kism3t

Reputation: 1361

Azure Function "Host keys" not created with Terraform

If I create an Azure Function manually through the portal, App Keys are created.

If I try the same through terraform:

The Function App

  resource "azurerm_function_app" "resize_images" {
    name                      = format("%s%s%s%s", module.subscription_prefix.prefix, "pfunctionapp", lower(local.environment), "0001")
    location                  = azurerm_resource_group.azure_functions.location
    resource_group_name       = azurerm_resource_group.azure_functions.name
    app_service_plan_id       = module.app_service_plan.id
  
    # AzureRM 1.x needs this
    #storage_connection_string = local.azure_functions_storage_account_primary_connection_string
  
    # AzureRM 2.x needs this
    storage_account_name       = data.azurerm_storage_account.resize_storage.name
    storage_account_access_key = data.azurerm_storage_account.resize_storage.primary_access_key
  
    app_settings = {
      AzureWebJobsDashboard          = data.azurerm_storage_account.resize_storage.primary_connection_string
      AzureWebJobsStorage            = data.azurerm_storage_account.resize_storage.primary_connection_string
      BLOB_STORAGE_CONNECTION_STRING = data.azurerm_storage_account.resize_storage.primary_connection_string
      CONTAINER_NAME = "images"
      FUNCTIONS_EXTENSION_VERSION = "~3"
      WEBSITE_HTTPLOGGING_RETENTION_DAYS = "3"
      WEBSITE_RUN_FROM_PACKAGE = "1"
    }
  
    version = "~3"
  
    tags = local.tags
  }

No App Keys are created.

Within the Terraform documentation there is nothing on how to create those keys, but you can read them as data.

Could anyone point me in the correct direction on how the keys were created?!

Upvotes: 9

Views: 5522

Answers (5)

Inua

Reputation: 51

For me the issue was that a function app with the same name had been deleted from the resource group earlier, and the old keys in the storage account were "blocking" the new keys from being created and/or found. Deleting the old keys from the storage and recreating the function app through Terraform fixed the issue.

Upvotes: 1

JMC

Reputation: 38

We had this bug and were still seeing it on the latest version of azurerm (2.54), and for us reverting to version = "~1" wasn't an option. The app keys are being created in blob storage, but the generated v3 Function App can't find them. We had to delete the old blob containing the encrypted keys and add this to the function app App Settings in Terraform: CONTAINER_NAME = "azure-webjobs-secrets".

The entire app_settings for the Terraformed Function App are as follows:

   app_settings = {
     AzureWebJobsDashboard          = data.azurerm_storage_account.sg.primary_connection_string
     AzureWebJobsStorage            = data.azurerm_storage_account.sg.primary_connection_string
     CONTAINER_NAME = "azure-webjobs-secrets"
     FUNCTIONS_EXTENSION_VERSION = "~3"
     WEBSITE_HTTPLOGGING_RETENTION_DAYS = "3"
   }

This fixed it for us.

Upvotes: 2

Luis

Reputation: 45

I've come across the same issue, and in my case what made the difference was to remove the version parameter:

version = "~3"

Removing it makes the keys be generated again.

Upvotes: 0

Jamie Jonas

Reputation: 11

I'm not entirely sure this is the full fix for the problem; I still receive it after removing this app_setting.

For me this looks like a timing issue: Terraform creates the functions, then I'm asking for the keys but there are no keys, and Terraform fails. I wait less than a minute and the keys are there, re-run apply, and all works...

Really struggling to find a fix on this one.

UPDATE: So Azure provider 2.45.1 times out on retrieving keys. Provider 2.51.0 however does not...

Seems the timeout has been fixed on the latest provider.

Upvotes: 1
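
One way to handle the timing issue described in the answer above, as an added example that is not part of any answer on this page: delay the key lookup with a time_sleep resource (hashicorp/time provider) before reading the azurerm_function_app_host_keys data source. The 60s delay and the names wait_for_host_keys and resize_images_default_key are assumptions; azurerm_function_app.resize_images is the resource from the question.

```hcl
terraform {
  required_providers {
    # Merge these entries into your existing required_providers block.
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.51.0" # version reported above as no longer timing out
    }
    time = {
      source = "hashicorp/time"
    }
  }
}

# Assumption: 60s is long enough; the answer above reports the keys
# appearing in under a minute after the Function App is created.
resource "time_sleep" "wait_for_host_keys" {
  depends_on      = [azurerm_function_app.resize_images]
  create_duration = "60s"
}

# Read the host keys only after the delay has elapsed.
data "azurerm_function_app_host_keys" "resize_images" {
  name                = azurerm_function_app.resize_images.name
  resource_group_name = azurerm_function_app.resize_images.resource_group_name

  depends_on = [time_sleep.wait_for_host_keys]
}

# Host keys are secrets: mark the output sensitive so it is redacted in
# plan/apply output. The value is still written to the Terraform state,
# so the state backend needs its own access control and encryption.
output "resize_images_default_key" {
  value     = data.azurerm_function_app_host_keys.resize_images.default_function_key
  sensitive = true
}
```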

Nancy Xiong

Reputation: 28234

By default, keys are stored in a Blob storage container in the account provided by the AzureWebJobsStorage setting. In your code, the keys indeed were auto-generated on that associated storage account but did not display on the Azure Function app UI.

After my validation, if you remove the WEBSITE_RUN_FROM_PACKAGE = "1" in the app_settings, then you will see default App keys in your Function app. When you add a WEBSITE_RUN_FROM_PACKAGE setting to your function app settings, it enables your function app to run from a package. I think this overrides the default Azure function deployment behavior more or less. Read this for more details.

Upvotes: 5
