
App Service Auth v2 stuff won't let anything through (many issues in arm doc generated) #21021

Closed
1 task done
drdamour opened this issue Mar 17, 2023 · 6 comments · Fixed by #21091

Comments

@drdamour
Contributor

drdamour commented Mar 17, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.2

AzureRM Provider Version

3.48.0

Affected Resource(s)/Data Source(s)

azurerm_windows_function_app, azurerm_windows_linux_app

Terraform Configuration Files

```hcl
auth_settings_v2 {
  login {
    token_store_enabled = true

    # TODO: create azurerm github issue to clarify if the tf default of 72 or the azure default of 0 is correct
    # currently we can't have 0 here
    token_refresh_extension_time = 1
  }

  default_provider       = "azureactivedirectory"
  auth_enabled           = true
  require_authentication = true
  runtime_version        = "~1"

  active_directory_v2 {
    client_id                  = azuread_application.main.application_id
    allowed_audiences          = []
    tenant_auth_endpoint       = "https://login.microsoftonline.com/<actuall tenant redacted>/v2.0"
    client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"

    login_parameters = {
      # see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#send-the-sign-in-request for options
      prompt = "select_account"

      # offline_access allows getting of refresh token
      # see https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#refresh-auth-tokens
      scope = "openid profile email offline_access"
    }
  }
}
```

Debug Output/Panic Output

none

Expected Behaviour

There's quite a few issues with the v2 stuff. They are all around the fact that it creates an ARM doc that explicitly sets some values that it shouldn't be setting unless they are explicitly set in the terraform (the data model is like pre-built to bad defaults).

I determined these by diffing the ARM docs between it working through enabling in portal and applying terraform to it, which broke it.

The first major problem is that client_secret_certificate_thumbprint defaults in the ARM doc to "" (the empty string), which no cert will match. Instead this value should be excluded from the ARM doc.

(screenshot: left is broken from TF, right is working from portal)

The next set of problems are around the JWT claim checks. The provider is defaulting to [] for both allowed lists, which means nothing is allowed. As coded you would have to explicitly define the allows... but that's not the intended behaviour... it's supposed to be allow all, and then if you opt into it, explicit allow/implicit deny. Same left and right:

(screenshot: left is broken from TF, right is working from portal)

The behaviour should be that not supplying values for jwt_allowed_groups or jwt_allowed_client_applications leaves the jwtClaimChecks as {}; supplying one or the other should only add that node in the doc, not both.

The next set is the allowed rules for the auth policy. Again, left is TF broken, right is portal working:

(screenshot: left is TF broken, right is portal working)

Same thing: by filling in the doc even when omitted from TF, it's going into an implicit deny mode and there's no way to stay in the implicit allow mode since these are specified.

Same story for all 3 of these configs: when omitted from the HCL they should not show up in the ARM doc, and only the individual nodes should appear as values are set.

Actual Behaviour

Leveraging auth v2 breaks your auth at many different points, listed in expected behaviour. Even fixing 1 or 2 still causes further problems, so it's effectively unusable for the most common cases. You would have to use client certs and set up explicit allow rules for every single optional value to get it to succeed.

Steps to Reproduce

No response

Important Factoids

No response

References

This all stems from #20449, but I suspect the SAME issues exist from the recently merged #20722 and we'll have the same problems there.

So cc @jackofallops

We also encountered the much less severe #21006 and #21066.

#20913 reports some of these same problems but not all the ones listed here.
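The omit-versus-empty distinction described above, as an added Go example that is not the provider's own code: constructed structs modelled on the ARM jwtClaimChecks node, with a broken expand that always writes both lists (so an omitted HCL attribute becomes [] and nothing is allowed) beside a fixed one that only adds the nodes the HCL actually supplied. The same rule applies to clientSecretCertificateThumbprint, which should be left out of the doc rather than written as "".

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed, simplified shape of the ARM jwtClaimChecks node discussed in the
// issue (ARM key names; this is not the provider's own type).
type JwtClaimChecks struct {
	AllowedGroups             *[]string `json:"allowedGroups,omitempty"`
	AllowedClientApplications *[]string `json:"allowedClientApplications,omitempty"`
}

type Validation struct {
	JwtClaimChecks *JwtClaimChecks `json:"jwtClaimChecks,omitempty"`
}

// Input stands in for the HCL attributes; a nil slice means "omitted".
type Input struct{ JwtAllowedGroups, JwtAllowedClientApplications []string }

// expandBroken mirrors the reported behaviour: both lists are always written,
// so an omitted attribute becomes [] in the ARM doc (nothing is allowed).
func expandBroken(in Input) Validation {
	g := append([]string{}, in.JwtAllowedGroups...)
	a := append([]string{}, in.JwtAllowedClientApplications...)
	return Validation{JwtClaimChecks: &JwtClaimChecks{AllowedGroups: &g, AllowedClientApplications: &a}}
}

// expandFixed emits a node only when the user supplied values: omitting both
// yields jwtClaimChecks {} (allow all) and supplying one adds just that node.
func expandFixed(in Input) Validation {
	c := &JwtClaimChecks{}
	if len(in.JwtAllowedGroups) > 0 {
		c.AllowedGroups = &in.JwtAllowedGroups
	}
	if len(in.JwtAllowedClientApplications) > 0 {
		c.AllowedClientApplications = &in.JwtAllowedClientApplications
	}
	return Validation{JwtClaimChecks: c}
}

// armJSON renders the node as it would appear in the ARM document.
func armJSON(v Validation) string {
	b, _ := json.Marshal(v)
	return string(b)
}

func main() { fmt.Println(armJSON(expandBroken(Input{})), armJSON(expandFixed(Input{}))) }
```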

@epomatti

Same problems here. Anyone having issues check #20913 as I provided a workaround that worked for me.

@xiaxyi
Contributor

xiaxyi commented Mar 21, 2023

Thanks @drdamour for raising this issue, we are working on this and will update once there is any progress.

@Sanorikos

Hi,
we had the same issue, that a working azurerm_windows_function_app, with auth settings set via portal, doesn't work anymore after adding the auth_settings_v2 settings to the current settings, shown in terraform plan.

Terraform Version
1.4.2

AzureRM Provider Version
3.48.0

Terraform plan shows a wrong configuration change, because the token_store_enabled is true.
If I make an apply and change these settings, I see no changes on the resource, but the Authentication doesn't work anymore.
A second plan shows the same changes in the auth_settings_v2.login configuration.

```text
  ~ auth_settings_v2 {
        # (9 unchanged attributes hidden)

      ~ login {
          ~ token_store_enabled               = false -> true
```

My only way to prevent this authentication provider from getting broken is an ignore_changes for auth_settings_v2[0].login[0].token_store_enabled, seen in my example code.

Example function App Code:

```hcl
resource "azurerm_windows_function_app" "api" {
  name                        = "${var.customer}-${var.project}-${var.environment}-func-${var.cfg_function_api["general"]["name_suffix"]}"
  location                    = azurerm_resource_group.appApi.location
  resource_group_name         = azurerm_resource_group.appApi.name
  service_plan_id             = module.appServicePlanapi.app_service_plan_id
  storage_account_name        = azurerm_storage_account.asStrgapi.name
  storage_account_access_key  = azurerm_storage_account.asStrgapi.primary_access_key
  functions_extension_version = var.cfg_function_api["general"]["functions_extension_version"]
  client_certificate_mode     = var.cfg_function_api["general"]["client_certificate_mode"]
  https_only                  = var.cfg_function_api["general"]["https_only"]
  virtual_network_subnet_id   = local.function_api_subnet_id

  site_config {
    ftps_state                             = var.cfg_function_api["site_config"]["ftps_state"]
    always_on                              = var.cfg_function_api["site_config"]["always_on"]
    minimum_tls_version                    = var.cfg_function_api["site_config"]["minimum_tls_version"]
    vnet_route_all_enabled                 = var.cfg_function_api["site_config"]["vnet_route_all_enabled"]
    application_insights_connection_string = module.insights.connection_string
    application_insights_key               = module.insights.instrumentation_key
  }

  identity {
    type = var.cfg_function_api["identity"]["type"]
  }

  app_settings = var.cfg_function_api["app_settings"]

  auth_settings_v2 {
    auth_enabled             = true
    default_provider         = "azureactivedirectory"
    excluded_paths           = []
    forward_proxy_convention = "NoProxy"
    http_route_api_prefix    = "/.auth"
    require_authentication   = true
    require_https            = true
    runtime_version          = "~1"
    unauthenticated_action   = "RedirectToLoginPage"

    active_directory_v2 {
      allowed_applications            = []
      allowed_audiences               = []
      allowed_groups                  = []
      allowed_identities              = []
      client_id                       = "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
      client_secret_setting_name      = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
      jwt_allowed_client_applications = []
      jwt_allowed_groups              = []
      login_parameters                = {}
      tenant_auth_endpoint            = "https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/v2.0"
      www_authentication_disabled     = false
    }

    login {
      allowed_external_redirect_urls    = []
      cookie_expiration_convention      = "FixedTime"
      cookie_expiration_time            = "08:00:00"
      nonce_expiration_time             = "00:05:00"
      preserve_url_fragments_for_logins = false
      token_refresh_extension_time      = 72
      token_store_enabled               = true
      validate_nonce                    = true
    }
  }

  connection_string {
    name  = var.cfg_function_api["connection_string_DataContext"]["name"]
    type  = var.cfg_function_api["connection_string_DataContext"]["type"]
    value = "${var.cfg_function_api["connection_string_DataContext"]["connection_string_prefix"]}${var.cfg_function_api["connection_string_DataContext"]["data_source"]};Initial Catalog=${module.mssqlDb01.database_name}${var.cfg_function_api["connection_string_DataContext"]["persistent_security_info"]};User ID=${local.function_api_mssql_db01_user};Password=${local.function_api_mssql_db01_pw};MultipleActiveResultSets=${var.cfg_function_api["connection_string_DataContext"]["multiple_active_result_sets"]};Encrypt=${var.cfg_function_api["connection_string_DataContext"]["encrypt"]};TrustServerCertificate=${var.cfg_function_api["connection_string_DataContext"]["trust_server_certificate"]};Connection Timeout=${var.cfg_function_api["connection_string_DataContext"]["connection_timeout"]}"
  }

  lifecycle {
    ignore_changes = [
      app_settings["MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"],
      tags["hidden-link: /app-insights-conn-string"],
      tags["hidden-link: /app-insights-instrumentation-key"],
      tags["hidden-link: /app-insights-resource-id"],
      auth_settings_v2[0].login[0].token_store_enabled,
      sticky_settings,
    ]
  }
}
```

@drdamour
Contributor Author

drdamour commented Mar 21, 2023

As @Sanorikos mentions, there is another bug. TF is always reading enable token store as false, even when it's true. Not sure why, so TF always wants to apply that. In his case, when he applies it does the other bad things described here; by ignoring that bug, the unneeded apply is skipped and he has no issues.

A colleague was supposed to open a separate issue for the always-detecting-token-store-enabled-as-false bug.

@github-actions

This functionality has been released in v3.49.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 24, 2023