hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

`allowed_applications` of `active_directory_v2` on `azurerm_windows_function_app` doesn't work #25897

Open fkpwolf opened 2 months ago

fkpwolf commented 2 months ago

Terraform Version

1.5.6

AzureRM Provider Version

3.101.0

Affected Resource(s)/Data Source(s)

azurerm_windows_function_app

Terraform Configuration Files

```hcl
resource "azurerm_windows_function_app" "function" {
  name                          = var.function_app_name
  location                      = var.location
  resource_group_name           = var.resource_group_name
  service_plan_id               = azurerm_service_plan.function.id
  storage_account_name          = azurerm_storage_account.function.name
  storage_uses_managed_identity = true
  https_only                    = true
  virtual_network_subnet_id     = azurerm_subnet.function.id
  site_config {
    ftps_state                  = "FtpsOnly"
    minimum_tls_version         = "1.2"
    use_32_bit_worker           = false
    scm_use_main_ip_restriction = true
    always_on                   = true
  }
  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.function.id
    ]
  }
  auth_settings_v2 {
    auth_enabled = true
    login {
      token_store_enabled = true
    }
    require_authentication = false
    unauthenticated_action = "AllowAnonymous"
    active_directory_v2 {
      client_id            = var.function_settings["FunctionMSIAppId"]
      tenant_auth_endpoint = "https://login.microsoftonline.com/xxxx"
      allowed_applications = [
        var.function_settings["ADFMSIClientId"] # hardcoded ADF Managed Identity client ID
      ]
    }
  }
}
```

Debug Output/Panic Output

after deploy, in Azure portal, allowed_applications is empty.

Expected Behaviour

In Azure portal, I can see the allowed application which I have set.

Actual Behaviour

after deploy, in Azure portal, allowed_applications is empty.

Steps to Reproduce

No response

Important Factoids

No response

References

No response
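The failure mode reported above is that `terraform apply` returns success while the platform keeps an empty "Allowed client applications" list, so the only reliable check is against what Azure actually stored, not against the plan. The following script is an added example for this issue, not code from the provider or from anyone in the thread. It parses the JSON body returned by the ARM "Get Auth Settings V2" operation for the Function App (assumed path: `GET .../providers/Microsoft.Web/sites/{app}/config/authsettingsV2/list?api-version=2022-03-01`, which can be saved to a file with `az rest --method get --url "<that URL>"`), and compares the stored `allowedApplications` with the client IDs that were passed to `allowed_applications` in Terraform. The file name `check_auth.py`, the sample response body, and all GUIDs and the tenant placeholder are constructed for the example.

```python
"""check_auth.py: post-apply drift check for Easy Auth's allowed client applications.

Added example for this issue, not provider code. Reads the authsettingsV2 JSON
returned by ARM (GET .../config/authsettingsV2/list?api-version=2022-03-01,
assumed path, e.g. fetched with `az rest --method get --url "<URL>" > auth.json`)
and reports allow-list entries that Terraform claimed to set but Azure did not keep.
"""
import json
import sys

# Constructed sample response, shaped like the reported symptom: the AAD
# provider is enabled but allowedApplications came back empty after apply.
# All IDs and the issuer are placeholders, not real identifiers.
SAMPLE_AUTHSETTINGS_V2 = json.loads("""
{
  "properties": {
    "platform": {"enabled": true},
    "globalValidation": {
      "requireAuthentication": false,
      "unauthenticatedClientAction": "AllowAnonymous"
    },
    "identityProviders": {
      "azureActiveDirectory": {
        "enabled": true,
        "registration": {
          "clientId": "00000000-0000-0000-0000-0000000000aa",
          "openIdIssuer": "https://login.microsoftonline.com/<tenant-id>/v2.0"
        },
        "validation": {
          "defaultAuthorizationPolicy": {"allowedApplications": []}
        }
      }
    }
  }
}
""")


def allowed_applications(authsettings_v2: dict) -> set[str]:
    """Return the client IDs stored under
    properties.identityProviders.azureActiveDirectory.validation
            .defaultAuthorizationPolicy.allowedApplications
    A missing level or a null list counts as "no allow-list", which is the
    state the issue describes. IDs are lower-cased so comparisons ignore case."""
    props = authsettings_v2.get("properties") or {}
    aad = (props.get("identityProviders") or {}).get("azureActiveDirectory") or {}
    policy = (aad.get("validation") or {}).get("defaultAuthorizationPolicy") or {}
    return {str(app).lower() for app in policy.get("allowedApplications") or []}


def anonymous_allowed(authsettings_v2: dict) -> bool:
    """True when unauthenticated callers are let through, as in the posted config
    (require_authentication = false, unauthenticated_action = "AllowAnonymous").
    In that mode the allow-list only constrains callers that do present a token."""
    gv = (authsettings_v2.get("properties") or {}).get("globalValidation") or {}
    return (gv.get("requireAuthentication") is False
            or gv.get("unauthenticatedClientAction") == "AllowAnonymous")


def auth_drift(expected_apps, authsettings_v2: dict) -> dict:
    """Compare the IDs given to allowed_applications in Terraform with what the
    platform stored. 'enforced' is True only when the stored list is non-empty
    and contains every expected ID."""
    expected = {a.lower() for a in expected_apps}
    actual = allowed_applications(authsettings_v2)
    return {
        "missing": sorted(expected - actual),
        "unexpected": sorted(actual - expected),
        "enforced": bool(actual) and expected <= actual,
        "anonymous_allowed": anonymous_allowed(authsettings_v2),
    }


def main(argv: list[str]) -> int:
    """usage: check_auth.py <auth.json> <client-id> [<client-id> ...]
    With no arguments the constructed sample and a placeholder ID are used."""
    if len(argv) >= 3:
        with open(argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
        expected = argv[2:]
    else:
        doc = SAMPLE_AUTHSETTINGS_V2
        expected = ["11111111-1111-1111-1111-111111111111"]  # placeholder client ID
    result = auth_drift(expected, doc)
    print(json.dumps(result, indent=2))
    if result["anonymous_allowed"]:
        print("note: unauthenticated requests are allowed; the allow-list only "
              "limits callers that present a token", file=sys.stderr)
    return 0 if result["enforced"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after `terraform apply` in CI and fail the pipeline on a non-zero exit; a run against the sample reproduces the issue (the expected ID is reported as missing and `enforced` is false). The `anonymous_allowed` flag is there because the configuration in this report sets `unauthenticated_action = "AllowAnonymous"`: even a correctly applied allow-list does not stop unauthenticated calls in that mode, so the check tells you which of the two protections you are actually relying on.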

bw-adriangould commented 2 months ago

This issue is also affecting our team and is exactly as described above.

Plan highlights the fact that allowed_applications will be updated, but Apply does not update the value.

Found this in the log files, if it's any help:

2024-05-16T12:59:50.007Z [WARN] Provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value for module.function_app.azurerm_windows_function_app.function_app, but we are tolerating it because it is using the legacy plugin SDK. The following problems may be the cause of any confusing errors from downstream operations:

stefanmd023 commented 1 month ago

+1 Also have an issue with this. (edit: but with linux function app)

However note, not sure if related image

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app#arguments-reference:~:text=Azure%20Active%20Directory.-,NOTE%3A,-This%20is%20configured

bw-adriangould commented 1 month ago

> +1 Also have an issue with this.
>
> However note, not sure if related image
>
> https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app#arguments-reference:~:text=Azure%20Active%20Directory.-,NOTE%3A,-This%20is%20configured

Thanks, but that note is related to a Linux function app and not a Windows function app.

stefanmd023 commented 1 month ago

Interesting, so the issue is on both linux and windows function apps

bw-adriangould commented 1 month ago

> Interesting, so the issue is on both linux and windows function apps

Interesting, or suspicious, that the "read-only" note is only shown on the Linux function app. My immediate issue is with the Windows function app.

stefanmd023 commented 1 month ago

> Interesting, so the issue is on both linux and windows function apps
>
> Interesting, or suspicious, that the "read-only" note is only shown on the Linux function app. My immediate issue is with the Windows function app.

I couldn't find any other way to set this using code, neither PowerShell nor az cli. It's possible the issue is that the Azure API does not support it, and the note should also be on the Windows function app. That would be sad news.

bw-adriangould commented 1 month ago

> Interesting, so the issue is on both linux and windows function apps
>
> Interesting, or suspicious, that the "read-only" note is only shown on the Linux function app. My immediate issue is with the Windows function app.
>
> I couldn't find any other way to set this using code, neither PowerShell nor az cli. It's possible the issue is that the Azure API does not support it, and the note should also be on the Windows function app. That would be sad news.

You can configure it via the Portal, and although Terraform identifies that a change is necessary, it doesn't apply the change; it also doesn't undo a manual update made via the Azure portal.

stefanmd023 commented 1 month ago

> Interesting, so the issue is on both linux and windows function apps
>
> Interesting, or suspicious, that the "read-only" note is only shown on the Linux function app. My immediate issue is with the Windows function app.
>
> I couldn't find any other way to set this using code, neither PowerShell nor az cli. It's possible the issue is that the Azure API does not support it, and the note should also be on the Windows function app. That would be sad news.
>
> You can configure it via the Portal, and although Terraform identifies that a change is necessary, it doesn't apply the change; it also doesn't undo a manual update made via the Azure portal.

Yes that is the same behaviour as for the Linux Function App.

fkpwolf commented 1 month ago

Looks like it works now: after deploying, I can see it in the Azure Portal UI, meaning the "Allowed client applications" input now has values.

stefanmd023 commented 1 month ago

> Looks like it works now: after deploying, I can see it in the Azure Portal UI, meaning the "Allowed client applications" input now has values.

I do not see any change in behaviour for me. What about @bw-adriangould ?

bw-adriangould commented 1 month ago

> Looks like it works now: after deploying, I can see it in the Azure Portal UI, meaning the "Allowed client applications" input now has values.
>
> I do not see any change in behaviour for me. What about @bw-adriangould ?

I haven't tried yet, but no change of behaviour is expected without an update to the AzureRm provider module. What version are you using, @fkpwolf?

I'm currently on hashicorp/azurerm v3.103.1

bw-adriangould commented 1 month ago

> Looks like it works now: after deploying, I can see it in the Azure Portal UI, meaning the "Allowed client applications" input now has values.
>
> I do not see any change in behaviour for me. What about @bw-adriangould ?

No change and nothing in the AzureRm provider change log to indicate anything has changed.

nnnvvvcv commented 3 weeks ago

Could be a fix incoming: https://github.com/hashicorp/terraform-provider-azurerm/blob/6b4ddc7bc9931e6cb2c3fc6c636ee609ac55fc3b/CHANGELOG.md?plain=1#L26