Terraform-provider-azurerm: Function App configuration - key vault references fail on secret update with "inconsistent final plan"

Created on 23 Oct 2020  ·  3 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

  • Terraform v0.12.3
  • 2.20.0

Affected Resource(s)

  • azurerm_key_vault_secret
  • azurerm_function_app

Terraform Configuration Files

resource "azurerm_function_app" "fa" {
  name                        = "${var.prefix}-FA-${var.app_name}"
  location                    = var.location
  resource_group_name         = var.resourcegroup
  app_service_plan_id         = azurerm_app_service_plan.asp.id
  storage_account_name        = azurerm_storage_account.sa.name
  storage_account_access_key  = azurerm_storage_account.sa.primary_access_key

  identity {
    type = "SystemAssigned"
  }

  app_settings = {
    "FUNCTIONS_WORKER_RUNTIME"    = "dotnet"
    "FUNCTIONS_EXTENSION_VERSION" = "~3"
    "secretkey"                   = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.secretkey.id})"
  }

  tags = {
    environment = var.environment
    app_name    = var.app_name
  }
}

resource "azurerm_key_vault" "kv" {
  name                        = "${var.prefix}-KV-${var.app_name}"
  location                    = var.location
  resource_group_name         = var.resourcegroup
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  soft_delete_enabled         = true
  purge_protection_enabled    = false

  tags = {
    environment = var.environment
    app_name    = var.app_name
  }
}

resource "azurerm_key_vault_secret" "secretkey" {
  name         = "secretkey"
  value        = "__secretkey__"
  key_vault_id = azurerm_key_vault.kv.id

  tags = {
    environment = var.environment
    app_name    = var.app_name
  }
}

Debug Output

https://gist.github.com/nmanzi/d72245ef261a22af6de9c2c8155d318c

Panic Output

N/A

Expected Behavior

Function App Configuration should be updated with new secret URI

Actual Behavior

Terraform apply fails

Steps to Reproduce

  1. terraform apply
  2. Modify azurerm_key_vault_secret value
  3. terraform apply

All 3 comments

It seems this is caused by the 'id' property of a key vault secret changing if the value is changed. A change results in a new version with a new URI / ID.

If terraform apply is run after the secrets are changed and the ID is updated in state, it successfully applies changes to the function app configuration values.
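
The cause described in the comment above, shown as an added example that is not part of the original issue thread or the provider's own code: the versioned reference from the issue beside a versionless Key Vault reference built from the vault and secret names, which stay the same when the secret value changes. It assumes the resources and variables from the issue's configuration; the `locals` names are hypothetical, and whether this avoids the plan error on a given provider version has not been tested here.

```hcl
# Added example. Assumes azurerm_key_vault.kv, azurerm_key_vault_secret.secretkey,
# azurerm_app_service_plan.asp, azurerm_storage_account.sa and the variables
# used in the issue's configuration.

locals {
  # Form used in the issue: the secret's id ends in the version identifier,
  # so the string changes every time the secret value changes.
  kv_ref_versioned = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.secretkey.id})"

  # Versionless form: built only from the vault name and secret name.
  # With no SecretVersion given, App Service resolves the latest version.
  # Referencing the secret's name keeps the implicit dependency, so the
  # secret is still created before the Function App.
  kv_ref_versionless = "@Microsoft.KeyVault(VaultName=${azurerm_key_vault.kv.name};SecretName=${azurerm_key_vault_secret.secretkey.name})"
}

resource "azurerm_function_app" "fa" {
  name                       = "${var.prefix}-FA-${var.app_name}"
  location                   = var.location
  resource_group_name        = var.resourcegroup
  app_service_plan_id        = azurerm_app_service_plan.asp.id
  storage_account_name       = azurerm_storage_account.sa.name
  storage_account_access_key = azurerm_storage_account.sa.primary_access_key

  identity {
    type = "SystemAssigned"
  }

  app_settings = {
    "FUNCTIONS_WORKER_RUNTIME"    = "dotnet"
    "FUNCTIONS_EXTENSION_VERSION" = "~3"
    # Swap in local.kv_ref_versioned to reproduce the setting from the issue.
    "secretkey"                   = local.kv_ref_versionless
  }

  tags = {
    environment = var.environment
    app_name    = var.app_name
  }
}
```

A versionless reference means the app follows whatever the latest secret version is, so a rotated value is picked up without a Terraform change; pin `SecretVersion` instead when the app must stay on a reviewed version.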

hi @nmanzi

Thanks for opening this issue :)

Taking a look through, this appears to be a duplicate of #3129 - rather than having multiple issues open tracking the same thing, I'm going to close this issue in favour of that one; would you mind subscribing to #3129 for updates?

Thanks!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
