Upgrade terraform-provider-azurerm to v4.17.0

.pulumi-java-gen.version

@@ -1 +1 @@
-1.0.0
+1.1.0

examples/go.mod

@@ -1,12 +1,14 @@
 module github.com/pulumi/pulumi-azure/examples/v5
 
-go 1.21
+go 1.22
+
+toolchain go1.23.5
 
 replace github.com/hashicorp/vault => github.com/hashicorp/vault v1.2.0
 
 require (
-	github.com/pulumi/pulumi/pkg/v3 v3.145.0
-	github.com/stretchr/testify v1.9.0
+	github.com/pulumi/pulumi/pkg/v3 v3.147.0
+	github.com/stretchr/testify v1.10.0
 )
 
 require (
@@ -26,7 +28,7 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/ProtonMail/go-crypto v1.1.3 // indirect
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
@@ -56,16 +58,16 @@ require (
 	github.com/cheggaaa/pb v1.0.29 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/deckarep/golang-set/v2 v2.5.0 // indirect
 	github.com/djherbis/times v1.5.0 // indirect
 	github.com/edsrzf/mmap-go v1.1.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
-	github.com/go-git/go-git/v5 v5.12.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.1 // indirect
+	github.com/go-git/go-git/v5 v5.13.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -128,7 +130,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
 	github.com/pulumi/esc v0.10.0 // indirect
-	github.com/pulumi/pulumi/sdk/v3 v3.145.0 // indirect
+	github.com/pulumi/pulumi/sdk/v3 v3.147.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
@@ -137,7 +139,7 @@ require (
 	github.com/segmentio/asm v1.1.3 // indirect
 	github.com/segmentio/encoding v0.3.5 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
-	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/spf13/cobra v1.8.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
@@ -158,16 +160,16 @@ require (
 	gocloud.dev v0.37.0 // indirect
 	gocloud.dev/secrets/hashivault v0.37.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect
-	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/mod v0.19.0 // indirect
 	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.22.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.22.0 // indirect
+	golang.org/x/tools v0.23.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.169.0 // indirect
 	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect

patches/0001-Set-user-agent-in-client-options.patch

@@ -6,19 +6,22 @@ Subject: [PATCH] Set user agent in client options
 Use Pulumi-specific user agent which includes the current provider version number.
 
 diff --git a/internal/common/client_options.go b/internal/common/client_options.go
-index 99352e4d62..5006e975b0 100644
+index c143bb85a9..d27416056d 100644
 --- a/internal/common/client_options.go
 +++ b/internal/common/client_options.go
-@@ -101,6 +101,8 @@ func userAgent(userAgent, tfVersion, partnerID string, disableTerraformPartnerID
- 	if features.FivePointOhBeta() {
- 		providerUserAgent = fmt.Sprintf("%s terraform-provider-azurerm/%s+5.0-beta", tfUserAgent, version.ProviderVersion)
- 	}
+@@ -95,9 +95,8 @@ func (o ClientOptions) ConfigureClient(c *autorest.Client, authorizer autorest.A
+ }
+
+ func userAgent(userAgent, tfVersion, partnerID string, disableTerraformPartnerID bool) string {
+-	tfUserAgent := fmt.Sprintf("HashiCorp Terraform/%s (+https://www.terraform.io)", tfVersion)
+-
+-	providerUserAgent := fmt.Sprintf("%s terraform-provider-azurerm/%s", tfUserAgent, version.ProviderVersion)
 +	// FORK: this gives us the ability to add a Pulumi Specific user agent
-+	providerUserAgent = fmt.Sprintf("pulumi-azure/%s", version.ProviderVersion)
++	providerUserAgent := fmt.Sprintf("pulumi-azure/%s", version.ProviderVersion)
  	userAgent = strings.TrimSpace(fmt.Sprintf("%s %s", userAgent, providerUserAgent))
 
  	// append the CloudShell version to the user agent if it exists
-@@ -109,11 +111,11 @@ func userAgent(userAgent, tfVersion, partnerID string, disableTerraformPartnerID
+@@ -106,11 +105,11 @@ func userAgent(userAgent, tfVersion, partnerID string, disableTerraformPartnerID
  	}
 
  	// only one pid can be interpreted currently

patches/0006-Make-shared-features-config-optional.patch

@@ -9,10 +9,10 @@ Modified in fork in https://github.com/pulumi/terraform-provider-azurerm/commit/
 This originally included a conditional block to only set the SharedFeatures config if it had a value but this seems to have been lost during the provider config being refactored in https://github.com/hashicorp/terraform-provider-azurerm/commit/57bcf134131514ffcc962f20b12f993fad7d6060#diff-58d6a027753b50994deb7e11e4a99dde423f35844986019bd9cea5e0c94aba22
 
 diff --git a/internal/provider/features.go b/internal/provider/features.go
-index 0becb67ac8..f43ffd2766 100644
+index 25b07caab5..9837e1c709 100644
 --- a/internal/provider/features.go
 +++ b/internal/provider/features.go
-@@ -425,7 +425,7 @@ func schemaFeatures(supportLegacyTestSuite bool) *pluginsdk.Schema {
+@@ -434,7 +434,7 @@ func schemaFeatures(supportLegacyTestSuite bool) *pluginsdk.Schema {
 
  	return &pluginsdk.Schema{
  		Type:     pluginsdk.TypeList,

patches/0007-Make-storage-account-resource_group_name-optional-in.patch

@@ -7,7 +7,7 @@ Subject: [PATCH] Make storage account resource_group_name optional in data
 Look up resource_group_name by using `storageClient.FindAccount` as storage account names should be unique, and resolve back to the resource group it belongs to.
 
 diff --git a/internal/services/storage/storage_account_data_source.go b/internal/services/storage/storage_account_data_source.go
-index 0267fa95bd..cb80352076 100644
+index f11b07db5c..b21ce8cf01 100644
 --- a/internal/services/storage/storage_account_data_source.go
 +++ b/internal/services/storage/storage_account_data_source.go
 @@ -38,7 +38,8 @@ func dataSourceStorageAccount() *pluginsdk.Resource {

patches/0008-Relax-storage-management-policy-validation.patch

@@ -6,7 +6,7 @@ Subject: [PATCH] Relax storage management policy validation
 Remove validation of tier_to_cool_after_days_since_last_access_time_greater_than range.
 
 diff --git a/internal/services/storage/storage_management_policy_resource.go b/internal/services/storage/storage_management_policy_resource.go
-index c90910e01c..1e3e9900e2 100644
+index 6d930cc533..23cad6155b 100644
 --- a/internal/services/storage/storage_management_policy_resource.go
 +++ b/internal/services/storage/storage_management_policy_resource.go
 @@ -138,10 +138,9 @@ func resourceStorageManagementPolicy() *pluginsdk.Resource {

patches/0013-Update-documentation.patch

@@ -998,7 +998,7 @@ index ed1f00c577..a4568c1ce0 100644
  ---
 
 diff --git a/website/docs/r/container_registry.html.markdown b/website/docs/r/container_registry.html.markdown
-index d847c69797..dc19703131 100644
+index 50052e74c1..f5cdd73f95 100644
 --- a/website/docs/r/container_registry.html.markdown
 +++ b/website/docs/r/container_registry.html.markdown
 @@ -11,9 +11,6 @@ description: |-
@@ -1197,14 +1197,14 @@ index 9e93c39f0e..39fb29509c 100644
  ---
 
 diff --git a/website/docs/r/data_factory_integration_runtime_self_hosted.html.markdown b/website/docs/r/data_factory_integration_runtime_self_hosted.html.markdown
-index 3bfeb2ad0b..360443e61d 100644
+index 09ac7f73e5..360443e61d 100644
 --- a/website/docs/r/data_factory_integration_runtime_self_hosted.html.markdown
 +++ b/website/docs/r/data_factory_integration_runtime_self_hosted.html.markdown
 @@ -52,7 +52,7 @@ A `rbac_authorization` block supports the following:
 
  * `resource_id` - (Required) The resource identifier of the integration runtime to be shared.
 
---> **Please Note**: RBAC Authorization creates a [linked Self-hosted Integration Runtime targeting the Shared Self-hosted Integration Runtime in resource_id](https://docs.microsoft.com/azure/data-factory/create-shared-self-hosted-integration-runtime-powershell#share-the-self-hosted-integration-runtime-with-another-data-factory). The linked Self-hosted Integration Runtime needs Contributor access granted to the Shared Self-hosted Data Factory. See example [Shared Self-hosted](https://github.com/hashicorp/terraform-provider-azurerm/tree/main/examples/data-factory/shared-self-hosted).
+--> **Please Note:** RBAC Authorization creates a [linked Self-hosted Integration Runtime targeting the Shared Self-hosted Integration Runtime in resource_id](https://docs.microsoft.com/azure/data-factory/create-shared-self-hosted-integration-runtime-powershell#share-the-self-hosted-integration-runtime-with-another-data-factory). The linked Self-hosted Integration Runtime needs Contributor access granted to the Shared Self-hosted Data Factory. See example [Shared Self-hosted](https://github.com/hashicorp/terraform-provider-azurerm/tree/main/examples/data-factory/shared-self-hosted).
 +-> **Please Note**: RBAC Authorization creates a [linked Self-hosted Integration Runtime targeting the Shared Self-hosted Integration Runtime in resource_id](https://docs.microsoft.com/azure/data-factory/create-shared-self-hosted-integration-runtime-powershell#share-the-self-hosted-integration-runtime-with-another-data-factory). The linked Self-hosted Integration Runtime needs Contributor access granted to the Shared Self-hosted Data Factory.
 
  For more information on the configuration, please check out the [Azure documentation](https://docs.microsoft.com/rest/api/datafactory/integrationruntimes/createorupdate#linkedintegrationruntimerbacauthorization)
@@ -1557,7 +1557,7 @@ index b43ebe8ea2..0cfd72ddf2 100644
 
    storage_account {
 diff --git a/website/docs/r/healthcare_service.html.markdown b/website/docs/r/healthcare_service.html.markdown
-index 18197f4acd..f7991b35d9 100644
+index 3a0428c910..28b0658cdc 100644
 --- a/website/docs/r/healthcare_service.html.markdown
 +++ b/website/docs/r/healthcare_service.html.markdown
 @@ -84,9 +84,9 @@ An `identity` block supports the following:
@@ -1629,25 +1629,22 @@ index d9c71a1023..c1c041691e 100644
    eventhub_endpoint_name = "events"
    resource_group_name    = azurerm_resource_group.example.name
 diff --git a/website/docs/r/key_vault.html.markdown b/website/docs/r/key_vault.html.markdown
-index 2b480185e6..42864de069 100644
+index 90d88f96b6..1577e7f7c4 100644
 --- a/website/docs/r/key_vault.html.markdown
 +++ b/website/docs/r/key_vault.html.markdown
-@@ -12,12 +12,9 @@ Manages a Key Vault.
+@@ -12,9 +12,9 @@ Manages a Key Vault.
 
  ## Disclaimers
 
--~> **Note:** It's possible to define Key Vault Access Policies both within [the `azurerm_key_vault` resource](key_vault.html) via the `access_policy` block and by using [the `azurerm_key_vault_access_policy` resource](key_vault_access_policy.html). However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.
+-~> **Note:** It's possible to define Key Vault Access Policies both within [the `azurerm_key_vault` resource](key_vault.html) via the `access_policy` block and by using [the `azurerm_key_vault_access_policy` resource](key_vault_access_policy.html). However, it's not possible to use both methods to manage Access Policies within a KeyVault, since there will be conflicts.
 +~> **Note:** It's possible to define Key Vault Access Policies both within the `azurerm_key_vault` resource via the `access_policy` block and by using the `azurerm_key_vault_access_policy` resource. However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.
 
--<!-- TODO: Remove Note in 4.0 -->
--~> **Note:** It's possible to define Key Vault Certificate Contacts both within [the `azurerm_key_vault` resource](key_vault.html) via the `contact` block and by using [the `azurerm_key_vault_certificate_contacts` resource](key_vault_certificate_contacts.html). However it's not possible to use both methods to manage Certificate Contacts within a KeyVault, since there'll be conflicts.
--
 -~> **Note:** Terraform will automatically recover a soft-deleted Key Vault during Creation if one is found - you can opt out of this using the `features` block within the Provider block.
 +~> **Note:** It's possible to define Key Vault Certificate Contacts both within the `azurerm_key_vault` resource via the `contact` block and by using the `azurerm_key_vault_certificate_contacts` resource. However it's not possible to use both methods to manage Certificate Contacts within a KeyVault, since there'll be conflicts.
 
  ## Example Usage
 
-@@ -84,7 +81,7 @@ The following arguments are supported:
+@@ -81,7 +81,7 @@ The following arguments are supported:
 
  ---
 
@@ -1656,7 +1653,7 @@ index 2b480185e6..42864de069 100644
 
  -> **NOTE** Since `access_policy` can be configured both inline and via the separate `azurerm_key_vault_access_policy` resource, we have to explicitly set it to empty slice (`[]`) to remove it.
 
-@@ -100,7 +97,7 @@ The following arguments are supported:
+@@ -97,7 +97,7 @@ The following arguments are supported:
 
  * `purge_protection_enabled` - (Optional) Is Purge Protection enabled for this Key Vault? 
 
@@ -1723,7 +1720,7 @@ index c6387f8e37..ab11365777 100644
 
  ```hcl
 diff --git a/website/docs/r/kubernetes_cluster.html.markdown b/website/docs/r/kubernetes_cluster.html.markdown
-index dd3898b6c5..f8cb8ab6f7 100644
+index b60323b21c..e09ae2fa2d 100644
 --- a/website/docs/r/kubernetes_cluster.html.markdown
 +++ b/website/docs/r/kubernetes_cluster.html.markdown
 @@ -10,15 +10,9 @@ description: |-
@@ -1779,7 +1776,7 @@ index dd3898b6c5..f8cb8ab6f7 100644
  * `ip_versions` - (Optional) Specifies a list of IP versions the Kubernetes Cluster will use to assign IP addresses to its nodes and pods. Possible values are `IPv4` and/or `IPv6`. `IPv4` must always be specified. Changing this forces a new resource to be created.
 
  ->**Note:** To configure dual-stack networking `ip_versions` should be set to `["IPv4", "IPv6"]`.
-@@ -1045,19 +1037,6 @@ The `kube_admin_config` and `kube_config` blocks export the following:
+@@ -1047,19 +1039,6 @@ The `kube_admin_config` and `kube_config` blocks export the following:
 
  * `password` - A password or token used to authenticate to the Kubernetes cluster.
 
@@ -2303,7 +2300,7 @@ index c82917be5a..131701e1d9 100644
  * `cross_region_restore_enabled` - (Optional) Is cross region restore enabled for this Vault? Only can be `true`, when `storage_mode_type` is `GeoRedundant`. Defaults to `false`.
 
 diff --git a/website/docs/r/redis_cache.html.markdown b/website/docs/r/redis_cache.html.markdown
-index f613043486..21d73ac845 100644
+index 6f2e193082..11d863c9d8 100644
 --- a/website/docs/r/redis_cache.html.markdown
 +++ b/website/docs/r/redis_cache.html.markdown
 @@ -15,7 +15,7 @@ Manages a Redis Cache.
@@ -2724,7 +2721,7 @@ index a77a466231..a4c7275acf 100644
 --> **NOTE:** This ID is specific to Terraform - and is of the format `{virtualDesktopWorkspaceID}|{virtualDesktopApplicationGroupID}`.
 +-> **NOTE:** This ID is specific to this provider - and is of the format `{virtualDesktopWorkspaceID}|{virtualDesktopApplicationGroupID}`.
 diff --git a/website/docs/r/virtual_machine.html.markdown b/website/docs/r/virtual_machine.html.markdown
-index 20ddbcdb28..79bf235222 100644
+index a00b120455..0150d8f418 100644
 --- a/website/docs/r/virtual_machine.html.markdown
 +++ b/website/docs/r/virtual_machine.html.markdown
 @@ -12,13 +12,13 @@ Manages a Virtual Machine.

provider/cmd/pulumi-resource-azure/bridge-metadata.json

@@ -3702,6 +3702,15 @@
                 "current": "azure:cognitive/accountRaiBlocklist:AccountRaiBlocklist",
                 "majorVersion": 6
             },
+            "azurerm_cognitive_account_rai_policy": {
+                "current": "azure:cognitive/accountRaiPolicy:AccountRaiPolicy",
+                "majorVersion": 6,
+                "fields": {
+                    "content_filter": {
+                        "maxItemsOne": false
+                    }
+                }
+            },
             "azurerm_cognitive_deployment": {
                 "current": "azure:cognitive/deployment:Deployment",
                 "majorVersion": 6,
@@ -14747,6 +14756,15 @@
                 "current": "azure:mssql/jobSchedule:JobSchedule",
                 "majorVersion": 6
             },
+            "azurerm_mssql_job_target_group": {
+                "current": "azure:mssql/jobTargetGroup:JobTargetGroup",
+                "majorVersion": 6,
+                "fields": {
+                    "job_target": {
+                        "maxItemsOne": false
+                    }
+                }
+            },
             "azurerm_mssql_managed_database": {
                 "current": "azure:mssql/managedDatabase:ManagedDatabase",
                 "majorVersion": 6,
@@ -23739,6 +23757,10 @@
                 "current": "azure:apimanagement/getProduct:getProduct",
                 "majorVersion": 6
             },
+            "azurerm_api_management_subscription": {
+                "current": "azure:apimanagement/getSubscription:getSubscription",
+                "majorVersion": 6
+            },
             "azurerm_api_management_user": {
                 "current": "azure:apimanagement/getUser:getUser",
                 "majorVersion": 6