public_network_access_enabled not updating on azurerm_linux_web_app #24878

emilypie opened this issue Feb 13, 2024 · 6 comments

@emilypie

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.0

AzureRM Provider Version

3.86.0

Affected Resource(s)/Data Source(s)

azurerm_linux_web_app

Terraform Configuration Files

resource "azurerm_linux_web_app" "app_service" {
  name                      = "test-linux-web-app"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  service_plan_id           = azurerm_app_service_plan.example.id
  virtual_network_subnet_id = azurerm_subnet.example1.id
  https_only                = true
  identity {
    type = "SystemAssigned"
  }
  public_network_access_enabled   = true
  site_config {
    ip_restriction {
      name                      = "Access From FrontDoor"
      action                    = "Allow"
      priority                  = "100"
      virtual_network_subnet_id = null
      ip_address                = null
      service_tag               = "AzureFrontDoor.Backend"
      headers                   = null
    }
    always_on = true
    vnet_route_all_enabled = true
  }
}

resource "azurerm_private_endpoint" "private_endpoint" {
  name                              = "test-appservice-private-endpoint"
  location                          = azurerm_resource_group.example.location
  resource_group_name               = azurerm_resource_group.example.name
  subnet_id                         = azurerm_subnet.example2.id
  custom_network_interface_name     = "test-private-endpoint-nic"

  private_service_connection {
    name                            = "test-appservice-private-service-connection"
    is_manual_connection            = false
    private_connection_resource_id  = var.app_service_id
    subresource_names               = ["sites"]
  }

  timeouts {}
}

Debug Output/Panic Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.environment.module.claimant_portal_api.module.private_endpoint[0].azurerm_private_endpoint.private_endpoint will be created
  + resource "azurerm_private_endpoint" "private_endpoint" {
      + custom_dns_configs            = (known after apply)
      + custom_network_interface_name = "test-private-endpoint-nic"
      + id                            = (known after apply)
      + location                      = "eastus"
      + name                          = "test-appservice-private-endpoint"
      + network_interface             = (known after apply)
      + private_dns_zone_configs      = (known after apply)
      + resource_group_name           = "example"
      + subnet_id                     = "/subscriptions/redacted/resourceGroups/redacted/providers/Microsoft.Network/virtualNetworks/redacted/subnets/redacted"

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = "test-appservice-private-service-connection"
          + private_connection_resource_id = "/subscriptions/redacted/resourceGroups/redacted/providers/Microsoft.Web/sites/redacted"
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "sites",
            ]
        }

      + timeouts {}
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Expected Behaviour

Under Inbound traffic configuration, Public network access should be Enabled, because the terraform config says to explicitly override the default behavior.

Additionally, clicking on the linked text should show the radio button Enabled from select virtual networks and IP addresses selected.

Actual Behaviour

Under Inbound traffic configuration, Public network access is Disabled (Using default behavior).

Additionally, clicking on the linked text shows none of the 3 radio buttons under Public Network Access are selected.

Steps to Reproduce

  1. Copy/paste the app service terraform
  2. terraform plan
  3. terraform apply
  4. Copy/paste the private endpoint terraform
  5. terraform plan
  6. terraform apply
  7. Visit the app service in Azure Portal
  8. Click Networking on the left

Important Factoids

No response

References

It seems like this is an issue with more than just azurerm_linux_web_app:

@pauldotknopf

pauldotknopf commented Apr 29, 2024

I'm starting to get conflict errors related to this change:

performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with response: {"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property.","Target":null,"Details":[{"Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"01020","MessageTemplate":"There was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."],"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."}}],"Innererror":null}

/cc @jackofallops

@mitcheman

> I'm starting to get conflict errors related to this change:
>
> performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with response: {"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property.","Target":null,"Details":[{"Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"01020","MessageTemplate":"There was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."],"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."}}],"Innererror":null}
>
> /cc @jackofallops

Also receiving a new conflict error for site/siteConfig properties

SiteConfig.VnetRouteAllEnabled cannot be modified. Please modify the Site.VnetRouteAllEnabled property.

@dpickeringjudge

we're also seeing the exact same issue ^

@mrk9676

mrk9676 commented May 2, 2024

> I'm starting to get conflict errors related to this change:
>
> performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with response: {"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property.","Target":null,"Details":[{"Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"01020","MessageTemplate":"There was a conflict. {0}","Parameters":["SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."],"Code":"BadRequest","Message":"There was a conflict. SiteConfig.PublicNetworkAccess cannot be modified. Please modify the Site.PublicNetworkAccess property."}}],"Innererror":null}
>
> /cc @jackofallops
>
> Also receiving a new conflict error for site/siteConfig properties
>
> SiteConfig.VnetRouteAllEnabled cannot be modified. Please modify the Site.VnetRouteAllEnabled property.

Hello all,

We have been getting the issue below for the last 2 days with the Azure App Service VNET configuration. It's behaving very oddly. Enabling vnet_route_all_enabled throws the conflict. If I remove this setting, VNET routing gets enabled by default in a few subscriptions. In a few subscriptions it is not enabled. Please let me know if there is any solution or workaround.

Error:: Code="BadRequest" Message="There was a conflict. SiteConfig.VnetRouteAllEnabled cannot be modified. Please modify the Site.VnetRouteAllEnabled property."

@skillbuilderzone

Any update on this?

@xiaxyi
Contributor

xiaxyi commented May 14, 2024

@mrk9676 I think the API is not throwing the error now? Do you mind double-checking to see if you are still getting the 400 error?
@skillbuilderzone Are you still getting the 400 error?
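
A drift check for the mismatch reported in this issue, added here as an example and not part of the thread or the provider's code: it compares the `public_network_access_enabled` value recorded by Terraform with the effective setting on the site. The inventory dict shape and the `hasPrivateEndpoint` key are hypothetical, and all sample data is constructed.

```python
# Constructed sample of `terraform show -json` output, trimmed to the fields used here.
TF_STATE = {"values": {"root_module": {
    "resources": [
        {"address": "azurerm_linux_web_app.other", "type": "azurerm_linux_web_app",
         "values": {"name": "constructed-other-app", "public_network_access_enabled": False}}],
    "child_modules": [{"address": "module.environment", "resources": [
        {"address": "module.environment.azurerm_linux_web_app.app_service",
         "type": "azurerm_linux_web_app",
         "values": {"name": "test-linux-web-app", "public_network_access_enabled": True}}]}],
}}}

# Constructed inventory keyed by app name. The dict shape and "hasPrivateEndpoint" are
# hypothetical; "publicNetworkAccess" stands for the Site-level property named in the 400 error.
AZURE_SITES = {
    "test-linux-web-app": {"publicNetworkAccess": None, "hasPrivateEndpoint": True},
    "constructed-other-app": {"publicNetworkAccess": "Disabled", "hasPrivateEndpoint": True},
}

def web_apps(module):
    """Yield (address, values) for each azurerm_linux_web_app, descending into child modules."""
    for res in module.get("resources", []):
        if res.get("type") == "azurerm_linux_web_app":
            yield res["address"], res["values"]
    for child in module.get("child_modules", []):
        yield from web_apps(child)

def effective_public_access(site):
    """Return (enabled, source). An unset value falls back to the default behaviour:
    disabled once a private endpoint exists (as reported in the issue), assumed enabled otherwise."""
    explicit = site.get("publicNetworkAccess")
    if explicit:
        return explicit == "Enabled", "explicit"
    return not site.get("hasPrivateEndpoint"), "default"

def find_drift(state, sites):
    """Compare declared public_network_access_enabled with the effective Azure setting."""
    findings = []
    for address, values in web_apps(state["values"]["root_module"]):
        site = sites.get(values["name"])
        if site is None:
            findings.append((address, "not found in inventory"))
            continue
        declared = values.get("public_network_access_enabled", True)  # treated as true when unset
        actual, source = effective_public_access(site)
        if declared != actual:
            findings.append((address, f"declared={declared} actual={actual} ({source})"))
    return findings
```

Calling `find_drift(TF_STATE, AZURE_SITES)` flags only the app from the issue, whose declared `true` is overridden by the default behaviour once the private endpoint exists.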
