hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Authentication not disabled, when auth_settings block removed from function_app #15023

Open schwarzzz opened 2 years ago

schwarzzz commented 2 years ago

Problem Description

I stumbled upon this while investigating a checkov code analysis finding (CKV_AZURE_56). I activated authentication on an azurerm_function_app and then removed the corresponding code auth_settings block again.

=> The Terraform configuration does not represent the state of the resource in Azure.

Terraform (and AzureRM Provider) Version

Terraform v1.1.3
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.92.0

Affected Resource(s)

Terraform Configuration Files

resource "azurerm_resource_group" "example" {
  name     = "azure-functions-cptest-rg"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "functionsapptestsa"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_app_service_plan" "example" {
  name                = "azure-functions-test-service-plan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  kind                = "FunctionApp"

  sku {
    tier = "Dynamic"
    size = "Y1"
  }
}

resource "azurerm_function_app" "example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  auth_settings {
    enabled = true
  }
}

Expected Behaviour

When the auth_settings block is removed, Terraform should remove the auth_settings feature and set it to enabled = false. Authentication will be deactivated.

Actual Behaviour

When the auth_settings block is removed, terraform plan shows No changes. Authentication remains active.

Steps to Reproduce

  1. Deploy the function app without the auth_settings block
  2. Manually add an HTTP trigger function and test it in the Portal => HTTP 200 OK
  3. Add the auth_settings block and apply the configuration
  4. After waiting for a minute or 2, trigger the function in the Portal => HTTP 401 Unauthorized
  5. Remove the auth_settings block and apply the configuration => I would have expected a change in the authentication settings
  6. After waiting for a minute or 2, trigger the function in the Portal => HTTP 401 Unauthorized => I would have expected an HTTP 200 OK

Keeping the auth_settings block and setting enabled = false disables authentication again.
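
A way to detect the condition reported above from a saved plan, as an added example that is not part of the original issue or the provider's code. It assumes the JSON layout of `terraform show -json <planfile>` (root module only) and that the refreshed state still records the auth_settings block after it has been removed from the configuration; the sample data and the function name `unmanaged_auth` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{
  "prior_state": {"values": {"root_module": {"resources": [
    {"address": "azurerm_function_app.example", "type": "azurerm_function_app",
     "values": {"name": "test-azure-functions", "auth_settings": [{"enabled": true}]}},
    {"address": "azurerm_function_app.public", "type": "azurerm_function_app",
     "values": {"name": "constructed-public-app", "auth_settings": [{"enabled": false}]}},
    {"address": "azurerm_function_app.managed", "type": "azurerm_function_app",
     "values": {"name": "constructed-managed-app", "auth_settings": [{"enabled": true}]}}
  ]}}},
  "configuration": {"root_module": {"resources": [
    {"address": "azurerm_function_app.example", "type": "azurerm_function_app",
     "expressions": {"name": {"constant_value": "test-azure-functions"}}},
    {"address": "azurerm_function_app.public", "type": "azurerm_function_app",
     "expressions": {"name": {"constant_value": "constructed-public-app"}}},
    {"address": "azurerm_function_app.managed", "type": "azurerm_function_app",
     "expressions": {"auth_settings": [{"enabled": {"constant_value": true}}]}}
  ]}}
}
""")

def unmanaged_auth(plan, resource_type="azurerm_function_app"):
    """Return {address: enabled_in_state} for resources whose configuration has
    no auth_settings block while the state still records one. For these, a
    config-only scan and the deployed resource can disagree without any diff."""
    config = plan.get("configuration", {}).get("root_module", {}).get("resources", [])
    configured = {
        r["address"] for r in config
        if r.get("type") == resource_type and r.get("expressions", {}).get("auth_settings")
    }
    state = plan.get("prior_state", {}).get("values", {}).get("root_module", {})
    findings = {}
    for r in state.get("resources", []):
        # State addresses carry count/for_each indexes; configuration ones do not.
        base = r["address"].split("[")[0]
        if r.get("type") != resource_type or base in configured:
            continue
        blocks = r.get("values", {}).get("auth_settings") or []
        if blocks:
            findings[r["address"]] = bool(blocks[0].get("enabled"))
    return findings

if __name__ == "__main__":
    for addr, enabled in unmanaged_auth(SAMPLE_PLAN).items():
        print(f"{addr}: no auth_settings in configuration, state has enabled={enabled}")
```
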

xiaxyi commented 2 years ago

@schwarzzz The resource is being deprecated, can you try azurerm_windows_function_app and azurerm_linux_function_app?

pacoguzman commented 1 year ago

I would say this is the same as what is described in this issue -> https://github.com/hashicorp/terraform-provider-azurerm/issues/21320

We're suffering from that and we have continuous drift after bumping to 3.49.0

xiaxyi commented 1 year ago

@pacoguzman I tried to reproduce this issue. If auth -> false, auth is actually disabled from the API side; Terraform is just not setting the enable -> false in state.

I may not have exactly the same production environment as yours, so I would just like to confirm with you: is the API setting auth enabled to false what you expected?

xiaxyi commented 1 year ago

I see two properties are different between the instance that has auth turned off during initial creation and the instance with auth turned off during update: [image]