azurerm_function_app is not allowing AzureWebJobsStorage app setting to pull from Azure Key Vault #8977
Comments
Is that the correct syntax for key vault references? I'm using the following and it's working "fine"
*fine isn't really fine - there's a separate issue where changes to the secret values change the URI and cause an "inconsistent final plan" error when setting the function app config.
I think so, I don’t recall where I had originally found it in the Microsoft Docs, I’ll have to check my notes. The other two app settings (NextIterationLogicAppAddreas and WEB_HOST) use the same syntax and are working as expected, though. I forgot to mention, the App Config that it shows for AzureWebJobsStorage is correct, but it contains a key which is why we would prefer that it show only the KeyVault connection and pull from there. I think if syntax were incorrect, it would just show the incorrect string which makes me think that the function app is overwriting it after it has been set by Terraform.
Indeed, that syntax is fine according to https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references. You may be right that the AzureWebJobsStorage is being overwritten. If you reveal the hidden value, is it the full config string or the key vault reference?
If the function app is in consumption or premium plan, also the app setting WEBSITE_CONTENTAZUREFILECONNECTIONSTRING is automatically created with the storage account connection string as app config. It would also be nice to allow this app setting to be a key vault reference. This app setting is not even recognized in the state, it is marked as new on any apply.
Is this still a bug? Or is this an unintentional feature?
Still hope that this will be changed.
Hope this can be changed to use KeyVault Reference, as this is exposing the storage connection string in the Application Settings.
An update:
This actually works with
@lonegunmanb But, can azurerm_windows_function_app/azurerm_linux_function_app be used for consumption plan functions? As per documentation, a required argument is
Hi @kiranpradeep, I think a new issue would be better to ask for support for
In my view, I was more pointing out that the comment made by @lonegunmanb on 13/Oct/2021, which suggested azurerm_windows_function_app/azurerm_linux_function_app as a workaround for this issue is not matching with the documentation. Maybe I am wrong. Either way, I followed that suggestion and had raised a new issue at #15627. I raised in this thread itself so that others who follow this thread and see that suggestion, could save some hours by not following it for now.
@BradAF Can you check if the property A Blob Storage SAS URL for a second storage account used for key storage. By default, Functions uses the account set in AzureWebJobsStorage. When using this secret storage option, make sure that AzureWebJobsSecretStorageType isn't explicitly set or is set to blob. To learn more, see Secret repositories.
Community Note
Terraform (and AzureRM Provider) Version
Terraform v0.13.3
Affected Resource(s)
azurerm_function_app
Terraform Configuration Files
Expected Behavior
The AzureWebJobsStorage app setting should be configured to use the Azure Key Vault value, and be labeled as a 'Key Vault Reference'
Terraform should not try to overwrite the configuration unless it is changed.
Actual Behavior
The AzureWebJobsStorage app setting is configured locally, as an 'App Config' instead of 'Key Vault Reference'
Every subsequent deployment attempts to overwrite the AzureWebJobsStorage app setting with the correct Azure Key Vault setting.
Steps to Reproduce
terraform apply
Important Factoids
Other app settings configured to use the Azure Key Vault work as expected.
References
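A check for the condition this issue reports, as an added example that is not part of the original thread or the provider's code: it flags app settings that hold a storage connection string with a clear-text AccountKey instead of a Key Vault reference. The input shape (a list of name/value objects, assumed to match what `az functionapp config appsettings list` prints), the `EXAMPLE_BROKEN_REF` setting, and all sample values are constructed for illustration.

```python
import re

# Key Vault reference forms from the Microsoft doc linked in the thread:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version?>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
KV_REF = re.compile(
    r"^@Microsoft\.KeyVault\((?:SecretUri=https://[^)\s]+"
    r"|VaultName=[^;)\s]+;SecretName=[^;)\s]+(?:;SecretVersion=[^;)\s]+)?)\)$"
)
# A storage connection string that carries the account key in clear text.
RAW_KEY = re.compile(r"(?:^|;)\s*AccountKey=[A-Za-z0-9+/=]+", re.IGNORECASE)
# Settings the thread reports as ending up with the full connection string.
STORAGE_SETTINGS = {"AzureWebJobsStorage", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"}


def classify(value):
    """Return the kind of value stored in one app setting."""
    value = value.strip()
    if KV_REF.match(value):
        return "key_vault_reference"
    if RAW_KEY.search(value):
        return "raw_account_key"
    if value.startswith("@Microsoft.KeyVault"):
        return "malformed_reference"
    return "other"


def audit(settings):
    """settings: list of {"name": ..., "value": ...}. Returns [(name, finding)]."""
    findings = []
    for s in settings:
        kind = classify(s.get("value") or "")
        if kind in ("raw_account_key", "malformed_reference"):
            findings.append((s["name"], kind))
        elif s["name"] in STORAGE_SETTINGS and kind != "key_vault_reference":
            findings.append((s["name"], "storage_setting_not_a_reference"))
    return findings


# Constructed sample; vault, account and key values are placeholders.
CONN = ("DefaultEndpointsProtocol=https;AccountName=examplestorage;"
        "AccountKey=CONSTRUCTEDnotAREALkey==;EndpointSuffix=core.windows.net")
SAMPLE = [
    {"name": "AzureWebJobsStorage", "value": CONN},
    {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": CONN},
    {"name": "WEB_HOST", "value": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/web-host/)"},
    {"name": "NextIterationLogicAppAddreas", "value": "@Microsoft.KeyVault(VaultName=example-vault;SecretName=next-iteration)"},
    {"name": "EXAMPLE_BROKEN_REF", "value": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/broken"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A value that matches the reference pattern only shows what was stored; whether the platform resolved it is what the portal's 'Key Vault Reference' label mentioned under Expected Behavior indicates.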