hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

"allow_new_private_endpoint_connections" ASE setting Failing Idempotency #27467

Open nmcbdev opened 1 month ago

nmcbdev commented 1 month ago

Terraform Version

1.9.4

AzureRM Provider Version

3.115.0

Affected Resource(s)/Data Source(s)

azurerm_app_service_environment_v3

Terraform Configuration Files

resource "azurerm_app_service_environment_v3" "ase" {
  for_each                     = var.ase
  name                         = each.key
  resource_group_name          = azurerm_resource_group.ase.name
  subnet_id                    = data.azurerm_subnet.ase[each.key].id
  zone_redundant               = each.value.zone_redundant
  internal_load_balancing_mode = "Web, Publishing"
  tags                         = local.tags
}

Debug Output/Panic Output

2024-09-17T18:31:53.2497269Z ##[section]Starting: terraform idempotency check
2024-09-17T18:31:53.2505845Z ==============================================================================
2024-09-17T18:31:53.2506113Z Task         : terraform runner
2024-09-17T18:31:53.2506335Z Description  : Execute terraform commands to manage resources on Azure
2024-09-17T18:31:53.2506605Z Version      : 1.0.1071598
2024-09-17T18:31:53.2506812Z Author       : Author
2024-09-17T18:31:53.2507013Z Help         : 
2024-09-17T18:31:53.2507205Z ==============================================================================
2024-09-17T18:31:53.4788724Z [command]/opt/hostedtoolcache/terraform/1.9.4/x64/terraform plan -no-color -input=false -detailed-exitcode
2024-09-17T18:31:56.9171043Z data.azurerm_virtual_network.ase["name"]: Reading...
2024-09-17T18:31:56.9180240Z data.azurerm_subnet.ase["name"]: Reading...
2024-09-17T18:31:56.9181227Z data.azurerm_virtual_network.secure-hub-vnet: Reading...
2024-09-17T18:31:56.9182496Z azurerm_resource_group.ase: Refreshing state... 
2024-09-17T18:31:56.9971046Z azurerm_private_dns_zone.ase["name"]: Refreshing state... 
2024-09-17T18:31:57.0774794Z data.azurerm_virtual_network.secure-hub-vnet: Read complete after 0s 
2024-09-17T18:31:57.0982415Z data.azurerm_subnet.ase["name"]: Read complete after 0s 
2024-09-17T18:31:57.1014661Z azurerm_app_service_environment_v3.ase["name"]: Refreshing state... [id]
2024-09-17T18:31:57.1283508Z data.azurerm_virtual_network.ase["name"]: Read complete 
2024-09-17T18:31:57.3217815Z azurerm_private_dns_zone_virtual_network_link.ase_secure_hub["name"]: Refreshing state... 
2024-09-17T18:31:57.3272265Z azurerm_private_dns_zone_virtual_network_link.ase["name"]: Refreshing state...
2024-09-17T18:32:14.8289588Z azurerm_private_dns_a_record.star["name"]: Refreshing state... 
2024-09-17T18:32:14.8291596Z azurerm_private_dns_a_record.at["name"]: Refreshing state...
2024-09-17T18:32:14.8294258Z azurerm_private_dns_a_record.scm["name"]: Refreshing state...
2024-09-17T18:32:14.8296218Z azurerm_service_plan.ase["shared_windows"]: Refreshing state... 
2024-09-17T18:32:15.0558568Z Terraform used the selected providers to generate the following execution
2024-09-17T18:32:15.0559487Z plan. Resource actions are indicated with the following symbols:
2024-09-17T18:32:15.0560456Z   ~ update in-place
2024-09-17T18:32:15.0561190Z 
2024-09-17T18:32:15.0561976Z Terraform will perform the following actions:
2024-09-17T18:32:15.0562213Z 
2024-09-17T18:32:15.0562882Z   # azurerm_app_service_environment_v3.ase["name"] will be updated in-place
2024-09-17T18:32:15.0563550Z   ~ resource "azurerm_app_service_environment_v3" "ase" {
2024-09-17T18:32:15.0564411Z       ~ allow_new_private_endpoint_connections = false -> true
2024-09-17T18:32:15.0565402Z         id                                     = "id"
2024-09-17T18:32:15.0566237Z         name                                   = "name"
2024-09-17T18:32:15.0573065Z         # (15 unchanged attributes hidden)
2024-09-17T18:32:15.0573536Z     }
2024-09-17T18:32:15.0573705Z 
2024-09-17T18:32:15.0574189Z Plan: 0 to add, 1 to change, 0 to destroy.
2024-09-17T18:32:15.0574407Z 
2024-09-17T18:32:15.0575028Z ─────────────────────────────────────────────────────────────────────────────
2024-09-17T18:32:15.0575269Z 
2024-09-17T18:32:15.0575858Z Note: You didn't use the -out option to save this plan, so Terraform can't
2024-09-17T18:32:15.0576511Z guarantee to take exactly these actions if you run "terraform apply" now.
2024-09-17T18:32:15.1344880Z ##[error]Error: The process '/opt/hostedtoolcache/terraform/1.9.4/x64/terraform' failed with exit code 2
2024-09-17T18:32:15.1385430Z ##[section]Finishing: terraform idempotency check

Expected Behaviour

The idempotency check should pass successfully, and the "allow_new_private_endpoint_connections" setting should remain True in the "azurerm_app_service_environment_v3" resource; as per the Terraform documentation, the setting should default to True even if not specified.

Actual Behaviour

The idempotency check fails, as the setting has somehow been set to False during/after Terraform Apply:

Terraform will perform the following actions:

  # azurerm_app_service_environment_v3.ase["name"] will be updated in-place
  ~ resource "azurerm_app_service_environment_v3" "ase" {
      ~ allow_new_private_endpoint_connections = false -> true
        id                                     = "id"
        name                                   = "name"
       }

The idempotency check fails even if the setting is explicitly defined as True in the Terraform configuration.

We have previously looked into this with the Azure support team to see if this is some sort of bug on their side, but they confirmed that's not the case. From our findings, it seems like the ARM payload coming from Terraform to Azure during apply doesn't contain any value for the allow_new_private_endpoint_connections setting, which suggests it's not actually always set to True as per the Terraform documentation. In turn, Azure then sets it to its default, which is False, since Terraform hasn't provided any value. However, I still do not understand why it would still fail even if we DO specify the setting in our Terraform configuration.

We started seeing this issue a couple of months ago and haven't found any code changes/policies/other settings that could've started affecting this setting from our side.

Steps to Reproduce

  1. terraform apply
  2. idempotency check post-apply

Important Factoids

No response

References

Reference to the ASE resource documentation, which states that the setting's default is True:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_environment_v3#:~:text=allow_new_private_endpoint_connections%20%2D%20(Optional)%20Should%20new%20Private%20Endpoint%20Connections%20be%20allowed.%20Defaults%20to%20true.
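As an added illustration of the mechanism the report describes (example code, not the provider's or go-azure-sdk's own): when a boolean field is left out of the request payload, the service applies its own default, and the value read back after apply no longer matches the desired state, which is what the plan output above shows. The struct, function names and the assumed service-side default of false are assumptions; the client-side pattern shown is to fill in the documented default rather than omit the field.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical request model, not the provider's real type: a nil *bool with omitempty drops the field.
type aseProperties struct {
	AllowNewPrivateEndpointConnections *bool `json:"allowNewPrivateEndpointConnections,omitempty"`
}

// BuildPayload marshals the properties; a nil value yields "{}".
func BuildPayload(desired *bool) ([]byte, error) {
	return json.Marshal(aseProperties{AllowNewPrivateEndpointConnections: desired})
}

// ApplyDocumentedDefault is the client-side fix pattern: send the documented default (true) when unset.
func ApplyDocumentedDefault(configured *bool) *bool {
	if configured != nil {
		return configured
	}
	d := true
	return &d
}

// ServiceValue simulates the service: honour the field if present, else apply an assumed default of false.
func ServiceValue(payload []byte) (bool, error) {
	var m map[string]bool
	if err := json.Unmarshal(payload, &m); err != nil {
		return false, err
	}
	if v, present := m["allowNewPrivateEndpointConnections"]; present {
		return v, nil
	}
	return false, nil
}

// Drifts is true when the read-back value differs from the desired one (what makes "plan -detailed-exitcode" exit 2).
func Drifts(desired bool, payload []byte) bool {
	got, err := ServiceValue(payload)
	return err != nil || got != desired
}

func main() {
	omitted, _ := BuildPayload(nil)                       // {}
	fixed, _ := BuildPayload(ApplyDocumentedDefault(nil)) // {"allowNewPrivateEndpointConnections":true}
	fmt.Println(Drifts(true, omitted), Drifts(true, fixed)) // true false
}
```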

Chambras commented 1 month ago

@nmcbdev Some time ago this resource was migrated to the go-azure-sdk; maybe that introduced this behavior. I will try to take a look. Hopefully it is something simple :)

nmcbdev commented 1 month ago

Hi @Chambras, have you got any updates on this?