hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

`public_network_access_enabled` not updating on `azurerm_linux_web_app` #24878

Open emilypie opened 4 months ago

emilypie commented 4 months ago

Terraform Version

1.5.0

AzureRM Provider Version

3.86.0

Affected Resource(s)/Data Source(s)

azurerm_linux_web_app

Terraform Configuration Files

resource "azurerm_linux_web_app" "app_service" {
  name                      = "test-linux-web-app"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  service_plan_id           = azurerm_app_service_plan.example.id
  virtual_network_subnet_id = azurerm_subnet.example1.id
  https_only                = true
  identity {
    type = "SystemAssigned"
  }
  public_network_access_enabled   = true
  site_config {
    ip_restriction {
      name                      = "Access From FrontDoor"
      action                    = "Allow"
      priority                  = "100"
      virtual_network_subnet_id = null
      ip_address                = null
      service_tag               = "AzureFrontDoor.Backend"
      headers                   = null
    }
    always_on = true
    vnet_route_all_enabled = true
  }
}

resource "azurerm_private_endpoint" "private_endpoint" {
  name                              = "test-appservice-private-endpoint"
  location                          = azurerm_resource_group.example.location
  resource_group_name               = azurerm_resource_group.example.name
  subnet_id                         = azurerm_subnet.example2.id
  custom_network_interface_name     = "test-private-endpoint-nic"

  private_service_connection {
    name                            = "test-appservice-private-service-connection"
    is_manual_connection            = false
    private_connection_resource_id  = var.app_service_id
    subresource_names               = ["sites"]
  }

  timeouts {}
}

Debug Output/Panic Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.environment.module.claimant_portal_api.module.private_endpoint[0].azurerm_private_endpoint.private_endpoint will be created
  + resource "azurerm_private_endpoint" "private_endpoint" {
      + custom_dns_configs            = (known after apply)
      + custom_network_interface_name = "test-private-endpoint-nic"
      + id                            = (known after apply)
      + location                      = "eastus"
      + name                          = "test-appservice-private-endpoint"
      + network_interface             = (known after apply)
      + private_dns_zone_configs      = (known after apply)
      + resource_group_name           = "example"
      + subnet_id                     = "/subscriptions/redacted/resourceGroups/redacted/providers/Microsoft.Network/virtualNetworks/redacted/subnets/redacted"

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = "test-appservice-private-service-connection"
          + private_connection_resource_id = "/subscriptions/redacted/resourceGroups/redacted/providers/Microsoft.Web/sites/redacted"
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "sites",
            ]
        }

      + timeouts {}
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Expected Behaviour

Under Inbound traffic configuration, Public network access should be Enabled, because the Terraform config explicitly overrides the default behavior.

Additionally, clicking on the linked text should show the radio button Enabled from select virtual networks and IP addresses selected.

Actual Behaviour

Under Inbound traffic configuration, Public network access is Disabled (Using default behavior).

Additionally, clicking on the linked text shows none of the 3 radio buttons under Public Network Access are selected.

Steps to Reproduce

  1. Copy/paste the app service terraform
  2. terraform plan
  3. terraform apply
  4. Copy/paste the private endpoint terraform
  5. terraform plan
  6. terraform apply
  7. Visit the app service in Azure Portal
  8. Click Networking on the left

Important Factoids

No response

References

It seems like this is an issue with more than just azurerm_linux_web_app:

pauldotknopf commented 2 months ago

I'm starting to get conflict errors related to this change:

performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with response: {"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property.","Target":null,"Details":[{"Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"01020","MessageTemplate":"There was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."],"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."}}],"Innererror":null}

/cc @jackofallops

mitcheman commented 2 months ago

> I'm starting to get conflict errors related to this change:
>
> performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with response: {"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property.","Target":null,"Details":[{"Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"01020","MessageTemplate":"There was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."],"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."}}],"Innererror":null}
>
> /cc @jackofallops

Also receiving a new conflict error for site/siteConfig properties

SiteConfig.VnetRouteAllEnabled cannot be modified. Please modify the Site.VnetRouteAllEnabled property.

dpickeringjudge commented 2 months ago

We're also seeing the exact same issue ^

mrk9676 commented 2 months ago

> I'm starting to get conflict errors related to this change:
>
> performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with response: {"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property.","Target":null,"Details":[{"Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"01020","MessageTemplate":"There was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."],"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."}}],"Innererror":null}
>
> /cc @jackofallops
>
> Also receiving a new conflict error for site/siteConfig properties
>
> SiteConfig.VnetRouteAllEnabled cannot be modified. Please modify the Site.VnetRouteAllEnabled property.

Hello all,

We have been getting the issue below for the last 2 days with the Azure App Service VNET configuration. It's behaving very oddly. Enabling vnet_route_all_enabled throws the conflict. If I remove this setting, VNET routing gets enabled by default in a few subscriptions. In a few subscriptions it does not get enabled. Please let me know if there is any solution or workaround.

Error:: Code="BadRequest" Message="There was a conflict. SiteConfig.VnetRouteAllEnabled cannot be modified. Please modify the Site.VnetRouteAllEnabled property."

skillbuilderzone commented 1 month ago

Any update on this?

xiaxyi commented 1 month ago

@mrk9676 I think the API is not throwing the error now? Do you mind double-checking to see if you are still getting the 400 error? @skillbuilderzone Are you still getting the 400 error?
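
A drift check for the two settings discussed in this thread, added here as an example (not code from the issue or from the provider). It assumes an ARM-style JSON view of the site whose field names mirror the Site.* and SiteConfig.* names in the 400 error, that the site-level value takes precedence, and that an unset public network access value defaults to disabled once a private endpoint exists, as the report observed; the sample JSON is constructed.

```python
import json

# Constructed sample (not from the issue): trimmed ARM-style view of the web app
# after the private endpoint is applied. Field names are assumptions derived
# from the Site.* / SiteConfig.* names in the 400 error above.
SAMPLE_SITE = json.loads("""
{"properties": {"publicNetworkAccess": null,
                "vnetRouteAllEnabled": true,
                "siteConfig": {"publicNetworkAccess": null,
                               "vnetRouteAllEnabled": true}}}
""")


def site_value(site, key):
    """Site-level value wins; fall back to the siteConfig copy (assumed precedence)."""
    props = site.get("properties") or {}
    value = props.get(key)
    if value is None:
        value = (props.get("siteConfig") or {}).get(key)
    return value


def effective_public_access(site, private_endpoints):
    """Return (enabled, source); source is 'explicit' or 'default'."""
    value = site_value(site, "publicNetworkAccess")
    if value is not None:
        return value.lower() == "enabled", "explicit"
    # Unset: assumed platform default, matching the portal text in the report
    # ("Disabled (Using default behavior)" once a private endpoint exists).
    return private_endpoints == 0, "default"


def drift(declared, site, private_endpoints):
    """Compare declared Terraform arguments with the deployed site."""
    findings = []
    enabled, source = effective_public_access(site, private_endpoints)
    want = declared.get("public_network_access_enabled")
    if want is not None and want != enabled:
        findings.append(f"public_network_access_enabled: declared {want}, "
                        f"effective {enabled} ({source})")
    want = declared.get("vnet_route_all_enabled")
    have = site_value(site, "vnetRouteAllEnabled")
    if want is not None and want != have:
        findings.append(f"vnet_route_all_enabled: declared {want}, deployed {have}")
    return findings


if __name__ == "__main__":
    declared = {"public_network_access_enabled": True, "vnet_route_all_enabled": True}
    for line in drift(declared, SAMPLE_SITE, private_endpoints=1):
        print(line)
```

Run after every apply that touches the app or its private endpoints: a finding with source `default` means the declared value never reached the site and the platform default is deciding exposure.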