Getting access denied #4635

Open
devopsidiot opened this issue Oct 16, 2019 · 14 comments

@devopsidiot

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Affected Resource(s)

  • azurerm_app_service

Terraform Configuration Files

resource "azurerm_app_service_plan" "container_service_plan" {
  name                = "${var.builderName}"
  location            = "${azurerm_resource_group.rg.location}"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  kind                = "xenon"
  is_xenon            = true

  sku {
    tier = "PremiumContainer"
    size = "PC3"
  }
}

resource "azurerm_app_service" "container_service" {
  name                = "${var.builderName}"
  location            = "${azurerm_resource_group.rg.location}"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  app_service_plan_id = "${azurerm_app_service_plan.container_service_plan.id}"
  tags = "${local.commonTags}"   
  
  app_settings = {
    "DOCKER_REGISTRY_SERVER_URL" = "https://privateazurecontainerregistry.azurecr.io",
    "DOCKER_REGISTRY_SERVER_USERNAME" = "privateazurecontainerregistry_username",
    "DOCKER_REGISTRY_SERVER_PASSWORD" = "privateazurecontainerregistry_pw",
    "CONTAINER_MEMORY:" = 8000
  }

  site_config {
    windows_fx_version = "DOCKER|privateazurecontainerregistry.azurecr.io/app.1901:latest"
  }


}

Expected Behavior

Web App for container w/ Windows Container deployed into larger resource group

Actual Behavior

Error: web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The parameter WindowsFxVersion has an invalid value. Could not find the specified image name and tag combination. For private registries, make sure you are prepending the image name with the server hostname. https://mcr.microsoft.com" Details=[{"Message":"The parameter WindowsFxVersion has an invalid value. Could not find the specified image name and tag combination. For private registries, make sure you are prepending the image name with the server hostname. https://mcr.microsoft.com"},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"01007","Message":"The parameter WindowsFxVersion has an invalid value. Could not find the specified image name and tag combination. For private registries, make sure you are prepending the image name with the server hostname. https://mcr.microsoft.com","MessageTemplate":"The parameter {0} has an invalid value.","Parameters":["WindowsFxVersion"]}}]

Error: Error creating App Service "rdbuilder02" (Resource Group "rdbuilder02"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=401 -- Original Error: Code="Unauthorized" Message="Access is denied. Not authorized. latest" Details=[{"Message":"Access is denied. Not authorized. latest"},{"Code":"Unauthorized"},{"ErrorEntity":{"Code":"Unauthorized","ExtendedCode":"01001","Message":"Access is denied. Not authorized. latest","MessageTemplate":"Access is denied.","Parameters":[]}}]

Steps to Reproduce

  1. terraform init
  2. terraform apply

Important Factoids

The snippet is part of a much larger script, all of which deploys without issue.
Can deploy the web app windows container via AzureRM powershell and through console.
If I use a public app, it deploys successfully.

References

  • #0000
@ewassef

ewassef commented Apr 10, 2020

Any update on this? Having the same error and can't find a solution.

@cwiederspan

I'm also seeing this problem when attempting to create an Azure Web App service that uses a Windows Container from a private registry. The problem seems to be the value of the windows_fx_version property.

My guess is that the provider is trying to create the App Service first, with the site_config setting, but not with the app_settings. And since the username and password for the private registry are within the app_settings, the App Service seems like it won't provision because it doesn't have the username/password, and the whole script dies.

@cwiederspan

cwiederspan commented Apr 10, 2020

Ultimately, the azurerm provider is sending an API call with a body like this...

{
    "location": "westus",
    "properties": {
        "enabled": true,
        "serverFarmId": "/subscriptions/b9c770d1-cde9-4da3-ae40-95ce1a4fac0c/resourceGroups/cdw-winappcnt-20200410/providers/Microsoft.Web/serverfarms/cdw-winappcnt-20200410-plan",
        "siteConfig": {
            "defaultDocuments": [],
            "netFrameworkVersion": "v4.0",
            "phpVersion": "",
            "pythonVersion": "",
            "linuxFxVersion": "",
            "windowsFxVersion": "DOCKER|cdwms.azurecr.io/aspnethelloworld:latest",
            "remoteDebuggingEnabled": false,
            "remoteDebuggingVersion": "",
            "scmType": "None",
            "use32BitWorkerProcess": false,
            "webSocketsEnabled": false,
            "alwaysOn": true,
            "javaVersion": "",
            "javaContainer": "",
            "javaContainerVersion": "",
            "appCommandLine": "",
            "cors": {},
            "autoSwapSlotName": "",
            "localMySqlEnabled": false,
            "ipSecurityRestrictions": [],
            "http20Enabled": false
        },
        "httpsOnly": false
    },
    "tags": {}
}

... which fails. However, if it were to pass this...

{
    "location": "westus",
    "properties": {
        "enabled": true,
        "serverFarmId": "/subscriptions/b9c770d1-cde9-4da3-ae40-95ce1a4fac0c/resourceGroups/cdw-winappcnt-20200410/providers/Microsoft.Web/serverfarms/cdw-winappcnt-20200410-plan",
        "siteConfig": {
            "defaultDocuments": [],
            "netFrameworkVersion": "v4.0",
            "phpVersion": "",
            "pythonVersion": "",
            "linuxFxVersion": "",
            "windowsFxVersion": "DOCKER|cdwms.azurecr.io/aspnethelloworld:latest",
            "remoteDebuggingEnabled": false,
            "remoteDebuggingVersion": "",
            "scmType": "None",
            "use32BitWorkerProcess": false,
            "webSocketsEnabled": false,
            "alwaysOn": true,
            "javaVersion": "",
            "javaContainer": "",
            "javaContainerVersion": "",
            "appCommandLine": "",
            "cors": {},
            "autoSwapSlotName": "",
            "localMySqlEnabled": false,
            "ipSecurityRestrictions": [],
            "http20Enabled": false,
            "appSettings": [
                {
                    "name": "DOCKER_REGISTRY_SERVER_URL",
                    "value": "https://something.azurecr.io"
                },
                {
                    "name": "DOCKER_REGISTRY_SERVER_USERNAME",
                    "value": "something"
                },
                {
                    "name": "DOCKER_REGISTRY_SERVER_PASSWORD",
                    "value": "REDACTED"
                },
                {
                    "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
                    "value": "false"
                }
            ]
        },
        "httpsOnly": false
    },
    "tags": {}
}

... with the appsettings, then it works as expected.
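
The condition described in the comment above, as an added example that is not part of the thread or the provider's code: a pre-flight check that a site-creation body referencing a private image also carries the registry settings in `siteConfig.appSettings`. The function names, the list of registries treated as public, and the `example.azurecr.io` sample bodies are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Assumption: these registries allow anonymous pulls; any other host needs credentials.
PUBLIC_REGISTRIES = {"mcr.microsoft.com", "docker.io", "index.docker.io"}
REQUIRED = ("DOCKER_REGISTRY_SERVER_URL",
            "DOCKER_REGISTRY_SERVER_USERNAME",
            "DOCKER_REGISTRY_SERVER_PASSWORD")

def registry_host(fx_version):
    """Return the registry host from 'DOCKER|host/repo:tag', or None if not a Docker image."""
    kind, sep, image = fx_version.partition("|")
    if not sep or kind.upper() != "DOCKER" or not image:
        return None
    first, slash, _ = image.partition("/")
    # Docker convention: the first path component is a host only if it
    # contains '.' or ':' or is 'localhost'; otherwise the image is on Docker Hub.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def check_site_request(body):
    """List problems in a site-creation body whose image comes from a private registry."""
    site_config = body.get("properties", {}).get("siteConfig", {})
    host = registry_host(site_config.get("windowsFxVersion", ""))
    if host is None or host in PUBLIC_REGISTRIES:
        return []
    settings = {s["name"]: s.get("value") for s in site_config.get("appSettings") or []}
    problems = [f"missing app setting {name}" for name in REQUIRED if not settings.get(name)]
    url = settings.get("DOCKER_REGISTRY_SERVER_URL")
    if url and (urlparse(url).hostname or "").lower() != host.split(":")[0]:
        problems.append(f"DOCKER_REGISTRY_SERVER_URL does not point at {host}")
    return problems

# Constructed bodies, trimmed to the fields that differ between the two shapes above.
WITHOUT_SETTINGS = json.loads("""{"properties": {"siteConfig": {
  "windowsFxVersion": "DOCKER|example.azurecr.io/aspnethelloworld:latest"}}}""")
WITH_SETTINGS = json.loads("""{"properties": {"siteConfig": {
  "windowsFxVersion": "DOCKER|example.azurecr.io/aspnethelloworld:latest",
  "appSettings": [
    {"name": "DOCKER_REGISTRY_SERVER_URL", "value": "https://example.azurecr.io"},
    {"name": "DOCKER_REGISTRY_SERVER_USERNAME", "value": "example"},
    {"name": "DOCKER_REGISTRY_SERVER_PASSWORD", "value": "REDACTED"}]}}}""")

if __name__ == "__main__":
    for label, body in (("without", WITHOUT_SETTINGS), ("with", WITH_SETTINGS)):
        print(label, check_site_request(body) or "ok")
```

The URL comparison also flags a credential set that belongs to a different registry than the one named in `windowsFxVersion`.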

@ewassef

ewassef commented Apr 11, 2020

@cwiederspan you're on to something because the Schema for Site_config doesn't include the appsettings, it's a sibling
https://github.com/terraform-providers/terraform-provider-azurerm/blob/1c3b771dac54b42bb48a587ba28118e087650b29/azurerm/helpers/azure/app_service.go#L637
I wonder if we add it in there in the .tf file if that would work

@ewassef

ewassef commented Apr 11, 2020

Nope, validation stops it :
An argument named "app_settings" is not expected here.

@KennyEliasson

I'm also facing this issue. As a temporary workaround I set the windows_fx_version to a public image and change it with Azure CLI or manually from the UI.

@aldrichang

I'm having the same issue... is there any workaround at the moment? @KennyEliasson doesn't it reset back to the public image when you reapply?

@KennyEliasson

@aldrichang I've ignored windows_fx_version and I set the image via Azure CLI

@ahmddp

ahmddp commented Oct 12, 2021

We had the exact same issue and followed @KennyEliasson's method as the workaround. I used the nanoserver:1809 public image to initialize the appservice. Also, ignored some app_settings to avoid subsequent deployment overwrites.

resource "azurerm_app_service" "app" {
  <<<<<<<<<truncated for readability>>>>>>>>>>>>

  app_settings = {      
    "DOCKER_REGISTRY_SERVER_URL"      = "https://index.docker.io"
    "DOCKER_REGISTRY_SERVER_PASSWORD" = null
    "DOCKER_REGISTRY_SERVER_USERNAME" = null
  }

  site_config {
    windows_fx_version = join("", ["DOCKER|","mcr.microsoft.com/windows/nanoserver:1809"])
  }

  lifecycle {
    ignore_changes = [
      app_settings["DOCKER_REGISTRY_SERVER_URL"],
      app_settings["DOCKER_REGISTRY_SERVER_PASSWORD"],
      app_settings["DOCKER_REGISTRY_SERVER_USERNAME"],
      site_config["windows_fx_version"]
    ]
  }
}

@tombuildsstuff
Member

👋

We recently announced version 3.0 of the Azure Provider which introduces several new features, including new resources for App Service to better represent the service, including the azurerm_linux_web_app and azurerm_windows_web_app resources.

Since these resources better represent App Service in Terraform - we're introducing new functionality to those resources and encourage you to opt-into the Beta, try the new resources and provide feedback - as in version 3.0 these new resources will become GA and will supersede the existing resources. More information on the Beta can be found here.

Thanks!
