terraform-provider-azapi icon indicating copy to clipboard operation
terraform-provider-azapi copied to clipboard
verified publisher icon Azure

azapi_resource_action: Microsoft.Web/sites config does not detect changes

Open phatcher opened this issue 1 year ago • 7 comments

As the app service terraform provider does not yet support setting the minimum TLS cipher suite I had a go at setting it via azapi, something like this

data "azapi_resource_id" "config" {
  type      = "Microsoft.Web/sites/config@2023-12-01"
  parent_id = azurerm_app_service.this.id
  name      = "web"
}

resource "azapi_resource_action" "config" {
  type        = "Microsoft.Web/sites/config@2023-12-01"
  resource_id = data.azapi_resource_id.config.id
  method      = "PATCH"

  body = {
    name = "web"
    properties = {
      minTlsCipherSuite = local.min_tls_ciphersuite
    }
  }
}

This works, but if the value is modified via the portal and I re-apply the terraform, no change is applied i.e. it keeps the portal setting.

Is this expected behaviour?

phatcher avatar Jul 22 '24 18:07 phatcher

hey @phatcher this may be better implemented through azapi_update_resource? Since that is made for this sort of behavior in a CRUD-friendly manner.

stemaMSFT avatar Jul 23 '24 22:07 stemaMSFT

Yes, the azapi_resource_action is only used to trigger an HTTP request, it doesn't monitor the resource's state. If the minTlsCipherSuite could be updated by PUT method, it's recommended to use azapi_update_resource, because it monitors the state, and will show diff if the value is modified by other client tools.

ms-henglu avatar Jul 24 '24 02:07 ms-henglu

@stemaMSFT Thanks that is working, there's a schema issue with the VSCode extension as it wants to assign "web" to the name, but the it appears to be the base name of the site.

If I leave it as web it always show a change that never actually sticks

phatcher avatar Jul 25 '24 13:07 phatcher

@phatcher are you still running into that issue with the extension? That does sound strange.

stemaMSFT avatar Jul 29 '24 17:07 stemaMSFT

@phatcher are you still running into that issue with the extension? That does sound strange.

Hi @stemaMSFT,

I believe this is the issue mentioned by @phatcher :

image

I think the cause is bad swagger, the generated document says that the name field only supports a list of allowed values: image

ms-henglu avatar Jul 30 '24 07:07 ms-henglu

What I wasn't sure is whether the schema was correct and the API playing up or vice versa :-)

phatcher avatar Jul 30 '24 14:07 phatcher

the problem with using azapi_update_resource is that it doesnt use PATCH, it uses PUT, so it replaces the entire appsettings config. azapi_resource_action with methog PATCH does proeprly merge key value pairs with existing values, but does not detect changes

fgarcia-cnb avatar Aug 27 '24 09:08 fgarcia-cnb