cannot create function app slots with provider >= v2.70.0 #15260

Open
fgarcia-cnb opened this issue Feb 4, 2022 · 5 comments
Labels
bug service/functions Function Apps upstream/microsoft/waiting-on-service-team This label is applicable when waiting on the Microsoft Service Team v/2.x (legacy) v/3.x

Comments

@fgarcia-cnb

fgarcia-cnb commented Feb 4, 2022

Terraform (and AzureRM Provider) Version

Affected Resource(s)

  • azurerm_2.70 and above (complete slot creation failure)
  • azurerm_2.68 - 2.69 (partial slot creation failure)
  • terraform v1.0.7

Setup

We have PremiumV2 function apps using private endpoint for inbound and vnet integration for outbound. We point the function apps to storage accounts that also use private endpoint. These are created just fine (tested with provider >=2.59)

Issue

When we try to create slots for these function apps, it works perfectly fine with provider v2.59 - v2.67

With provider 2.68 - 2.69, the slots are created but they error out with the following:

Error: Error updating Application Settings for Function App Slot "slot01" (Function App "fn-tp06o7j25tffnapp4" / Resource Group "dc06-prd-ftint-rg"): web.AppsClient#UpdateApplicationSettingsSlot: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible." Details=[{"Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"99022","Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.","MessageTemplate":"Creation of storage file share failed with: '{0}'. Please check if the storage account is accessible.","Parameters":["The remote server returned an error: (403) Forbidden."]}}]

With any provider >= 2.70, the slots completely fail with:

Error: web.AppsClient#CreateOrUpdateSlot: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible." Details=[{"Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"99022","Message":"Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.","MessageTemplate":"Creation of storage file share failed with: '{0}'. Please check if the storage account is accessible.","Parameters":["The remote server returned an error: (403) Forbidden."]}}]

Initial Conclusion

I've done extensive testing on several provider versions. I highly doubt this is a network or authentication issue since everything works with provider v2.59 - 2.67.

Function app creation works in all providers >= 2.59. These function apps connect to the same storage the slots do.

It's only when we enable slots with provider >= 2.68 that things start to fail.

This is a big issue for us because we would like to use many of the newer features in the newer provider. We're forced to build things out in 2 phases: once with provider 2.67, then a second phase with >=2.70

@fgarcia-cnb
Author

any updates on this? it's a big issue for us. i hope you can replicate on your end. any possible workarounds?

@fgarcia-cnb
Author

fgarcia-cnb commented Feb 25, 2022

since no one is helping, i did a bit more troubleshooting. Turns out that provider >= 2.68 does create 2 file shares in the storage account, but earlier providers did not. Not sure why that's necessary for fnapp functionality. The other confusing part is why it can't use private endpoint to create the shares, when it can create related blob content for both the fnapp and slot.

the workaround was:

  1. let tf plan/apply the fnapp and storage account normally, and then fail when creating the slot
  2. run another plan that includes just the slot addition. do not apply
  3. in the storage account, switch from "selected networks" to "all networks"
  4. run an apply. slot should create successfully
  5. switch storage account back to "selected networks"
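
The workaround above leaves the storage account open to all networks if the apply in step 4 fails or step 5 is forgotten. The following is an added example, not part of the original comment or the provider's code, that scripts steps 2 to 5 so the firewall is always put back. The function names and the `slot.tfplan` file name are hypothetical, and it assumes step 1 has already run, so the only pending change in the plan is the slot.

```bash
#!/usr/bin/env bash
# Added example: workaround steps 2-5 with a guaranteed firewall restore.
# Assumes `az` is logged in and `terraform` runs in the root module directory.

# "Allow" = all networks, "Deny" = selected networks only.
set_default_action() {
  az storage account update --name "$1" --resource-group "$2" \
    --default-action "$3" --output none
}

get_default_action() {
  az storage account show --name "$1" --resource-group "$2" \
    --query networkRuleSet.defaultAction --output tsv
}

# Usage: apply_slot_with_open_window <storage-account> <resource-group> [plan-file]
apply_slot_with_open_window() {
  local sa rg plan original rc
  sa="$1"; rg="$2"; plan="${3:-slot.tfplan}"; rc=0

  original="$(get_default_action "$sa" "$rg")" || return 1
  if [ "$original" != "Deny" ]; then
    echo "default action is '$original', not 'Deny'; firewall left untouched" >&2
    return 2
  fi

  # Step 2: plan the slot while the firewall is still closed; apply nothing.
  terraform plan -input=false -out="$plan" || return 1

  # Step 3: switch to "all networks".
  set_default_action "$sa" "$rg" Allow || return 1

  # Step 4: apply exactly the saved plan; record a failure instead of exiting.
  terraform apply -input=false "$plan" || rc=$?

  # Step 5: back to "selected networks", whether or not the apply worked.
  if ! set_default_action "$sa" "$rg" "$original"; then
    echo "could not restore default action on $sa; close it manually" >&2
    return 3
  fi
  return "$rc"
}
```

An interrupt during the apply is not handled by this function; when running it unattended, add a signal trap that calls `set_default_action` with `Deny`.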

@fgarcia-cnb
Author

we are not experiencing issues when swapping slots. because the new slots use a file share instead of blob. this seems to be an azure issue: Azure/Azure-Functions#2102

would it be possible to add an option to the fnapp resource to use the older blob method? it would solve a lot of these issues

@misterfoo

I ran into this same issue today on provider version 3.47.0, and in my case the issue was failing to specify values for both storage_account_name and storage_account_access_key in the definition of the azurerm_windows_function_app_slot. Adding those allowed it to create the slot correctly. Perhaps that would work for you too?

@collins-benj

I can confirm that this error is caused by following the base example in the documentation:

resource "azurerm_windows_function_app_slot" "example" {
  name                 = "example-slot"
  function_app_id      = azurerm_windows_function_app.example.id
  storage_account_name = azurerm_storage_account.example.name

  site_config {}
}

which does not contain storage_account_access_key. Is there anything stopping this from being a required field?

@rcskosir rcskosir added upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR v/3.x labels Jul 26, 2023
@rcskosir rcskosir added v/2.x (legacy) upstream/microsoft/waiting-on-service-team This label is applicable when waiting on the Microsoft Service Team and removed upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR labels Mar 14, 2024