azurerm_function_app_host_keys is highly unstable

[ChristianSauer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform 0.14
azurerm: 2.40.0
codecentric/leanix: 1.0.0-rc4

Affected Resource(s)

• data azurerm_function_app_host_keys

Terraform Configuration Files

assume we have an app service plan, resource group etc.

data "archive_file" "functiondata" {
  type        = "zip"
  source_dir = abspath("${path.module}/../../functioncode")
  output_path = "${path.module}/files/function.zip"
}

resource "azurerm_storage_blob" "storageblob-function" {
  name                   = "deployments/${data.archive_file.functiondata.output_md5}.zip"
  storage_account_name   = azurerm_storage_account.storageacc.name
  storage_container_name = azurerm_storage_container.storagecontainer.name
  type                   = "Block"
  source                 = data.archive_file.functiondata.output_path
}

resource "azurerm_function_app" "func" {
  name                       = "func-${var.project_name}-${var.region}"
  location                   = azurerm_resource_group.rg.location
app_settings = {
        https_only = true
        FUNCTIONS_WORKER_RUNTIME = "node"
        WEBSITE_NODE_DEFAULT_VERSION = "~12"
        FUNCTION_APP_EDIT_MODE = "readonly"
        WEBSITE_RUN_FROM_PACKAGE = "https://${azurerm_storage_account.storageacc.name}.blob.core.windows.net/${azurerm_storage_container.storagecontainer.name}/${azurerm_storage_blob.storageblob-function.name}${data.azurerm_storage_account_sas.sas-function.sas}"
        
    }
}

data "azurerm_function_app_host_keys" "host_keys" {
  depends_on = [  azurerm_function_app.func]
  name                =  azurerm_function_app.func.name
  resource_group_name =  azurerm_resource_group.rg.name
}

resource "leanix_webhook_subscription" "events_azure" {
...
target_url    = "https://${azurerm_function_app.func.name}.azurewebsites.net/api/eventReceiver?code=${data.azurerm_function_app_host_keys.host_keys.default_function_key}"
}

Debug Output

Expected Behaviour

This should always work.

Actual Behaviour

Sometimes it stods working , apparently because tf reads the function key too early and damages the entire function app, e.g. host keys vanish from the function app in azure and we need to redeploy the whole function.

Output is:
Error: Error: AzureRM Function App "func-name" (Resource Group "rg-gi-name") was not found

on it-azure-module/func.tf line 96, in data "azurerm_function_app_host_keys" "host_keys":
96: data "azurerm_function_app_host_keys" "host_keys" {

The error is also incorrect because the function itself is still there, only the host keys are missing and terraform is unable to recover.
Honestly, I cannot recommend azurerm_function_app_host_keys at all, it would be better to remove it until it is stable enough for production usage.
as is, it randomly breaks deployments and needs a lot of manual work to recover.

Steps to Reproduce

Run an function deployment often enough, e.g. modify the function to zip.

[DovnarAlexander]

Having the same issue. Hoped that it will be fixed with more stable depends_on for data sources starting 0.13, but unfortunately having the same issue. Time resource upon the function recreation also works not well.

[tombuildsstuff]

hi @ChristianSauer

Thanks for opening this issue.

Taking a look through here this appears to be an issue with Terraform Core not enforcing the ordering correctly, rather than an issue with this Data Source directly (which assumes the Function App, and so it's keys are present at use time) - as such would you mind opening an issue on the Terraform Core repository where someone from the Terraform Core team should be able to take a look?

Thanks!

[DovnarAlexander]

I'd disagree, that it relates to the core layer. Instead, in my humble opinion it relates to Azure API more. Looks like the function reports that it's ready before it's actually ready.

[sschmeck]

@DovnarAlexander I guess you have to distinguish between the Function App creation and the deployment of the functions. See #8415.

[ChristianSauer]

Having the same issue. Hoped that it will be fixed with more stable depends_on for data sources starting 0.13, but unfortunately having the same issue. Time resource upon the function recreation also works not well.

@DovnarAlexander We are on 0.14, it did not help at all and got worse

[ChristianSauer]

@tombuildsstuff Even if it is, all references to this bug in the core where dismissed in the past. Since I want to use azurerm now and not in the distant future it would be great if all of azurerm would be usable right now. And this data source is highly dangerous and jsut does not work. The easiest (and fastest) solution would be for azurerm to make it a resource I guess.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!