azurerm_linux_function_app service_tag firewall configuration is changed every time #16109

Closed
kharkevich opened this issue Mar 28, 2022 · 3 comments · Fixed by #16426

Comments

@kharkevich

Terraform (and AzureRM Provider) Version

  • AzureRM 3.0.2
  • Terraform v1.1.7

Affected Resource(s)

  • azurerm_linux_function_app

Terraform Configuration Files

variable "ip_restriction" {
  type = list(object({
    name                      = string
    ip_address                = string
    service_tag               = string
    virtual_network_subnet_id = string
    priority                  = string
    action                    = string
    headers = list(object({
      x_azure_fdid      = list(string)
      x_fd_health_probe = list(string)
      x_forwarded_for   = list(string)
      x_forwarded_host  = list(string)
    }))
  }))
  default = [
      {
        name                      = "allow_azure"
        ip_address                = null
        service_tag               = "AzureCloud"
        virtual_network_subnet_id = null
        priority                  = "100"
        action                    = "Allow"
        headers                   = null
      }
  ]
}

resource "azurerm_application_insights" "function_app_linux" {
  name                = "redacted"
  location            = var.location
  resource_group_name = var.resource_group
  application_type    = var.application_type
  tags                = var.tags
}

locals {
  app_settings = {
    WEBSITES_ENABLE_APP_SERVICE_STORAGE = "true"
    WEBSITE_ENABLE_SYNC_UPDATE_SITE     = "true"
    JAVA_OPTS                           = "-Dlog4j2.formatMsgNoLookups=true"
    LOG4J_FORMAT_MSG_NO_LOOKUPS         = "true"
    WEBSITE_USE_PLACEHOLDER             = "0"
    AZURE_LOG_LEVEL                     = "info"
    AzureWebJobsDisableHomepage         = "true"
  }
}

resource "azurerm_linux_function_app" "function_app_linux" {
  depends_on                    = [azurerm_application_insights.function_app_linux]
  name                          = "redacted"
  location                      = var.location
  resource_group_name           = var.resource_group
  storage_account_name          = var.log_storage_name
  service_plan_id               = var.service_plan_id
  storage_uses_managed_identity = true
  https_only                    = true
  enabled                       = true
  builtin_logging_enabled       = false
  functions_extension_version   = "~4"
  tags                          = var.tags
  app_settings                  = merge(local.app_settings, var.app_settings)
  identity {
    type         = "SystemAssigned"
  }
  site_config {
    application_insights_connection_string = azurerm_application_insights.function_app_linux.connection_string
    application_insights_key               = azurerm_application_insights.function_app_linux.instrumentation_key
    always_on                              = true
    ftps_state                             = "Disabled"
    http2_enabled                          = true
    websockets_enabled                     = false
    use_32_bit_worker                      = false
    ip_restriction                         = var.ip_restriction
    scm_ip_restriction                     = var.ip_restriction
    application_stack {
      java_version = var.java_version
    }
  }
}

Output

  # module.redacted.azurerm_linux_function_app.function_app_linux will be updated in-place
  ~ resource "azurerm_linux_function_app" "function_app_linux" {
        id                                = "/subscriptions/redacted"
        name                              = "redacted"
      ~ storage_account_name              = "" -> "st~redacted~eu"
        tags                              = {
            "env"    = "redacted"
            "region" = "redacted"
        }
        # (24 unchanged attributes hidden)



      ~ site_config {
          ~ ip_restriction                                = [
              ~ {
                  ~ ip_address                = "AzureCloud" -> null
                    # (6 unchanged elements hidden)
                },
                {
                    action                    = "Allow"
                    headers                   = []
                    ip_address                = ""
                    name                      = "redacted"
                    priority                  = 101
                    service_tag               = ""
                    virtual_network_subnet_id = "/subscriptions/redacted"
                },
            ]
          ~ scm_ip_restriction                            = [
              ~ {
                  ~ ip_address                = "AzureCloud" -> null
                    # (6 unchanged elements hidden)
                },
                {
                    action                    = "Allow"
                    headers                   = []
                    ip_address                = ""
                    name                      = "redacted"
                    priority                  = 101
                    service_tag               = ""
                    virtual_network_subnet_id = "/subscriptions/redacted"
                },
            ]
            # (31 unchanged attributes hidden)

          + application_stack {
              + java_version                = "8"
              + use_dotnet_isolated_runtime = false
            }
        }
        # (2 unchanged blocks hidden)
    }

Panic Output

Expected Behaviour

The value of ip_address is ignored for changes if it has the value null or AzureCloud when the firewall rules are based on service_tag.

Actual Behaviour

The value of ip_address is always changed:

                  ~ ip_address                = "AzureCloud" -> null

Steps to Reproduce

  1. terraform apply
  2. Repeat terraform apply
  3. check plan for ~ ip_address = "AzureCloud" -> null
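
Added example, not part of the original issue or the provider's code: a plan triage helper that separates the spurious `ip_address = "AzureCloud" -> null` diff reported above from real changes to access restriction rules, so genuine firewall drift is not lost in repeated noise. It assumes the JSON layout of `terraform show -json <planfile>`, that `before` carries the service tag in both `ip_address` and `service_tag` (inferred from the plan output above), and that rules can be matched by `name`; the sample plan is constructed.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# ip_restriction shows the reported echo diff; scm_ip_restriction shows a real change.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "azurerm_linux_function_app.function_app_linux",
  "change": {"actions": ["update"],
    "before": {"site_config": [{
      "ip_restriction": [{"name": "allow_azure", "ip_address": "AzureCloud", "service_tag": "AzureCloud", "action": "Allow", "priority": 100}],
      "scm_ip_restriction": [{"name": "allow_azure", "ip_address": "AzureCloud", "service_tag": "AzureCloud", "action": "Allow", "priority": 100}]}]},
    "after": {"site_config": [{
      "ip_restriction": [{"name": "allow_azure", "ip_address": null, "service_tag": "AzureCloud", "action": "Allow", "priority": 100}],
      "scm_ip_restriction": [{"name": "allow_azure", "ip_address": "203.0.113.0/24", "service_tag": null, "action": "Allow", "priority": 100}]}]}
  }}]}
""")

FIELDS = ("ip_restriction", "scm_ip_restriction")

def _is_tag_echo(before, after):
    """True when the only difference is ip_address echoing an unchanged service tag."""
    tag = after.get("service_tag")
    if not tag or before.get("ip_address") != tag or after.get("ip_address") not in (None, ""):
        return False
    rest = lambda rule: {k: v for k, v in rule.items() if k != "ip_address"}
    return rest(before) == rest(after)

def classify(plan):
    """Return (noise, real): lists of (resource address, field, rule name) for changed rules."""
    noise, real = [], []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if "update" not in change["actions"]:
            continue
        b_cfg = (change["before"].get("site_config") or [{}])[0]
        a_cfg = (change["after"].get("site_config") or [{}])[0]
        for field in FIELDS:
            # Assumption: rule names are unique within one restriction list.
            b_rules = {r["name"]: r for r in b_cfg.get(field) or []}
            a_rules = {r["name"]: r for r in a_cfg.get(field) or []}
            for name in sorted(b_rules.keys() | a_rules.keys()):
                b, a = b_rules.get(name), a_rules.get(name)
                if b == a:
                    continue
                item = (rc["address"], field, name)
                (noise if b and a and _is_tag_echo(b, a) else real).append(item)
    return noise, real
```

Anything returned in `real` (an added, removed, or otherwise modified rule) still needs review before apply; only the exact service-tag echo is treated as noise.
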
@APErebus

APErebus commented Apr 19, 2022

We are also seeing this in the azurerm_linux_web_app resource in AzureRM v3.1.0

@github-actions

This functionality has been released in v3.3.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 22, 2022