azurerm_linux_function_app, azurerm_linux_function_app_slot - support for the vnet_image_pull_enabled property.
#25249
Conversation
| * `vnet_image_pull_enabled` - (Optional) Should the traffic for the image pull be routed over virtual network enabled. Defaults to `false`. | ||
|
|
||
| ~> **Note:** The feature can also be enabled via the app setting `WEBSITE_PULL_IMAGE_OVER_VNET`. |
There was a problem hiding this comment.
What happens when a user sets this through the app settings block. Will they get a diff? Also what is the behaviour vice versa?
It looks like this property might need to be managed like WEBSITE_VNET_ROUTE_ALL/vnet_route_all_enabled
github-actions
bot
added
size/M
waiting-response
and removed
size/S
waiting-response
labels
There was a problem hiding this comment.
@xiaxyi having looked at this a bit closer I discovered this behaviour after performing the following steps:
- Create a linux function app with Terraform
- Set
WEBSITE_PULL_IMAGE_OVER_VNETtotruein the app settings for the app over the portal - Running a Terraform plan the API returns the property
vnetImagePullEnabledreturnsfalse
The documentation linked implies that both properties can be used to toggle the routing over the vnet, but from the behaviour shown above it's unclear which property takes precedence?
|
Thanks @stephybun for the comment! I checked with the API team, and they still suggest the user to set the feature via the property under siteConfig not app setting, besides, they indicate that they are trying to phase out the kvp under app setting so we need to lead the user to start use the property As for your concerns, the api will check both of the properties, so the feature will be enabled if either of them is set to |
|
Thanks for clarifying @xiaxyi! Would you be able to find out from the service team what the timeline is for phasing out the |
|
@stephybun The removal of the |
|
@xiaxyi Thank you for using our new PR Template! Can you please update it to include only the relevant check box sections? For this PR, since you are adding support to an existing resource, you can remove the "New Feature Submissions" check boxes for example, but should be checking the boxes for changes to an existing resource as well as the general PR checklist boxes. Please always include a description under the description heading. Thank you, this helps with the review process, as well as aids our users to better understand what's happening in this PR. |
There was a problem hiding this comment.
Thanks @xiaxyi, I left some suggestions to simplify and make this more consistent with other resources across the provider.
Given the behaviour of this property for Linux Function Apps, I don't think we can release this until 4.0 since in it's current state it would be a breaking change for users running in an App Service Environment. Can you please wrap those changes in the features.FourPointOhBeta() flag.
| if isAseEnvironment && !functionApp.VnetImagePullEnabled { | ||
| return fmt.Errorf("`vnet_image_pull_enabled` cannot be disabled for app running in an app service environment.") | ||
| } | ||
|
|
There was a problem hiding this comment.
Let's move this into theif block on line 415 and simplify it to
| if isAseEnvironment && !functionApp.VnetImagePullEnabled { | |
| return fmt.Errorf("`vnet_image_pull_enabled` cannot be disabled for app running in an app service environment.") | |
| } | |
| if !functionApp.VnetImagePullEnabled { | |
| return fmt.Errorf("`vnet_image_pull_enabled` cannot be disabled for app running in an app service environment.") | |
| } | |
| @@ -394,6 +402,7 @@ func (r LinuxFunctionAppResource) Create() sdk.ResourceFunc { | |||
| } | |||
|
|
|||
| var planSKU *string | |||
| var isAseEnvironment bool | |||
There was a problem hiding this comment.
This can be removed then
| var isAseEnvironment bool |
| @@ -404,6 +413,7 @@ func (r LinuxFunctionAppResource) Create() sdk.ResourceFunc { | |||
| } | |||
|
|
|||
| if ase := servicePlanModel.Properties.HostingEnvironmentProfile; ase != nil { | |||
| isAseEnvironment = true | |||
There was a problem hiding this comment.
As can this
| isAseEnvironment = true |
| _, newValue := rd.GetChange("vnet_image_pull_enabled") | ||
| servicePlanId, err := commonids.ParseAppServicePlanID(planId.(string)) | ||
| if err != nil { | ||
| return fmt.Errorf("reading service plan id %+v", err) |
There was a problem hiding this comment.
The parse functions already return verbose information so we don't need to wrap the error
| return fmt.Errorf("reading service plan id %+v", err) | |
| return err |
|
|
||
| asp, err := client.Get(ctx, *servicePlanId) | ||
| if err != nil { | ||
| return fmt.Errorf("could not read Service Plan %s: %+v", servicePlanId, err) |
There was a problem hiding this comment.
Simplify this error message like we do elsewhere
| return fmt.Errorf("could not read Service Plan %s: %+v", servicePlanId, err) | |
| return fmt.Errorf("retrieving %s: %+v", servicePlanId, err) |
| @@ -139,6 +139,10 @@ The following arguments are supported: | |||
|
|
|||
| ~> **Note:** Assigning the `virtual_network_subnet_id` property requires [RBAC permissions on the subnet](https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration#permissions) | |||
|
|
|||
| * `vnet_image_pull_enabled` - (Optional) Should the traffic for the image pull be routed over virtual network enabled. Defaults to `false`. | |||
There was a problem hiding this comment.
Can we rephrase this to
| * `vnet_image_pull_enabled` - (Optional) Should the traffic for the image pull be routed over virtual network enabled. Defaults to `false`. | |
| * `vnet_image_pull_enabled` - (Optional) Specifies whether traffic for the image pull should be routed over virtual network. Defaults to `false`. |
| @@ -139,6 +139,10 @@ The following arguments are supported: | |||
|
|
|||
| ~> **Note:** Assigning the `virtual_network_subnet_id` property requires [RBAC permissions on the subnet](https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration#permissions) | |||
|
|
|||
| * `vnet_image_pull_enabled` - (Optional) Should the traffic for the image pull be routed over virtual network enabled. Defaults to `false`. | |||
|
|
|||
| ~> **Note:** The feature can also be enabled via the app setting `WEBSITE_PULL_IMAGE_OVER_VNET`. The Setting is enabled by default for app running in the App Service Environment. | |||
There was a problem hiding this comment.
| ~> **Note:** The feature can also be enabled via the app setting `WEBSITE_PULL_IMAGE_OVER_VNET`. The Setting is enabled by default for app running in the App Service Environment. | |
| ~> **Note:** The feature can also be enabled via the app setting `WEBSITE_PULL_IMAGE_OVER_VNET`. Must be set to `true` when running in an App Service Environment. |
| @@ -131,7 +131,11 @@ The following arguments are supported: | |||
| ~> **NOTE on regional virtual network integration:** The AzureRM Terraform provider provides regional virtual network integration via the standalone resource [app_service_virtual_network_swift_connection](app_service_virtual_network_swift_connection.html) and in-line within this resource using the `virtual_network_subnet_id` property. You cannot use both methods simultaneously. If the virtual network is set via the resource `app_service_virtual_network_swift_connection` then `ignore_changes` should be used in the function app slot configuration. | |||
|
|
|||
| ~> **Note:** Assigning the `virtual_network_subnet_id` property requires [RBAC permissions on the subnet](https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration#permissions) | |||
|
|
|||
|
|
|||
| * `vnet_image_pull_enabled` - (Optional) Should the traffic for the image pull be routed over virtual network enabled. Defaults to `false`. | |||
There was a problem hiding this comment.
| * `vnet_image_pull_enabled` - (Optional) Should the traffic for the image pull be routed over virtual network enabled. Defaults to `false`. | |
| * `vnet_image_pull_enabled` - (Optional) Specifies whether traffic for the image pull should be routed over virtual network. Defaults to `false`. | |
|
@stephybun Thanks for the comment, of course I can wrap it in the |
|
Thanks @stephybun ! I updated the comment and test cases. For test cases related to ASE, as the vnet related features have to be enabled for app running in the app service environment, so I still put it in the ASE test and added comment accordingly. Let me know about your feedbacks. |
There was a problem hiding this comment.
Thanks @xiaxyi. This is nearly ready but it is unfortunately not sufficient to leave a 4.0 property commented out in a test config as explained in the review comment. Can you please resolve all the comments, after that this should be good to go!
| @@ -1210,6 +1237,29 @@ func (r LinuxFunctionAppResource) CustomizeDiff() sdk.ResourceFunc { | |||
| Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error { | |||
| client := metadata.Client.AppService.ServicePlanClient | |||
| rd := metadata.ResourceDiff | |||
| if rd.HasChange("vnet_image_pull_enabled") { | |||
There was a problem hiding this comment.
Although this shouldn't be problematic, can we still add the FourPointOhBeta flag here to make it clear and consistent that this is a 4.0 property
| if rd.HasChange("vnet_image_pull_enabled") { | |
| if rd.HasChange("vnet_image_pull_enabled") && features.FourPointOhBeta() { |
Please apply this to the other resources too
| @@ -4244,6 +4247,7 @@ resource "azurerm_linux_function_app" "test" { | |||
| storage_account_name = azurerm_storage_account.test.name | |||
| storage_account_access_key = azurerm_storage_account.test.primary_access_key | |||
|
|
|||
| // vnet_image_pull_enabled = true | |||
There was a problem hiding this comment.
When we hook the feature flag FourPointOhBeta up to an environment variable to be able to enable the beta and to test that the 4.0 features work, this will be problematic and require manual intervention to uncomment the line in order to test. This needs to be removed and added to a new test that is skipped prior to 4.0 e.g.
if !features.FourPointOhBeta() {
t.Skip("this test requires 4.0 mode")
}
Please make this change to the other resource tests too
|
@xiaxyi this is good to go once the last round of review comments has been resolved |
…to appservice/addVnetProperties # Conflicts: # internal/services/appservice/linux_function_app_resource_test.go # internal/services/appservice/linux_function_app_slot_resource_test.go
There was a problem hiding this comment.
Hi @xiaxyi - Can you take a look at updating this PR based on the below comment?
Thanks!
| @@ -71,6 +72,8 @@ type LinuxFunctionAppModel struct { | |||
| PublishingFTPBasicAuthEnabled bool `tfschema:"ftp_publish_basic_authentication_enabled"` | |||
| Identity []identity.ModelSystemAssignedUserAssigned `tfschema:"identity"` | |||
|
|
|||
| // VnetImagePullEnabled bool `tfschema:"vnet_image_pull_enabled"` // TODO 4.0 not supported on Consumption plans | |||
There was a problem hiding this comment.
This can be included now using the additional struct tag
| // VnetImagePullEnabled bool `tfschema:"vnet_image_pull_enabled"` // TODO 4.0 not supported on Consumption plans | |
| VnetImagePullEnabled bool `tfschema:"vnet_image_pull_enabled,addedInNextMajorVersion"` // TODO 4.0 not supported on Consumption plans |
Can you also look to address the 4.0 TODO here within this PR?
|
Hi @xiaxyi - as I mentioned offline, I made some updates to this to move it forward. Unfortunately I can't push to your fork any more for some reason, so I've pushed your commits to a new branch to be able to update and I'm going to close this PR in favour of that. |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Community Note
PR Checklist
For example: “
resource_name_here- description of change e.g. adding propertynew_property_name_here”Changes to existing Resource / Data Source
Documentation Changes
Description
The property is controlling the image pull feature in virtual network integration. Although the feature can be set via key
WEBSITE_PULL_IMAGE_OVER_VNETunderapp_setting, given the fact that the service team would like to guide user to use this property undersite_config, added it in Terraform as well.Testing Logs/Evidence
Related Issue(s)
Fixes #0000
Change Log
Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.
azurerm_linux_function_app- support for thevnet_image_pull_enabledpropertyThis is a (please select all that apply):
Note
If this PR changes meaningfully during the course of review please update the title and description as required.