Bug: Duplicate registry server url in image name when doing an update

[pacorreia]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.6

AzureRM Provider Version

3.17.0

Affected Resource(s)/Data Source(s)

azurerm_linux_function_app

Terraform Configuration Files

resource "azurerm_resource_group" "rg" {
  name     = "rg-func-app-docker-issue"
  location = "westeurope"
}

resource "azurerm_container_registry" "acr" {
  name                = "acrfuncappdockerissue"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
  admin_enabled       = true
}

resource "azurerm_role_assignment" "acr_role_assignment" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_linux_function_app.func.identity[0].principal_id
}

resource "azurerm_service_plan" "asp" {
  name                = "asp-func-app-docker-issue"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "B1"
}

resource "azurerm_storage_account" "func_storage" {
  name                     = "storfuncappdockerissue"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_kind             = "Storage"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
  network_rules {
    bypass         = ["AzureServices"]
    default_action = "Allow"
    ip_rules       = []
  }

}
resource "azurerm_linux_function_app" "func" {
  name                       = "func-app-docker-issue"
  resource_group_name        = azurerm_resource_group.rg.name
  location                   = azurerm_resource_group.rg.location
  service_plan_id            = azurerm_service_plan.asp.id
  storage_account_name       = azurerm_storage_account.func_storage.name
  storage_account_access_key = azurerm_storage_account.func_storage.primary_access_key
  identity {
    type = "SystemAssigned"
  }

  site_config {
    application_stack {
      docker {
        image_name   = "repo/function-app"
        image_tag    = "latest"
        registry_url = azurerm_container_registry.acr.login_server
      }

    }
    container_registry_use_managed_identity = true
  }

  lifecycle {
    ignore_changes = [
      site_config[0].application_stack[0].docker[0].image_name,
      site_config[0].application_stack[0].docker[0].image_tag,
      site_config[0].application_stack[0].docker[0].registry_url
    ]
  }

  timeouts {}
}

output "func_details" {
  value = {
    linux_fx_version = azurerm_linux_function_app.func.site_config[0].linux_fx_version
    docker = {
      image_name   = azurerm_linux_function_app.func.site_config[0].application_stack[0].docker[0].image_name
      image_tag    = azurerm_linux_function_app.func.site_config[0].application_stack[0].docker[0].image_tag
      registry_url = azurerm_linux_function_app.func.site_config[0].application_stack[0].docker[0].registry_url
    }
  }
}

Debug Output/Panic Output

https://gist.github.com/pacorreia/b6515dde9f72f3851235803dde7142bf

Expected Behaviour

The docker image name, tag and registry url should have remained intact with ignore_changes setup:

Actual Behaviour

image name is set to https
imagetag gets the registry url prefixed to original image name like "//someacr.azureact.io/repo/image"

Steps to Reproduce

For this case no actual docker image needs to be present!

1. terraform apply
2. change anything in your function app (comment/uncomment the app setting block to trigger a change)
3. terraform apply again
4. Go to Azure Portal and check in deployment center that image name and image tag got changed in wrong way.

Also noticed that, when we don't ignore changes to docker properties, and we edit in Azure Portal, Terraform reports that there was a change, e.g.:

1. In terraform we set registry url without https
2. We go to Azure Portal and update a tag
3. Run terraform plan and registry_url shows a drift, reads https:// and when applying will remove it
4. Same happens for image name, we set it without registry url prefix, and after a change in portal, terraform reports it as having registry url as part for image name.

@james-bjss might provide more info on code analysis we did to azurerm provider.

Important Factoids

No response

References

No response

[pacorreia]

Hey team,

for some reason this issue was removed the bug label, and one got eyes into this, is a bit of concerning issue, please do the triage

[dcd000]

Hi.
It seems solved in the last Azurerm provider version v3.42.0

[pacorreia]

@dcd000 part of yes, but I've noticed another thing as described in this issue:

Also noticed that, when we don't ignore changes to docker properties, and we edit in Azure Portal, Terraform reports that there was a change, e.g.:

In terraform we set registry url without https
We go to Azure Portal and update a tag
Run terraform plan and registry_url shows a drift, reads https:// and when applying will remove it
Same happens for image name, we set it without registry url prefix, and after a change in portal, terraform reports it as having registry url as part for image name.

I don't get it why this issue was not being monitored and related as well

[dcd000]

I think that as of version v3.42 registry_url must use https because it is directly used to populate the DOCKER_REGISTRY_SERVER_URL app setting and this must include the protocol
Try with registry_url = https://azurerm_container_registry.acr.login_server