azurerm_function_app throws error when upgrading from 2.76.0 to 2.77.0

[nluedema]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

• Terraform v1.0.7
• azurerm v2.77.0

Affected Resource(s)

• azurerm_function_app

Terraform Configuration Files

terraform {
  required_version = ">= 1.0.7"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.77.0"
    }
  }
}
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "fun-rg" {
  name     = "fun-rg"
  location = "westeurope"
}

resource "azurerm_storage_account" "store0127u" {
  name                     = "store0127u"
  resource_group_name      = azurerm_resource_group.fun-rg.name
  location                 = azurerm_resource_group.fun-rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"
  }
}

resource "azurerm_app_service_plan" "fun-plan" {
  name                = "fun-plan"
  resource_group_name = azurerm_resource_group.fun-rg.name
  location            = azurerm_resource_group.fun-rg.location
  kind                = "elastic"
  reserved            = true

  sku {
    tier = "ElasticPremium"
    size = "EP1"
  }
}

resource "azurerm_function_app" "fun-function-app" {
  name                       = "fun-function-app"
  resource_group_name        = azurerm_resource_group.fun-rg.name
  location                   = azurerm_resource_group.fun-rg.location
  app_service_plan_id        = azurerm_app_service_plan.fun-plan.id
  storage_account_name       = azurerm_storage_account.store0127u.name
  storage_account_access_key = azurerm_storage_account.store0127u.primary_access_key
  os_type                    = "linux"
}

Debug Output

While looking at the logs I found the following relevant difference between the 2.77.0 run and the 2.76.0 run.

2.77.0
"appSettings": [
                {
                    "name": "AzureWebJobsStorage",
                    "value": "DefaultEndpointsProtocol=https;AccountName=store0127u;AccountKey=<key>;EndpointSuffix=core.windows.net"
                },
                {
                    "name": "FUNCTIONS_EXTENSION_VERSION",
                    "value": "~1"
                },
                {
                    "name": "AzureWebJobsDashboard",
                    "value": "DefaultEndpointsProtocol=https;AccountName=store0127u;AccountKey=<key>;EndpointSuffix=core.windows.net"
                },
                {
                    "name": "WEBSITE_CONTENTSHARE",
                    "value": "fun-function-app7431"
                },
                {
                    "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
                    "value": "DefaultEndpointsProtocol=https;AccountName=store0127u;AccountKey=<key>;EndpointSuffix=core.windows.net"
                }
            ]

2.76.0
"appSettings": [
                {
                    "name": "AzureWebJobsStorage",
                    "value": "DefaultEndpointsProtocol=https;AccountName=store0127u;AccountKey=<key>;EndpointSuffix=core.windows.net"
                },
                {
                    "name": "FUNCTIONS_EXTENSION_VERSION",
                    "value": "~1"
                },
                {
                    "name": "AzureWebJobsDashboard",
                    "value": "DefaultEndpointsProtocol=https;AccountName=store0127u;AccountKey=<key>;EndpointSuffix=core.windows.net"
                }
            ]

Panic Output

Expected Behaviour

Configuration is applied without error.

Actual Behaviour

Terraform throws the following error:

Error: web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible." Details=[{"Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"99022","Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.","MessageTemplate":"Creation of storage file share failed with: '{0}'. Please check if the storage account is accessible.","Parameters":["The remote server returned an error: (403) Forbidden."]}}]

Steps to Reproduce

1. terraform apply --> error
2. change azurerm to version 2.76.0
3. terraform init -upgrade
4. terraform apply --> no error

Important Factoids

It seems that 2.77.0 automatically sets WEBSITE_CONTENTSHARE and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, while 2.76.0 does not do it. According to this comment not setting WEBSITE_CONTENTSHARE and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING allows to deploy a Premium Plan when the network access to the storage account is restricted.

I think this new behaviour was introduced with #13349.

To conclude, is my error a bug or expected behavior? If it is expected behavior, any ideas how to make my config work in 2.77.0? I tried to set WEBSITE_CONTENTSHARE and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING explicitly to empty strings, but the log shows that they get overwritten.

[jackofallops]

Hi @nluedema - Thanks for opening this. The scenario here appeared to be fine in testing, I'll look into it asap.

[github-actions]

This functionality has been released in v2.80.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[benjamin-goldman]

looks like this issue was introduced into azurerm_logic_app_standard as well

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.