function app removes existing vnet integration with terraform apply if configured using "app_service_virtual_network_swift_connection"

[mg-8]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.2

AzureRM Provider Version

3.20.0

Affected Resource(s)/Data Source(s)

azurerm_windows_function_app

Terraform Configuration Files

resource "azurerm_windows_function_app" "this" {

  name                       = var.function_app.name
  resource_group_name        = var.resource_group.name
  location                   = var.resource_group.location
  service_plan_id            = data.azurerm_service_plan.this.id
  storage_account_name       = azurerm_storage_account.this.name
  storage_account_access_key = sensitive(azurerm_storage_account.this.primary_access_key)
  https_only                 = true
  client_certificate_enabled = true
  client_certificate_mode    = "Required"

  identity {
    type         = "UserAssigned"
    identity_ids = [data.azurerm_user_assigned_identity.this.id]
  }

  site_config {
    pre_warmed_instance_count = "1"
    http2_enabled             = true
    vnet_route_all_enabled = "true"
    application_insights_connection_string = sensitive(data.azurerm_application_insights.this.connection_string)
    application_insights_key               = sensitive(data.azurerm_application_insights.this.instrumentation_key)
  }

  app_settings = {
    vnet_route_all_enabled = "1"
  }

  lifecycle {
    ignore_changes = [
      tags,
    ]
  }

  depends_on = [
    azurerm_storage_account.this,
  ]
}

// vnet integration for function app
resource "azurerm_app_service_virtual_network_swift_connection" "this" {

  app_service_id = azurerm_windows_function_app.this.id
  subnet_id      = data.azurerm_subnet.vnet_integration.id

  depends_on = [
    azurerm_windows_function_app.this,
  ]
}

Debug Output/Panic Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.function_app["syd-non-app-func-app-01"].azurerm_windows_function_app.this will be updated in-place
  ~ resource "azurerm_windows_function_app" "this" {
        id                                = "/subscriptions/xxxxx/resourceGroups/syd-non-app-rg/providers/Microsoft.Web/sites/syd-non-app-func-app-01"
        name                              = "syd-non-app-func-app-01"

      - virtual_network_subnet_id         = "/subscriptions/xxxxx/resourceGroups/syd-app-non-network-rg/providers/Microsoft.Network/virtualNetworks/syd-app-non-vnet/subnets/func-app-asp-subnet" -> null
        # (25 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected Behaviour

Terraform plan/apply must not remove virtual_network_subnet_id as it can be configured in-line within resource azurerm_windows_function_app or separately app_service_virtual_network_swift_connection

Actual Behaviour

Terraform plan/apply is doing an update in-place to remove virtual_network_subnet_id

Steps to Reproduce

1) Terraform apply for the first time to create the function app and vnet integration 2) Run terrform plan or apply again

Important Factoids

No response

References

No response

[radui1398]

I'm also encountering this problem.

[mg-8]

It's doing the same thing for "azurerm_logic_app_standard" post release of provider version 3.23.0. As it supports for the virtual_network_subnet_id property for vNet integration (https://github.com/hashicorp/terraform-provider-azurerm/issues/17731). This must be fixed on both function and logic app to avoid this behavior.

[xiaxyi]

Thanks @mg-8 for raising this issue, you can track the status of fix in the mentioned pr

[orjan]

I've noticed the same thing in 3.25.0.

In this case is there a benefit or even a difference between using azurerm_app_service_virtual_network_swift_connection or by setting azurerm_windows_function_app.virtual_network_subnet_id. If not we could go with the latter?

[bobharkins]

I am also encountering this problem; I have tested this in AzureRM version 3.26.0 which still has the issue.

Can you give a timeline for this bug to be fixed?

[xiaxyi]

@bobharkins , as I mentioned in issue #18288 . It would be a little difficult for us to deal with it in the provider. The property can be set via two places but not simultaneously, the user needs to use the ignore_change feature. We will add notes in documents

[orjan]

Thanks @xiaxyi do you know if there’s a difference between the two alternatives?

https://github.com/hashicorp/terraform-provider-azurerm/issues/18225#issuecomment-1263162538

[xiaxyi]

@orjan There is no difference, both of them is setting the same thing.

The notes are added in pr https://github.com/hashicorp/terraform-provider-azurerm/pull/18738

[mudman2k]

Can someone give me a sample code block to use for the ignore_change feature please?

This issue still exists with the latest provider.

Thanks in advance all.

[orjan]

@mudman2k you should be able to add this block in the end of your config for the app service.

https://github.com/hashicorp/terraform-provider-azurerm/issues/18288#issuecomment-1272840733

If you run a terraform plan before and after you should be able to notice the difference

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.