API version usage is risky, prone to human error and can result in very poor azurerm user experience. Add an exception as a last resort only when all the consequences are fully understood.
	> using a preview API version can be risky, prone to human error, and can result in a substandard user experience. An exception is a last resort only when all the consequences are fully understood and there is no alternitive.

[katbyte]

Suggested change

	1. There is a clear business reason for not using stable API version, for example: reputational damage to Microsoft / Azure because azurerm Terraform support for the feature cannot be provided in time to meet customers' expectation and azapi support is insufficient
	1. Guarantee that no breaking change will be made to the relevant preview API that could negatively impact azurerm users
	1. There is a commitment to release a stable API version in the near future, a specific target date has to be set
	1. There is a responsible individual with deep knowledge of the API that can be contacted in the future if required
	1. There is an agreement between Microsoft and Hashicorp that the exception is appropriate
	1. There is a clear and compelling reason for not using a stable API version. For example: the fix for a critical security vulnerability or impactful bug is only available in a the preview version.
	1. There is a commitment from the service that no breaking changes will be made to the relevant preview API that could negatively impact azurerm users.
	1. There is a commitment from the service team to release a stable API version in the near future, a specific target date has to be set.
	1. There is a responsible individual with deep knowledge of the API that can be contacted in the future if required.
	1. There is an agreement between Microsoft and Hashicorp that the exception is appropriate.

[katbyte]

i might want to make this tool something more explicit like preview-api-version-lint[er] so its more descriptive in it focuses on preview apis

[katbyte]

some quick comments

[gerrytan]

Thank you for reviewing @katbyte , all comments have been addressed. Have also merged latest main and checked the GH workflow passes.

[catriona-m]

Hi @gerrytan thanks for working on this, I left a few suggestions inline for you to consider, but then I can take another look. Thanks!

[catriona-m]

Suggested change

The provider should be implemented using stable Azure Resource Manager (ARM) API/SDK version. Preview versions are prone to sudden breaking changes which can result in a less then ideal user experience (eg: removed property or behavioural change). There are [automated checks on azure-rest-api-specs that prevents breaking changes against stable version](https://github.com/Azure/azure-rest-api-specs/blob/main/documentation/ci-fix.md#sdk-breaking-change-review) but they do not catch everything and are not applicable to preview versions.

The provider should be implemented using stable Azure Resource Manager (ARM) API/SDK version. Preview versions are prone to sudden breaking changes which can result in a less than ideal user experience (eg: removed property or behavioural change). There are [automated checks on azure-rest-api-specs that prevents breaking changes against stable version](https://github.com/Azure/azure-rest-api-specs/blob/main/documentation/ci-fix.md#sdk-breaking-change-review) but they do not catch everything and are not applicable to preview versions.

[gerrytan]

Fixed in 205c261

[catriona-m]

Suggested change

Day-0 Terraform support for preview APIs can be done via [azapi provider](https://registry.terraform.io/providers/Azure/azapi/latest/docs) where users have full control of API version choice.

it would be good to focus on the do's/don'ts of preview versions in the provider for this guide, rather than making further recommendations that are outside of the provider

[gerrytan]

Fixed in 205c261

[catriona-m]

Suggested change

	In October 2025 we implemented an API version check on PRs that prevents the use of preview versions. All historical usages of preview versions have been allow-listed as exceptions. See `internal/tools/preview-api-version-linter` for the implementation details.
	In November 2025 we implemented an API version check on PRs that prevents the use of preview versions. All historical usages of preview versions have been allow-listed as exceptions. See `internal/tools/preview-api-version-linter` for the implementation details.

[gerrytan]

Fixed in 205c261

[catriona-m]

Suggested change

	> using a preview API version can be risky, prone to human error, and can result in a substandard user experience. An exception is a last resort only when all the consequences are fully understood and there is no alternative.
	> Using a preview API version can be risky, prone to human error, and can result in a substandard user experience. An exception is a last resort only when all the consequences are fully understood and there is no alternative.

[gerrytan]

Fixed in 205c261

[catriona-m]

Suggested change

	To add an exception to use preview API version, following criteria must be met:
	To add an exception to use preview API version, the following criteria must be met:

[gerrytan]

Fixedin 205c261

[catriona-m]

Suggested change

	1. There is a clear and compelling reason for not using a stable API version. For example: the fix for a critical security vulnerability or impactful bug is only available in a the preview version.
	1. There is a clear and compelling reason for not using a stable API version. For example: the fix for a critical security vulnerability or impactful bug is only available in the preview version.

[gerrytan]

Fixed in 205c261

[catriona-m]

Suggested change

> Feature being in preview phase is not a sufficient reason to add this exception. The concept of preview should be decoupled between feature and ARM API. It is okay to leave the feature in preview phase while having the API promoted to stable. This will safeguard the API against breaking changes and ensure azurerm support for the feature can be shipped sooner to customers. Otherwise Terraform support for the feature should be provided via azapi.

> A feature being in preview phase is not a sufficient reason to add this exception. The concept of preview should be decoupled between feature and ARM API. It is okay to leave the feature in preview phase while having the API promoted to stable. This will safeguard the API against breaking changes and ensure azurerm support for the feature can be shipped sooner to customers.

[gerrytan]

Fixed in 205c261

[catriona-m]

should we consider narrowing this down by packages or resources as well? having this scoped at the version could mean someone could use a preview api that is already in use the service, but for a different resource

[gerrytan]

Hi @catriona-m the current scoping / granularity should be sufficient:

1. Including the resource will increase the permutation, causing a very large allowlist / exception file, making it hard to maintain
2. True that further use of allow-listed preview API is harder to prevent, have to rely on PR review, but at the same time with this process the responsible individual from service team (someone with deep expertise of the API) would have already sign off the exemption and should be fully aware of the breaking change risk and consequences

[catriona-m]

Suggested change

	These breaking API changes often materialise into [breaking changes](guide-breaking-changes.md) which can involve non-trivial upgrade steps and/or require waiting till a major version release to make the breaking change. v3.0.0 was released in March 2022 and v4.0.0 in August 2024.
	These breaking API changes often materialise into [breaking changes](guide-breaking-changes.md) which can involve non-trivial upgrade steps and/or require waiting until a major version release to make the breaking change. v3.0.0 was released in March 2022 and v4.0.0 in August 2024.

[gerrytan]

Fixed in 205c261

[gerrytan]

Thank you @catriona-m , I have addressed all the feedbacks. Also have merged latest main and rerun the linter test.

Can you please have another look 🙏.

[catriona-m]

Thanks @gerrytan I just spotted one typo but once that's fixed this should be good to go.

[catriona-m]

Suggested change

	Preview versions are prone to sudden breaking changes which can result in a less then ideal user experience,
	Preview versions are prone to sudden breaking changes which can result in a less than ideal user experience,

[gerrytan]

Oops, thank you @catriona-m , I have pushed a fix for this

[gerrytan]

@catriona-m this PR is ready for you to take another look. I have addressed all feedbacks, merged latest main and fixed linter errors.

[catriona-m]

Thanks @gerrytan LGTM!

comments addressed

[gerrytan]

Thank you @catriona-m !

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.