Error when updating azurerm_logic_app_standard - There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property

[Mechanolatry]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.8.2

AzureRM Provider Version

3.101.0

Affected Resource(s)/Data Source(s)

azurerm_logic_app_standard

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.100.0"
    }
  }
}
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "test-logic-app-standard-1984"
  location = "northeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "testlogicappstandard1984"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location 
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_service_plan" "example" {
  name                = "test-logic-app-standard-1984"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "WS1"
  os_type             = "Windows"

}

resource "azurerm_logic_app_standard" "example" {
  name                       = "test-logic-app-standard-1984"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  app_settings = {
    "FUNCTIONS_WORKER_RUNTIME"     = "node"
    "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
  }
# identity {
#   type = "SystemAssigned"
# }
}

Debug Output/Panic Output

azurerm_logic_app_standard.example: Modifying... [id=/subscriptions/302850e0-90f7-4390-96ad-ff15040d9b13/resourceGroups/test-logic-app-standard-1984/providers/Microsoft.Web/sites/test-logic-app-standard-1984]
╷
│ Error: updating Logic App Standard: (Site Name "test-logic-app-standard-1984" / Resource Group "test-logic-app-standard-1984"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property." Details=[{"Message":"There was a conflict. 
SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"01020","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property.","MessageTemplate":"There was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess 
cannot be modified. Please modify the Site.PublicNetworkAccess property."]}}]
│
│   with azurerm_logic_app_standard.example,
│   on main.tf line 36, in resource "azurerm_logic_app_standard" "example":
│   36: resource "azurerm_logic_app_standard" "example" {
│
╵

Expected Behaviour

Logic_App_Standard resource should apply with any (valid) changes made to the resource block.

Actual Behaviour

After initial Apply creating the resource, any subsequent apply that requires the resource to be updated causes the above error and fails to update the resource.

Steps to Reproduce

1. terraform apply
2. make any/trivial change to azurerm_logic_app_standard resource (Such as add identity block)
3. terraform apply

Important Factoids

No response

References

The following PR resolves this issue for other resources based on the Microsoft.Web/Sites resources/API

25794 Update various files to not set SiteConfig.PublicNetworkAccess

Issue below (On a different resource) may also be related

25818 May also be related

[PG-RichT]

Experiencing the same issue with vnetRouteAllEnabled on windows_function_app as well.

[ManojSethuraman]

Experiencing the same issue. Any dates for the fix to be available?

[BigFrog-coding]

Having same issue. Using the required attributes only, on the first run it will deploy the app, but on subsequent run it gives this error. If I try to add the code to set the attribute it gives this error and doesn't deploy at all.

[ManojSethuraman]

Experiencing the same issue. Any dates for the fix to be available?

@JosiahSiegel , can you help on this issue?

[daniel-steinmann]

Experiencing the same issue with vnetRouteAllEnabled on windows_function_app as well.

@PG-RichT we face this issue with azurerm_windows_web_app. This was the response from the App Service product group:

If customers are unable to set route all enabled to true, that is because the setting is already true and they are just seeing an issue with our API. There is a potential issue here is that certain portal operations might actually set it to false while they are in this state. Customers can mitigate by setting it to false properly and then back to true. Either through an ARM template, or by ticking another checkbox and saving it.

[4865783a5d]

We're expiriencing this issue with as well with azurerm_linux_web_app_slot, with azurerm_linux_web_app it works as intended. Currently working around the issue like this:

lifecycle {
    ignore_changes = [
      site_config[0].vnet_route_all_enabled
    ]
  }

[brad-scott-talogy]

We are using this as a work around for the time being until a fix is released. Posting here in-case it helps someone.

lifecycle { ignore_changes = [site_config["VnetRouteAllEnabled"], ] }

I expect VnetRouteAllEnabled can be replaced with any problem parameter like PublicNetworkAccess

[ghost]

I think the issue is whenever we touch site_config... Im having a very similar issue but with creating LA's, not updating... so have just raised #25891

[BigFrog-coding]

I also just hit the same error trying to add vnet_integration to the logic app standard. That attribute is not within the site_config but did give the site_config conflict error. Working around by ignoring these settings, but have to manually set the network how I want it, which is not a scalable solution.

Can we get a "BUG" label added?

[jquinn99002]

I also just hit the same error trying to add vnet_integration to the logic app standard. That attribute is not within the site_config but did give the site_config conflict error. Working around by ignoring these settings, but have to manually set the network how I want it, which is not a scalable solution.

Can we get a "BUG" label added?

Hmm we managed to do vnet integration in some other code we have, are you sure you don't have any site_config stuff going on? We just had to comment out the whole site_config section to make it work.

[BigFrog-coding]

I also just hit the same error trying to add vnet_integration to the logic app standard. That attribute is not within the site_config but did give the site_config conflict error. Working around by ignoring these settings, but have to manually set the network how I want it, which is not a scalable solution. Can we get a "BUG" label added?

Hmm we managed to do vnet integration in some other code we have, are you sure you don't have any site_config stuff going on? We just had to comment out the whole site_config section to make it work.

Did you run the code again? Was the resource already deployed when you tried adding the vnet afterwards? It does seem to work fine first deploy, but subsequent runs hit the error in my experience

[jakaxd]

I am currently using azurerm v3.94.0, and this is also affecting windows function apps:

│ Error: updating Windows App Service (Subscription: "***"
│ Resource Group Name: "***"
│ Site Name: "***"): performing CreateOrUpdate: unexpected status 400 with response: {"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property.","Target":null,"Details":[{"Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"01020","MessageTemplate":"There was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."],"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."}}],"Innererror":null}
│ 
│   with module.windows_func_app["001"].azurerm_windows_function_app.windows_function_app,
│   on .terraform/modules/windows_func_app/main.tf line 12, in resource "azurerm_windows_function_app" "windows_function_app":
│   12: resource "azurerm_windows_function_app" "windows_function_app" {
│ 
│ updating Windows App Service (Subscription:
│ "***"
│ Resource Group Name: "***"
│ Site Name: "***"): performing CreateOrUpdate:
│ unexpected status 400 with response: {"Code":"BadRequest","Message":"There
│ was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please
│ modify the Site.PublicNetworkAccess
│ property.","Target":null,"Details":[{"Message":"There was a conflict.
│ SiteConfig.PublicNetworkAccess cannot be modified. Please modify the
│ Site.PublicNetworkAccess
│ property."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"01020","MessageTemplate":"There
│ was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess cannot
│ be modified. Please modify the Site.PublicNetworkAccess
│ property."],"Code":"BadRequest","Message":"There was a conflict.
│ SiteConfig.PublicNetworkAccess cannot be modified. Please modify the
│ Site.PublicNetworkAccess property."}}],"Innererror":null}

[photonn]

"Historically, we have also had two of the networking settings in site config properties, namely vnetRouteAllEnabled and publicNetworkAccess. Again, because of the limitations to control via policy, we have been introducing these properties as site properties. For a while they have been modifiable in both places, but we will start enforcing that you can only modify the setting using the site property and you may see an error message like this: “SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property”. If you see this error you will need to update your scripts or templates to use the site property equivalent."

There is a change on Microsoft API a few days ago: https://azure.github.io/AppService/2024/04/23/Networking-compliance-improvements.html

[JosiahSiegel]

Please upvote this Terraform issue as well for visibility: https://github.com/hashicorp/terraform-provider-azurerm/issues/25824

[BigFrog-coding]

"Historically, we have also had two of the networking settings in site config properties, namely vnetRouteAllEnabled and publicNetworkAccess. Again, because of the limitations to control via policy, we have been introducing these properties as site properties. For a while they have been modifiable in both places, but we will start enforcing that you can only modify the setting using the site property and you may see an error message like this: “SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property”. If you see this error you will need to update your scripts or templates to use the site property equivalent."

There is a change on Microsoft API a few days ago: https://azure.github.io/AppService/2024/04/23/Networking-compliance-improvements.html

Problem is not all resourses have the "site" property. Standard logic app does not have the property for instance. But it still throws the error for that property.

[photonn]

"Historically, we have also had two of the networking settings in site config properties, namely vnetRouteAllEnabled and publicNetworkAccess. Again, because of the limitations to control via policy, we have been introducing these properties as site properties. For a while they have been modifiable in both places, but we will start enforcing that you can only modify the setting using the site property and you may see an error message like this: “SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property”. If you see this error you will need to update your scripts or templates to use the site property equivalent." There is a change on Microsoft API a few days ago: https://azure.github.io/AppService/2024/04/23/Networking-compliance-improvements.html

Problem is not all resourses have the "site" property. Standard logic app does not have the property for instance. But it still throws the error for that property.

Wrote this here only for awareness and reference. Resource neds to be updated to suport this change.

[kamalini1986]

Can you please assign this issue to me