hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Isolated Function App with App Service Environment breaks on update without content_share_force_disabled flag. #17491

Open gegetoth opened 2 years ago

gegetoth commented 2 years ago

Is there an existing issue for this?

Community Note

Terraform Version

1.2.2

AzureRM Provider Version

3.12.0

Affected Resource(s)/Data Source(s)

azurerm_linux_function_app

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.10.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "custom_app_settings" {
  description = "Additional app settings key-value pairs for the function app."
  type        = map(string)
  default     = {
    "test" = "test"
  }
}

variable "acr_name" {}
variable "acr_username" {}
variable "acr_password" {}

locals {
  # Common tags to be assigned to all resources
  common_tags = {
    Enviromnet = "dev"
    Terraform  = "true"
  }
  location = "westeurope"
}

resource "azurerm_resource_group" "rg" {
  name     = "test-rg"
  location = local.location
  tags     = local.common_tags
}

// App Service Environment v3
resource "azurerm_virtual_network" "vnet" {
  name                = "test-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = local.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_subnet" "ase_sn" {
  name                 = "ase"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.0.0/24"]

  delegation {
    name = "Microsoft.Web.hostingEnvironments"
    service_delegation {
      name    = "Microsoft.Web/hostingEnvironments"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_app_service_environment_v3" "ase" {
  name                = "jjfuncpythonase"
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.ase_sn.id

  internal_load_balancing_mode = "None"
}

resource "azurerm_service_plan" "scraper_service_plan" {
  name                = "test-plan"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"

  // use App Service Environment
  sku_name                   = "I1v2"
  app_service_environment_id = azurerm_app_service_environment_v3.ase.id
}

resource "azurerm_storage_account" "sta" {
  name                     = "premdockerteststa"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = local.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  tags = local.common_tags
}

resource "azurerm_linux_function_app" "app" {
  name                = "prem-docker-test-app"
  location            = local.location
  resource_group_name = azurerm_resource_group.rg.name
  service_plan_id     = azurerm_service_plan.scraper_service_plan.id

  storage_account_name       = azurerm_storage_account.sta.name
  storage_account_access_key = azurerm_storage_account.sta.primary_access_key

  # Uncomment to fix the app
  # content_share_force_disabled = true

  site_config {
    application_stack {
      docker {
        registry_url      = var.acr_name
        image_name        = "funcapp-tutorial-custom-image"
        image_tag         = "latest"
        registry_username = var.acr_username
        registry_password = var.acr_password
      }
    }
  }

  identity {
    type = "SystemAssigned"
  }

  builtin_logging_enabled = true

  tags = local.common_tags

}

locals {
  common_app_settings = {
    "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
    "DOCKER_ENABLE_CI"                    = true
    "WEBSITE_VNET_ROUTE_ALL"              = "1"
  }
}

Debug Output/Panic Output

When I try to connect to the app logs from the portal:

Failed to log container logs: Resource containerlog of type text not found.

And

Unable to fetch the host status of your function app. To use log streaming, please make sure your function host is running.

Expected Behaviour

When the function app gets created with an isolated app service plan within the App Service Environment, the first deployment goes well and the app starts running even without the content_share_force_disabled flag, and with no warning. On any update the app breaks.

When it is set to true it should be kept true after update.

Actual Behaviour

When the content_share_force_disabled flag is not set to true, an update via Terraform (even something like adding a test=test app config) breaks the function and the container cannot start.

When I set the content_share_force_disabled flag to true, that solves the problem, but when I run the apply or plan command I can see every time that the status of the flag is set to false and it will be modified to true. If the flag is set to true, it should be kept true.

Where can the documentation of the content_share_force_disabled flag be found?

Steps to Reproduce

Used the tutorial app generated with the func tool: https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-linux-custom-image?tabs=in-process%2Cpowershell%2Cazure-cli&pivots=programming-language-python#create-supporting-azure-resources-for-your-function

Deploy the built Docker image to ACR. Use the credentials and the repo name in the Terraform script.

Run terraform apply and deploy the resources to Azure. After a while it should be up and running and the app should be available at https://.azurewebsites.net/api/HttpExample?name=Functions

Make a small change like adding a "test"="test" to common_app_settings. Run the apply again and this should break the app. Not even the logs are available because the container cannot start.

Use content_share_force_disabled=true in the function app resource. Deploy it again and it should work. If you make any further change you will see that content_share_force_disabled is always set to false when deployed and it will update to true when terraform apply gets executed.

Important Factoids

No response

References

No response
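The perpetual diff described in this report can be checked mechanically from plan output. The following is an added example, not part of the original issue or of the provider's code: it scans the JSON produced by `terraform show -json <planfile>` for `azurerm_linux_function_app` updates in which `content_share_force_disabled` goes from false to true, and reports whether that flag is the only attribute changing. The sample plan is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Resource names come from the configuration in the report; values are illustrative.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_linux_function_app.app", "type": "azurerm_linux_function_app",
   "change": {"actions": ["update"],
     "before": {"name": "prem-docker-test-app", "content_share_force_disabled": false},
     "after":  {"name": "prem-docker-test-app", "content_share_force_disabled": true}}},
  {"address": "azurerm_storage_account.sta", "type": "azurerm_storage_account",
   "change": {"actions": ["no-op"], "before": {"name": "premdockerteststa"},
              "after": {"name": "premdockerteststa"}}}
]}
""")

FLAG = "content_share_force_disabled"


def changed_keys(before, after):
    """Top-level attributes whose planned value differs from the recorded one."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def find_flag_drift(plan):
    """Return function app updates where the flag is re-applied (false -> true)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_linux_function_app":
            continue
        if "update" not in change.get("actions", []):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        if before.get(FLAG) is False and after.get(FLAG) is True:
            keys = changed_keys(before, after)
            # flag_only means the plan contains nothing but the spurious flag change
            findings.append({"address": rc["address"], "changed": keys,
                             "flag_only": keys == [FLAG]})
    return findings


if __name__ == "__main__":
    for finding in find_flag_drift(SAMPLE_PLAN):
        print(finding)
```

A finding with `flag_only` set on a plan run straight after a successful apply matches the behaviour reported above, where the flag reads back as false and is planned to true on every run.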

jjindrich commented 2 years ago

Thanks, I have the same experience - https://github.com/jjindrich/jjazure-terraform/tree/master/src-func-python