azurerm_logic_app_standard does not have an argument for Microsoft.Web/sites/publicNetworkAccess #27398

Closed
1 task done
condor47times opened this issue Sep 14, 2024 · 2 comments · Fixed by #28465

@condor47times

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.4

AzureRM Provider Version

3.108

Affected Resource(s)/Data Source(s)

azurerm_logic_app_standard

Terraform Configuration Files

resource "azurerm_resource_group" "example" {
  name     = "azure-functions-test-rg"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "functionsapptestsa"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_app_service_plan" "example" {
  name                = "azure-functions-test-service-plan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  kind                = "elastic"


  sku {
    tier = "WorkflowStandard"
    size = "WS1"
  }
}

resource "azurerm_logic_app_standard" "example" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  app_settings = {
    "FUNCTIONS_WORKER_RUNTIME"     = "node"
    "WEBSITE_NODE_DEFAULT_VERSION" = "~18"
  }
}

Debug Output/Panic Output

na

Expected Behaviour

Using Terraform, I expect to be able to configure both Microsoft parameters described below. Especially since policy or best practice scanners may check both parameters.

Microsoft has 2 parameters regarding "publicNetworkAccess" for Logic App Standard:

  1. "Microsoft.Web/sites/config" (properties.siteConfig.publicNetworkAccess)
  2. "Microsoft.Web/sites" (properties.publicNetworkAccess)

Using PowerShell, you can see the 2 parameters:
(get-azresource -id "/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/xxxxxxxx/providers/Microsoft.Web/sites/xxxxxx").properties.siteConfig.publicNetworkAccess
(get-azresource -id "/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/xxxxxxxx/providers/Microsoft.Web/sites/xxxxxx").properties.publicNetworkAccess

AND

Examination of the JSON exported template from a LogicApp in Azure Portal will also show these 2 parameters.

  1. Microsoft.Web/sites/config "publicNetworkAccess"
  2. Microsoft.Web/sites "publicNetworkAccess"

UNFORTUNATELY,
I could not find a way to see 'both' parameters with Azure CLI.
This AZ CLI command only shows #1, properties.siteConfig.publicNetworkAccess; it does not give us #2, properties.publicNetworkAccess.
Get-AzWebApp -ResourceGroupName "xxxxxx" -Name "xxxxxx"

ALSO,
Looking in Azure Portal > Logic app > settings > Networking > Inbound traffic configuration | Public network access
This configuration setting seems to be related only to #2, "Microsoft.Web/sites" (properties.publicNetworkAccess), NOT #1,
because when I changed the value here in the portal, the deployment JSON shows:
"value": "Microsoft.Web/sites/write",
"localizedValue": "Update website"

Actual Behaviour

azurerm_logic_app_standard currently only has 1 argument, and it is for "Microsoft.Web/sites/config", exposed inside the site_config block. It does not have an argument for "Microsoft.Web/sites/".

Steps to Reproduce

terraform apply

Important Factoids

na

References

na

@ziyeqf
Contributor

ziyeqf commented Sep 18, 2024

Hi @condor47times, thanks for opening this issue.

These two publicNetworkAccess properties should have the same value; no matter which is changed, it will sync to the other. If your scanner works on Azure resources, it should be OK.

For the duplicate keys, we have work in progress to switch to using Microsoft.Web/publicNetworkAccess instead of Microsoft.Web/sites/publicNetworkAccess. The motivation can be found in the document.
However, this will take some more time since we need to upgrade the API version to involve the Microsoft.Web/publicNetworkAccess property.

For any other questions, please leave comments.
Thanks
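
A check for the situation discussed in this thread, as an added example that is not part of the original issue or the provider's code: it reads an exported ARM template and reports, per site, whether the `Microsoft.Web/sites` and `Microsoft.Web/sites/config` values of `publicNetworkAccess` match the required value and agree with each other. The function names, the constructed sample template and the choice of `"Disabled"` as the required value are assumptions.

```python
import re

# Constructed sample shaped like a portal-exported ARM template (values made up).
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Web/sites",
     "name": "[parameters('sites_example_name')]",
     "properties": {"publicNetworkAccess": "Disabled", "siteConfig": {}}},
    {"type": "Microsoft.Web/sites/config",
     "name": "[concat(parameters('sites_example_name'), '/web')]",
     "properties": {"publicNetworkAccess": "Enabled"}},
]}


def site_key(name):
    """Map 'site' and 'site/web' (literal or ARM expression) to one key."""
    m = re.search(r"parameters\('([^']+)'\)", name)
    return m.group(1) if m else name.split("/")[0]


def public_network_access(template):
    """Collect the site-level and config-level values for each site."""
    sites = {}
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        if rtype not in ("microsoft.web/sites", "microsoft.web/sites/config"):
            continue
        props = res.get("properties", {})
        entry = sites.setdefault(site_key(res.get("name", "")), {})
        if rtype == "microsoft.web/sites":
            entry["site"] = props.get("publicNetworkAccess")
            # Path #1 from the issue, when it appears on the site resource itself.
            nested = (props.get("siteConfig") or {}).get("publicNetworkAccess")
            if nested is not None:
                entry.setdefault("config", nested)
        else:
            entry["config"] = props.get("publicNetworkAccess")
    return sites


def findings(template, required="Disabled"):
    """Return (site, problem) pairs for unset, non-compliant or disagreeing values."""
    out = []
    for site, vals in sorted(public_network_access(template).items()):
        for key in ("site", "config"):
            if vals.get(key) != required:
                out.append((site, f"{key} publicNetworkAccess is {vals.get(key)!r}"))
        if vals.get("site") != vals.get("config"):
            out.append((site, "site and config values disagree"))
    return out
```

A value reported as `None` means the template did not state that property at all, which a scanner checking both parameters would also flag.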


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 13, 2025