Azure / terraform-provider-azapi

Terraform provider for Azure Resource Manager Rest API
https://registry.terraform.io/providers/Azure/azapi/latest
Mozilla Public License 2.0

azapi_resource_action: Microsoft.Web/sites config does not detect changes #557

Open phatcher opened 3 months ago

phatcher commented 3 months ago

As the app service terraform provider does not yet support setting the minimum TLS cipher suite, I had a go at setting it via azapi, something like this:

data "azapi_resource_id" "config" {
  type      = "Microsoft.Web/sites/config@2023-12-01"
  parent_id = azurerm_app_service.this.id
  name      = "web"
}

resource "azapi_resource_action" "config" {
  type        = "Microsoft.Web/sites/config@2023-12-01"
  resource_id = data.azapi_resource_id.config.id
  method      = "PATCH"

  body = {
    name = "web"
    properties = {
      minTlsCipherSuite = local.min_tls_ciphersuite
    }
  }
}

This works, but if the value is modified via the portal and I re-apply the terraform, no change is applied i.e. it keeps the portal setting.

Is this expected behaviour?

stemaMSFT commented 3 months ago

hey @phatcher this may be better implemented through azapi_update_resource? Since that is made for this sort of behavior in a CRUD-friendly manner.

ms-henglu commented 3 months ago

Yes, the azapi_resource_action is only used to trigger an HTTP request, it doesn't monitor the resource's state. If the minTlsCipherSuite could be updated by PUT method, it's recommended to use azapi_update_resource, because it monitors the state, and will show diff if the value is modified by other client tools.
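
The `azapi_update_resource` form recommended above, added here as an example and not taken from the thread or the provider's own documentation. It assumes the same `azurerm_app_service.this` resource as the original snippet (defined elsewhere), an azapi version that accepts `body` as an HCL object as that snippet does, and a constructed cipher suite value.

```hcl
locals {
  # Constructed sample value; set this to the weakest suite your clients must still support.
  min_tls_ciphersuite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
}

# azapi_resource_action only sends the request at apply time. azapi_update_resource
# also reads the resource back during refresh, so a value changed outside Terraform
# (for example in the portal) appears as a diff on the next plan.
resource "azapi_update_resource" "config" {
  type = "Microsoft.Web/sites/config@2023-12-01"

  # ARM ID of the site's "web" config, built from the site ID used in the original snippet.
  resource_id = "${azurerm_app_service.this.id}/config/web"

  body = {
    properties = {
      minTlsCipherSuite = local.min_tls_ciphersuite
    }
  }
}
```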

phatcher commented 3 months ago

@stemaMSFT Thanks, that is working. There's a schema issue with the VSCode extension as it wants to assign "web" to the name, but it appears to be the base name of the site.

If I leave it as web it always shows a change that never actually sticks

stemaMSFT commented 3 months ago

@phatcher are you still running into that issue with the extension? That does sound strange.

ms-henglu commented 3 months ago

> @phatcher are you still running into that issue with the extension? That does sound strange.

Hi @stemaMSFT,

I believe this is the issue mentioned by @phatcher:

[image]

I think the cause is bad swagger, the generated document says that the name field only supports a list of allowed values:

[image]

phatcher commented 3 months ago

What I wasn't sure is whether the schema was correct and the API playing up or vice versa :-)

fgarcia-cnb commented 2 months ago

the problem with using azapi_update_resource is that it doesn't use PATCH, it uses PUT, so it replaces the entire appsettings config. azapi_resource_action with method PATCH does properly merge key value pairs with existing values, but does not detect changes