Unable to update azurerm_static_site resource after publishing site

[fvdnabee]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

• Terraform v1.1.7 on linux_amd64
• provider registry.terraform.io/hashicorp/azurerm v3.0.2

Affected Resource(s)

• azurerm_static_site

Terraform Configuration Files

Create the static site with the following configuration:

resource "azurerm_static_site" "frontend" {
  name                = "mySwa"
  resource_group_name = "myRGP"
  location            = "westeurope"
  sku_size            = "Free"
  sku_tier            = "Free"

  tags = { foo = "bar" }
}

After deploying the SWA, publish a site to the SWA. E.g. from Azure devops.

Finally, update the TF config for the SWA, e.g. by adding a new tag:

resource "azurerm_static_site" "frontend" {
  name                = "mySwa"
  resource_group_name = "myRGP"
  location            = "westeurope"
  sku_size            = "Free"
  sku_tier            = "Free"

  tags = { foo = "bar", foo2 = "bar" }
}

Apply now fails with a 400 complaining about the provider being set:

  # azurerm_static_site.frontend will be updated in-place
  ~ resource "azurerm_static_site" "frontend" {
        id                  = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED"
        name                = "REDACTED"
      ~ tags                = {
          + "foo2" = "bar"
            # (5 unchanged elements hidden)
        }
        # (6 unchanged attributes hidden)
    }

azurerm_static_site.frontend: Modifying... [id=/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED]
│ Error: failed creating Static Site: (Name "REDACTED" / Resource Group "REDACTED"): web.StaticSitesClient#CreateOrUpdateStaticSite: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="Provider is invalid.  Cannot change the Provider. Please detach your static site first if you wish to use to another deployment provider." Details=[{"Message":"Provider is invalid.  Cannot change the Provider. Please detach your static site first if you wish to use to another deployment provider."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51021","Message":"Provider is invalid.  Cannot change the Provider. Please detach your static site first if you wish to use to another deployment provider.","MessageTemplate":"{0} is invalid.  {1}","Parameters":["Provider","Cannot change the Provider. Please detach your static site first if you wish to use to another deployment provider."]}}]

Debug Output

The SWA details from the azure CLI, note that provider is set to DevOps:

❯ az staticwebapp show -n REDACTED -g REDACTED
{
  "allowConfigFileUpdates": true,
  "branch": "master",
  "buildProperties": null,
  "contentDistributionEndpoint": "https://content-am2.infrastructure.1.azurestaticapps.net",
  "customDomains": [
    "REDACTED"
  ],
  "defaultHostname": "REDACTED.1.azurestaticapps.net",
  "enterpriseGradeCdnStatus": "Disabled",
  "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED",
  "identity": null,
  "keyVaultReferenceIdentity": "SystemAssigned",
  "kind": null,
  "location": "West Europe",
  "name": "REDACTED",
  "privateEndpointConnections": [],
  "provider": "DevOps",
  "repositoryToken": null,
  "repositoryUrl": "https://dev.azure.com/REDACTED/REDACTED/_git/REDACTED",
  "resourceGroup": "REDACTED",
  "sku": {
    "capabilities": null,
    "capacity": null,
    "family": null,
    "locations": null,
    "name": "Free",
    "size": null,
    "skuCapacity": null,
    "tier": "Free"
  },
  "stagingEnvironmentPolicy": "Enabled",
  "tags": {
    "foo": "bar"
  },
  "templateProperties": null,
  "type": "Microsoft.Web/staticSites",
  "userProvidedFunctionApps": []
}

The terraform state of the SWA:

❯ terraform state show azurerm_static_site.REDACTED
# azurerm_static_site.REDACTED:
resource "azurerm_static_site" "REDACTED" {
    api_key             = "REDACTED"
    default_host_name   = "REDACTED.1.azurestaticapps.net"
    id                  = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED"
    location            = "westeurope"
    name                = "REDACTED"
    resource_group_name = "REDACTED"
    sku_size            = "Free"
    sku_tier            = "Free"
    tags                = {
        "foo"   = "bar"
    }
}

The offending request sent to azurerm and its response (TF_LOG=DEBUG):

azurerm_static_site.REDACTED: Modifying... [id=/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED]
2022-03-30T16:38:38.796+0200 [INFO]  Starting apply for azurerm_static_site.frontend
2022-03-30T16:38:38.796+0200 [DEBUG] azurerm_static_site.frontend: applying the planned Update change
2022-03-30T16:38:38.797+0200 [INFO]  provider.terraform-provider-azurerm_v3.0.2_x5: preparing arguments for AzureRM Static Site creation.: timestamp=2022-03-30T16:38:38.797+0200
2022-03-30T16:38:38.797+0200 [DEBUG] provider.terraform-provider-azurerm_v3.0.2_x5: AzureRM Request:
PUT /subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED?api-version=2021-02-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.17.5 (amd64-linux) go-autorest/v14.2.1 Azure-SDK-For-Go/v62.3.0 web/2021-02-01 HashiCorp Terraform/1.1.7 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.0.2 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 345
Content-Type: application/json; charset=utf-8
X-Ms-Authorization-Auxiliary:
X-Ms-Correlation-Request-Id: REDACTED
Accept-Encoding: gzip

{"location":"westeurope","properties":{},"sku":{"name":"Free","tier":"Free"},"tags":{"foo":"bar"}}: timestamp=2022-03-30T16:38:38.797+0200
2022-03-30T16:38:39.800+0200 [DEBUG] provider.terraform-provider-azurerm_v3.0.2_x5: AzureRM Response for https://management.azure.com/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED?api-version=2021-02-01:
HTTP/2.0 400 Bad Request
Content-Length: 785
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Wed, 30 Mar 2022 14:38:39 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Aspnet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: REDACTED
X-Ms-Ratelimit-Remaining-Subscription-Writes: 1199
X-Ms-Request-Id: REDACTED
X-Ms-Routing-Request-Id: REDACTED
X-Powered-By: ASP.NET

Expected Behaviour

The azurerm provider is able to update the SWA resource successfully without forcing the user to detach their static site.

I'm unsure how this should be fixed, as the SWA provider is not tracked in the terraform state (see above). I'm thinking the azurerm provider could retrieve and echo all the properties object in its update request. In this case, care should be taken when a TF SWA resource attribute would set a property field; e.g. the provider could do a merge of the properties object in this case. Alternatively, perhaps dropping the empty properties: {} object from the PUT request might be a feasible workaround.

edit: see the properties property in the response for get-static-site: https://docs.microsoft.com/en-us/rest/api/appservice/static-sites/get-static-site. The response is as follows for the SWA in this issue:

❯ az rest -m get -u 'https://management.azure.com/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED?api-version=2021-02-01'
{
  "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Web/staticSites/REDACTED",
  "location": "West Europe",
  "name": "REDACTED",
  "properties": {
    "allowConfigFileUpdates": true,
    "branch": "master",
    "contentDistributionEndpoint": "https://content-am2.infrastructure.1.azurestaticapps.net",
    "customDomains": [
      "REDACTED"
    ],
    "defaultHostname": "REDACTED.1.azurestaticapps.net",
    "enterpriseGradeCdnStatus": "Disabled",
    "keyVaultReferenceIdentity": "SystemAssigned",
    "linkedBackends": null,
    "privateEndpointConnections": [],
    "provider": "DevOps",
    "publicNetworkAccess": null,
    "repositoryUrl": "https://dev.azure.com/REDACTED/REDACTED/_git/REDACTED",
    "stagingEnvironmentPolicy": "Enabled",
    "userProvidedFunctionApps": []
  },
  "sku": {
    "name": "Free",
    "tier": "Free"
  },
  "tags": {
    "foo": "bar"
}

Actual Behaviour

Updating the SWA resource fails.

Steps to Reproduce

1. terraform apply
2. Publish site to SWA from Azure Devops
3. Make config change (e.g. add tag) and run terraform apply again

Important Factoids

References

• A similar issue for bicep was filed here: https://github.com/Azure/static-web-apps/issues/516

From this issue I understand that not only the provider might have to be set, but maybe also properties related to the provider (for the DevOps this appears to be branch and repositoryUrl).

[fvdnabee]

Tagging @magodo

[rcskosir]

Linking to the upstream issue: https://github.com/Azure/azure-rest-api-specs/issues/18501