azurerm_linux_function_app shows the entire app_settings block as sensitive if using sensitive variables #28509

Open
1 task done
Krusty93 opened this issue Jan 14, 2025 · 0 comments

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.10.1

AzureRM Provider Version

4.14.0

Affected Resource(s)/Data Source(s)

azurerm_linux_function_app

Terraform Configuration Files

resource "azurerm_linux_function_app" "this" {
  name                = "dx-d-itn-repr-sensitive-func-02"
  location            = "italynorth"
  resource_group_name = azurerm_resource_group.dx.name

  service_plan_id = azurerm_service_plan.example.id

  storage_account_name          = azurerm_storage_account.this.name
  storage_uses_managed_identity = true
  builtin_logging_enabled       = false

  https_only                    = true

  identity {
    type = "SystemAssigned"
  }

  site_config {
    http2_enabled                          = true
    always_on                              = true
    vnet_route_all_enabled                 = true

    application_stack {
      node_version = "20"
    }
  }

  app_settings = {
    "sensitive" = sensitive(azurerm_service_plan.example.id)
    "nonsensitive" = "ndonsensitive"
    "sensitivevar" = var.sensitivevar
  }

  lifecycle {
    ignore_changes = [
      app_settings["WEBSITE_HEALTHCHECK_MAXPINGFAILURES"],
      tags["hidden-link: /app-insights-conn-string"],
      tags["hidden-link: /app-insights-instrumentation-key"],
      tags["hidden-link: /app-insights-resource-id"]
    ]
  }
}

Debug Output/Panic Output

~ resource "azurerm_linux_function_app" "this" {
      ~ app_settings                                   = (sensitive value)
        id                                             = <hidden>
        name                                           = <hidden>
        tags                                           = { hidden }
        # (32 unchanged attributes hidden)

      ~ sticky_settings {
          ~ app_setting_names       = [
                # (6 unchanged elements hidden)
                "AzureWebJobs.sendEmailOnWalletInstanceCreation.Disabled",
              + "AzureWebJobs.sendEmailOnWalletInstanceRevocation.Disabled",
            ]
            # (1 unchanged attribute hidden)
        }

        # (2 unchanged blocks hidden)
    }

Expected Behaviour

In the terraform plan command's output, app_settings shall show the diff for each key, highlighting the added, removed and updated settings with their values (if not marked as secrets).

Actual Behaviour

~ app_settings = (sensitive value) hides all changes, making it difficult to predict the apply outcome.

However, this happens only if the value of a variable marked as sensitive is used as an app setting. The behavior is instead correct when a sensitive output (such as a Storage Account connection string) is set in the app settings.

Steps to Reproduce

  1. create a function app with some settings, including sensitive ones (do not use variables)
  2. change the value of the settings in your Terraform code
  3. run terraform plan
  4. the output should reflect your changes properly
  5. add a variable in your Terraform configuration and mark it as sensitive
  6. assign that variable to a new or existing app setting
  7. run terraform plan
  8. the entire app_settings block is now hidden

Important Factoids

No response

References

No response
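
One way to see which app_settings keys a plan adds, removes or updates while the values stay masked, as an added example that is not part of the original issue or of the provider's code. It reads the JSON form of a plan (`terraform show -json`); the sample plan, its values and the helper names are constructed, and it assumes `before_sensitive`/`after_sensitive` mark `app_settings` either as a whole (`true`) or per key.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields used here; all values are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "azurerm_linux_function_app.this",
  "change": {
    "before": {"app_settings": {"nonsensitive": "old", "sensitivevar": "a", "removed": "x"}},
    "after":  {"app_settings": {"nonsensitive": "new", "sensitivevar": "b", "added": "y"}},
    "before_sensitive": {"app_settings": true},
    "after_sensitive":  {"app_settings": true}}}]}
""")
MASK = "(sensitive value)"


def marks_for(change, side, attr):
    """Sensitivity marks for attr: True (whole map), a per-key dict, or None."""
    marks = change.get(side + "_sensitive")
    return marks.get(attr) if isinstance(marks, dict) else marks


def shown(marks, key, value):
    """Mask value when the whole map or this key is marked sensitive."""
    if marks is True or (isinstance(marks, dict) and marks.get(key) is True):
        return MASK
    return value


def app_settings_diff(plan, address, attr="app_settings"):
    """Return (symbol, key, before, after) for each changed key of attr."""
    rows = []
    for rc in plan.get("resource_changes", []):
        if rc.get("address") != address:
            continue
        ch = rc["change"]
        before = (ch.get("before") or {}).get(attr) or {}
        after = (ch.get("after") or {}).get(attr) or {}
        b_marks, a_marks = marks_for(ch, "before", attr), marks_for(ch, "after", attr)
        for key in sorted(set(before) | set(after)):
            if key in before and key in after and before[key] == after[key]:
                continue  # unchanged keys are left out, as in plan output
            symbol = "+" if key not in before else "-" if key not in after else "~"
            old = shown(b_marks, key, before[key]) if key in before else None
            new = shown(a_marks, key, after[key]) if key in after else None
            rows.append((symbol, key, old, new))
    return rows
```

Calling `app_settings_diff(plan, "azurerm_linux_function_app.this")` on a plan loaded with `json.load` lists the changed keys even when the whole map is marked sensitive. The JSON plan carries sensitive values in cleartext, so handle that file like a secret.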