azurerm_windows_function_app failes to change/update the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING setting when the storage account keys have been rotated

[sommkh]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.1

AzureRM Provider Version

3.116.0

Affected Resource(s)/Data Source(s)

azurerm_windows_function_app

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.0"
    }
  }
  backend "azurerm" {
  }
}
provider "azurerm" {
  features {
  }
  skip_provider_registration = true
  subscription_id            = var.subscription_id
}

###############   Storage Account 

data "azurerm_storage_account" "storageAccount" {
  name                = var.storageAccountName
  resource_group_name = var.resource_group_name
}

############### File  Storage Account 

data "azurerm_storage_account" "fileStorageAccount" {
  name                = var.fileStorageAccountName
  resource_group_name = var.resource_group_name
}

###############   Application Insights 

data "azurerm_application_insights" "appInsight" {
  name                = var.appInsightName
  resource_group_name = var.resource_group_name
}

############### Service Bus 

data "azurerm_servicebus_namespace" "serviceBus" {
  name                = var.serviceBus
  resource_group_name = var.resource_group_name
}

data "azurerm_servicebus_namespace_authorization_rule" "serviceBusNamespace_auth_rule" {
  name         = var.serviceBusNamespace_auth_rule_name
  namespace_id = data.azurerm_servicebus_namespace.serviceBus.id
}

###############   App Service Plan 

data "azurerm_service_plan" "appServicePlan" {
  name                = var.appServicePlanName
  resource_group_name = var.resource_group_name
}

###############   App Settings 

locals {
  appSettings = fileexists("${var.filepath}/appSettings.json") ? jsondecode(file("${var.filepath}/appSettings.json")) : null
}
locals {
  connections = fileexists("${var.filepath}/connections.json") ? jsondecode(file("${var.filepath}/connections.json")) : null
}

data "vault_generic_secret" "secrets" {
  path = var.vault_path_function_app_conn_string
}

###############   Function App 

resource "azurerm_windows_function_app" "functionApp" {
  name                        = var.functionAppName
  resource_group_name         = var.resource_group_name
  location                    = var.location
  service_plan_id             = data.azurerm_service_plan.appServicePlan.id
  storage_account_name        = data.azurerm_storage_account.storageAccount.name
  storage_account_access_key  = data.azurerm_storage_account.storageAccount.primary_access_key
  builtin_logging_enabled     = var.builtin_logging_enabled
  client_certificate_mode     = var.client_certificate_mode
  https_only                  = var.https_only
  tags                        = var.tags
  functions_extension_version = "~1"

  app_settings = merge(local.appSettings[var.functionAppName][0],
    { "AKA_AZURESTORAGE_CONNECTIONSTRING"        = data.azurerm_storage_account.fileStorageAccount.primary_connection_string,
      "AzureServiceBusConnectionString"          = data.azurerm_servicebus_namespace_authorization_rule.serviceBusNamespace_auth_rule.primary_connection_string
      "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING" = var.WEBSITE_CONTENTAZUREFILECONNECTIONSTRING == "INT_PLAN" ? data.azurerm_storage_account.storageAccount.primary_connection_string : data.azurerm_storage_account.fileStorageAccount.primary_connection_string
  })

  identity {
    type = var.identityType
  }
  site_config {
    worker_count                           = var.worker_count
    application_insights_connection_string = data.azurerm_application_insights.appInsight.connection_string #join(";", slice(split(";", nonsensitive(data.azurerm_application_insights.appInsight.connection_string)), 0, 3))
    application_insights_key               = data.azurerm_application_insights.appInsight.instrumentation_key
    ftps_state                             = var.ftps_state
    scm_minimum_tls_version                = var.scm_minimum_tls_version
    cors {
      allowed_origins     = var.allowed_origins
      support_credentials = var.support_credentials
    }
  }

  dynamic "connection_string" {
    for_each = lookup(local.connections, var.functionAppName, [])
    content {
      name  = connection_string.value.connection_string_name
      type  = connection_string.value.connection_string_type
      value = data.vault_generic_secret.secrets.data[connection_string.value.connection_string_value]
    }
  }

  depends_on = [
    data.azurerm_storage_account.storageAccount,
    data.azurerm_service_plan.appServicePlan,
    data.azurerm_storage_account.fileStorageAccount
  ]
}

Debug Output/Panic Output

# The azure function app will be updated:

  # module.functionApp["D365FO-INT-CONS-PLAN"].azurerm_windows_function_app.functionApp will be updated in-place
  ~ resource "azurerm_windows_function_app" "functionApp" {
      ~ app_settings                                   = {
          + "FUNCTIONS_EXTENSION_VERSION"                                                = "~1"
          ~ "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"                                   = (sensitive value)
          + "WEBSITE_NODE_DEFAULT_VERSION"                                               = "6.5.0"
            # (57 unchanged elements hidden)
        }
        id                                             = "/subscriptions/xxxxxx/resourceGroups/D365FO-xxxxx/providers/Microsoft.Web/sites/D365FO-xxxxx-CONS-PLAN"
        name                                           = "D365FO-xxxxx-CONS-PLAN"
        tags                                           = {
            "CreatedBy"   = "D365-Dxxxxx"
            "displayName" = "Functions App Service"
            "owner"       = "xxxxxm"
            "project"     = "Test 365"
        }
        # (26 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Expected Behaviour

WEBSITE_CONTENTAZUREFILECONNECTIONSTRING should have been updated if a new key is rotated for the storage account, it even says so in the plan that it needs to change it.

Actual Behaviour

WEBSITE_CONTENTAZUREFILECONNECTIONSTRING retains the old key for the connection string for the storage account and it fails to update.

Steps to Reproduce

1. Create resources with terraform apply.
2. Change the storage account key by rotate.
3. Update resources with terraform apply.

Important Factoids

No response

References

Multiple such issues have been raised and on of them has been closed as well - #22174.

Other links maybe there as well - #21140 and #21212

[egorshulga]

Tried to check the code to see what's going on with this connection string: relevant line - 913.

1. On the line 907 the state.AppSettings is initialized from the AppSettings from the Function App in Azure.
2. On the line 913 the code checks: take WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, if it is not present, then assign the new value with the new access key.
   ⚠ Of course, the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING is already present - we just read it ⚠

Let me summon authors of the previous PRs into this thread: @xiaxyi @jackofallops

Please correct me if I'm wrong in the code analysis