Resource group template deployment downtime


We’re using azurerm_resource_group_template_deployment to configure IpSecurityRestrictions on an Azure Function.

We’d like to better understand how azurerm_resource_group_template_deployment works because we noticed that it is modified everytime we run terraform plan / apply even if the actual IP hasn’t changed.

This is how we use it
resource “azurerm_resource_group_template_deployment” “criteriaapiapimipwhitelist” {
name = “criteriaapi-apim-ipwhitelist”
resource_group_name =
deployment_mode = “Incremental”
template_content = <<TEMPLATE
schema": "", "contentVersion": "", "variables": { "_force_terraform_to_always_redeploy": "{timestamp()}”
“resources”: [{
“name”:"{}/web", "location":"[resourceGroup().location]", "properties":{ "IpSecurityRestrictions":[ { "ipAddress":"{local.apimIp}",
“name”:“Shared API Management Instance”,
“description”:“Allow access from Shared API Management Instance”

Also I have looked for documentation surrounding _force_terraform_to_always_redeploy but couldn’t find any.

Our concern is that the IP restriction is removed and added during terraform apply which might create a small downtime window.

Can you please clarify how the code above works?

P.S. - we’re using this approach because we basically weren’t able to use For some reason terraform ignored the ip_restriction array.

Thank you,