Open robinkb opened 4 years ago
@robinkb, thanks for opening this issue. It seems azurerm_function_app is updated and the property identity_ids is changed before azurerm_function_app_slot is updated at the second tf apply, so Terraform found that identity_ids is different from the value at the first tf apply and threw the above error message.
I think that the issue is that the identity_ids field does not have a consistent order. Terraform keeps showing changes in that field during the plan phase.
  # azurerm_function_app.middleware_api will be updated in-place
  ~ resource "azurerm_function_app" "middleware_api" {
        # Snip...
      ~ identity {
          ~ identity_ids = [
              - "/subscriptions/****/resourcegroups/DEV/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-****-dev-keyvault-read",
                "/subscriptions/****/resourcegroups/DEV/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-****-dev-storage-account-manage",
              + "/subscriptions/****/resourcegroups/DEV/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-****-dev-keyvault-read",
            ]
            type = "UserAssigned"
        }
        # Snip...
    }
I am having the same problem for both azurerm_function_app and azurerm_app_service.
azurerm_app_service:
  ~ resource "azurerm_app_service" "microservice" {
        identity {
          ~ identity_ids = [
              - "/subscriptions/***/resourcegroups/***/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-sql-dev",
                "/subscriptions/***/resourcegroups/***/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-keyvault-dev",
              + "/subscriptions/***/resourcegroups/***/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-sql-dev",
            ]
            # (3 unchanged attributes hidden)
        }
azurerm_function_app:
  ~ resource "azurerm_function_app" "microservice" {
      ~ identity {
          ~ identity_ids = [
              - "/subscriptions/***/resourcegroups/***/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-sql-dev",
                "/subscriptions/***/resourcegroups/***/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-cosmos-dev",
                # (1 unchanged element hidden)
                "/subscriptions/***/resourcegroups/***/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-servicebus-dev",
              + "/subscriptions/***/resourcegroups/***/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-sql-dev",
            ]
            # (3 unchanged attributes hidden)
        }
I was going to try working around this by looking up the order using the data source for azurerm_app_service and the data source for azurerm_function_app, but the identity is not available on the results of azurerm_app_service to determine the order.
@neil-yechenwei any workarounds you can suggest? I have valid use cases where these change, so I am unable to use ignore_changes. This solution also has several azurerm_app_service and azurerm_function_app across multiple regions, which is also inflating this and causing large diff results.
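Added example, not part of the thread or of the provider's code: a Python triage script that reads the JSON form of a plan (`terraform show -json <planfile>`) and separates identity_ids diffs that are pure reordering, like the ones quoted above, from diffs that attach or detach a managed identity. The sample plan is constructed, and the layout of `identity` as a list of blocks under `change.before` / `change.after` is an assumption about how the provider's schema is rendered in plan JSON.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# The subscription ID and identity names are placeholders, not from the thread.
BASE = ("/subscriptions/0000/resourcegroups/DEV/providers/"
        "Microsoft.ManagedIdentity/userAssignedIdentities/")
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_function_app.middleware_api", "change": {
        "before": {"identity": [{"identity_ids": [BASE + "kv-read", BASE + "sa-manage"]}]},
        "after": {"identity": [{"identity_ids": [BASE + "sa-manage", BASE + "kv-read"]}]}}},
    {"address": "azurerm_app_service.microservice", "change": {
        "before": {"identity": [{"identity_ids": [BASE + "kv-read"]}]},
        "after": {"identity": [{"identity_ids": [BASE + "kv-read", BASE + "sql"]}]}}},
]})


def normalized_ids(state):
    """Return identity_ids from all identity blocks, case-folded for comparison."""
    ids = []
    for block in (state or {}).get("identity") or []:
        # Azure resource IDs are case-insensitive; skip null (unknown) entries.
        ids.extend(i.casefold().rstrip("/")
                   for i in block.get("identity_ids") or [] if isinstance(i, str))
    return ids


def classify_identity_changes(plan_json):
    """Map resource address -> verdict for resources whose identity_ids differ."""
    verdicts = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        before = normalized_ids(change.get("before"))
        after = normalized_ids(change.get("after"))
        if before == after:
            continue  # same IDs in the same order: nothing to review
        kind = "reorder-only" if sorted(before) == sorted(after) else "membership-change"
        verdicts[rc["address"]] = {
            "kind": kind,
            "added": sorted(set(after) - set(before)),      # identities being attached
            "removed": sorted(set(before) - set(after)),    # identities being detached
        }
    return verdicts


if __name__ == "__main__":
    for address, verdict in classify_identity_changes(SAMPLE_PLAN).items():
        print(address, verdict["kind"], verdict["added"], verdict["removed"])
```

Entries reported as membership-change alter which identities the app can act as and deserve review; reorder-only entries are the ordering noise described in this issue.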
Terraform (and AzureRM Provider) Version
Terraform v0.12.26
Affected Resource(s)
azurerm_function_app_slot
Terraform Configuration Files
Debug Output
(Is the true debug output necessary for this issue?)
Expected Behavior
Terraform applies the changes without error.
Actual Behavior
Terraform errors out.
Steps to Reproduce
terraform apply
Important Factoids
I have other function app slots in my configuration, but no other has multiple managed identities, and none of them have the dynamic snippet in them. Maybe the dynamic snippet is causing the issue?
References
N/A