auth_settings_v2 on azurerm_linux_web_app requires client secret #20676

Closed
1 task done
eric-gonzalez-tfs opened this issue Feb 27, 2023 · 9 comments · Fixed by #21834
Comments

@eric-gonzalez-tfs

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.9

AzureRM Provider Version

3.45.0

Affected Resource(s)/Data Source(s)

azurerm_linux_web_app

Terraform Configuration Files

resource "azurerm_linux_web_app" "app_service" {
  provider            = azurerm.GSS_pay_as_you_go
  name                = module.common.resource_name
  resource_group_name = module.common.resource_name
  location            = data.azurerm_service_plan.app_service_plan.location
  service_plan_id     = data.azurerm_service_plan.app_service_plan.id
  https_only          = true
  tags                = local.tags

  auth_settings_v2 {
    auth_enabled           = true
    default_provider       = "aad"
    runtime_version        = "~1"
    unauthenticated_action = "RedirectToLoginPage"

    active_directory_v2 {
      client_id                   = local.ad_app_id
      login_parameters            = {}
      tenant_auth_endpoint        = "https://login.microsoftonline.com/${module.common.ad_tenant_id}"
      www_authentication_disabled = false
    }

    login {
      token_store_enabled = true
    }
  }

  site_config {}
}

Debug Output/Panic Output

╷
│ Error: Invalid combination of arguments
│ 
│   with azurerm_linux_web_app.app_service,
│   on main.tf line 37, in resource "azurerm_linux_web_app" "app_service":
│   37:     active_directory_v2{
│ 
│ "auth_settings_v2.0.active_directory_v2.0.client_secret_setting_name": one of
│ `auth_settings_v2.0.active_directory_v2.0.client_secret_certificate_thumbprint,auth_settings_v2.0.active_directory_v2.0.client_secret_setting_name` must be specified
╵
╷
│ Error: Invalid combination of arguments
│ 
│   with azurerm_linux_web_app.app_service,
│   on main.tf line 37, in resource "azurerm_linux_web_app" "app_service":
│   37:     active_directory_v2{
│ 
│ "auth_settings_v2.0.active_directory_v2.0.client_secret_certificate_thumbprint": one of
│ `auth_settings_v2.0.active_directory_v2.0.client_secret_certificate_thumbprint,auth_settings_v2.0.active_directory_v2.0.client_secret_setting_name` must be specified
╵

Expected Behaviour

The provider should not require a secret in the auth_settings_v2.active_directory_v2 block.

Actual Behaviour

A validation error occurred and I was unable to apply the changes.

Steps to Reproduce

Perform a terraform apply

Other notes:

After I encountered this error, I manually upgraded my app service to auth_settings_v2 in the Azure UI. I then removed the auth_settings_v2 block and performed a terraform plan to compare the output to my terraform code.

The auth settings output did not show a secret in the configuration. Here is the output (with some details redacted):

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_linux_web_app.app_service will be updated in-place
  ~ resource "azurerm_linux_web_app" "app_service" {
        id                                = "/subscriptions/---"
        name                              = "---"
         ...
      - auth_settings_v2 {
          - auth_enabled             = true -> null
          - default_provider         = "aad" -> null
          - excluded_paths           = [] -> null
          - forward_proxy_convention = "NoProxy" -> null
          - http_route_api_prefix    = "/.auth" -> null
          - require_authentication   = true -> null
          - require_https            = true -> null
          - runtime_version          = "~1" -> null
          - unauthenticated_action   = "RedirectToLoginPage" -> null

          - active_directory_v2 {
              - allowed_applications            = [] -> null
              - allowed_audiences               = [] -> null
              - allowed_groups                  = [] -> null
              - allowed_identities              = [] -> null
              - client_id                       = "---" -> null
              - jwt_allowed_client_applications = [] -> null
              - jwt_allowed_groups              = [] -> null
              - login_parameters                = {} -> null
              - tenant_auth_endpoint            = "https://login.microsoftonline.com/---" -> null
              - www_authentication_disabled     = false -> null
            }

          - apple_v2 {
              - login_scopes = [] -> null
            }

          - facebook_v2 {
              - login_scopes = [] -> null
            }

          - github_v2 {
              - login_scopes = [] -> null
            }

          - google_v2 {
              - allowed_audiences = [] -> null
              - login_scopes      = [] -> null
            }

          - login {
              - allowed_external_redirect_urls    = [] -> null
              - cookie_expiration_convention      = "FixedTime" -> null
              - cookie_expiration_time            = "08:00:00" -> null
              - nonce_expiration_time             = "00:05:00" -> null
              - preserve_url_fragments_for_logins = false -> null
              - token_refresh_extension_time      = 72 -> null
              - token_store_enabled               = false -> null
              - validate_nonce                    = true -> null
            }

          - microsoft_v2 {
              - allowed_audiences = [] -> null
              - login_scopes      = [] -> null
            }

          - twitter_v2 {}
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Important Factoids

No response

References

No response

@jackofallops
Member

Thanks for this issue @eric-gonzalez-tfs - I've re-checked this and the Service always needs the client_secret_setting_name as far as I can tell. If you add the Auth mechanism via the Portal, the setting is added containing the secret for the SPN used stored in MICROSOFT_PROVIDER_AUTHENTICATION_SECRET in app_settings. In your example case above, do you see this in app_settings also?
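The following configuration is an added example, not code from the issue or from the azurerm provider's own documentation. It shows the pattern the maintainer describes: `client_secret_setting_name` points at an app setting (the same `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET` name the Portal creates), and that app setting carries a Key Vault reference rather than the secret value, so the web app resource block and the plan output only ever show a reference. The resource names, variables, the Key Vault (`azurerm_key_vault.example`) and the app registration values are all assumptions.

```hcl
# Added example (not from the issue or the provider's docs). All names are assumptions.

variable "aad_client_secret" {
  type      = string
  sensitive = true # supplied out of band; never hard-coded in .tf files
}

# The secret lives in Key Vault; the app setting below only references it.
resource "azurerm_key_vault_secret" "easyauth_client_secret" {
  name         = "easyauth-client-secret"     # hypothetical secret name
  value        = var.aad_client_secret
  key_vault_id = azurerm_key_vault.example.id # assumed existing Key Vault
}

resource "azurerm_linux_web_app" "app_service" {
  name                = var.app_name
  resource_group_name = var.resource_group_name
  location            = var.location
  service_plan_id     = var.service_plan_id
  https_only          = true

  # A managed identity is required for App Service to resolve the Key Vault reference.
  identity {
    type = "SystemAssigned"
  }

  app_settings = {
    # Same setting name the Portal creates. The value is a Key Vault reference that
    # App Service resolves at runtime, so the setting itself holds no secret material.
    MICROSOFT_PROVIDER_AUTHENTICATION_SECRET = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.easyauth_client_secret.versionless_id})"
  }

  auth_settings_v2 {
    auth_enabled           = true
    default_provider       = "aad"
    require_authentication = true
    require_https          = true
    unauthenticated_action = "RedirectToLoginPage"

    active_directory_v2 {
      client_id            = var.aad_client_id
      tenant_auth_endpoint = "https://login.microsoftonline.com/${var.tenant_id}/v2.0"

      # Exactly one of the two arguments below is what the provider validation in this
      # issue demands. Naming the app setting satisfies it without placing the secret
      # in this block; the commented line is the certificate-based alternative.
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
      # client_secret_certificate_thumbprint = var.aad_cert_thumbprint
    }

    login {
      token_store_enabled = true
    }
  }

  site_config {}
}

# The web app's identity needs read access to the secret (hypothetical access policy,
# least privilege: Get only).
resource "azurerm_key_vault_access_policy" "app_reads_easyauth_secret" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = var.tenant_id
  object_id    = azurerm_linux_web_app.app_service.identity[0].principal_id

  secret_permissions = ["Get"]
}
```

The design choice here is that the secret value enters Terraform only through a `sensitive` variable and a Key Vault secret resource, while everything on the web app side (app setting, auth block, plan diff) is a name or a reference. Rotating the secret then means updating the Key Vault secret, not the web app.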

@mmacai

mmacai commented Apr 13, 2023

Thanks for this issue @eric-gonzalez-tfs - I've re-checked this and the Service always needs the client_secret_setting_name as far as I can tell. If you add the Auth mechanism via the Portal, the setting is added containing the secret for the SPN used stored in MICROSOFT_PROVIDER_AUTHENTICATION_SECRET in app_settings. In your example case above, do you see this in app_settings also?

That is true in case you create a provider right away. In the Azure Portal it is possible to set just the Client ID and set Client Secret to an empty value, which will trigger the implicit flow. Which in my case causes an issue, because the pipeline refuses an empty string in the AAD block in Terraform.

@pregress

pregress commented May 17, 2023

If you setup the authentication flow with Azure AD you can clear the value afterwards in the portal, so I do think this validation should be removed:

Sample config:

auth_settings_v2 {
  auth_enabled           = true
  unauthenticated_action = "Return401"
  require_authentication = true
  require_https          = true

  active_directory_v2 {
    client_id                  = azuread_application.example.application_id
    client_secret_setting_name = "AzureAdClientSecret" # This should be allowed optional
    tenant_auth_endpoint       = "https://sts.windows.net/${data.azuread_client_config.current.tenant_id}/v2.0"
    allowed_audiences          = ["api://example"]
  }

  login {
    token_store_enabled = true
  }
}

I think these ExactlyOneOf should be removed:

@xiaxyi
Contributor

xiaxyi commented May 18, 2023

Thanks guys for the discussion here and thanks @pregress for making the PR! Your PR looks good; I included your code and added more tests and documentation for the change. You can check the linked PR and feel free to let me know if you have any questions.

@matthiashuygelentillit

This is exactly what I need. When will this be reviewed/merged?

@ilmax
Contributor

ilmax commented Dec 7, 2023

Any chance this can be picked up? The PR is there, just the documentation needs to be updated, and this has been blocking me for a few months now /cc @jackofallops

@mihasajko

Hello @jackofallops, is this possible to achieve with Terraform? When adding the auth mechanism via the portal the secret is automatically configured and, I assume, rotated. Currently it's not configured if only client_id is provided.

Thanks for this issue @eric-gonzalez-tfs - I've re-checked this and the Service always needs the client_secret_setting_name as far as I can tell. If you add the Auth mechanism via the Portal, the setting is added containing the secret for the SPN used stored in MICROSOFT_PROVIDER_AUTHENTICATION_SECRET in app_settings. In your example case above, do you see this in app_settings also?

@mihasajko

My bad, it was a typo in tenant_auth_endpoint that caused it not to work. Auth with existing app registration works out of the box!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 22, 2024