Anthony Klotz

Reputation: 571

Terraform reports a change to Application Insights key on every plan that is run

I have several Azure resources that are created using the for_each property and then those resources have an Application Insights resource created using for_each as well.

Here is the code that creates the azurerm_application_insights:

resource "azurerm_application_insights" "applicationInsights" {
  for_each            = toset(keys(merge(local.appServices, local.functionApps)))
  name                = lower(join("-", ["wb", var.deploymentEnvironment, var.location, each.key, "ai"]))
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  application_type    = "web"
  lifecycle {
    ignore_changes = [tags]
  }
}

I've noticed that every time we run a terraform plan against some environments, we are always seeing Terraform report a "change" to the APPINSIGHTS_INSTRUMENTATIONKEY value. When I compare this value in the app settings key/value list to the actual AI instrumentation key that was created for it, it does match.

 Terraform will perform the following actions:
 
   # module.primaryRegion.module.functionapp["fnapp1"].azurerm_function_app.fnapp will be updated in-place
   ~ resource "azurerm_function_app" "fnapp" {
       ~ app_settings                   = {
           # Warning: this attribute value will be marked as sensitive and will
           # not display in UI output after applying this change
           ~ "APPINSIGHTS_INSTRUMENTATIONKEY" = (sensitive) 
             # (1 unchanged element hidden)

Is this a common issue with other people? I would think that the instrumentation key would never change especially since Terraform is what created all of these Application Insights resources and assigns it to each application.

This is how I associate each Application Insights resource with its appropriate application using a for_each property:

module "webapp" {
  for_each              = local.appServices
  source                = "../webapp"
  name                  = lower(join("-", ["wb", var.deploymentEnvironment, var.location, each.key, "app"]))
  location              = var.location
  resource_group_name   = azurerm_resource_group.rg.name
  app_service_plan_id   = each.value.app_service_plan_id
  app_settings          = merge({"APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.applicationInsights[each.key].instrumentation_key}, each.value.app_settings)
  allowed_origins       = each.value.allowed_origins
  deploymentEnvironment = var.deploymentEnvironment
}

I'm wondering if the merge is just reordering the list of key/values in the app_settings for the app, and Terraform detects that as some kind of change and the value itself isn't changing. This is the only way I know how to assign a bunch of Application Insights resources to many web apps using for_each to reduce configuration code.

Upvotes: 2

Views: 1638
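The plan in the question masks the value as (sensitive), so the console output cannot show whether the key is really changing, merely reordered by merge, or not known until apply. The following added example (not code from the question or from Terraform) compares the app_settings map key by key in the JSON plan written by `terraform show -json <planfile>`, reading its `resource_changes[].change.before`, `after` and `after_unknown` fields and printing only truncated hashes of values. The function names and the sample plan are constructed for illustration, and the sample shows only one possible outcome.

```python
import hashlib
import json

# Constructed sample shaped like `terraform show -json <planfile>` output;
# the address is the one from the question's plan, the values are made up.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": 'module.primaryRegion.module.functionapp["fnapp1"].azurerm_function_app.fnapp',
    "change": {
        "before": {"app_settings": {"APPINSIGHTS_INSTRUMENTATIONKEY": "constructed-key-0001",
                                    "WEBSITE_RUN_FROM_PACKAGE": "1"}},
        "after": {"app_settings": {"WEBSITE_RUN_FROM_PACKAGE": "1"}},
        "after_unknown": {"app_settings": {"APPINSIGHTS_INSTRUMENTATIONKEY": True}},
    },
}]})


def _digest(value):
    """Short SHA-256 prefix so values can be compared without being printed."""
    return hashlib.sha256(str(value).encode()).hexdigest()[:12]


def app_settings_diff(plan_json, attr="app_settings"):
    """Return {address: {key: status}} for every map key that is not identical."""
    report = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        before = (change.get("before") or {}).get(attr) or {}
        after = (change.get("after") or {}).get(attr) or {}
        unknown = (change.get("after_unknown") or {}).get(attr) or {}
        if unknown is True:  # the whole map is computed at apply time
            unknown = {k: True for k in before}
        keys = {}
        for key in sorted(set(before) | set(after) | set(unknown)):
            if unknown.get(key):
                keys[key] = "unknown until apply"
            elif key not in before:
                keys[key] = "added"
            elif key not in after:
                keys[key] = "removed"
            elif before[key] != after[key]:
                keys[key] = f"changed {_digest(before[key])} -> {_digest(after[key])}"
        if keys:
            report[rc["address"]] = keys
    return report


if __name__ == "__main__":
    print(json.dumps(app_settings_diff(SAMPLE_PLAN), indent=2))
```

The JSON plan holds sensitive values in plain text, so keep the file out of CI logs and artifacts and delete it after the comparison. An empty result means no key of the map differs, including the case where only the key order changed.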

Answers (1)

SamirFarhat

Reputation: 79

Use only the site_config block to solve the issue. Example:

resource "azurerm_windows_function_app" "function2" {
  provider            = azurerm.private
  name                = local.private.functionapps.function2.name
  resource_group_name = local.private.rg.app.name
  location            = local.private.location

  storage_account_name       = local.private.functionapps.storageaccount.name
  storage_account_access_key = azurerm_storage_account.function_apps_storage.primary_access_key
  service_plan_id            = azurerm_service_plan.app_service_plan.id
  virtual_network_subnet_id  = lookup(azurerm_subnet.subnets, "appservice").id
  https_only                 = true

  site_config {
    application_insights_key = azurerm_application_insights.appinisghts.instrumentation_key
  }
}

Upvotes: 2
