Community Note
- Please vote on this issue by adding a reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureRM Provider) Version
$ terraform -v
Terraform v1.0.5
on linux_amd64
Affected Resource(s)
azurerm_app_service
- Using azurerm_app_plan too, but not sure bug is in that resource
Terraform Configuration Files
module_main.tf
resource "azurerm_app_service_plan" "plan" {
  name = local.app_service_plan.name
  location = var.location
  resource_group_name = var.resource_group_name
  kind = local.app_service_plan.kind
  # is_xenon = true
  reserved = local.app_service_plan.reserved
  sku {
    tier = var.app_service_plan["sku_tier"]
    size = var.app_service_plan["sku_size"]
  }
}

resource "azurerm_app_service" "service" {
  depends_on = [ azurerm_role_assignment.acr-pull ]
  name = local.app_service.name
  location = var.location
  resource_group_name = var.resource_group_name
  app_service_plan_id = azurerm_app_service_plan.plan.id
  https_only = var.https_only
  site_config {
    windows_fx_version = local.fx_version.windows
    linux_fx_version = local.fx_version.linux
    websockets_enabled = true
    dotnet_framework_version = "v4.0"
    always_on = true
    ftps_state = var.ftps_state
    acr_use_managed_identity_credentials = var.enable_idenity
    acr_user_managed_identity_client_id = var.enable_idenity ? azurerm_user_assigned_identity.acr_user_identity[0].client_id : ""
  }
  app_settings = merge({
    "APPINSIGHTS_INSTRUMENTATIONKEY" = local.app_service.instrumentation_key
    "WEBSITES_PORT" = tostring(var.appservices_port),
  }, var.additional_app_settings)
  dynamic "logs" {
    for_each = var.logging
    content {
      application_logs {
        azure_blob_storage {
          level = logs.value["verbosity"]
          sas_url = logs.value["sa_sas_url"]
          retention_in_days = logs.value["retention_days"]
        }
      }
      http_logs {
        azure_blob_storage {
          sas_url = logs.value["sa_sas_url"]
          retention_in_days = logs.value["retention_days"]
        }
      }
    }
  }
  dynamic "connection_string" {
    for_each = var.connection_string
    content {
      name = connection_string.value["name"]
      type = connection_string.value["type"]
      value = connection_string.value["value"]
    }
  }
  dynamic "identity" {
    for_each = local.app_service.identity_ids
    content {
      type = "UserAssigned"
      identity_ids = identity.value
    }
  }
  auth_settings {
    enabled = var.azure_ad_auth_setting.enabled
    default_provider = "AzureActiveDirectory"
    unauthenticated_client_action = "AllowAnonymous"
    dynamic "active_directory" {
      for_each = toset(var.azure_ad_auth_setting.ad_client_ids)
      content {
        client_id = active_directory.value
      }
    }
  }
}
that is getting called from example_main.tf
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = ">= 2.78.0"
    }
    random = {
      source = "hashicorp/random"
      version = "~>3.1.0"
    }
  }
  required_version = ">=0.14.7"
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {
}

module "windows-app-svc" {
  source = "../../.."
  kernel_type = "Windows"
  location = "eastus2"
  app_service_plan_name_override = "windows-container-app-svc-plan"
  app_service_name_override = "windows-container-app-svc"
  resource_group_name = var.resource_group_name
  # subnet_id = var.subnet_id
  appservices_port = 80
  https_only = false
  app_service_plan = {
    kind = "app",
    reserved = false
    sku_tier = "PremiumV3"
    sku_size = "P1v3"
  }
  docker_framework = {
    user = var.image.registry.url
    image = var.image.name
    tag = var.image.tag
  }
  azure_ad_auth_setting = {
    enabled = true
    ad_client_ids = ["<my user object id>"]
  }
  additional_app_settings = {
    "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false,
    "DOCKER_REGISTRY_SERVER_USERNAME" = var.image.registry.username,
    "DOCKER_REGISTRY_SERVER_PASSWORD" = var.image.registry.password,
    "DOCKER_REGISTRY_SERVER_URL" = var.image.registry.url
  }
  enable_idenity = false
}
Debug Output
Panic Output
Terraform apply passes but app service in azure won't start up.
Expected Behaviour
I deployed my windows app once by hand and once by terraform. When doing it by hand, the type of the app service was set to app,container,windows but when I do it in terraform I can only pick one, and container is not an option as well. The second difference between the manual app service and terraform deployed one is that hyperV is enabled on manual but I see no option anywhere to enable it for terraform deployments. The last thing that I noticed is that the manual one, under configuration in the app service, doesn't have a documents tab to set default document, but the terraform deployed one does.
I have compared JSONs of the manual deployment and terraform based ones for several days and have determined these differences but nothing I've tried seems to work. I also tried to deploy a Linux App Service w/ACR and that worked as expected. So any advice/tips people have for me would be great.
Actual Behaviour
Terraform plan passes
Terraform apply passes
Go to portal and click app service browse button
Website says: “You do not have permission to view this directory or page.”
Steps to Reproduce
- Copy code
- terraform init
- terraform apply
- Go to azure and browse app service
Important Factoids
- Pulling from private ACR
- Windows image
References
The error is so vague that it is hard to determine what is actually failing. Happy to provide more details for those who have questions. Thanks everyone!
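
The comparison described in the report (the JSON of the manual deployment against the Terraform-deployed one) can be made repeatable with a small structural diff. This is an added example, not part of the original issue or the provider's code; the two sample exports and their field names are constructed for illustration.

```python
import json

# Constructed sample exports (not from the issue): trimmed shapes of two
# App Service resource JSONs. Field names are assumptions for illustration.
MANUAL = json.loads("""{
  "kind": "app,container,windows",
  "properties": {"hyperV": true, "httpsOnly": false,
                 "siteConfig": {"windowsFxVersion": "DOCKER|<registry>/<image>:<tag>"}}
}""")
TERRAFORM = json.loads("""{
  "kind": "app",
  "properties": {"hyperV": false, "httpsOnly": false,
                 "siteConfig": {"windowsFxVersion": "DOCKER|<registry>/<image>:<tag>",
                                "defaultDocuments": ["index.html"]}}
}""")

MISSING = "<absent>"  # marker for a path present on only one side

def flatten(node, prefix=""):
    """Turn nested dicts into {dotted.path: value}; lists stay as leaf values."""
    if not isinstance(node, dict):
        return {prefix: node}
    flat = {}
    for key, value in node.items():
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return flat

def normalize(path, value):
    """Compare the comma-separated 'kind' string as a set so order and case are ignored."""
    if path == "kind" and isinstance(value, str):
        return frozenset(part.strip().lower() for part in value.split(","))
    return value

def diff_exports(left, right):
    """Return {path: (left_value, right_value)} for every path that differs."""
    a, b = flatten(left), flatten(right)
    changes = {}
    for path in sorted(a.keys() | b.keys()):
        lv, rv = a.get(path, MISSING), b.get(path, MISSING)
        if normalize(path, lv) != normalize(path, rv):
            changes[path] = (lv, rv)
    return changes

if __name__ == "__main__":
    for path, (manual, tf) in diff_exports(MANUAL, TERRAFORM).items():
        print(f"{path}: manual={manual!r} terraform={tf!r}")
```

Running it against real exports of both sites lists only the paths that differ, which keeps settings such as `httpsOnly` that match on both sides out of the way.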