hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs

azurerm_resource_group_template_deployment LogicApp deployment removes network access controls on redeploy #26269

Open tinix0 opened 1 month ago

tinix0 commented 1 month ago

Is there an existing issue for this?

Community Note

Terraform Version

1.5.5

AzureRM Provider Version

3.107.0

Affected Resource(s)/Data Source(s)

azurerm_resource_group_template_deployment

Terraform Configuration Files

# Deploys the Logic App workflow "LogicAppTest" through an ARM template embedded as a heredoc.
# NOTE(review): the plan output posted later in this thread reports the access_control removal on
# azurerm_logic_app_workflow.teams_alert_logic_app_workflow, a resource that is not part of this
# snippet. If that resource manages the same workflow as this template, Terraform would be
# reconciling the workflow to a definition that has no access_control block. Confirm which
# resource owns the workflow before treating this as a template-deployment bug.
resource "azurerm_resource_group_template_deployment" "logic_app_template" {
  name = "logicappdeploy"
  resource_group_name = "xxx"
  # Incremental mode leaves resources that are absent from the template alone, but a resource
  # that is in the template has all of its properties reapplied on each deployment.
  deployment_mode = "Incremental"
  # The heredoc below is JSON and cannot carry comments; review notes follow its terminator.
  # Terraform still interpolates inside it (the resource group name in the webhook "text").
  template_content = <<TEMPLATE
  {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Logic/workflows",
            "name": "LogicAppTest",
            "apiVersion": "2017-07-01",
            "location": "westeurope",
            "properties": {
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "actions": {
                        "Condition_2": {
                            "actions": {
                                "HTTP_2": {
                                    "inputs": {
                                        "body": {
                                            "text": "XXX:AzureAlert:Budget @{triggerBody()?['data']?['ResourceGroup']} is over budget threshold. Spending: @{triggerBody()?['data']?['SpendingAmount']}/@{triggerBody()?['data']?['Budget']} @{triggerBody()?['data']?['Unit']} Threshold: @{triggerBody()?['data']?['NotificationThresholdAmount']} @{triggerBody()?['data']?['Unit']} Type: @{triggerBody()?['data']?['BudgetType']}"
                                        },
                                        "method": "POST",
                                        "uri": "xx"
                                    },
                                    "runAfter": {},
                                    "type": "Http"
                                }
                            },
                            "else": {
                                "actions": {
                                    "Condition": {
                                        "actions": {
                                            "HTTP": {
                                                "inputs": {
                                                    "body": {
                                                        "text": "XXX:AzureAlert:@{triggerBody()?['data']?['essentials']?['description']}"
                                                    },
                                                    "method": "POST",
                                                    "uri": "xx"
                                                },
                                                "runAfter": {},
                                                "type": "Http"
                                            }
                                        },
                                        "else": {
                                            "actions": {
                                                "webhook": {
                                                    "inputs": {
                                                        "body": {
                                                            "potentialAction": [
                                                                {
                                                                    "@@type": "OpenUri",
                                                                    "name": "View Logs",
                                                                    "targets": [
                                                                        {
                                                                            "os": "default",
                                                                            "uri": "@{triggerBody()?['data']?['alertContext']?['linkToFilteredSearchResultsUI']}"
                                                                        }
                                                                    ]
                                                                },
                                                                {
                                                                    "@@type": "OpenUri",
                                                                    "name": "View alert",
                                                                    "targets": [
                                                                        {
                                                                            "os": "default",
                                                                            "uri": "@{concat('https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AlertDetailsTemplateBlade/alertId/',encodeUriComponent(triggerBody()?['data']?['essentials']?['alertId']))}"
                                                                        }
                                                                    ]
                                                                }
                                                            ],
                                                            "text": "XXXX:${azurerm_resource_group.common_resource_group.name}:AzureAlert:@{triggerBody()?['data']?['essentials']?['alertRule']}"
                                                        },
                                                        "headers": {},
                                                        "method": "POST",
                                                        "uri": "xxx"
                                                    },
                                                    "runAfter": {},
                                                    "type": "Http"
                                                }
                                            }
                                        },
                                        "expression": {
                                            "and": [
                                                {
                                                    "equals": [
                                                        "@triggerBody()?['data']?['essentials']?['monitoringService']",
                                                        "CostAlerts"
                                                    ]
                                                }
                                            ]
                                        },
                                        "runAfter": {},
                                        "type": "If"
                                    }
                                }
                            },
                            "expression": {
                                "and": [
                                    {
                                        "equals": [
                                            "@triggerBody()?['schemaId']",
                                            "AIP Budget Notification"
                                        ]
                                    }
                                ]
                            },
                            "runAfter": {},
                            "type": "If"
                        }
                    },
                    "contentVersion": "1.0.0.0",
                    "triggers": {
                        "TeamsAlertTrigger": {
                            "inputs": {
                                "schema": {
                                    "properties": {
                                        "data": {
                                            "properties": {
                                                "AccountName": {
                                                    "type": "string"
                                                },
                                                "BillingAccountId": {
                                                    "type": "string"
                                                },
                                                "BillingProfileId": {
                                                    "type": "string"
                                                },
                                                "Budget": {
                                                    "type": "string"
                                                },
                                                "BudgetCreator": {
                                                    "type": "string"
                                                },
                                                "BudgetName": {
                                                    "type": "string"
                                                },
                                                "BudgetStartDate": {
                                                    "type": "string"
                                                },
                                                "BudgetType": {
                                                    "type": "string"
                                                },
                                                "DepartmentName": {
                                                    "type": "string"
                                                },
                                                "EnrollmentName": {
                                                    "type": "string"
                                                },
                                                "EnrollmentNumber": {
                                                    "type": "string"
                                                },
                                                "InvoiceSectionId": {
                                                    "type": "string"
                                                },
                                                "NotificationThresholdAmount": {
                                                    "type": "string"
                                                },
                                                "ResourceGroup": {
                                                    "type": "string"
                                                },
                                                "SpendingAmount": {
                                                    "type": "string"
                                                },
                                                "SubscriptionId": {
                                                    "type": "string"
                                                },
                                                "SubscriptionName": {
                                                    "type": "string"
                                                },
                                                "Unit": {
                                                    "type": "string"
                                                },
                                                "alertContext": {
                                                    "properties": {
                                                        "linkToFilteredSearchResultsUI": {
                                                            "type": "string"
                                                        }
                                                    },
                                                    "type": "object"
                                                },
                                                "essentials": {
                                                    "properties": {
                                                        "alertContextVersion": {
                                                            "type": "string"
                                                        },
                                                        "alertId": {
                                                            "type": "string"
                                                        },
                                                        "alertRule": {
                                                            "type": "string"
                                                        },
                                                        "alertTargetIDs": {
                                                            "items": {
                                                                "type": "string"
                                                            },
                                                            "type": "array"
                                                        },
                                                        "description": {
                                                            "type": "string"
                                                        },
                                                        "essentialsVersion": {
                                                            "type": "string"
                                                        },
                                                        "firedDateTime": {
                                                            "type": "string"
                                                        },
                                                        "monitorCondition": {
                                                            "type": "string"
                                                        },
                                                        "monitoringService": {
                                                            "type": "string"
                                                        },
                                                        "originAlertId": {
                                                            "type": "string"
                                                        },
                                                        "resolvedDateTime": {
                                                            "type": "string"
                                                        },
                                                        "severity": {
                                                            "type": "string"
                                                        },
                                                        "signalType": {
                                                            "type": "string"
                                                        }
                                                    },
                                                    "type": "object"
                                                }
                                            },
                                            "type": "object"
                                        },
                                        "schemaId": {
                                            "type": "string"
                                        }
                                    },
                                    "type": "object"
                                }
                            },
                            "kind": "Http",
                            "type": "Request"
                        }
                    },
                    "parameters": {}
                },
                "parameters": {},
                "accessControl": {
                    "triggers": {
                        "allowedCallerIpAddresses": [
                            {
                                "addressRange": "1.2.3.4/32"
                            }
                        ]
                    },
                    "contents": {
                        "allowedCallerIpAddresses": [
                            {
                                "addressRange": "1.2.3.4/32"
                            }
                        ]
                    }
                }
            }
        }
    ],
    "outputs": {}
}

TEMPLATE

  # properties.accessControl in the template restricts callers of the request trigger
  # ("triggers") and readers of run inputs/outputs ("contents") to 1.2.3.4/32. If that block is
  # dropped on a later apply, the IP allow-list is gone and callers are limited only by whatever
  # authentication the trigger itself enforces, so verify the deployed workflow's access
  # control after each apply rather than relying on a clean plan.
  # NOTE(review): the "uri" values are redacted here. If the real values are webhook URLs that
  # act as secrets, remember that template_content is recorded in Terraform state; consider
  # securestring template parameters and treat the state file as sensitive.
}

Debug Output/Panic Output

N/A

Expected Behaviour

Network access controls stay in place after redeploy.

Actual Behaviour

Terraform shows network access controls as removed from the template and removes them from the actual resource. Modifying the template might cause the access controls to come back temporarily but this has not been reliable for me. Template works when deployed using azure cli.

Steps to Reproduce

Deploy the template and redeploy it again.

Important Factoids

No response

References

No response

teowa commented 1 month ago

Hi @tinix0, thanks for submitting this issue. I can successfully create the logic app with the provided config, and on the Azure Portal the resource looks like below; the red rectangle should correspond to the accessControl property. [image] When I run terraform plan after the first terraform apply, no plan diff is found. Could you please share more details about the network access controls being removed, such as the terraform command output or any relevant docs?

tinix0 commented 1 month ago

The issue is that while the Access Control is properly set after the first apply, when I run terraform plan again without any change in the template I see the following:

Terraform will perform the following actions:

  # azurerm_logic_app_workflow.teams_alert_logic_app_workflow will be updated in-place
  ~ resource "azurerm_logic_app_workflow" "teams_alert_logic_app_workflow" {
        id                              = "redacted"
        name                            = "redacted"
        tags                            = {}
        # (12 unchanged attributes hidden)

      - access_control {
          - content {
              - allowed_caller_ip_address_range = [
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                ] -> null
            }
          - trigger {
              - allowed_caller_ip_address_range = [
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                  - "redacted/32",
                ] -> null
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

The template has not been touched. I will check if there is any more relevant output. Unfortunately I haven't been able to figure out anything more about this. It sometimes gets deployed (the only reliable way I was able to get it deployed was to change something). There are no conditions in the template or in the Terraform configuration that could cause this to change.