-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Announcement: v3.0.0 of the Azure Provider (Now Available) #14193
Comments
Is there a discussion for |
@russellhart yeah we can potentially update the name for that field, although I'm still not sure that |
Along with the move to Sets for Application Gateway, can the same change be done for rules blocks inside Firewall Application/Network/NAT rule collection groups? Happy to assist with the work. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Thoughts on the mentioned That way, zones could be accessed using |
👋 Last week's release of the Azure Provider (v2.97) contains the ability to opt-into 3.0 Beta using a feature-flag, details can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/3.0-beta and the (WIP) upgrade guide can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/3.0-upgrade-guide |
Can you comment on the rationale behind changing the lists to sets for Application Gateway? I presume it's similar in nature to what's discussed here (in that case, with respect to the AWS provider, and specifically, that the backend API doesn't actually order those configuration items so having e.g., a zeroth item in a list doesn't make sense). Regardless, I feel like this is actually a step backwards; finding things in sets seems somewhat difficult and makes writing modules difficult. As an alternative, I propose #15745 which I realize might be difficult given the timelines and likely lack of any development towards that. If I thought I could contribute I would and may, but I won't be able to provide anything meaningful for a while. |
@djryanj see this issue for more context on the Application Gateway List to Set changes - #6896 As mentioned in #15745 unfortunately we can't split the Application Gateway components into their own Resources (due to the API behaviour/conflicts) - but we could look to add data sources for the various components if that'd be helpful? From memory you should be able to use Terraform Core's |
@tombuildsstuff - that makes sense, thanks for clarifying. I suppose the awkwardness of working with a Set is probably better than the alternative mentioned in those other issues. My primary issue is around later using a |
👋 hey folks Over the past few months we've been working to integrate the changes mentioned above into the Provider and we're now at a point where we've finished up all of the major changes needed for version 3.0 of the Azure Provider. Thanks for all of the feedback around 3.0 - both above and from the 3.0 and App Service Betas - it's been really helpful and (particularly with App Service) has helped inform the design and catch a number of bugs. Since this is a meta issue tracking the changes coming in 3.0 and those changes are now complete - I'm going to close this issue, however as this issue is assigned to the 3.0 Milestone when the 3.0 release is available a comment will be posted to let you know. Thanks! |
This functionality has been released in v3.0.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Announcement: Upcoming v3 of the Azure Provider
Version 3.0 of the Azure Provider will be a major release, this means this will include breaking changes - in addition to new features and enhancements available in regular releases.
During the development of v2.0 of the Azure Provider we used Feature Toggling to allow us to continue shipping releases (to support the many new capabilities of Azure) while working on major features and changes for the 2.0 release. This approach worked well, allowing us to iteratively add new features for 2.0 and subsequently allowing users to try these out - which provided invaluable feedback. Subsequently, we’re using the same approach for 3.0.
Opting into the Beta
The 3.0 Beta is now available! Complete instructions for opting in here.
Pinning your Provider Version
You can pin the version of the Provider using the
required_providers
block in Terraform 0.13 and later. Note: earlier versions of Terraform require a different approach; however, we’d recommend upgrading to Terraform 1.0... or to any 2.x release:
More information on how to pin the version of a Terraform Provider can be found on the Terraform Website.
What’s Planned for 3.0?
While there’s many features will make up v3 of the Azure Provider, we’re looking to add support for the following new major features:
In addition - since this is a major version of the Azure Provider - we intend to update some existing behaviors, including:
We’ll switch to using Resource Manager (management plane) for all resources.(the required APIs have not yet been updated)Switching to use AzureAD / Resource Manager for nested item configuration - this allows provisioning these when Private Link is enabled, however requires different permissions which are not granted by default.(the required APIs have not yet been updated)allow_blob_public_access
will be renamed toallow_nested_items_to_be_public
to resolve confusion about what this field does. This field specifies whether items within the Storage Account (such as Containers and Blobs) can opt-in to being made public (for example at the Container or Blob level) - and not that all resources within this Storage Account are public by default.min_tls_version
: updating the default minimum TLS version to be1.2
.zones
field: updating the behavior to be consistent across the Provider.zones
- in addition the valuesNo-Zone
andZoneRedundant
will be removed in favour of being explicit.ignore_changes
functionality to ignore changes to this field.null
) will deploy this without any Zones.Zone Redundant
resources can be provisioned by specifying all of the Availability Zones for that particular Azure Region. We’ll also introduce a newazurerm_availability_zones
data source to provide this information.identity
block: updating the behavior to be consistent across the Provider.identity
block means a Managed Identity should be assigned to this Resource - and the omission of anidentity
block (or anull
value) means that no Managed Identity should be assigned to this Resource.Feature details: New Data Sources / Resources for App Service & Function Apps
While it’s possible to provision App Services and Function Apps in Terraform today, the design and behavior of the App Service platform has changed over the years. These resources require some refinement.
Similar to the changes for Virtual Machines in v2.0 of the Azure Provider, we’re intending to introduce more granular resources for App Service to better represent the functionality available in Azure.
Some of these new Data Sources and Resources are available as an opt-in Beta today from version 2.79 of the Azure Provider onwards - and we encourage you to try them out.
While we don’t anticipate making changes to these resources at this time - since these are in Beta, it’s possible. As such, we recommend not using this Beta in a Production environment at this time.
More information on the specific changes for App Service / Function Apps can be found in the documentation
Feature details: Key Vault - Soft Delete Recovery/Purging for Certificates, Keys and Secrets
Previously, soft delete has only been available for a Key Vault resource as a whole. Now, you’ll be able to soft delete the nested items within a Key Vault: certificates, keys, and secrets.
Feature details: Switching to Microsoft Graph
The AzureRM provider needs to query the graph API in order to retrieve important information about the principal account it’s using to authenticate. We currently use the Azure Active Directory Graph API for this, but this API is deprecated and has been replaced by Microsoft Graph, so in version 3.0 of the provider we’ll be switching to the newer API. When using service principal authentication, this will require changes to API permissions that are granted to that principal and this will be covered in our upgrade guide.
We’ll also be enabling Microsoft Graph via an opt-in beta prior to version 3.0 and we encourage you to try this when it’s available, as part of your preparation for the new major version.
Feature details: Switching to use MSAL for authentication instead of ADAL
Authentication to APIs such as Resource Manager is currently performed using the ADAL library which yields legacy v1 authentication tokens. We’ll move to use v2 tokens in version 3.0 of the provider. In practice this change will not yield any noticeable behavioral differences; however, since this underpins the way the provider authenticates to Azure services, we’ll be making this change in a major release.
Frequently Asked Questions
Why is the behavior of Resource Groups changing?
Most resources in Azure are provisioned within a Resource Group, which (amongst other things) allows for easy grouping and allows scoping permissions to resources within this Resource Group.
The default behavior of the Azure Platform (and Terraform today) when deleting a Resource Group is to delete all of the items within this Resource Group.
While this feature makes it easy to clean-up any resources - since resources can be provisioned outside of Terraform, it means that these Resources are untracked by Terraform - and so Terraform is unable to show these Resources in the Plan during the deletion of the Resource Group.
Terraform has a feature-flag for this behavior available within the Features block today - which will check during the deletion of the Resource Group for any Resources within this Resource Group, and raise an error (stating these must be removed first) if any Resources are found. In v2.x versions of the Azure Provider this is disabled by default - however v3.0 will flip this default to be enabled by default.
This behavior can be configured using the features block as shown below, both in v2.x and v3.0 of the Azure Provider:
Setting this value to true will check for nested Resources during deletion of the Resource Group; setting this to false will skip this check.
When will v3 of the Azure Provider be available?
Version 3.0 of the Azure Provider is being built iteratively using Feature Toggles within the v2.x codebase. This means that functionality will be added over time until the 3.0 Release is completed.
This Feature Toggle approach has been used during the development of v2.0 of the Azure Provider and worked well - this allows users to opt-into functionality coming in v3.0 of the Provider in a 2.x release.
Since this is being worked on iteratively and the majority of behavior can be enabled prior release, v3.0 of the Azure Provider will launch when it’s features have been completed, tested, and sufficient time has pass to allow for feedback - currently we’re targeting early 2022 (however this is subject to change).
How can I opt into the Beta?
The 3.0 Beta is now available! Complete instructions for opting in here.
Note that functionality in the Beta is subject to change, including breaking changes - so while we’d appreciate your feedback, we’d recommend against using this in a production environment at this point in time.
Disclosures
The product-development initiatives in this document reflect HashiCorp's current plans and are subject to change and/or cancellation in HashiCorp's sole discretion.
The text was updated successfully, but these errors were encountered: