App Service Auth v2 stuff won't let anything through (many issues in arm doc generated) #21021
Comments
Same problems here. Anyone having issues check #20913 as I provided a workaround that worked for me.
Thanks @drdamour for raising this issue, we are working on this and will update once there is any progress.
Hi, Terraform Version / AzureRM Provider Version: Terraform plan shows a wrong configuration change, because the
My only way to prevent this authentication provider from getting broken is an example function app code:
as @Sanorikos mentions, there is another bug. TF is always reading enable token store as false, even when it's true. not sure why. so TF always wants to apply that. in his case when he applies it does the other bad things described here; by ignoring that bug, the unneeded apply is skipped and he has no issues. a colleague was supposed to open a separate issue for the always-detecting-token-store-enabled-as-false bug
This functionality has been released in v3.49.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform Version
1.4.2
AzureRM Provider Version
3.48.0
Affected Resource(s)/Data Source(s)
azurerm_windows_function_app, azurerm_windows_linux_app
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
there's quite a few issues with the v2 stuff. they all are around the fact that it creates an arm doc that explicitly sets some values that it shouldn't be setting unless they are explicitly set in the terraform (the data model is like pre-built to bad defaults).
i determined these by diffing the arm docs between it working through enabling in portal and applying terraform to it, which broke it.
the first major problem is that client_secret_certificate_thumbprint defaults in the arm doc to "" (the empty string), which no cert will match. Instead this value should be excluded from the arm doc.
left is broken from TF, right is working from portal
the next set of problems are around the jwt claim checks. the provider is defaulting to [] for both allowed lists, which means nothing is allowed. as coded you would have to explicitly define the allows... but that's not the intended behaviour... it's supposed to be allow all, and then if you opt into it, explicit allow/implicit deny. same, left and right
the behaviour should be that not supplying values for jwt_allowed_groups or jwt_allowed_client_applications should leave the jwtClaimChecks as {}; supplying one or the other should only add that node in the doc, not both.
the next set is the allowed rules for auth policy; again left is TF broken, right is portal working
same thing: by filling in the doc even when omitted from TF, it's going into an implicit deny mode and there's no way to stay in the implicit allow mode since these are specified.
same story, all 3 of these configs when omitted from the hcl should not show up in the arm doc, and only the individual nodes should appear as values are set.
Actual Behaviour
leveraging authv2 breaks your auth at many different points listed in expected behaviour. even fixing 1 or 2 still causes further problems, so it's effectively unusable for the most common cases. you would have to use client certs, and set up explicit allow rules for every single optional value to get it to succeed.
Steps to Reproduce
No response
Important Factoids
No response
References
this all stems from #20449 but i suspect the SAME issues exist from the recently merged #20722 and we'll have same problems there.
so cc @jackofallops
we also encountered the much less severe #21006 and #21066
#20913 reports some of these same problems but not all the ones listed here
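To make the "explicit empty value vs. omitted node" distinction from the report concrete, here is an added Python example (not the provider's code and not from the issue author) that renders the azureActiveDirectory block two ways: once with the pre-filled defaults the issue describes, and once with never-set values pruned so they do not appear in the document at all. The ARM key names (`clientSecretCertificateThumbprint`, `jwtClaimChecks.allowedGroups`, `defaultAuthorizationPolicy.allowedPrincipals`, etc.) are my assumptions from the siteAuthSettingsV2 schema; the client id and group id are constructed placeholders, and the "explicit allow" classification models the behaviour the issue asserts (an empty allowlist means nothing is allowed).

```python
import json
from typing import Any

# Constructed placeholders, not real identifiers.
PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_GROUP_ID = "11111111-1111-1111-1111-111111111111"


def render_aad_block(cfg: dict) -> dict:
    """Render the block the way the issue says the provider does it: every
    optional field is written out, with "" or [] standing in for options
    that were never set in HCL.  Key names are assumed from the
    siteAuthSettingsV2 schema, not copied from the provider."""
    return {
        "registration": {
            "clientId": cfg["client_id"],
            "clientSecretCertificateThumbprint": cfg.get(
                "client_secret_certificate_thumbprint", ""),
        },
        "validation": {
            "jwtClaimChecks": {
                "allowedGroups": cfg.get("jwt_allowed_groups", []),
                "allowedClientApplications": cfg.get(
                    "jwt_allowed_client_applications", []),
            },
            "defaultAuthorizationPolicy": {
                "allowedApplications": cfg.get("allowed_applications", []),
                "allowedPrincipals": {
                    "groups": cfg.get("allowed_groups", []),
                    "identities": cfg.get("allowed_identities", []),
                },
            },
        },
    }


def prune_unset(node: Any) -> Any:
    """Recursively drop "", [], None and objects that prune down to {}.
    An option the user never set is then absent from the document instead
    of being an explicit empty value that matches nothing."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            pruned = prune_unset(value)
            if pruned in ("", [], {}, None):
                continue
            out[key] = pruned
        return out
    return node


def render_aad_block_fixed(cfg: dict) -> dict:
    """Expected behaviour: only nodes with real values reach the ARM doc."""
    return prune_unset(render_aad_block(cfg))


def explicit_empty_paths(doc: dict, prefix: str = "") -> list:
    """List JSON paths whose value is "" or [] -- the kind of difference the
    author found by diffing the Terraform-generated and portal-generated docs."""
    paths = []
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            paths.extend(explicit_empty_paths(value, path))
        elif value == "" or value == []:
            paths.append(path)
    return paths


def authorization_mode(doc: dict) -> str:
    """'implicit allow' while no allowlist node exists; 'explicit allow' as
    soon as any allowlist key is present, even an empty one (the failure
    mode described in the issue)."""
    policy = doc.get("validation", {}).get("defaultAuthorizationPolicy", {})
    principals = policy.get("allowedPrincipals", {})
    present = ("allowedApplications" in policy,
               "groups" in principals, "identities" in principals)
    return "explicit allow" if any(present) else "implicit allow"


if __name__ == "__main__":
    minimal = {"client_id": PLACEHOLDER_CLIENT_ID}
    broken = render_aad_block(minimal)
    print("explicit empties:", explicit_empty_paths(broken))
    print("mode (broken):", authorization_mode(broken))
    fixed = render_aad_block_fixed(minimal)
    print(json.dumps(fixed, indent=2))
    print("mode (fixed):", authorization_mode(fixed))
    one_list = dict(minimal, jwt_allowed_groups=[PLACEHOLDER_GROUP_ID])
    print(json.dumps(render_aad_block_fixed(one_list), indent=2))
```

Running it on a config that only sets `client_id` lists six explicit-empty paths in the "broken" rendering and produces a fixed document containing nothing but `registration.clientId`; setting only `jwt_allowed_groups` adds just `validation.jwtClaimChecks.allowedGroups`, not its sibling, which is the behaviour the report asks for.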