ignore_changes in Function app app_settings is ignored #4321

Closed
androidand opened this issue Sep 13, 2019 · 11 comments
@androidand

androidand commented Sep 13, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

We are using Azure DevOps to deploy services to Azure.
In this case it's an Azure Function App running on a Linux Consumption Plan.
We want to apply the Terraform script for the infrastructure and then deploy the code. This would work if code is always deployed with the Azure function deploy step. The issue is that Azure DevOps sets the app setting WEBSITE_RUN_FROM_PACKAGE to the URL of the package to be run by the function app. Without this, the service will be unavailable with a 503 response.
I am having a hard time getting Terraform to ignore this property, see below.

Terraform (and AzureRM Provider) Version

Terraform 0.12.7
AzureRM Provider 1.28.0

Affected Resource(s)

  • azurerm_function_app

Terraform Configuration Files

resource "azurerm_function_app" "my_function_app" {

  # other settings

  app_settings = {
    WEBSITE_RUN_FROM_PACKAGE = "ThisWillBeSetToAnURLByAzureDevOpsDeploy" # Must be not empty
  }

  # other settings

  # Attempt to ignore the WEBSITE_RUN_FROM_PACKAGE property, since it is managed by Azure DevOps deploy!
  lifecycle { ignore_changes = [ app_settings.WEBSITE_RUN_FROM_PACKAGE ] }
}

Debug Output

Panic Output

Expected Behavior

No changes should take place!

Actual Behavior

          ~ "WEBSITE_RUN_FROM_PACKAGE"        = "https://sensitive.blob.core.windows.net/azure-pipelines-deploy/package_1111111111111.zip?st=aDatesomethingrandom=aDatesomethingrandom=r&sv=aDate&sr=somethingrandom" -> "ThisWillBeSetToAnURLByAzureDevOpsDeploy"

Steps to Reproduce

  1. terraform plan

Important Factoids

References

I have tried the workaround described in the below issue, it kind of worked once, it's not a sustainable or reliable solution.

@androidand
Author

@katbyte any news?

@mwwski

mwwski commented Jan 21, 2020

Can you try:

resource "azurerm_function_app" "my_function_app" {

  # other settings

  app_settings = {
    WEBSITE_RUN_FROM_PACKAGE = "ThisWillBeSetToAnURLByAzureDevOpsDeploy" # Must be not empty
  }

  # other settings

  # Attempt to ignore the WEBSITE_RUN_FROM_PACKAGE property, since it is managed by Azure DevOps deploy!
  lifecycle { ignore_changes = [ app_settings["WEBSITE_RUN_FROM_PACKAGE"] ] }
}

Worked for me on:
Terraform 0.12.19
AzureRM Provider 1.36

@bytejunkie
Contributor

looks like this has worked for me too. thanks for posting.

@gabrieljoelc

The description mentions that #1966 didn't work but #1966 (comment) mentions the same solution as #4321 (comment). The additional context in #1966 (comment) was helpful for me (re: the placeholders).

@pijemcolu

pijemcolu commented Sep 9, 2020

I don't see how I can simply ignore all app_settings for an azure function provisioned using tf. It must be a pretty basic use case where app settings are set as part of a CI/CD pipeline. Any suggestions?

I am looking for something like:

  lifecycle {
    ignore_changes = [
      "app_settings[*]"
    ]
  }

Best workaround I found so far is to just ignore changes to the function app completely and if I require changes do it manually:

  lifecycle {
    ignore_changes = [ all ]
  }

@phekmat
Contributor

phekmat commented Sep 11, 2020

> I don't see how I can simply ignore all app_settings for an azure function provisioned using tf. It must be a pretty basic use case where app settings are set as part of a CI/CD pipeline. Any suggestions?

This should work if I understand your setup correctly:

  lifecycle {
    ignore_changes = [
      app_settings
    ]
  }

@zsolt-halo

This issue has caused a production system outage for us so +1
Azure DevOps + functiontools is used for deploying the actual function app but the infra is provisioned with TF.

@nexxai
Contributor

nexxai commented Sep 28, 2020

Ok, so here's where I think the disconnect is: it appears that Terraform will only allow you to ignore specific app_settings if they were originally created from within Terraform. That means that if Azure DevOps created the App Setting (for example, the WEBSITE_RUN_FROM_PACKAGE one) and Terraform is only seeing it after the fact, even if you manually add it by way of ignore_changes = [ app_settings["WEBSITE_RUN_FROM_PACKAGE"] ], Terraform doesn't see or understand it for some reason and wants to change it anyways.

Conversely, if you first create the WEBSITE_RUN_FROM_PACKAGE app_setting to literally any setting from within Terraform, and then added ignore_changes = [ app_settings["WEBSITE_RUN_FROM_PACKAGE"] ], it would be correctly ignored when Azure DevOps made any changes to the settings

@katbyte is it possible to modify the functionality of the ignore_changes check to simply compare the list of existing app_settings with the ones being requested to ignore?

@nexxai
Contributor

nexxai commented Sep 28, 2020

Specifically, I believe it's a problem with https://github.com/hashicorp/terraform/blob/c05127c2895d003c62d1ed8d76356a1d07682037/terraform/eval_diff.go#L573 - it's looking only to "Managed" lines which is a problem since at least one major use case of ignoring changes is ignoring those changes that are made outside of Terraform. Just because they're managed outside of Terraform does not mean we don't know about them, and we'd like to be able to specify that they should not be touched by Terraform.

And I don't think I was super clear in my last post - we want the ability to ignore some changes while allowing the management of other changes, and right now, that kind of granularity is not available to us. Either Terraform can be set to ignore all changes, changes it created itself, or no changes at all. We're looking for the ability to ignore changes that we (the Terraform coder) know about, that Terraform may/should not.
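
Added example (not from any participant in this thread, and not provider or Terraform code): a pipeline guard that reads a plan in the JSON form emitted by `terraform show -json` and reports when an update would overwrite a deploy-managed app setting, the situation reported above. The sample plan, the `LOG_LEVEL` key, the `clobbered_settings` name and the example URL are constructed for illustration.

```python
import json

# App settings written by the release pipeline rather than by Terraform
# (WEBSITE_RUN_FROM_PACKAGE is the one named in this issue).
DEPLOY_MANAGED = {"WEBSITE_RUN_FROM_PACKAGE"}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_function_app.my_function_app",
     "type": "azurerm_function_app",
     "change": {"actions": ["update"],
                "before": {"app_settings": {
                    "WEBSITE_RUN_FROM_PACKAGE": "https://example.invalid/pkg.zip?sig=CONSTRUCTED",
                    "LOG_LEVEL": "info"}},
                "after": {"app_settings": {
                    "WEBSITE_RUN_FROM_PACKAGE": "ThisWillBeSetToAnURLByAzureDevOpsDeploy",
                    "LOG_LEVEL": "debug"}}}},
    {"address": "azurerm_function_app.other",
     "type": "azurerm_function_app",
     "change": {"actions": ["no-op"],
                "before": {"app_settings": {"WEBSITE_RUN_FROM_PACKAGE": "x"}},
                "after": {"app_settings": {"WEBSITE_RUN_FROM_PACKAGE": "x"}}}},
]})


def clobbered_settings(plan_json, managed=DEPLOY_MANAGED,
                       resource_type="azurerm_function_app"):
    """Return (address, key, effect) for each managed key the plan would alter.

    Values are deliberately left out of the result: the live value is a
    package URL carrying a query-string token and should stay out of logs.
    """
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != resource_type or "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("app_settings") or {}
        after = (change.get("after") or {}).get("app_settings") or {}
        for key in sorted(managed):
            if key in before and before[key] != after.get(key):
                effect = "changed" if key in after else "removed"
                findings.append((rc["address"], key, effect))
    return findings


if __name__ == "__main__":
    hits = clobbered_settings(SAMPLE_PLAN)
    for address, key, effect in hits:
        print(f"{address}: {key} would be {effect}")
    raise SystemExit(1 if hits else 0)
```

Run as a step between `terraform plan -out` and `terraform apply`, a non-zero exit stops the apply before the package setting is replaced by the placeholder.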

@favoretti
Contributor

Since this issue has been reported a long time ago and relates to the version of provider we no longer support - I'm going to close it. Please open a new updated bug report on current versions of terraform and provider if this is still relevant. Thank you.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 18, 2021