hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

AzureWebJobsStorage__accountName within azurerm_windows_function_app not added to state file #27784

Open bertsch-ronja-office opened 3 weeks ago

bertsch-ronja-office commented 3 weeks ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.4

AzureRM Provider Version

4.7.0

Affected Resource(s)/Data Source(s)

azurerm_windows_function_app

Terraform Configuration Files

resource "azurerm_windows_function_app" "this" {
  name                          = var.name
  resource_group_name           = var.resource_group_name
  location                      = var.location
  public_network_access_enabled = var.public_network_access_enabled

  storage_account_name          = module.storage_account.name
  storage_uses_managed_identity = true
  service_plan_id               = azurerm_service_plan.this.id

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.function_app.id]
  }

  site_config {
    always_on                              = var.always_on
    application_insights_connection_string = var.application_insights_connection_string
    elastic_instance_minimum               = 1
    minimum_tls_version                    = local.minimum_tls_version
    scm_minimum_tls_version                = local.minimum_tls_version
    vnet_route_all_enabled                 = true
    scm_use_main_ip_restriction            = var.scm_use_main_ip_restriction
    ip_restriction_default_action          = var.ip_restriction_default_action
    scm_ip_restriction_default_action      = var.scm_ip_restriction_default_action

    dynamic "ip_restriction" {
      for_each = var.ip_restriction == null ? toset([]) : toset([1])
      content {
        action      = var.ip_restriction.action
        name        = var.ip_restriction.name
        priority    = var.ip_restriction.priority
        service_tag = var.ip_restriction.service_tag
      }
    }

    dynamic "scm_ip_restriction" {
      for_each = var.scm_use_main_ip_restriction == true ? toset([]) : toset([1])
      content {
        action      = var.scm_ip_restriction.action
        name        = var.scm_ip_restriction.name
        priority    = var.scm_ip_restriction.priority
        service_tag = var.scm_ip_restriction.service_tag
      }
    }
  }

  functions_extension_version     = var.functions_extension_version
  https_only                      = true
  virtual_network_subnet_id       = var.virtual_network_subnet_id
  builtin_logging_enabled         = false
  key_vault_reference_identity_id = azurerm_user_assigned_identity.function_app.id

  app_settings = merge(
    {
      "AzureWebJobsStorage__credential"  = "managedidentity"
      "AzureWebJobsStorage__accountName" = module.storage_account.name
      "AzureWebJobsStorage__clientId"    = azurerm_user_assigned_identity.function_app.client_id
      "WEBSITE_CONTENTOVERVNET"          = 1
      "WEBSITE_RUN_FROM_PACKAGE"         = 1
    }, var.app_settings
  )

  tags = local.tags

  depends_on = [azurerm_role_assignment.function_app_mui_storage_account]

  lifecycle {
    ignore_changes = [
      tags["hidden-link: /app-insights-conn-string"],
      tags["hidden-link: /app-insights-instrumentation-key"],
      tags["hidden-link: /app-insights-resource-id"]
    ]
  }
}

Debug Output/Panic Output

This output happens on each run. The setting AzureWebJobsStorage__accountName is not added to the state file.

  # module.pr_title_validator_function_app.azurerm_windows_function_app.this will be updated in-place
  ~ resource "azurerm_windows_function_app" "this" {
      ~ app_settings                                   = {
          + "AzureWebJobsStorage__accountName"    = "stsharedprtitlevalwe"
            # (6 unchanged elements hidden)
        }
        id                                             = "/subscriptions/fe30bafb-f6c0-4acc-9851-d4019a7245c0/resourceGroups/rg-shared-pr-title-validator-we/providers/Microsoft.Web/sites/func-shared-pr-title-validator-we"
        name                                           = "func-shared-pr-title-validator-we"
        tags                                           = {
            "capability"                                     = "skid"
            "contact"                                        = "mailbox.ciamdevops@de.bosch.com"
            "environment"                                    = "shared"
            "hidden-link: /app-insights-conn-string"         = "InstrumentationKey=9bc216cf-42e3-4b09-b799-bd81847f3ff9;IngestionEndpoint=https://westeurope-3.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostics.monitor.azure.com/;ApplicationId=de2684f8-2a84-489f-ad96-0ddbe82ae5eb"
            "hidden-link: /app-insights-instrumentation-key" = "9bc216cf-42e3-4b09-b799-bd81847f3ff9"
            "hidden-link: /app-insights-resource-id"         = "/subscriptions/fe30bafb-f6c0-4acc-9851-d4019a7245c0/resourceGroups/rg-shared-global-appi-we/providers/microsoft.insights/components/appi-shared-we"
            "managed_by"                                     = "terraform"
            "module_name"                                    = "windows-function-app"
        }
        # (32 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

Expected Behaviour

No changes as the setting is not new.

Actual Behaviour

TF apply succeeds, but the setting AzureWebJobsStorage__accountName is never added to the state file.

Steps to Reproduce

Execute terraform apply twice

Important Factoids

-

References

-

CorrenSoft commented 3 weeks ago

I did some testing and I could verify the described situation; however, I think that is intended and not a bug.

The provider is taking the value from storage_account_name and using it to populate the AppSetting, so the explicit definition is redundant and discouraged (check docs). That being said, I would recommend you to just remove AzureWebJobsStorage__accountName from AppSettings.

bertsch-ronja-office commented 3 weeks ago

@CorrenSoft Thanks a lot for the hint - I removed the value from the config and everything worked out :)

Still I would not say that it is clear from the docs that such settings should not be explicitly set as it says:

~> Note: For storage related settings, please use related properties that are available such as storage_account_access_key, terraform will assign the value to keys such as WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, AzureWebJobsStorage in app_setting.

I am missing the information that the explicit definition is redundant and discouraged - could you add this in a more specific way?

CorrenSoft commented 3 weeks ago

> @CorrenSoft Thanks a lot for the hint - I removed the value from the config and everything worked out :)

Happy to help :)

> Still I would not say that it is clear from the docs that such settings should not be explicitly set as it says:

> ~> Note: For storage related settings, please use related properties that are available such as storage_account_access_key, terraform will assign the value to keys such as WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, AzureWebJobsStorage in app_setting.

> I am missing the information that the explicit definition is redundant and discouraged - could you add this in a more specific way?

Well, my words are my conclusion after reading that paragraph and observing the behavior of the resource, not what the text actually says... so yes, it could be clearer.

I would like to have confirmation from the maintainers, in case I got it wrong. If so, I can submit a PR.
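
A CI check for the situation discussed in this thread, as an added example that is not part of any comment above or of the provider's code: it reads the JSON form of a plan (`terraform show -json`) and flags in-place updates that try to add a storage key to app_settings. The key list is limited to the keys named in this thread, and the sample plan, addresses and values are constructed.

```python
import json

# Keys this thread names as assigned by the provider from storage_* arguments.
PROVIDER_MANAGED_KEYS = {
    "AzureWebJobsStorage",
    "AzureWebJobsStorage__accountName",
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
}


def redundant_storage_settings(plan):
    """Return (address, key) for in-place updates that add a provider-managed key."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != "azurerm_windows_function_app":
            continue
        if change.get("actions") != ["update"]:
            continue
        before = (change.get("before") or {}).get("app_settings") or {}
        after = (change.get("after") or {}).get("app_settings") or {}
        # Keys the configuration asks for but the refreshed state does not hold.
        for key in sorted(set(after) - set(before)):
            if key in PROVIDER_MANAGED_KEYS:
                findings.append((rc["address"], key))
    return findings


# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.fa.azurerm_windows_function_app.this",
   "type": "azurerm_windows_function_app",
   "change": {"actions": ["update"],
     "before": {"app_settings": {"WEBSITE_RUN_FROM_PACKAGE": "1"}},
     "after":  {"app_settings": {"WEBSITE_RUN_FROM_PACKAGE": "1",
                                 "AzureWebJobsStorage__accountName": "stexample"}}}},
  {"address": "module.fb.azurerm_windows_function_app.this",
   "type": "azurerm_windows_function_app",
   "change": {"actions": ["update"],
     "before": {"app_settings": {}},
     "after":  {"app_settings": {"MY_FEATURE_FLAG": "on"}}}}
]}
""")

if __name__ == "__main__":
    for address, key in redundant_storage_settings(SAMPLE_PLAN):
        print(f"{address}: remove {key} from app_settings")
```

Run against a plan taken right after an apply, a finding means the same diff will reappear on every run until the key is removed from app_settings.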