Open BradAF opened 3 years ago
Is that the correct syntax for key vault references? I'm using the following and it's working "fine"
@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.name.id})
*fine isn't really fine - there's a separate issue where changes to the secret values changes the URI and causes an "inconsistent final plan" error when setting the function app config.
I think so, I don’t recall where I had originally found it in the Microsoft Docs, I’ll have to check my notes.
The other two app settings (NextIterationLogicAppAddreas and WEB_HOST) use the same syntax and are working as expected, though. I forgot to mention, the App Config that it shows for AzureWebJobsStorage is correct, but it contains a key which is why we would prefer that it show only the KeyVault connection and pull from there. I think if syntax were incorrect, it would just show the incorrect string which makes me think that the function app is overwriting it after it has been set by Terraform.
Indeed, that syntax is fine according to https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
You may be right that the AzureWebJobsStorage is being overwritten. If you reveal the hidden value, is it the full config string or the key vault reference?
Yup, under the hidden value the full config string appears; not the key vault reference or any string similar to what it would be if I had typo'd it:
If the function app is in consumption or premium plan, also the app setting WEBSITE_CONTENTAZUREFILECONNECTIONSTRING is automatically created with the storage account connection string as app config. It would also be nice to allow this app setting to be a key vault reference. This app setting is not even recognized in the state, it is marked as new on any apply. I am writing in the issue because I guess it is a change that can be made together.
Is this still a bug? Or is this an unintentional feature? The documentation clearly states: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#app_settings
The values for AzureWebJobsStorage and FUNCTIONS_EXTENSION_VERSION will be filled by other input arguments and shouldn't be configured separately. AzureWebJobsStorage is filled based on storage_account_name and storage_account_access_key. FUNCTIONS_EXTENSION_VERSION is filled based on version.
Still hope that this will be changed.
Hope this can be changed to use a Key Vault reference, as this is exposing the storage connection string in the Application Settings.
An update: AzureWebJobsStorage related support may be imported in new resources azurerm_linux_function_app and azurerm_windows_function_app, which were not released yet, rather than in current resource type.
This actually works with storage_connection_string (deprecated) argument. Problem is with setting storage_account_name and storage_account_access_key. App settings get replaced as stated in documentation and storage_account_access_key doesn't support @Microsoft.KeyVault() syntax.
This works like a charm (apart from deprecation warning):
storage_connection_string = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.name.versionless_id})"
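An added example, not code from this thread or from the provider: a small audit over the JSON printed by az functionapp config appsettings list that separates settings still holding an inline connection string from Key Vault references, and versioned references from versionless ones. The sample settings, vault name and key are constructed placeholders, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the shape `az functionapp config appsettings list` prints;
# account name, key and vault name are placeholders, not values from the thread.
SAMPLE = json.dumps([
    {"name": "AzureWebJobsStorage", "slotSetting": False,
     "value": "DefaultEndpointsProtocol=https;AccountName=examplestore;"
              "AccountKey=PLACEHOLDERKEY==;EndpointSuffix=core.windows.net"},
    {"name": "WEB_HOST", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/web-host/)"},
    {"name": "NextIterationLogicAppAddreas", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/"
              "secrets/logic-app/0123456789abcdef0123456789abcdef)"},
    {"name": "FUNCTIONS_EXTENSION_VERSION", "slotSetting": False, "value": "~3"},
])

KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")
INLINE_SECRET = re.compile(r"(AccountKey|SharedAccessSignature|SharedAccessKey)=", re.I)


def classify(value):
    """Return 'inline-secret', 'kv-versioned', 'kv-versionless' or 'plain'."""
    match = KV_REF.match(value.strip())
    if not match:
        return "inline-secret" if INLINE_SECRET.search(value) else "plain"
    fields = dict(p.split("=", 1) for p in match["body"].split(";") if "=" in p)
    if "SecretUri" in fields:
        # Path is /secrets/<name>[/<version>]; a third segment pins one version.
        parts = [s for s in urlparse(fields["SecretUri"]).path.split("/") if s]
        return "kv-versioned" if len(parts) >= 3 else "kv-versionless"
    # VaultName=...;SecretName=... form: SecretVersion is the optional pin.
    return "kv-versioned" if fields.get("SecretVersion") else "kv-versionless"


def audit(appsettings_json):
    """Map each app setting name to its classification."""
    return {s["name"]: classify(s["value"]) for s in json.loads(appsettings_json)}


if __name__ == "__main__":
    for name, kind in audit(SAMPLE).items():
        print(f"{kind:15} {name}")
```

A setting reported as inline-secret is the exposure described in this thread; kv-versioned marks a reference whose URI changes whenever the secret value is rotated.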
@lonegunmanb But, can azurerm_windows_function_app/azurerm_linux_function_app be used for consumption plan functions? As per documentation, a required argument is service_plan_id which is of an app service plan.
Hi @kiranpradeep,
I think a new issue would be better to ask for support for azurerm_windows_function_app/azurerm_linux_function_app consumption plan.
In my view, I was more pointing out that the comment made by @lonegunmanb on 13/Oct/2021, which suggested azurerm_windows_function_app/azurerm_linux_function_app as a workaround for this issue is not matching with the documentation. Maybe I am wrong.
Either way, I followed that suggestion and had raised a new issue at #15627. I raised it in this thread itself so that others who follow this thread and see that suggestion could save some hours by not following it for now.
@BradAF Can you check if the property AzureWebJobsSecretStorageType was correctly set?
A Blob Storage SAS URL for a second storage account used for key storage. By default, Functions uses the account set in AzureWebJobsStorage. When using this secret storage option, make sure that AzureWebJobsSecretStorageType isn't explicitly set or is set to blob. To learn more, see Secret repositories.
Terraform (and AzureRM Provider) Version
Terraform v0.13.3
Affected Resource(s)
azurerm_function_app
Terraform Configuration Files
Expected Behavior
The AzureWebJobsStorage app setting should be configured to use the Azure Key Vault value, and be labeled as a 'Key Vault Reference'
Terraform should not try to overwrite the configuration unless it is changed.
Actual Behavior
The AzureWebJobsStorage app setting is configured locally, as an 'App Config' instead of 'Key Vault Reference'
Every subsequent deployment attempts to overwrite the AzureWebJobsStorage app setting with the correct Azure Key Vault setting.
Steps to Reproduce
terraform apply
Important Factoids
Other app settings configured to use the Azure Key Vault work as expected.