Terraform always tries to remove default "site_config.virtual_application" on "azurerm_windows_web_app_slot".

RaulBurian commented 2 years ago

Is there an existing issue for this?

[X] I have searched the existing issues

Community Note

Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.1.7

AzureRM Provider Version

3.1.0

Affected Resource(s)/Data Source(s)

azurerm_windows_web_app_slot

Terraform Configuration Files

resource "azurerm_windows_web_app" "app" {
  name                = "app"
  location            = var.location
  resource_group_name = var.rg
  service_plan_id     = azurerm_service_plan.asp.id

  site_config {
    always_on           = true
    minimum_tls_version = "1.2"
    ftps_state          = "FtpsOnly"
    http2_enabled       = true
    use_32_bit_worker   = false

    application_stack {
      current_stack  = "dotnet"
      dotnet_version = "v6.0"
    }
  }
}

resource "azurerm_windows_web_app_slot" "app_slot" {
  name           = "staging"
  app_service_id = azurerm_windows_web_app.app.id

  site_config {
    always_on           = false
    minimum_tls_version = "1.2"
    ftps_state          = "FtpsOnly"
    http2_enabled       = true
    use_32_bit_worker   = false

    application_stack {
      current_stack  = "dotnet"
      dotnet_version = "v6.0"
    }
}

Debug Output/Panic Output

# azurerm_windows_web_app_slot.app_slot has been changed
  ~ resource "azurerm_windows_web_app_slot" "app_slot" {
        id                                = "app_id"
        name                              = "staging"

        # (16 unchanged attributes hidden)

      ~ site_config {
            # (23 unchanged attributes hidden)

          - virtual_application {
              - physical_path = "site\\wwwroot"
              - preload       = false
              - virtual_path  = "/"
            }
            # (2 unchanged blocks hidden)
        }

        # (4 unchanged blocks hidden)
    }

Expected Behaviour

Since we have not configured site_config.virtual_application we would expect it to not appear at the plan / apply step as a modification that has to be done, since we are just using the default mapping and since it is optional in the docs we would expect it to not interfere with the default mapping and thus not always be detected as a change. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_web_app_slot#virtual_application.

Actual Behaviour

That mapping is the default mapping for an Azure App Serivce. When running terraform plan / apply with no configuration changes, terraform tries always tries to remove this default mapping. "terraform apply" passes, but it won't remove that mapping since it's the only one as default.

This leads to it always appearing as a change in the terraform plan / apply step which is inconvenient as it clutters up and makes it harder to read other changes since we have this one appearing all the time.

We would like to know if this is expected and we should configure the default mapping explicitly through terraform or is there another issue.

Steps to Reproduce

run terraform plan / apply on an already existing config and terraform will always try to remove the "default" virtual application on the azurerm_windows_web_app_slot

Important Factoids

No response

References

No response

ksmigiel commented 2 years ago

It happen also to azurerm_windows_web_app, not only it's slot counterpart.

evandeworp commented 2 years ago

I believe the issue is in func onlyDefaultVirtualApplication in file terraform-provider-azurerm/internal/services/appservice/helpers/web_app_schema.go.

This function uses the following logic to decide if a virtual application is the default:

    if *app.VirtualPath == "/" && *app.PhysicalPath == "site\\wwwroot" && *app.PreloadEnabled && app.VirtualDirectories == nil {
        return true
    }

The problem with the above logic is it assumes a default application must always be "preloaded" but that's only true when the web app is configured to be "always_on". In our environment, we never configure web app slots to be "always_on", so the function onlyDefaultVirtualApplication never correctly identifies our default virtual applications to be default and Terraform constantly tries to delete the default virtual applications of our web slots. This issue would also apply to the web apps as well of course if we configured them with always_on set to false.

Quartz771 commented 2 years ago

This is affecting azurerm_windows_web_app on our end as well. We've got three environments where two of them having "always_on" disabled and the third one enabled. Preload is disabled for all of them. Third one constantly wants to update site_config, whereas adjusting preload to "true" doesn't resolve the issue.

 ~ site_config {
            # (23 unchanged attributes hidden)

          + virtual_application {
              + physical_path = "site\\wwwroot"
              + preload       = false
              + virtual_path  = "/"
            }
            # (1 unchanged block hidden)
        }

When setting always_on to "false" for third environment no changes shown in terraform plan, but we need this to be activated in this env.

What I did now to workaround the problem:

removed the whole "virtual_application" block from terraform code for all environments
adjusted "always_on" to "true" for all environments (doesn't affect costs) No changes in plan anymore afterwards.

So I agree with @evandeworp, there's an issue in identifying the DefaultVirtualApplication. Giving a "thumb up".

iofh commented 1 year ago

If always_on is needed to be false. Would ignoring the site_config virtual_application in the resource lifecycle affect anything?

dani-nagy commented 11 months ago

Still an issue, any fix on the way?

$ terraform --version Terraform v1.5.7 on windows_amd64

provider registry.terraform.io/hashicorp/azurerm v3.41.0 ...

serbezki commented 6 months ago

We also have this showing up on every plan and can't really find a workaround. There is no virtual_application block defined and always_on needs to be true.

Any suggestion on what to try would be appreciated.

Nisargg007 commented 2 months ago

Thank you, @Quartz771 Your solution to set always_on to true for the [Windows] web app is brilliant and effectively resolved my issue [NOT Sure about Linux].

hashicorp / terraform-provider-azurerm