We are using Azure DevOps to deploy services to Azure.
In this case it's an Azure Function App running on a Linux Consumption Plan.
We want to apply the Terraform script for the infrastructure and then deploy the code. This would work if code is always deployed with the Azure function deploy step. The issue is that Azure DevOps sets the app setting WEBSITE_RUN_FROM_PACKAGE to the URL of the package to be run by the function app. Without this, the service will be unavailable with a 503 response.
I am having a hard time getting Terraform to ignore this property, see below.
Terraform 0.12.7
AzureRM Provider 1.28.0
azurerm_function_app
```
resource "azurerm_function_app" "my_function_app" {
  # other settings
  app_settings = {
    WEBSITE_RUN_FROM_PACKAGE = "ThisWillBeSetToAnURLByAzureDevOpsDeploy" # Must be not empty
  }
  # other settings
  # Attempt to ignore the WEBSITE_RUN_FROM_PACKAGE property, since it is managed by Azure DevOps deploy!
  lifecycle { ignore_changes = [ app_settings.WEBSITE_RUN_FROM_PACKAGE ] }
}
```
No changes should take place!
```
~ "WEBSITE_RUN_FROM_PACKAGE" = "https://sensitive.blob.core.windows.net/azure-pipelines-deploy/package_1111111111111.zip?st=aDatesomethingrandom=aDatesomethingrandom=r&sv=aDate&sr=somethingrandom" -> "ThisWillBeSetToAnURLByAzureDevOpsDeploy"
```
terraform plan
I have tried the workaround described in the issue below; it kind of worked once, but it's not a sustainable or reliable solution.
@katbyte any news?
Can you try:
```
resource "azurerm_function_app" "my_function_app" {
  # other settings
  app_settings = {
    WEBSITE_RUN_FROM_PACKAGE = "ThisWillBeSetToAnURLByAzureDevOpsDeploy" # Must be not empty
  }
  # other settings
  # Attempt to ignore the WEBSITE_RUN_FROM_PACKAGE property, since it is managed by Azure DevOps deploy!
  lifecycle { ignore_changes = [ app_settings["WEBSITE_RUN_FROM_PACKAGE"] ] }
}
```
Worked for me on:
Terraform 0.12.19
AzureRM Provider 1.36
Looks like this has worked for me too. Thanks for posting.
The description mentions that #1966 didn't work but https://github.com/terraform-providers/terraform-provider-azurerm/issues/1966#issuecomment-530262368 mentions the same solution as https://github.com/terraform-providers/terraform-provider-azurerm/issues/4321#issuecomment-576691106. The additional context in https://github.com/terraform-providers/terraform-provider-azurerm/issues/1966#issuecomment-530262368 was helpful for me (re: the placeholders).
I don't see how I can simply ignore all app_settings for an azure function provisioned using tf. It must be a pretty basic use case where app settings are set as part of a CI/CD pipeline. Any suggestions?
I am looking for something like:
```
lifecycle {
  ignore_changes = [
    "app_settings[*]"
  ]
}
```
Best workaround I found so far is to just ignore changes to the function app completely and if I require changes do it manually:
```
lifecycle {
  ignore_changes = [ all ]
}
```
> I don't see how I can simply ignore all app_settings for an azure function provisioned using tf. It must be a pretty basic use case where app settings are set as part of a CI/CD pipeline. Any suggestions?
This should work if I understand your setup correctly:
```
lifecycle {
  ignore_changes = [
    app_settings
  ]
}
```
This issue has caused a production system outage for us so +1
Azure DevOps + functiontools is used for deploying the actual function app but the infra is provisioned with TF.
Ok, so here's where I think the disconnect is: it appears that Terraform will only allow you to ignore specific app_settings if they were originally created from within Terraform. That means that if Azure DevOps created the App Setting (for example, the WEBSITE_RUN_FROM_PACKAGE one) and Terraform is only seeing it after the fact, even if you manually add it by way of `ignore_changes = [ app_settings["WEBSITE_RUN_FROM_PACKAGE"] ]`, Terraform doesn't see or understand it for some reason and wants to change it anyways.
Conversely, if you first create the WEBSITE_RUN_FROM_PACKAGE app_setting to literally any setting from within Terraform, and then added `ignore_changes = [ app_settings["WEBSITE_RUN_FROM_PACKAGE"] ]`, it would be correctly ignored when Azure DevOps made any changes to the settings.
@katbyte is it possible to modify the functionality of the ignore_changes check to simply compare the list of existing app_settings with the ones being requested to ignore?
Specifically, I believe it's a problem with https://github.com/hashicorp/terraform/blob/c05127c2895d003c62d1ed8d76356a1d07682037/terraform/eval_diff.go#L573 - it's looking only to "Managed" lines which is a problem since at least one major use case of ignoring changes is ignoring those changes that are made outside of Terraform. Just because they're managed outside of Terraform does not mean we don't know about them, and we'd like to be able to specify that they should not be touched by Terraform.
And I don't think I was super clear in my last post - we want the ability to ignore some changes while allowing the management of other changes, and right now, that kind of granularity is not available to us. Either Terraform can be set to ignore all changes, changes it created itself, or no changes at all. We're looking for the ability to ignore changes that we (the Terraform coder) know about, that Terraform may/should not.
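A pipeline guard for the failure mode discussed in this thread, added here as an example (it is not code from any commenter, from Terraform, or from the AzureRM provider): it reads the JSON form of a saved plan and fails the stage if the plan would overwrite an app setting the deploy step owns, so a silently ineffective `ignore_changes` is caught before apply. The `PIPELINE_OWNED` set, the function name, and the sample plan are assumptions constructed for illustration; only the setting names are reported, because the live value is a signed package URL that should stay out of CI logs.

```python
import json
import sys

# Assumption: app_settings keys written by the deploy step, not by Terraform.
PIPELINE_OWNED = {"WEBSITE_RUN_FROM_PACKAGE"}

# Constructed sample in the shape of `terraform show -json` output (not real data).
_URL = "https://example.invalid/pkg.zip?sig=CONSTRUCTED"
SAMPLE_PLAN = {"resource_changes": [
    # ignore_changes not effective: the placeholder would replace the live URL.
    {"address": "azurerm_function_app.my_function_app", "type": "azurerm_function_app",
     "change": {"actions": ["update"],
                "before": {"app_settings": {"WEBSITE_RUN_FROM_PACKAGE": _URL}},
                "after": {"app_settings": {
                    "WEBSITE_RUN_FROM_PACKAGE": "ThisWillBeSetToAnURLByAzureDevOpsDeploy"}}}},
    # ignore_changes effective: only a Terraform-managed setting changes.
    {"address": "azurerm_function_app.with_ignore", "type": "azurerm_function_app",
     "change": {"actions": ["update"],
                "before": {"app_settings": {"WEBSITE_RUN_FROM_PACKAGE": _URL,
                                            "APP_LOG_LEVEL": "info"}},
                "after": {"app_settings": {"WEBSITE_RUN_FROM_PACKAGE": _URL,
                                           "APP_LOG_LEVEL": "debug"}}}},
]}


def pipeline_owned_drift(plan, owned=PIPELINE_OWNED):
    """Return sorted (address, key) pairs where an in-place update would change
    or drop a pipeline-owned app setting. Values are deliberately not returned."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_function_app":
            continue
        if "update" not in change.get("actions", []):
            continue  # create, delete and no-op are not the drift case here
        before = (change.get("before") or {}).get("app_settings") or {}
        after = (change.get("after") or {}).get("app_settings") or {}
        for key in owned:
            if key in before and before.get(key) != after.get(key):
                findings.append((rc["address"], key))
    return sorted(findings)


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = pipeline_owned_drift(plan)
    for address, key in hits:
        print(f"{address}: plan would overwrite app_settings[{key!r}]")
    sys.exit(1 if hits else 0)
```

Generate the input with `terraform plan -out=tfplan` followed by `terraform show -json tfplan > plan.json`, and run the script between the plan and apply stages.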