allowed_applications of active_directory_v2 on azurerm_windows_function_app doesn't work #25897

Open
1 task done
fkpwolf opened this issue May 8, 2024 · 12 comments

fkpwolf commented May 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.6

AzureRM Provider Version

3.101.0

Affected Resource(s)/Data Source(s)

azurerm_windows_function_app

Terraform Configuration Files

resource "azurerm_windows_function_app" "function" {
  name                          = var.function_app_name
  location                      = var.location
  resource_group_name           = var.resource_group_name
  service_plan_id               = azurerm_service_plan.function.id
  storage_account_name          = azurerm_storage_account.function.name
  storage_uses_managed_identity = true
  https_only                    = true
  virtual_network_subnet_id     = azurerm_subnet.function.id
  site_config {
    ftps_state                  = "FtpsOnly"
    minimum_tls_version         = "1.2"
    use_32_bit_worker           = false
    scm_use_main_ip_restriction = true
    always_on                   = true
  }
  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.function.id
    ]
  }
  auth_settings_v2 {
    auth_enabled = true
    login {
      token_store_enabled = true
    }
    require_authentication = false
    unauthenticated_action = "AllowAnonymous"
    active_directory_v2 {
      client_id            = var.function_settings["FunctionMSIAppId"]
      tenant_auth_endpoint = "https://login.microsoftonline.com/xxxx"
      allowed_applications = [
        var.function_settings["ADFMSIClientId"] # hardcode ADF Managed Identity client ID
      ]
    }
  }
}

Debug Output/Panic Output

After deploy, in the Azure portal, allowed_applications is empty.

Expected Behaviour

In the Azure portal, I can see the allowed application which I have set.

Actual Behaviour

After deploy, in the Azure portal, allowed_applications is empty.

Steps to Reproduce

No response

Important Factoids

No response

References

No response


bw-adriangould commented May 16, 2024

This issue is also affecting our team and is exactly as described above.

Plan highlights the fact that allowed_applications will be updated, but Apply does not update the value.

Found this in the log files, if it's any help:

2024-05-16T12:59:50.007Z [WARN] Provider "provider["registry.terraform.io/hashicorp/azurerm"]" produced an unexpected new value for module.function_app.azurerm_windows_function_app.function_app, but we are tolerating it because it is using the legacy plugin SDK.
The following problems may be the cause of any confusing errors from downstream operations:
- .auth_settings_v2[0].active_directory_v2[0].allowed_applications: element 0 has vanished


stefanmd023 commented May 24, 2024

@bw-adriangould

+1 Also have an issue with this.

However note, not sure if related:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app#arguments-reference:~:text=Azure%20Active%20Directory.-,NOTE%3A,-This%20is%20configured

Thanks, but that note is related to a Linux function app and not a Windows function app.

@stefanmd023

Interesting, so the issue is on both linux and windows function apps

@bw-adriangould

> Interesting, so the issue is on both linux and windows function apps

Interesting, or suspicious, that the "read-only" note is only shown on the Linux function app.
My immediate issue is with the Windows function app.

@stefanmd023

> > Interesting, so the issue is on both linux and windows function apps
>
> Interesting, or suspicious, that the "read-only" note is only shown on the Linux function app. My immediate issue is with the Windows function app.

I couldn't find any other way to set this using code, nor powershell nor az cli. It's possible the issue is the Azure API does not support it, and the note should be also on the Windows function app. That would be sad news.

@bw-adriangould

> > > Interesting, so the issue is on both linux and windows function apps
> >
> > Interesting, or suspicious, that the "read-only" note is only shown on the Linux function app. My immediate issue is with the Windows function app.
>
> I couldn't find any other way to set this using code, nor powershell nor az cli. It's possible the issue is the Azure API does not support it, and the note should be also on the Windows function app. That would be sad news.

You can configure it via the Portal, and although Terraform identifies a change is necessary, but doesn't apply a change, it also doesn't undo a manual update via the Azure portal.

@stefanmd023

> > > > Interesting, so the issue is on both linux and windows function apps
> > >
> > > Interesting, or suspicious, that the "read-only" note is only shown on the Linux function app. My immediate issue is with the Windows function app.
> >
> > I couldn't find any other way to set this using code, nor powershell nor az cli. It's possible the issue is the Azure API does not support it, and the note should be also on the Windows function app. That would be sad news.
>
> You can configure it via the Portal, and although Terraform identifies a change is necessary, but doesn't apply a change, it also doesn't undo a manual update via the Azure portal.

Yes that is the same behaviour as for the Linux Function App.


fkpwolf commented May 30, 2024

Looks like it works now: after deploying, I can see it in the Azure Portal UI. This means the "Allowed client applications" input now has values.

@stefanmd023

> Looks like it works now: after deploying, I can see it in the Azure Portal UI. This means the "Allowed client applications" input now has values.

I do not see any change in behaviour for me. What about @bw-adriangould ?

@bw-adriangould

> > Looks like it works now: after deploying, I can see it in the Azure Portal UI. This means the "Allowed client applications" input now has values.
>
> I do not see any change in behaviour for me. What about @bw-adriangould ?

I haven't tried yet but no change of behavior is expected without an update to the AzureRm provider module.
What version are you using @fkpwolf ?

I'm currently on hashicorp/azurerm v3.103.1

@bw-adriangould

> > Looks like it works now: after deploying, I can see it in the Azure Portal UI. This means the "Allowed client applications" input now has values.
>
> I do not see any change in behaviour for me. What about @bw-adriangould ?

No change and nothing in the AzureRm provider change log to indicate anything has changed.
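Since the thread shows plan and apply disagreeing with what the portal displays, one way to settle whether the allow-list actually reached Azure is to read the app's authsettingsV2 document and compare it with the intended client IDs. This is an added example, not code from the issue or from the provider; the function name is hypothetical, and the sample JSON and GUIDs are constructed placeholders laid out per the ARM authsettingsV2 schema.

```python
import json

# Location of the allow-list inside an App Service authsettingsV2 document.
_PATH = ("identityProviders", "azureActiveDirectory", "validation",
         "defaultAuthorizationPolicy", "allowedApplications")


def missing_allowed_applications(auth_settings, expected_client_ids):
    """Return the expected client IDs that are absent from the deployed settings.

    Accepts either the full ARM resource (settings under "properties") or the
    bare properties object. A missing or null level anywhere on the path is
    treated as an empty allow-list, which is the state reported in this issue.
    """
    node = auth_settings.get("properties", auth_settings)
    for key in _PATH:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            break
    deployed = {str(v).strip().lower() for v in (node or [])}
    # GUIDs are compared case-insensitively; result order follows the input.
    return [cid for cid in expected_client_ids
            if cid.strip().lower() not in deployed]


# Constructed sample: the state described in the thread after `terraform apply`
# (Entra ID provider configured, allow-list empty). GUIDs are placeholders.
EXPECTED = ["11111111-2222-3333-4444-555555555555"]
DRIFTED = json.loads("""
{"properties": {"platform": {"enabled": true},
  "globalValidation": {"requireAuthentication": false,
                       "unauthenticatedClientAction": "AllowAnonymous"},
  "identityProviders": {"azureActiveDirectory": {"enabled": true,
    "registration": {"clientId": "00000000-0000-0000-0000-000000000000"},
    "validation": {"defaultAuthorizationPolicy": {"allowedApplications": []}}}}}}
""")

if __name__ == "__main__":
    missing = missing_allowed_applications(DRIFTED, EXPECTED)
    print("missing allowed applications:", missing or "none")
    raise SystemExit(1 if missing else 0)
```

Run as a post-apply pipeline step against the live settings document, a non-zero exit flags the silent drift instead of leaving it to be noticed in the portal.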
