Does Terraform intend to ignore changes if arguments are omitted?

Question

Let's say I created an app service using azurerm_app_service with the bare minimum arguments. If I later go into Azure Portal and start creating IP restrictions and later run Terraform apply, it seems that Terraform doesn't detect drift and try to undo all of the IP restrictions. Is that working as intended? Is there Terraform documentation that says this is intended?

This behavior works in our favor, because it tells us that Terraform is OK with configuration drift so long as the argument or argument object is not defined in the configuration script. We intend to let Azure Portal users what is OK and not OK to modify in the portal without worrying about Terraform resetting it all.

Update: Accepted answer below and also received more feedback from Hashicorp's forum, https://discuss.hashicorp.com/t/terraform-not-detecting-drift-on-resources-intended-or-not/17547/4?u=terraform-man

Answer 1

This is called Desired State Vs Current State. If you create any resource using terraform and manually modify it, Terraform reverts it after next apply. Before Terraform Apply command, it fetches the current state into the statefile and then compares the current state vs desired state. If there is any manual change, it will make necessary changes to make it as Desired state.

Answer 2

It is going to depend on how the resource is implemented, the schema and what is changing. Typically with azurerm provider it should compute those changes even if they are optional. I would double check your terraform config and the portal resource you are modify are the same. You might need to run a refresh. In other words it is very common for changes in the portal to show up as drift when you run terraform.