Hello,
We’re using azurerm_resource_group_template_deployment to configure IpSecurityRestrictions on an Azure Function.
We’d like to better understand how azurerm_resource_group_template_deployment works because we noticed that it is modified every time we run terraform plan / apply even if the actual IP hasn’t changed.
This is how we use it:

```hcl
resource "azurerm_resource_group_template_deployment" "criteriaapiapimipwhitelist" {
  name                = "criteriaapi-apim-ipwhitelist"
  resource_group_name = azurerm_resource_group.rg.name
  deployment_mode     = "Incremental"
  template_content    = <<TEMPLATE
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "_force_terraform_to_always_redeploy": "${timestamp()}"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2018-11-01",
      "name": "${azurerm_function_app.criteriaapi.name}/web",
      "location": "[resourceGroup().location]",
      "properties": {
        "IpSecurityRestrictions": [
          {
            "ipAddress": "${local.apimIp}",
            "action": "Allow",
            "tag": "Default",
            "priority": 1,
            "name": "Shared API Management Instance",
            "description": "Allow access from Shared API Management Instance"
          }
        ]
      }
    }
  ]
}
TEMPLATE
}
```
Also, I have looked for documentation surrounding _force_terraform_to_always_redeploy but couldn’t find any.
Our concern is that the IP restriction is removed and added during terraform apply which might create a small downtime window.
Can you please clarify how the code above works?
P.S. - we’re using this approach because we basically weren’t able to use https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#ip_restriction. For some reason terraform ignored the ip_restriction array.
Thank you,
Cosmin