hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_linux_web_app unable to configure identity provider client application requirements #25835

Open alex-smith-ans opened 2 months ago

alex-smith-ans commented 2 months ago

Is there an existing issue for this?

Community Note

Description

Support for selecting Client Application Requirements when adding an Entra ID OAuth 2 Identity Provider.

It is not currently possible to select "Allow requests only from this application itself" under client application requirements when configuring authentication_v2 with Microsoft Entra ID as the IdP. This option is found in the portal in the Basics section under Authentication.


Please can this be added?

New or Affected Resource(s)/Data Source(s)

azurerm_linux_web_app

Potential Terraform Configuration

resource "azurerm_linux_web_app" "workload_linux_web_app" {
  name                      = "linux-web-app"
  location                  = var.location
  resource_group_name       = data.azurerm_service_plan.workload_asp.resource_group_name
  service_plan_id           = data.azurerm_service_plan.workload_asp.id
  virtual_network_subnet_id = data.azurerm_subnet.workload_subnet.id

  site_config {
    ip_restriction {
      ip_address = "10.0.0.0/8"
      action     = "Allow"
    }
    vnet_route_all_enabled = true
    application_stack {
      dotnet_version = "8.0"
    }
  }
  public_network_access_enabled = false
  identity {
    type = "SystemAssigned"
  }
  app_settings = {
    APPINSIGHTS_INSTRUMENTATIONKEY             = data.azurerm_application_insights.app_insights_api.instrumentation_key
    APPLICATIONINSIGHTS_CONNECTION_STRING      = data.azurerm_application_insights.app_insights_api.connection_string
    ApplicationInsightsAgent_EXTENSION_VERSION = "~3"
    MICROSOFT_PROVIDER_AUTHENTICATION_SECRET   = data.azurerm_key_vault_secret.workload_app_secret.value
  }

  auth_settings_v2 {
    auth_enabled           = true
    unauthenticated_action = "RedirectToLoginPage"
    default_provider       = "azureactivedirectory"
    require_https          = true
    active_directory_v2 {
      client_id                  = data.azurerm_key_vault_secret.workload_consumer_app_client_id.value
      tenant_auth_endpoint       = "https://sts.windows.net/${var.tenant_id}"
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
      allowed_applications       = [data.azurerm_key_vault_secret.workload_consumer_app_client_id.value]
    }
    login {
      token_store_enabled = true
    }
  }

  tags = local.tags
  lifecycle { ignore_changes = [tags] }
}

References

No response

vladigoodman commented 1 month ago

Exported JSON configuration for a Terraform-configured Linux web app. Command:

    az webapp auth show --resource-group "resourcegroupname" --name "linuxwebappname" > output.json

I found that the value "allowedApplications" in the JSON output is not properly updated from the Terraform registry configuration block auth_settings_v2 (with the allowed_applications setting):

    "validation": {
      "allowedAudiences": [
        "api://masked_client_id"
      ],
      "defaultAuthorizationPolicy": {
        "allowedApplications": [
          "masked_client_id"
        ],
        "allowedPrincipals": {}
      },
      "jwtClaimChecks": {}
    }

The only workaround, instead of using the auth_settings_v2 configuration block, is to add an "azapi_resource" resource using the following MS KB https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?pivots=deployment-language-terraform, or any other script that updates the values with the proper values via REST.
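The azapi_resource workaround from the comment above, written out as an added example that is neither the commenter's nor the provider's code. It assumes the azurerm_linux_web_app, data sources and var.tenant_id from the issue's configuration, an azapi provider 1.x body (jsonencode), and that the web app resource is declared without its own auth_settings_v2 block so azurerm and azapi do not overwrite each other; the defaultAuthorizationPolicy.allowedApplications entry is what the portal labels "Allow requests only from this application itself".

```hcl
# Added example, not from the issue or the provider. Assumes azapi 1.x
# (body = jsonencode(...)) and that azurerm_linux_web_app.workload_linux_web_app
# is declared WITHOUT an auth_settings_v2 block, so only azapi manages auth.
locals {
  # Taken from the issue's configuration: the consumer app registration's client ID.
  consumer_client_id = data.azurerm_key_vault_secret.workload_consumer_app_client_id.value
}

resource "azapi_resource" "workload_auth_settings_v2" {
  type      = "Microsoft.Web/sites/config@2022-09-01"
  name      = "authsettingsV2"
  parent_id = azurerm_linux_web_app.workload_linux_web_app.id

  body = jsonencode({
    properties = {
      globalValidation = {
        requireAuthentication       = true
        unauthenticatedClientAction = "RedirectToLoginPage"
        redirectToProvider          = "azureactivedirectory"
      }
      httpSettings = { requireHttps = true }
      identityProviders = {
        azureActiveDirectory = {
          enabled = true
          registration = {
            clientId                = local.consumer_client_id
            clientSecretSettingName = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
            openIdIssuer            = "https://sts.windows.net/${var.tenant_id}"
          }
          validation = {
            # A token must be issued for this app's audience ...
            allowedAudiences = ["api://${local.consumer_client_id}"]
            # ... AND be presented by this app itself (the caller's app ID claim).
            # Without allowedApplications, any client in the tenant that can obtain
            # a token for this audience is authorized.
            defaultAuthorizationPolicy = {
              allowedApplications = [local.consumer_client_id]
              allowedPrincipals   = {}
            }
          }
        }
      }
      login    = { tokenStore = { enabled = true } }
      platform = { enabled = true }
    }
  })
}
```

After apply, re-run the az webapp auth show command quoted above and confirm that defaultAuthorizationPolicy.allowedApplications lists only the app's own client ID.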