
Bug: Duplicate registry server url in image name when doing an update

Open pacorreia opened this issue 3 years ago • 6 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Community Note

  • Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.6

AzureRM Provider Version

3.17.0

Affected Resource(s)/Data Source(s)

azurerm_linux_function_app

Terraform Configuration Files

resource "azurerm_resource_group" "rg" {
  name     = "rg-func-app-docker-issue"
  location = "westeurope"
}

resource "azurerm_container_registry" "acr" {
  name                = "acrfuncappdockerissue"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic"
  admin_enabled       = true
}

resource "azurerm_role_assignment" "acr_role_assignment" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_linux_function_app.func.identity[0].principal_id
}

resource "azurerm_service_plan" "asp" {
  name                = "asp-func-app-docker-issue"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "B1"
}

resource "azurerm_storage_account" "func_storage" {
  name                     = "storfuncappdockerissue"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_kind             = "Storage"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
  network_rules {
    bypass         = ["AzureServices"]
    default_action = "Allow"
    ip_rules       = []
  }

}
resource "azurerm_linux_function_app" "func" {
  name                       = "func-app-docker-issue"
  resource_group_name        = azurerm_resource_group.rg.name
  location                   = azurerm_resource_group.rg.location
  service_plan_id            = azurerm_service_plan.asp.id
  storage_account_name       = azurerm_storage_account.func_storage.name
  storage_account_access_key = azurerm_storage_account.func_storage.primary_access_key
  identity {
    type = "SystemAssigned"
  }

  site_config {
    application_stack {
      docker {
        image_name   = "repo/function-app"
        image_tag    = "latest"
        registry_url = azurerm_container_registry.acr.login_server
      }

    }
    container_registry_use_managed_identity = true
  }

  lifecycle {
    ignore_changes = [
      site_config[0].application_stack[0].docker[0].image_name,
      site_config[0].application_stack[0].docker[0].image_tag,
      site_config[0].application_stack[0].docker[0].registry_url
    ]
  }

  timeouts {}
}

output "func_details" {
  value = {
    linux_fx_version = azurerm_linux_function_app.func.site_config[0].linux_fx_version
    docker = {
      image_name   = azurerm_linux_function_app.func.site_config[0].application_stack[0].docker[0].image_name
      image_tag    = azurerm_linux_function_app.func.site_config[0].application_stack[0].docker[0].image_tag
      registry_url = azurerm_linux_function_app.func.site_config[0].application_stack[0].docker[0].registry_url
    }
  }
}

Debug Output/Panic Output

https://gist.github.com/pacorreia/b6515dde9f72f3851235803dde7142bf

Expected Behaviour

The docker image name, tag and registry url should have remained intact with ignore_changes setup:

image

Actual Behaviour

Image name is set to https, and image tag gets the registry url prefixed to the original image name, like "//someacr.azureact.io/repo/image"

image

Steps to Reproduce

For this case no actual docker image needs to be present!

  1. terraform apply
  2. change anything in your function app (comment/uncomment the app setting block to trigger a change)
  3. terraform apply again
  4. Go to Azure Portal and check in deployment center that image name and image tag got changed in wrong way.

Also noticed that, when we don't ignore changes to docker properties, and we edit in Azure Portal, Terraform reports that there was a change, e.g.:

  1. In terraform we set registry url without https
  2. We go to Azure Portal and update a tag
  3. Run terraform plan and registry_url shows a drift, reads https:// and when applying will remove it
  4. Same happens for image name, we set it without registry url prefix, and after a change in portal, terraform reports it as having registry url as part for image name.

@james-bjss might provide more info on code analysis we did to azurerm provider.

Important Factoids

No response

References

No response

pacorreia, Aug 10 '22 14:08

Hey team,

for some reason the bug label was removed from this issue, and one got eyes into this; it is a bit of a concerning issue, please do the triage

pacorreia, Sep 21 '22 11:09

Hi. It seems solved in the last Azurerm provider version v3.42.0

dcd000, Feb 03 '23 10:02

@dcd000 part of it, yes, but I've noticed another thing as described in this issue:

Also noticed that, when we don't ignore changes to docker properties, and we edit in Azure Portal, Terraform reports that there was a change, e.g.:

  1. In terraform we set registry url without https
  2. We go to Azure Portal and update a tag
  3. Run terraform plan and registry_url shows a drift, reads https:// and when applying will remove it
  4. Same happens for image name, we set it without registry url prefix, and after a change in portal, terraform reports it as having registry url as part for image name.

I don't get it why this issue was not being monitored and related as well

pacorreia, Feb 03 '23 10:02

I think that as of version v3.42 registry_url must use https because it is directly used to populate the DOCKER_REGISTRY_SERVER_URL app setting and this must include the protocol. Try with registry_url = "https://${azurerm_container_registry.acr.login_server}"

dcd000, Feb 03 '23 11:02

We're seeing this same behaviour but in an azurerm_linux_web_app. Specifically, when the docker/private registry values are set inside of the application_stack block, the server's name is being added to the image name (e.g.: Full Image Name and Tag field in Azure).

What this translates to is the Web App trying to pull host/host/image:tag, which is failing (because it should be host/image:tag), and the application is crashing.

The only work-around we have, currently, is to set the appropriate values via Az CLI (e.g.: az webapp config container set) and these values are respected (notably: it looks like DOCKER_CUSTOM_IMAGE_NAME is the value respected).

Looking at the audit trail in Azure, it is evident that the double-host value is being applied to the linuxFxVersion field; however, we are not modifying anything in the Web App configuration (in terraform) to trigger this change. In fact, the terraform plan notes that the application stack has no changes.

image

We have reproduced this on 3.83.0 and 3.103.1 (latest at the time of this comment) of the AzureRM provider in terraform.

This sounds like a core issue, with significant impact, and one that needs a thorough review in the code, and for these reasons, a priority.

pacorreia, May 14 '24 00:05

This is indeed a "minor" but annoying issue. Due to the "nonstandard" behavior, I can't just pass $CI_REGISTRY_IMAGE from my GitLab CI pipeline since I will end up with the host twice in the configured image name. Again, it's not an unsurmountable issue, but it requires variable repetition to get around.

baffelli, Apr 08 '25 12:04
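The host/host/image:tag value reported in this thread comes from joining a registry URL onto an image name that already carries the host. As an added illustration (not the provider's code and not from any commenter), the Go sketch below builds and splits a `DOCKER|host/image:tag` linuxFxVersion idempotently, so an apply followed by a read yields the same image name. The helper names and the `acr.example.io` host are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// registryHost strips scheme and trailing slash so both spellings compare equal.
func registryHost(registryURL string) string {
	h := strings.TrimSpace(registryURL)
	h = strings.TrimPrefix(h, "https://")
	h = strings.TrimPrefix(h, "http://")
	return strings.TrimSuffix(h, "/")
}

// BuildLinuxFxVersion (hypothetical helper) returns "DOCKER|host/image:tag",
// first removing any scheme or host prefix already present on the image name.
func BuildLinuxFxVersion(registryURL, image, tag string) string {
	host := registryHost(registryURL)
	image = strings.TrimPrefix(strings.TrimPrefix(image, "https:"), "//")
	for host != "" && strings.HasPrefix(image, host+"/") {
		image = strings.TrimPrefix(image, host+"/")
	}
	if host != "" {
		image = host + "/" + image
	}
	return fmt.Sprintf("DOCKER|%s:%s", image, tag)
}

// SplitLinuxFxVersion (hypothetical helper) reverses the build step and returns
// the image without the registry host, even if the host was stored twice.
func SplitLinuxFxVersion(fx, registryURL string) (image, tag string, err error) {
	if !strings.HasPrefix(fx, "DOCKER|") {
		return "", "", fmt.Errorf("not a docker linuxFxVersion: %q", fx)
	}
	ref := strings.TrimPrefix(fx, "DOCKER|")
	// Only a ':' after the last '/' is a tag separator; earlier ones are ports.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref, tag = ref[:i], ref[i+1:]
	}
	host := registryHost(registryURL)
	for host != "" && strings.HasPrefix(ref, host+"/") {
		ref = strings.TrimPrefix(ref, host+"/")
	}
	return ref, tag, nil
}

func main() {
	// Constructed input: the image already includes the host, as a CI variable might.
	fmt.Println(BuildLinuxFxVersion("https://acr.example.io", "acr.example.io/repo/function-app", "latest"))
}
```
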