
Using azurerm_linux_web_app has been a pain lately: every time I deploy a simple .NET Core app on Linux with azurerm_linux_web_app, Terraform tries to replace the resource. I'm using CI/CD pipelines to deploy the resources. But when I deploy the same app service using azurerm_app_service, I don't see any error (it only updates the resource).

This is a single resource; everywhere the web app is associated, Terraform replaces the resource with the new principal_id. Can someone see what is wrong?

# azurerm_role_assignment.acrpulladmin must be replaced
-/+ resource "azurerm_role_assignment" "acrpulladmin" {
      ~ id                               = "/subscriptions/***" -> (known after apply)
      ~ name                             = "1dcdvgbtg-ccdcdvfv-bh6543gs" -> (known after apply)
      ~ principal_id                     = "ccdcdvfv-1dcdvgbtg-ccdcdvfv" -> (known after apply) # forces replacement
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
devopsseeker

1 Answer


It could be one of the known issues with the azurerm_role_assignment resource.

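I would suggest using the latest Terraform azurerm provider with the container_registry_use_managed_identity option in site_config for azurerm_linux_web_app, so that the web app pulls its image from the registry with its managed identity rather than with registry credentials. See here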

# Looks up an existing resource group by name; this configuration reads it
# and does not create or manage it.
data "azurerm_resource_group" "example" {
  name = "example-rg"
}

# Linux App Service plan that hosts the web app declared in this configuration.
# NOTE(review): azurerm_app_service_plan is deprecated in azurerm 3.x in favour
# of azurerm_service_plan - confirm which one the pinned provider version supports.
resource "azurerm_app_service_plan" "example" {
  name                = "example-service-plan"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  # A Linux plan needs both kind = "linux" and reserved = true.
  kind                = "linux"
  reserved            = true

  sku {
    size = "B3"
    tier = "Basic"
  }

  # Tags changed outside Terraform do not show up as drift in the plan.
  lifecycle {
    ignore_changes = [
      tags
    ]
  }
}

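# Container registry that holds the image the web app pulls.
resource "azurerm_container_registry" "example" {
  # Registry names must be globally unique and alphanumeric only
  # (5-50 characters); a hyphenated name such as "example-acr" is rejected.
  name                = "exampleacr"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  sku                 = "Basic"

  # Keep the shared admin account disabled: the web app authenticates with its
  # managed identity and the AcrPull role, so no registry password has to be
  # stored or rotated.
  admin_enabled = false

  # Tags changed outside Terraform do not show up as drift in the plan.
  lifecycle {
    ignore_changes = [
      tags
    ]
  }
}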

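# Grants the web app's system-assigned identity pull-only access to the registry.
resource "azurerm_role_assignment" "pull_image" {
  # AcrPull scoped to this one registry is the least privilege that still lets
  # the app fetch its image; avoid widening the scope to the resource group.
  role_definition_name = "AcrPull"
  scope                = azurerm_container_registry.example.id

  # Must reference the azurerm_linux_web_app resource: no azurerm_app_service
  # named "example" is declared in this configuration. A system-assigned
  # identity is re-created whenever the web app itself is replaced, so
  # principal_id then shows "(known after apply)" and this assignment is
  # replaced along with it.
  principal_id = azurerm_linux_web_app.example.identity[0].principal_id
}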



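# Linux web app that pulls its container image from the registry using its
# own system-assigned managed identity.
resource "azurerm_linux_web_app" "example" {
  name                = "example-app-service"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  service_plan_id     = azurerm_app_service_plan.example.id
  # Reject plain-HTTP requests to the app.
  https_only          = true

  # The principal created here is the one that receives the AcrPull role
  # assignment on the registry.
  identity {
    type = "SystemAssigned"
  }

  site_config {
    # Native booleans instead of the quoted strings "true".
    always_on                               = true
    # Authenticate to the registry with the managed identity, so no
    # DOCKER_REGISTRY_SERVER_USERNAME / _PASSWORD app settings are needed.
    container_registry_use_managed_identity = true
  }

  app_settings = {
    DOCKER_REGISTRY_SERVER_URL = "https://${azurerm_container_registry.example.login_server}"
  }

  lifecycle {
    # NOTE(review): app_settings is ignored after creation, so a later change
    # to DOCKER_REGISTRY_SERVER_URL in this file is not applied - confirm that
    # this is intended.
    ignore_changes = [
      site_config[0].scm_type,
      app_settings,
      tags
    ]
  }
}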
Andriy Bilous