hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_app_service_virtual_network_swift_connection - Require permission subnet/write - windows app service / function #22958

Open dandcg opened 1 year ago

dandcg commented 1 year ago

Terraform Version

1.4.6

AzureRM Provider Version

3.43.0

Affected Resource(s)/Data Source(s)

azurerm_app_service_virtual_network_swift_connection

Terraform Configuration Files

# Existing Windows Function App, looked up by name.
data "azurerm_windows_function_app" "wa" {
  name                = "wa-poc"
  resource_group_name = "rg-poc"
}

# Existing subnet (already delegated to Microsoft.Web/serverFarms).
data "azurerm_subnet" "default" {
  name                 = "default"
  virtual_network_name = "vn-poc"
  resource_group_name  = "rg-poc"
}

# Regional VNet integration between the function app and the subnet; the app id
# comes from the azurerm_windows_function_app data source declared above.
resource "azurerm_app_service_virtual_network_swift_connection" "wa-to-sub-default" {
  app_service_id = data.azurerm_windows_function_app.wa.id
  subnet_id      = data.azurerm_subnet.default.id
}

Debug Output/Panic Output

Error: creating/updating App Service VNet association between "wa-poc" (Resource Group "rg-poc") and Virtual Network "vn-poc":
web.AppsClient#CreateOrUpdateSwiftVirtualNetworkConnectionWithCheck: Failure responding to request: 
StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="LinkedAuthorizationFailed" 
Message="The client 'xxxxxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' has permission to perform action 
'Microsoft.Web/sites/networkConfig/write' on scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-poc/providers/Microsoft.Web/sites/wa-poc/networkConfig/virtualNetwork'; 
however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-poc/providers/Microsoft.Network/virtualNetworks/vn-poc/subnets/default' 
or the linked scope(s) are invalid."

  on maint.tf line 12, in resource "azurerm_app_service_virtual_network_swift_connection" "wa-to-sub-default":
  12: resource "azurerm_app_service_virtual_network_swift_connection" "wa-to-sub-default" {

Expected Behaviour

terraform apply should enable VNet integration successfully for a Windows Function App - with write permissions on the subnet.

It works through the Azure Portal or the latest Azure CLI.

Actual Behaviour

Error: creating/updating App Service VNet association between "wa-poc" (Resource Group "rg-poc") and Virtual Network "vn-poc": web.AppsClient#CreateOrUpdateSwiftVirtualNetworkConnectionWithCheck: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' has permission to perform action 'Microsoft.Web/sites/networkConfig/write' on scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-poc/providers/Microsoft.Web/sites/wa-poc/networkConfig/virtualNetwork'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-poc/providers/Microsoft.Network/virtualNetworks/vn-poc/subnets/default' or the linked scope(s) are invalid."

  on maint.tf line 12, in resource "azurerm_app_service_virtual_network_swift_connection" "wa-to-sub-default":
  12: resource "azurerm_app_service_virtual_network_swift_connection" "wa-to-sub-default" {

Steps to Reproduce

1. Create a Resource Group rg-poc.
2. Create a Web App wa-poc.
3. Create a Virtual Network vn-poc, with a subnet named default.
4. On the default subnet, enable service delegation to Microsoft.Web/serverFarms.
5. Give your user the Contributor role on the Web App scope.
6. Give your user a custom role without the Microsoft.Network/virtualNetworks/subnets/write permission on the Virtual Network scope:

{
  "properties": {
    "roleName": "custom_vnetintegration_poc_nowrite",
    "description": "",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

7. terraform init
8. terraform plan
9. terraform apply

Important Factoids

No response

References

A previously opened issue matches this exactly - https://github.com/hashicorp/terraform-provider-azurerm/issues/15213 - but it appears the issue wasn't resolved for Windows Function App and Windows App Service.

xiaxyi commented 1 year ago

Thanks @dandcg for raising this issue. The property virtual_network_subnet_id is available in windows function app; I can run the script below successfully, can you try it?

# azurerm_resource_group.test, azurerm_virtual_network.test, azurerm_service_plan.test and
# azurerm_storage_account.test are declared elsewhere in the commenter's test configuration.
resource "azurerm_subnet" "test1" {
  name                 = "subnet1"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.0.1.0/24"]
  delegation {
    name = "delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_windows_function_app" "test" {
  name                       = "xiaxintest-WFA"
  location                   = azurerm_resource_group.test.location
  resource_group_name        = azurerm_resource_group.test.name
  service_plan_id            = azurerm_service_plan.test.id
  storage_account_name       = azurerm_storage_account.test.name
  storage_account_access_key = azurerm_storage_account.test.primary_access_key
  virtual_network_subnet_id  = azurerm_subnet.test1.id
  site_config {}
}

Besides, below script also works for me:

resource "azurerm_subnet" "test2" {
  name                 = "subnet2"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.0.2.0/24"]
  delegation {
    name = "delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_windows_function_app" "test1" {
  name                       = "xiaxintest-WFA1"
  location                   = azurerm_resource_group.test.location
  resource_group_name        = azurerm_resource_group.test.name
  service_plan_id            = azurerm_service_plan.test.id
  storage_account_name       = azurerm_storage_account.test.name
  storage_account_access_key = azurerm_storage_account.test.primary_access_key
  site_config {}
}

# Same integration as above, but via the separate swift connection resource.
resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_windows_function_app.test1.id
  subnet_id      = azurerm_subnet.test2.id
}

Have you tried to add the delegation permission in your subnet when assigning it to the vnet?

dandcg commented 1 year ago

My problem was due to security boundaries; I don't have write permissions on subnets. The azurerm_app_service_virtual_network_swift_connection resource requires subnet write permission even if the delegation is already applied.

However, moving the code to utilise an inline virtual_network_subnet_id as you suggested works. So there is probably still an inconsistency there in terms of the Windows resources acting differently to the Linux ones when using azurerm_app_service_virtual_network_swift_connection as per https://github.com/hashicorp/terraform-provider-azurerm/issues/15213.
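The configuration below is an added example, not code from the issue or from the provider's own test suite. It puts together the least-privilege shape the thread ends on: a custom role that grants only read and subnets/join/action on the virtual network (the same permission set as the role in the reproduction steps, with no subnets/write), and a Windows Function App that integrates through the inline virtual_network_subnet_id argument, which the reporter confirmed works with that role, instead of azurerm_app_service_virtual_network_swift_connection, which failed with LinkedAuthorizationFailed. The resource names (rg-poc, vn-poc, sp-poc, wa-poc, the storage account name), the region, the service plan SKU and the app_deployer_object_id variable are all assumptions; the provider version is assumed to be 3.43 or later.

```hcl
# Added example: least-privilege VNet integration for a Windows Function App.
# Not taken from the issue or the provider; all names below are assumptions.

provider "azurerm" {
  features {}
}

# Object id of the app team's deployment principal (placeholder, supplied at apply time).
variable "app_deployer_object_id" {
  type = string
}

resource "azurerm_resource_group" "poc" {
  name     = "rg-poc"
  location = "westeurope"
}

resource "azurerm_virtual_network" "poc" {
  name                = "vn-poc"
  location            = azurerm_resource_group.poc.location
  resource_group_name = azurerm_resource_group.poc.name
  address_space       = ["10.0.0.0/16"]
}

# Delegation is applied once by whoever owns the network; the app team only
# needs join/action on this subnet afterwards.
resource "azurerm_subnet" "default" {
  name                 = "default"
  resource_group_name  = azurerm_resource_group.poc.name
  virtual_network_name = azurerm_virtual_network.poc.name
  address_prefixes     = ["10.0.1.0/24"]

  delegation {
    name = "delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Same permission set as the custom role in the issue: no subnets/write.
resource "azurerm_role_definition" "vnet_integration_nowrite" {
  name              = "custom_vnetintegration_poc_nowrite"
  scope             = azurerm_virtual_network.poc.id
  assignable_scopes = [azurerm_virtual_network.poc.id]

  permissions {
    actions = [
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
    ]
    not_actions = []
  }
}

resource "azurerm_role_assignment" "deployer_on_vnet" {
  scope              = azurerm_virtual_network.poc.id
  role_definition_id = azurerm_role_definition.vnet_integration_nowrite.role_definition_resource_id
  principal_id       = var.app_deployer_object_id
}

resource "azurerm_service_plan" "poc" {
  name                = "sp-poc"
  location            = azurerm_resource_group.poc.location
  resource_group_name = azurerm_resource_group.poc.name
  os_type             = "Windows"
  sku_name            = "EP1" # assumed; regional VNet integration needs a plan tier that supports it
}

resource "azurerm_storage_account" "poc" {
  name                     = "stwapoc0001" # placeholder; must be globally unique
  resource_group_name      = azurerm_resource_group.poc.name
  location                 = azurerm_resource_group.poc.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Integration via the inline argument. The thread confirms this path works with
# the read + join/action role above, whereas the separate
# azurerm_app_service_virtual_network_swift_connection resource demanded
# subnets/write and failed with LinkedAuthorizationFailed.
resource "azurerm_windows_function_app" "wa" {
  name                       = "wa-poc"
  location                   = azurerm_resource_group.poc.location
  resource_group_name        = azurerm_resource_group.poc.name
  service_plan_id            = azurerm_service_plan.poc.id
  storage_account_name       = azurerm_storage_account.poc.name
  storage_account_access_key = azurerm_storage_account.poc.primary_access_key
  virtual_network_subnet_id  = azurerm_subnet.default.id

  site_config {}
}
```

In a real split between a network team and an app team, the role definition, assignment and subnet delegation would live in the network team's configuration and the function app in the app team's; they are in one file here only so the example is self-contained. The role assignment is scoped to the virtual network rather than the subscription, so the deployer gains no rights on other networks, and the absence of subnets/write is what keeps a compromised deployment principal from changing the subnet's delegation, NSG association or address space.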