hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Azure Function App still required `storage_account_name` even though it is an Optional attribute according to the latest terraform azurerm provider version. #21507

Open bbh111 opened 1 year ago

bbh111 commented 1 year ago

Is there an existing issue for this?

Community Note

Terraform Version

1.3.4

AzureRM Provider Version

3.53.0

Affected Resource(s)/Data Source(s)

azurerm_linux_function_app

Terraform Configuration Files

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_service_plan" "example" {
  name                = "example-app-service-plan"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "Y1"
}

resource "azurerm_linux_function_app" "example" {
  name                = "example-linux-function-app"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  service_plan_id            = azurerm_service_plan.example.id

  site_config {}
}

Debug Output/Panic Output

Can not run terraform plan

Expected Behaviour

Terraform plan run without any issue.

Actual Behaviour

image

Steps to Reproduce

No response

Important Factoids

No response

References

No response

xiaxyi commented 1 year ago

Thanks @bbh111 for raising this issue, storage account connection is a must when creating the function app, so as the validation error suggested: you need to either specify the storage_account_name or the storage_key_vault_secret_id which stores the storage account connection string for the function app to connect to.

These two attributes can't be set simultaneously and one of them is required, so we used the optional + ExactlyOneOf validator, as for terraform validator, you may find some guidance here: https://developer.hashicorp.com/terraform/plugin/framework/migrating/attributes-blocks/validators-predefined

bbh111 commented 1 year ago

Thanks @xiaxyi for your support

xiaxyi commented 1 year ago

@bbh111 No problems! Feel free to let me know if you have any follow-up questions or feel free to close the issue if everything looks cool. :)

bbh111 commented 1 year ago

Hi @xiaxyi, so sorry for reopening the ticket. Actually I have a question and I think you can help me go through it. I don't know why, when Terraform populates a function app resource, it calls the azurestorageaccount endpoint. We have an Azure policy as below which denies all access except appSettings, slotconfignames and backup.

"policyRule": {
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Web/sites/config" },
      { "field": "id", "notlike": "*appSettings" },
      { "field": "id", "notlike": "*slotconfignames" },
      { "field": "id", "notlike": "*backup" }
    ]
  },
  "then": { "effect": "deny" }
}

When we try to run Terraform, Azure applies this rule and you can see the output here: [image: Capture]

In terraform I use attribute storage_key_vault_secret_id. Thanks !
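An added example, not part of the thread or the provider's code: a small offline model of the policy rule quoted in the comment above, evaluated against constructed resource IDs, to show which `Microsoft.Web/sites/config` writes that rule lets through. It assumes `notlike` is case-insensitive with `*` as its only wildcard; `SITE`, `config_write` and the config names passed to it are sample values.

```python
import re

# Policy rule quoted in the comment above, written as a balanced dict.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Web/sites/config"},
        {"field": "id", "notlike": "*appSettings"},
        {"field": "id", "notlike": "*slotconfignames"},
        {"field": "id", "notlike": "*backup"},
    ]},
    "then": {"effect": "deny"},
}

def _like(value, pattern):
    """Assumed 'like' semantics: case-insensitive, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def _condition_holds(cond, resource):
    value = resource[cond["field"]]
    # Operator names are compared case-insensitively ("notlike" / "notLike").
    ops = {k.lower(): v for k, v in cond.items() if k != "field"}
    if "equals" in ops:
        return value.lower() == ops["equals"].lower()
    if "notlike" in ops:
        return not _like(value, ops["notlike"])
    raise ValueError(f"operator not modelled: {sorted(ops)}")

def evaluate(rule, resource):
    """Return the rule's effect when every allOf condition holds, else None."""
    if all(_condition_holds(c, resource) for c in rule["if"]["allOf"]):
        return rule["then"]["effect"]
    return None

# Constructed resource ID; subscription, group and app names are placeholders.
SITE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "example-resources/providers/Microsoft.Web/sites/example-linux-function-app")

def config_write(name):
    """Hypothetical helper: a write to one config sub-resource of the site."""
    return {"type": "Microsoft.Web/sites/config", "id": f"{SITE}/config/{name}"}

if __name__ == "__main__":
    # "azurestorageaccounts" stands for the storage endpoint named in the comment.
    for name in ("appsettings", "slotConfigNames", "backup", "web",
                 "azurestorageaccounts"):
        effect = evaluate(POLICY_RULE, config_write(name)) or "allowed"
        print(f"{name:22} -> {effect}")
```

Only IDs ending in one of the three exempted names escape the `deny`; any other config sub-resource of the site matches all four conditions.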

xiaxyi commented 1 year ago

No worries @bbh111, are you suggesting that you are not able to use any storage account related settings when creating the windows function app except to put them in the app_setting block?

Either storage_account_name or storage_key_vault_secret_id needs to be specified when creating the function app, the requirement is made from the api, not from Terraform, so you will need to specify the storage account settings. Documents: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app#storage_account_name

bbh111 commented 1 year ago

That's exactly what I got now. I am only able to put them in the AzureWebJobStorage of app_settings block. I know either storage_account_name or storage_key_vault_secret_id is mandatory. But just to make sure the API above doesn't come from terraform, and then we can determine that only changing the azure policy could help us to go through this issue. Could you please confirm that @xiaxyi?

xiaxyi commented 1 year ago

yes, storage connection string is required by api. image https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli

rcskosir commented 8 months ago

Thank you for taking the time to raise this! I am going to close this with @xiaxyi's response as an answer. If you have future questions, I suggest using the Community Resources, such as the Azure Provider forum.

pacorreia commented 7 months ago

I would like this to be re-opened, documentation from Microsoft can be misleading if we don't read everything.

In fact you can run an Azure Function app without a storage account!

image

So, Yes it's required if you don't provide alternatives, like Key Vault.

Also, if you are not doing remote builds and are running from package, you definitely don't need a storage account, otherwise the ones I've deployed would have failed already.

The storage account name and the other parameter, both should be marked as optional, not requiring any of them to be present.

rcskosir commented 7 months ago

@pacorreia Thanks for the additional information, I will reopen this issue as requested.

rachit1sharma commented 5 months ago

Any update on it?