Reputation: 114
I have created an Azure App Service using Terraform; by default it picks the old-style AUTH setting. As Microsoft suggests, the old settings will be removed at the end of this year, so we would want to migrate to the new AUTH setting. I don't see any documentation around it. When I manually upgraded the AUTH settings for one of the App Services, Terraform can't update the given App Service any more.
Below is the code snippet I am using to create the App Service. This creates the App Service with AUTH version 1.
resource "azurerm_app_service" "as" {
  for_each = var.appservice

  name                = lookup(each.value, "appservice_name")
  location            = var.location
  resource_group_name = var.resource_group_name
  app_service_plan_id = var.app_service_plan_id
  https_only          = lookup(each.value, "https_only", null)
  client_cert_enabled = lookup(each.value, "client_cert_enabled", false)
  tags                = var.standard_tags

  dynamic "site_config" {
    for_each = lookup(each.value, "site_config", [])
    content {
      always_on           = lookup(site_config.value, "always_on", true)
      app_command_line    = lookup(site_config.value, "app_command_line", null)
      auto_swap_slot_name = lookup(site_config.value, "auto_swap_slot_name", null)

      dynamic "cors" {
        for_each = lookup(site_config.value, "cors", [])
        content {
          allowed_origins     = lookup(cors.value, "allowed_origins", null)
          support_credentials = lookup(cors.value, "support_credentials", null)
        }
      }

      default_documents         = lookup(site_config.value, "default_documents", ["index.html", "hostingstart.html"])
      dotnet_framework_version  = lookup(site_config.value, "dotnet_framework_version", null)
      ftps_state                = lookup(site_config.value, "ftps_state", "FtpsOnly")
      http2_enabled             = lookup(site_config.value, "http2_enabled", true)
      health_check_path         = lookup(site_config.value, "health_check_path", null)
      java_container            = lookup(site_config.value, "java_container", null)
      java_container_version    = lookup(site_config.value, "java_container_version", null)
      java_version              = lookup(site_config.value, "java_version", null)
      linux_fx_version          = lookup(site_config.value, "linux_fx_version", null)
      local_mysql_enabled       = lookup(site_config.value, "local_mysql_enabled", null)
      managed_pipeline_mode     = lookup(site_config.value, "managed_pipeline_mode", null)
      min_tls_version           = lookup(site_config.value, "min_tls_version", "1.2")
      php_version               = lookup(site_config.value, "php_version", null)
      python_version            = lookup(site_config.value, "python_version", null)
      remote_debugging_enabled  = lookup(site_config.value, "remote_debugging_enabled", null)
      remote_debugging_version  = lookup(site_config.value, "remote_debugging_version", null)
      scm_type                  = lookup(site_config.value, "scm_type", "VSTSRM")
      use_32_bit_worker_process = lookup(site_config.value, "use_32_bit_worker_process", null)
      websockets_enabled        = lookup(site_config.value, "websockets_enabled", null)
      windows_fx_version        = lookup(site_config.value, "windows_fx_version", null)
    }
  }

  app_settings = merge(lookup(each.value, "app_settings", {}), var.custom_app_settings)

  # This block configures the legacy (v1) App Service Authentication settings.
  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    issuer                        = "https://login.microsoftonline.com/XXXXXX/v2.0/"
    unauthenticated_client_action = "RedirectToLoginPage"

    active_directory {
      client_id     = var.as_client_id
      client_secret = var.as_client_secret
      allowed_audiences = [
        "https://${lookup(each.value, "appservice_name")}.azurewebsites.net"
      ]
    }
  }
}
Upvotes: 6
Views: 4180
Reputation: 313
I'd recommend not updating this to Auth v2 in the Azure Portal; otherwise it will break your original code and put you in a very awkward position:
Message="Cannot execute the request for site YourAzureWebApp because the site is running on auth version v2." Details=[{"Message":"Cannot execute the request for site YourAzureWebApp because the site is running on auth version v2."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"04534","Message":"Cannot execute the request for site YourAzureWebApp because the site is running on auth version v2.","MessageTemplate":"Cannot execute the request for site {0} because the site is running on auth version {1}.","Parameters":["YourAzureWebApp","v2"]}}
Upvotes: 0
Reputation: 1376
In my case, I accidentally updated the auth version from the portal.
I have found a way of downgrading the function app's configVersion
using the Azure CLI (although I am not sure if an Az PowerShell equivalent exists at the time of writing this answer):
az webapp auth config-version revert --subscription <subscription-id> --resource-group myrg --name my-fx-app
az webapp auth config-version show --subscription <subscription-id> --resource-group myrg --name my-fx-app
Upvotes: 0
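Added example (not from the question or any of the answers): a small guard script built around the two az commands in the answer above. Before a Terraform run it checks every web app in a resource group and reverts only the ones that were switched to auth v2 in the portal, leaving v1 apps untouched. It assumes that the text printed by az webapp auth config-version show contains the literal "v1" or "v2", and the subscription and resource-group names are placeholders.

```shell
#!/usr/bin/env bash
# Guard a Terraform run: revert App Services that were moved to auth v2 in the
# portal back to v1 so the azurerm provider can manage them again.
# Assumption (not verified on the page): the `config-version show` output
# contains the literal string "v1" or "v2".
set -eu

# Pure check, kept separate from the Azure calls so it can be tested offline:
# returns 0 when the captured `config-version show` output reports v2.
auth_version_is_v2() {
  case "$1" in
    *v2*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Hypothetical helper: query the current auth config version of one app.
show_auth_version() {
  az webapp auth config-version show \
    --subscription "$1" --resource-group "$2" --name "$3" -o tsv
}

# Revert to v1 only when the site is actually on v2; v1 sites are left alone,
# so the script is safe to run repeatedly.
revert_if_v2() {
  current="$(show_auth_version "$1" "$2" "$3")"
  if auth_version_is_v2 "$current"; then
    echo "$3: on auth v2, reverting to v1 so terraform can manage it again"
    az webapp auth config-version revert \
      --subscription "$1" --resource-group "$2" --name "$3"
  else
    echo "$3: already on auth v1, nothing to do"
  fi
}

# Walk every web app in the resource group (placeholder names as defaults).
main() {
  sub="${1:-<subscription-id>}"
  rg="${2:-myrg}"
  az webapp list --subscription "$sub" --resource-group "$rg" \
    --query "[].name" -o tsv | while read -r app; do
    revert_if_v2 "$sub" "$rg" "$app"
  done
}

# The Azure calls only run when RUN_AZ=1 is set, e.g. RUN_AZ=1 ./guard.sh <sub> myrg
if [ "${RUN_AZ:-0}" = "1" ]; then main "$@"; fi
```

Run it before terraform apply; any app that still reports v2 afterwards will produce the "site is running on auth version v2" error quoted in the first answer.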
Reputation: 11401
Unfortunately, using Terraform to migrate the Auth API version from V1 to V2 is not possible for now. It can only be done from the Portal for now.
But as per the Terraform-Provider-azurerm
release announcement for version 3.0, it is mentioned that the legacy API will be moved to a new API which will use MSAL auth instead of ADAL.
Feature details: Switching to use MSAL for authentication instead of ADAL
Authentication to APIs such as Resource Manager is currently performed using the ADAL library which yields legacy v1 authentication tokens. We’ll move to use v2 tokens in version 3.0 of the provider. In practice this change will not yield any noticeable behavioral differences; however, since this underpins the way the provider authenticates to Azure services, we’ll be making this change in a major release.
You can refer to the Release Announcement for Terraform-provider-azurerm
for more details on the upcoming changes in azurerm version 3.0.
Upvotes: 4