azurerm_(linux|windows)_web_app_slot - VNET integration fails

[alexpilon666]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.8.3

AzureRM Provider Version

3.103.1

Affected Resource(s)/Data Source(s)

azurerm_windows_web_app_slot, azurerm_linux_web_app_slot

Terraform Configuration Files

resource "azurerm_windows_web_app" "windows_web_app" {
  for_each = var.application_stack.kind == "Windows" ? zipmap([var.name], [var.name]) : {}

  name                = local.webapp_name
  resource_group_name = var.resource_group_name
  location            = var.location
  service_plan_id     = var.service_plan_id

  virtual_network_subnet_id = var.virtual_network_subnet_id
}

resource "azurerm_windows_web_app_slot" "windows_web_app_slot" {
  for_each = var.application_stack.kind == "Windows" ? local.slots_map : {}

  name           = each.value.name
  app_service_id = azurerm_windows_web_app.windows_web_app[var.name].id
  enabled                 = var.enabled

  virtual_network_subnet_id = var.virtual_network_subnet_id
}

Debug Output/Panic Output

unexpected status 409 (409 Conflict) with response: {"Code":"Conflict","Message":"An App Service Plan is required to use Regional VNET Integration","Target":null,"Details":[{"Message":"An App Service Plan is required to use Regional VNET Integration"},{"Code":"Conflict"},{"ErrorEntity":{"ExtendedCode":"53215","MessageTemplate":"An App Service Plan is required to use Regional VNET Integration","Parameters":[],"Code":"Conflict","Message":"An App Service Plan is required to use Regional VNET Integration"}}],"Innererror":null}

Expected Behaviour

The Web App Slot should get properly created and attached to the specified VNET

Actual Behaviour

Terraform fails saying that the slot does not have an App Service Plan, but it does because its parent is attached to an App Service Plan.

I tried adding service_plan_id to azurerm_windows_web_app_slot and received an error that this argument can only be used if it is different from the service_plan_id of the parent Web app, thus confirming that Terraform is aware that the parent already is connected to a Service Plan.

Steps to Reproduce

• Create an App Service Plan (S1 or above)
• Create a Web App
• Try and have Terraform create a Web App Slot attached to its parent Web App (which is itself attached to the App Service Plan)

Important Factoids

No response

References

No response

[roisanchezriveira]

This seems about the order of the steps when the provider is creating the slot.

If I create the slot first without VNET integration virtual_network_subnet_id = null, and then I follow up with a code change to add the VNET integration to the same resource virtual_network_subnet_id = some_subnet_id, it will perform the change and manage to configure the VNET integration.

Obviously, this is not a workable workaround, as it required to make the changes in different steps.

A different workaround that I tried now, and edited this note for it, is using the resource azurerm_app_service_slot_virtual_network_swift_connection, this seems the less evil at this point, but this resource is part of a schema that seems to be under deprecation (although no note for this one)
And once this issue is fixed, moving the config back to azurerm_windows_web_app it will require some state manipulation to avoid downtime.

[alexpilon666]

@roisanchezriveira thanks for the tests. It does indeed seem like an issue of ordering, but unsure whether it's at the provider-level or the ARM API-level. This used to work fine before because we've had that configuration for over a year on our end but don't regularly need to deploy it as it is part of a testing example we have for our WebApp module (which we only deploy when modifications are performed on said module), so I'm unable to say when or even approximately when this issue started happening, only noticed it last week when testing the module.

[roisanchezriveira]

@alexpilon666 I can't say either, I just added slots configuration to our WebApp module and found this issue when I was searching for the error, trying to figure out if it was my mistake or a provider error.

Because our module was still WIP for this, I could add the workaround I suggested in my response, but seems far from ideal and that's not a fix for everyone else having their modules already built and using the functionality.

For context, I'm AzureRM Provider Version 3.98.0 and it's present, so it's at least since that one.

[alexpilon666]

Issue has been fixed with the following PR, just did a test with the latest provider version and confirms it's working as it should: #25634

According to the PR, the issue has been present since v3.88.0, so it's been there for a while 😅

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.