apimanagement.Service: pulumi-azure says client_certificate_enabled must be False but Azure API says it must be True #3315

@codethief

Describe what happened

I'm deploying a pulumi_azure.apimanagement.Service with sku_name="Developer_1". After setting client_certificate_enabled=True, running pulumi up will have the pulumi-azure provider complain that

Diagnostics:
  azure:apimanagement:Service (my-apim):
    error:   sdk-v2/provider2.go:566: sdk.helper_schema: `client_certificate_enabled` is only supported when sku type is `Consumption`: [email protected]
    error: 1 error occurred:
    	* updating urn:pulumi:dev::my-project::<parent component>$azure:apimanagement/service:Service::my-apim: 1 error occurred:
    	* `client_certificate_enabled` is only supported when sku type is `Consumption`

which is also what the API docs say.

However, when setting client_certificate_enabled=False, pulumi up yields:

Service Name: "my-apim"): performing Update: unexpected status 400 (400 Bad Request) with error: EnableClientCertificateCannotBeChangedForSku: Setting EnableClientCertificate flag to false is not supported for Developer SKU.

As a result, I can only set client_certificate_enabled=None and trust that the default is (and stays) what I want.

Sample program

Writing a fully reproducible program is difficult because of all the other resources you need to deploy an API Management service but the gist is:

import pulumi_azure

pulumi_azure.apimanagement.Service(
    resource_name="my-apim",
    sku_name="Developer_1",
    client_certificate_enabled=True,
    # …
)

Log output

See above

Affected Resource(s)

pulumi_azure.apimanagement.Service

Output of pulumi about

$ pulumi about
CLI
Version      3.178.0
Go Version   go1.24.4
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  acme          0.10.0
resource  azure         6.22.1
resource  azure-native  3.4.0
language  python        3.178.0
resource  time          0.1.1
resource  tls           5.2.0

Host
OS       nixos
Version  25.11 (Xantusia)
Arch     x86_64


This project is written in python: executable='/path/to/my-project/.venv/bin/python' version='3.12.11'

Current Stack: organization/my-project/dev

[…]

Backend
Name           my-hostname
URL            azblob://…
User            my-user
Organizations
Token type     personal

Dependencies:
NAME                   VERSION
Jinja2                 3.1.6
nodejs-wheel-binaries  22.16.0
pulumi_azure           6.22.1
pulumi_azure_native    3.4.0
pulumi_tls             5.2.0
pulumiverse_acme       0.10.0
pulumiverse_time       0.1.1
pydantic               2.11.4
pyright                1.1.401
pytest-mock            3.14.0

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

Metadata

    Labels

    awaiting-upstream: The issue cannot be resolved without action in another repository (may be owned by Pulumi).
    kind/bug: Some behavior is incorrect or out of spec
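Added example, not part of the issue and not pulumi-azure code: one way to avoid both rejections reported above and to verify the effective client-certificate setting rather than trusting the default. The function names are hypothetical, the ARM JSON is constructed, and reading the value from `properties.enableClientCertificate` of the service's ARM representation is an assumption of this sketch.

```python
import json

# Constructed sample: trimmed shape of an ARM "Microsoft.ApiManagement/service"
# resource as a GET might return it; values are illustrative, not from the issue.
SAMPLE_ARM_JSON = """
{"name": "my-apim",
 "sku": {"name": "Developer", "capacity": 1},
 "properties": {"enableClientCertificate": true}}
"""


def client_cert_kwargs(sku_name, want_enabled):
    """Build the client_certificate_enabled argument for apimanagement.Service.

    Encodes the two rejections shown in the issue:
      - the provider rejects True unless the SKU type is Consumption
      - Azure rejects False on the Developer SKU
    """
    tier = sku_name.split("_", 1)[0]  # "Developer_1" -> "Developer"
    if tier == "Consumption":
        return {"client_certificate_enabled": want_enabled}
    if tier == "Developer" and not want_enabled:
        raise ValueError("Azure rejects EnableClientCertificate=false on Developer SKU")
    # Otherwise leave the argument unset (None) so neither validation fires;
    # the effective value must then be verified separately with check_drift().
    return {}


def effective_setting(arm_json):
    """Return the value Azure reports, or None if the property is absent."""
    props = json.loads(arm_json).get("properties", {})
    return props.get("enableClientCertificate")


def check_drift(arm_json, want_enabled):
    """Return None when the effective value matches, else a finding string."""
    actual = effective_setting(arm_json)
    if actual is want_enabled:
        return None
    return f"enableClientCertificate is {actual!r}, expected {want_enabled!r}"


if __name__ == "__main__":
    print(client_cert_kwargs("Developer_1", True))
    print(check_drift(SAMPLE_ARM_JSON, True))
```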