Creating a dynamic scope for existing maintenance configuration

how to add dynamic scope to existing maintenance configuration.

I have created maintenance configuration using terraform. here is the code for maintenance configuration:

provider "azurerm" {
  features {}
terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "=0.4.0"
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
# resource "azurerm_maintenance_configuration" "example" {
#   name                = "example-mc"
#   resource_group_name =
#   location            = azurerm_resource_group.example.location
#   scope               = "InGuestPatch"
#   tags = {
#     Env = "prod"
#   }
# }
resource "azapi_resource" "vm_maintenance" {
  type      = "Microsoft.Maintenance/maintenanceConfigurations@2021-09-01-preview"
  name      = "vm-mc"
  parent_id = "/subscriptions/XXXX/resourceGroups/example-resources"
  location  = azurerm_resource_group.example.location
  body = jsonencode({
    properties = {
      visibility          = "Custom"
      namespace           = "Microsoft.Maintenance"
      maintenanceScope    = "InGuestPatch"
      extensionProperties = {
        "InGuestPatchMode" = "User"
      maintenanceWindow = {
        startDateTime      = formatdate("YYYY-MM-DD 17:30", timestamp())
        expirationDateTime = null
        duration           = "PT3H30M"
        timeZone           = "Eastern Standard Time"
        recurEvery         = "120Hour"
      installPatches = {
        linuxParameters = {
          classificationsToInclude  = ["Critical", "Security", "Other"]
          packageNameMasksToExclude = null
          packageNameMasksToInclude = null
        windowsParameters = {
          classificationsToInclude = ["Critical", "Security" , "UpdateRollup", "FeaturePack" , "ServicePack", "Definition" ,"Tools", "Updates"  ]
          kbNumbersToExclude       = null
          kbNumbersToInclude       = null 
        rebootSetting = "RebootIfRequired"
resource "azapi_resource" "vm_maintenance_assignment" {
  type      = "Microsoft.Maintenance/configurationAssignments@2021-09-01-preview"
  name      = "vm--mca"
  parent_id = "/subscriptions/XXX/resourceGroups/example-resources/providers/Microsoft.Compute/virtualMachines/test1"
  location  = "East US 2"
  body = jsonencode({
    properties = {
      maintenanceConfigurationId =

and I am trying to follow to add a dynamic scope to above maintenancee configuration but where to begin and how to provide input values

My approach with things such as this, where the AzureRM provider does not provide ‘native’ support and I am attempting to determine the specific properties I may need to update with the AZAPI provider is as follows:

  • Provision and configure the resource via the portal.
  • Once provisioned and configured, use the Resource Explorer in the portal to drill down into the configuration and try and work out from that what properties need to be sent via AZApi for the use case.

Hope that helps!

Happy Terraforming

Hi ExtelligencelT.

Just change in title, apolize for confusion.
I am trying to add dynamic scope for existing mainteance configuration. Please suggest. how it can be added

If this particular configuration or set of properties is not exposed or supported natively by the AzureRM provider azurerm_maintenance_configuration then you would follow the above approach to determine the ‘missing’ configuration elements between an AzureRM provider deployment and a fully deployed and tested configuration that you perform manually via the portal.

If it is possible to determine the missing elements then you have two choices of approach:

  1. Apply the configuration as far as possible using the AzureRM provider and then use the AzAPI provider’s azapi_update_resource to update/add the elements required that could not be configured via the AzureRM Provider.


  1. Forgo the AzureRM provider resource and configure the resource in its entirety using the AZApi provider.

They should both achieve the same outcome in most cases.

My personal preference is to use Option 1 wherever possible: The AzureRM provider is known to have a lag when it comes to features released in the the Azure Resource Manager API. Therefore it is possible that the feature you are configuring using AZApi becomes possible in a later version of AzureRM.
I comment the specific reason why the AzAPI is being used to apply additional parameters to a resource and if this becomes natively possible in the AzureRM resource in a later version then adding the additional parameters to the AzureRM resources and removing the AzAPI ‘shim’ is easy to carry out during an Up-versioning of the provider within the Terraform Module.

Hope that helps you with your current challenge

Happy Terraforming

Hi ExtellgenceIT
I am not clear.

so in my case I have created maintenance configuration. please tell me how to update create allocate existing VM is in dynamic scope?

i want to use arurerm provider completely , but i have not found detailed example of arguments lije install patches, windows, linux , window in the terraform document. can you please give me snippet of code which should use azurerum and should contain all the arguments.

I am not presently in a position to deploy test VM resources and maintenance plans in order to do this for you and to provide detailed information.

I have provided guidance as to an approach whereby you can determine this for yourself for this issue and similar in the future.

If the documentation does not cover the required parameters to be set against the AzureRM resource to achieve what you require (Sometimes not all configuration capabilities are exposed via the AzureRM provider) then the previously described approach is a method whereby you can deduce the additional elements that you may need to apply via AzAPI.

Hi ExtelligenceIT

But AzAPI does not give state file, does it give?

could you please tell me whether it is possible with azure rm provider to configuration maintenance configuration with guest patching scope for vms.