azure - 即使存在ignore_changes开关，Terraform也会清除Azure应用程序配置设置

Question

我在一个应用服务计划中拥有三个网络应用。一个应用程序是前端，另一个是 API，第三个是功能应用程序。所有这些都包含在 Linux 应用服务计划中。

我在这三个应用程序中有很多应用程序配置设置。我注意到的是，如果我输入:

 lifecycle {
    ignore_changes = [
      "auth_settings",
      "app_settings"
    ]
  }

每次应用后，terraform 都会继续从其中一个应用程序重写应用程序配置。如果我注释掉其中一个应用程序的 app_settings 以重新部署应用程序配置，则另一个应用程序将被清除。

这是 Terraform 中的错误还是其他问题？我正在使用 AzureRM 提供程序 2.0

代码如下所示:

module "name_app_service_plan" {
  version              = "~> 3.0"
  source               = "contoso.com/names/azurerm"
  providers            = { azurerm = azurerm, random = random }
  resource_environment = var.project.environment.name
  resource_location    = var.location
  resource_name        = var.project.name
}

module "name_app_service_api" {
  version              = "~> 3.0"
  source               = "contoso.com/names/azurerm"
  providers            = { azurerm = azurerm, random = random }
  resource_environment = var.project.environment.name
  resource_location    = module.resourcegroup.resource_group.location
  resource_name        = format("%s-api", var.project.name)
}

module "name_app_service_fe" {
  version              = "~> 3.0"
  source               = "contoso.com/names/azurerm"
  providers            = { azurerm = azurerm, random = random }
  resource_environment = var.project.environment.name
  resource_location    = module.resourcegroup.resource_group.location
  resource_name        = format("%s-fe", var.project.name)
}

module "name_function_app" {
  version              = "~> 3.0"
  source               = "contoso.com/names/azurerm"
  providers            = { azurerm = azurerm, random = random }
  resource_environment = var.project.environment.name
  resource_location    = module.resourcegroup.resource_group.location
  resource_name        = format("%s-01", var.project.name)
}

resource "azurerm_app_service_plan" "default" {
  resource_group_name = module.resourcegroup.resource_group.name
  location            = module.resourcegroup.resource_group.location
  name                = module.name_app_service_plan.location.app_service_plan.name_unique
  kind                = "Linux"
  reserved            = true
  sku {
    tier = "PremiumV3"
    size = "P2v3"
  }
  tags = module.resourcegroup.resource_group.tags
}

API应用程序

resource "azurerm_app_service" "api" {
  location            = module.resourcegroup.resource_group.location
  resource_group_name = module.resourcegroup.resource_group.name
  tags                = local.tags

  app_service_plan_id = azurerm_app_service_plan.default.id
  name                = module.name_app_service_api.location.app_service.name_unique
  identity { type = "SystemAssigned" }
  site_config {
    always_on                 = true
    app_command_line          = ""
    default_documents         = []
    dotnet_framework_version  = "v4.0"
    ftps_state                = "AllAllowed"
    health_check_path         = ""
    http2_enabled             = true
    linux_fx_version          = "DOTNETCORE|3.1"
    local_mysql_enabled       = false
    managed_pipeline_mode     = "Integrated"
    min_tls_version           = "1.2"
    python_version            = "3.4"
    remote_debugging_enabled  = false
    remote_debugging_version  = "VS2019"
    use_32_bit_worker_process = false
    windows_fx_version        = ""
    websockets_enabled        = true
    cors {
      allowed_origins     = [format("https://%s", azurerm_app_service.fe.default_site_hostname)]
      support_credentials = true
    }
  }

  app_settings = {
    "WEBSITE_DNS_SERVER"                    = "168.63.129.16"
    "WEBSITE_VNET_ROUTE_ALL"                = "1"
    "WEBSITE_ENABLE_SYNC_UPDATE_SITE"       = "true"
    "APPINSIGHTS_INSTRUMENTATIONKEY"        = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-default-api-instrumentation-key)", module.key-vault.key_vault.self.name)
    "APPLICATIONINSIGHTS_CONNECTION_STRING" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-api-connection-string)", module.key-vault.key_vault.self.name)
    "applicationStorage"                    = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
    "frontendappid"                         = format("@Microsoft.KeyVault(VaultName=%s;SecretName=frontendappid)", module.key-vault.key_vault.self.name)
    "webapiappid"                           = format("@Microsoft.KeyVault(VaultName=%s;SecretName=webapiappid)", module.key-vault.key_vault.self.name)
    "clientsecret"                          = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Webapp-API-Secret)", module.key-vault.key_vault.self.name)
    "webapiappuri"                          = format("https://contoso.onmicrosoft.com/api-%s-%s", var.project.name, var.project.environment.name)
    "functionappid"                         = format("@Microsoft.KeyVault(VaultName=%s;SecretName=functionappid)", module.key-vault.key_vault.self.name)
    "functionappuri"                        = format("https://contoso.onmicrosoft.com/func-%s-%s", var.project.name, var.project.environment.name)
    "funcappsecret"                         = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Function-App-Secret)", module.key-vault.key_vault.self.name)
    "frontendhost"                          = format("@Microsoft.KeyVault(VaultName=%s;SecretName=frontendhost)", module.key-vault.key_vault.self.name)
    "functionhost"                          = format("@Microsoft.KeyVault(VaultName=%s;SecretName=functionhost)", module.key-vault.key_vault.self.name)
    "webapihost"                            = format("@Microsoft.KeyVault(VaultName=%s;SecretName=webapihost)", module.key-vault.key_vault.self.name)
    "cosmosIntegrationConnection"           = format("@Microsoft.KeyVault(VaultName=%s;SecretName=CosmosDB-PrimaryKey-ConnectionString)", module.key-vault.key_vault.self.name)
    "cosmosIntegrationContainer"            = "cosmosdb_container"
    "cosmosIntegrationDatabase"             = "cosmosdb_db"
    "tokenauthority"                        = format("https://login.microsoftonline.com/%s", data.azurerm_client_config.default.tenant_id)
  }

  lifecycle {
    ignore_changes = [
      auth_settings,
      app_settings
    ]
  }
}

API 应用程序的 VNET 集成

resource "azurerm_app_service_virtual_network_swift_connection" "api" {
  app_service_id = azurerm_app_service.api.id
  subnet_id      = module.virtualnetwork["centralus"].virtual_network.subnets["webapp"].id
}

API 应用程序的 Pvt 端点

module "privateendpoint_api" {
  # registry
  version = "~> 10.0.0"
  source  = "contoso.com/virtual-network/azurerm//modules/privateendpoint"
  # metas
  providers = { azurerm = azurerm, azurerm.hub = azurerm.hub, random = random }
  # arguments
  hub_resource_group_name               = var.project.hub.resourcegroup.name
  resource_group_name                   = module.resourcegroup.resource_group.name
  private_endpoint_location             = module.resourcegroup.resource_group.location
  private_endpoint_environment          = var.project.environment.name
  private_endpoint_name                 = format("api-webapp-%s", var.project.name)
  private_endpoint_resource_type        = "appservice"
  private_endpoint_resource_subresource = "sites"
  private_endpoint_subnet_id            = module.virtualnetwork["centralus"].virtual_network.subnets["general"].id
  private_endpoint_resource_id          = azurerm_app_service.api.id
}

FE 网络应用

resource "azurerm_app_service" "fe" {
  location            = module.resourcegroup.resource_group.location
  resource_group_name = module.resourcegroup.resource_group.name
  tags                = local.tags

  app_service_plan_id = azurerm_app_service_plan.default.id
  name                = module.name_app_service_fe.location.app_service.name_unique
  identity { type = "SystemAssigned" }
  auth_settings {
    enabled                        = true
    default_provider               = "AzureActiveDirectory"
    issuer                         = format("https://sts.windows.net/%s/", data.azurerm_client_config.default.tenant_id)
    runtime_version                = "~1"
    token_store_enabled            = true
    unauthenticated_client_action  = "RedirectToLoginPage"
    allowed_external_redirect_urls = module.application_webapp_fe.application.self.reply_urls
    additional_login_params = {
      "response_type" = "code id_token",
      "resource"      = module.application_webapp_fe.application.self.application_id
    }
    active_directory {
      client_id         = module.application_webapp_fe.application.self.application_id
      client_secret     = module.application_webapp_fe.service_principal.secret.value
      allowed_audiences = []
    }
  }

  site_config {
    always_on                = true
    app_command_line         = ""
    default_documents        = []
    dotnet_framework_version = "v4.0"
    ftps_state               = "Disabled"
    health_check_path        = ""
    http2_enabled            = true
    linux_fx_version         = "STATICSITE|1.0"
    local_mysql_enabled      = false
    managed_pipeline_mode    = "Integrated"
    min_tls_version          = "1.2"
    #pre_warmed_instance_count = 0
    python_version            = "3.4"
    remote_debugging_enabled  = false
    remote_debugging_version  = "VS2019"
    use_32_bit_worker_process = false
    websockets_enabled        = false
    windows_fx_version        = ""
    cors {
      allowed_origins     = []
      support_credentials = false
    }
  }

  app_settings = {
    "WEBSITE_DNS_SERVER"                       = "168.63.129.16"
    "WEBSITE_VNET_ROUTE_ALL"                   = "1"
    "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Webapp-FE-Secret)", module.key-vault.key_vault.self.name)
    "APPINSIGHTS_INSTRUMENTATIONKEY"           = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-default-fe-instrumentation-key)", module.key-vault.key_vault.self.name)
    "APPLICATIONINSIGHTS_CONNECTION_STRING"    = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-fe-connection-string)", module.key-vault.key_vault.self.name)
    "webapiappid"                              = format("@Microsoft.KeyVault(VaultName=%s;SecretName=webapiappid)", module.key-vault.key_vault.self.name)
    "webapiappsecret"                          = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Webapp-API-Secret)", module.key-vault.key_vault.self.name)
  }

  lifecycle {
    ignore_changes = [
      auth_settings,
      app_settings
    ]
  }
}

fe 应用的 VNET 集成

resource "azurerm_app_service_virtual_network_swift_connection" "fe" {
  app_service_id = azurerm_app_service.fe.id
  subnet_id      = module.virtualnetwork["centralus"].virtual_network.subnets["webapp"].id
}

Fe 应用程序的 Pvt 端点

module "privateendpoint_fe" {
  # registry
  version = "~> 10.0.0"
  source  = "contoso.com/virtual-network/azurerm//modules/privateendpoint"
  # metas
  providers = { azurerm = azurerm, azurerm.hub = azurerm.hub, random = random }
  # arguments
  hub_resource_group_name               = var.project.hub.resourcegroup.name
  resource_group_name                   = module.resourcegroup.resource_group.name
  private_endpoint_location             = module.resourcegroup.resource_group.location
  private_endpoint_environment          = var.project.environment.name
  private_endpoint_name                 = format("fe-webapp-%s", var.project.name)
  private_endpoint_resource_type        = "appservice"
  private_endpoint_resource_subresource = "sites"
  private_endpoint_subnet_id            = module.virtualnetwork["centralus"].virtual_network.subnets["general"].id
  private_endpoint_resource_id          = azurerm_app_service.fe.id
}

功能应用

resource "azurerm_function_app" "default" {
  location            = module.resourcegroup.resource_group.location
  resource_group_name = module.resourcegroup.resource_group.name
  tags                = local.tags

  app_service_plan_id = azurerm_app_service_plan.default.id
  name                = module.name_function_app.location.function_app.name_unique
  version             = "~3"
  identity { type = "SystemAssigned" }
  os_type                    = "linux"
  storage_account_name       = module.storageaccount.storage_account.self.name
  storage_account_access_key = module.storageaccount.storage_account.self.primary_access_key

  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    issuer                        = format("https://login.microsoftonline.com/%s/", data.azurerm_client_config.default.tenant_id)
    runtime_version               = "~1"
    token_store_enabled           = true
    unauthenticated_client_action = "RedirectToLoginPage"
    active_directory {
      client_id         = module.application_func_01.application.self.application_id
      client_secret     = module.application_func_01.service_principal.secret.value
      allowed_audiences = module.application_webapp_api.application.self.identifier_uris
    }
  }

  site_config {
    always_on                 = true
    ftps_state                = "Disabled"
    health_check_path         = ""
    http2_enabled             = true
    linux_fx_version          = "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-dotnet3-appservice"
    min_tls_version           = "1.2"
    pre_warmed_instance_count = 0
    use_32_bit_worker_process = false
    websockets_enabled        = false
    cors {
      allowed_origins     = []
      support_credentials = false
    }
  }

  app_settings = {
    "WEBSITE_DNS_SERVER"                    = "168.63.129.16"
    "WEBSITE_VNET_ROUTE_ALL"                = "1"
    "WEBSITE_ENABLE_SYNC_UPDATE_SITE"       = "true"
    "WEBSITE_RUN_FROM_PACKAGE"              = "1"
    "WEBSITES_ENABLE_APP_SERVICE_STORAGE"   = "true"
    "APPINSIGHTS_INSTRUMENTATIONKEY"        = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-default-func-instrumentation-key)", module.key-vault.key_vault.self.name)
    "APPLICATIONINSIGHTS_CONNECTION_STRING" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-func-connection-string)", module.key-vault.key_vault.self.name)
    "AzureWebJobsStorage"                   = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
    "AzureWebJobsDashboard"                 = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
    "cosmosIntegrationConnection"           = format("@Microsoft.KeyVault(VaultName=%s;SecretName=CosmosDB-PrimaryKey-ConnectionString)", module.key-vault.key_vault.self.name)
    "cosmosIntegrationContainer"            = "cosmosdb_container"
    "cosmosIntegrationDatabase"             = "cosmosdb_db"
    "functionappid"                         = format("@Microsoft.KeyVault(VaultName=%s;SecretName=functionappid)", module.key-vault.key_vault.self.name)
    "clientsecret"                          = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Function-App-Secret)", module.key-vault.key_vault.self.name)
    "webapihost"                            = format("@Microsoft.KeyVault(VaultName=%s;SecretName=webapihost)", module.key-vault.key_vault.self.name)
    "webapiappuri"                          = format("https://contoso.onmicrosoft.com/api-%s-%s", var.project.name, var.project.environment.name)
    "functionappuri"                        = format("https://contoso.onmicrosoft.com/func-%s-%s", var.project.name, var.project.environment.name)
    "functionhost"                          = format("@Microsoft.KeyVault(VaultName=%s;SecretName=functionhost)", module.key-vault.key_vault.self.name)
    "applicationStorage"                    = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
    "tokenauthority"                        = format("https://login.microsoftonline.com/%s", data.azurerm_client_config.default.tenant_id)
    "FUNCTIONS_EXTENSION_VERSION"           = "~3"

  }

  lifecycle {
    ignore_changes = [
      auth_settings,
      app_settings
    ]
  }
}

函数应用的 VNET 集成

resource "azurerm_app_service_virtual_network_swift_connection" "function-app" {
  app_service_id = azurerm_function_app.default.id
  subnet_id      = module.virtualnetwork["centralus"].virtual_network.subnets["webapp"].id
}

Func 应用程序的 Pvt 端点

module "privateendpoint_func" {
  # registry
  version = "~> 10.0.0"
  source  = "contoso.com/virtual-network/azurerm//modules/privateendpoint"
  # metas
  providers = { azurerm = azurerm, azurerm.hub = azurerm.hub, random = random }
  # arguments
  hub_resource_group_name               = var.project.hub.resourcegroup.name
  resource_group_name                   = module.resourcegroup.resource_group.name
  private_endpoint_location             = module.resourcegroup.resource_group.location
  private_endpoint_environment          = var.project.environment.name
  private_endpoint_name                 = format("func-%s", var.project.name)
  private_endpoint_resource_type        = "appservice"
  private_endpoint_resource_subresource = "sites"
  private_endpoint_subnet_id            = module.virtualnetwork["centralus"].virtual_network.subnets["general"].id
  private_endpoint_resource_id          = azurerm_function_app.default.id
}

我注意到 Terraform 仅尊重 Function App 的ignore_changes 值。对于 API 和 FE 应用程序，如果我注释掉 FE 的 app_settings 的ignore_changes，Terraform 还会清除 API 应用程序的 app_settings，只保留 VNET_ROUTE_ALL 设置。所有其他设置都被清除。

如果我注释掉 API 应用程序的ignore_changes 中的 app_settings 并取消注释 FE 应用程序的 app_settings，也会发生同样的情况。

Answer 1

正如评论中提到的，查看 tf plan 的输出非常重要。但鉴于您问题中的信息，我可以想到三个潜在的罪魁祸首:

• 如果重新创建或更改依赖资源，则可能需要重新创建应用，这会导致删除 app_settings(至少是通过门户添加的设置)。

• 您正在使用带有悲观约束"~> 3.0"的远程模块，因此如果有新版本(例如3.1)并且您正在部署在没有缓存的远程代理上或在本地使用 -upgrade 标志 Terraform 将重新部署模块以获得最新版本。

• 这不应该是问题，但值得一提:忽略一个对象及其内部其他对象的特定更改已经是 problematic in the past 。

• azurerm 2.0 似乎存在特定问题，当 app-settings 更改时，Terraform 会重新创建整个应用程序，这会使 ignore_changes 变得多余，这个问题应该在 2.1 版本中修复

也就是说，atm 资源已被弃用；所以升级似乎是最简单的解决办法。请参阅:deprecated 和 latest

对于任何试图重现此问题的人；这是使用 azurerm 提供的“2.48.0”和 tf 版本 1.3.9 的简单代码示例。此示例显示忽略门户或 Terraform 代码中所做的更改没有任何问题。

文件夹结构:

main.tf

# locals
locals {
  resource_environment = "dev"
  resource_location    = "westeurope"
  resource_name        = "stack" # name of the resource group

  resource_name_app      = "stack12345678" # needs to be unique
  resource_name_function = "stack87654321" # needs to be unique
  tags = {
    environment = local.resource_environment
    project     = local.resource_name
  }
}

terraform {
  required_version = ">= 0.13.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "= 2.48.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 2.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "stack_test" {
  name     = local.resource_name
  location = local.resource_location
  tags     = local.tags
}

module "test_app_service2" {
  source    = "./module_app_service"
  providers = { azurerm = azurerm, random = random }
  #resource_environment = local.resource_environment
  resource_location   = local.resource_location
  resource_group_name = local.resource_name
  resource_name       = local.resource_name_app
  tags                = local.tags

  depends_on = [
    azurerm_resource_group.stack_test
  ]
}

module "test_function_app1" {
  source    = "./module_function_app"
  providers = { azurerm = azurerm, random = random }
  #resource_environment = local.resource_environment
  resource_location   = local.resource_location
  resource_group_name = local.resource_name
  resource_name       = local.resource_name_function
  tags                = local.tags

  depends_on = [
    azurerm_resource_group.stack_test
  ]
}

module_function.tf

variable "resource_location" {}
variable "resource_group_name" {}
variable resource_name {}
variable "tags" {}

resource "azurerm_app_service_plan" "default" {
  location            = var.resource_location
  resource_group_name = var.resource_group_name
  tags                = var.tags

  name     = "api-appserviceplan-pro"
  kind     = "Linux"
  reserved = true

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_storage_account" "example" {
  name                     = var.resource_name
  resource_group_name      = var.resource_group_name
  location                 = var.resource_location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_function_app" "default" {
  location            = var.resource_location
  resource_group_name = var.resource_group_name
  tags                = var.tags

  app_service_plan_id = azurerm_app_service_plan.default.id
  name                = var.resource_name
  version             = "~3"

  identity {
    type = "SystemAssigned"
  }

  os_type                    = "linux"
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  auth_settings {
    enabled                       = true
  }

  site_config {
    always_on                 = true
    ftps_state                = "Disabled"
    health_check_path         = ""
    http2_enabled             = true
    linux_fx_version          = "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-dotnet3-appservice"
    min_tls_version           = "1.2"
    pre_warmed_instance_count = 0
    use_32_bit_worker_process = false
    websockets_enabled        = false
  }

  app_settings = {
    something = "new"
    name_service_plan =  azurerm_app_service_plan.default.name
    new = "this"}

  lifecycle {
    ignore_changes = [
      auth_settings,
      app_settings
    ]
  }
}

module_app_service.tf

variable "resource_location" {}
variable "resource_group_name" {}
variable resource_name {}
variable "tags" {}

resource "azurerm_app_service_plan" "default" {
  location            = var.resource_location
  resource_group_name = var.resource_group_name
  tags                = var.tags 

  name     = "api-appserviceplan-pro"
  kind     = "Linux"
  reserved = true

  sku {
    tier = "Standard"
    size = "S1"
  }

}

resource "azurerm_app_service" "api" {
  location            = var.resource_location
  resource_group_name = var.resource_group_name
  tags                = var.tags

  app_service_plan_id = azurerm_app_service_plan.default.id
  name                = var.resource_name
  identity { type = "SystemAssigned" }
  site_config {
    always_on                 = true
    app_command_line          = ""
    default_documents         = []
    dotnet_framework_version  = "v4.0"
    ftps_state                = "AllAllowed"
    health_check_path         = ""
    http2_enabled             = true
    linux_fx_version          = "DOTNETCORE|3.1"
    local_mysql_enabled       = false
    managed_pipeline_mode     = "Integrated"
    min_tls_version           = "1.2"
    python_version            = "3.4"
    remote_debugging_enabled  = false
    remote_debugging_version  = "VS2019"
    use_32_bit_worker_process = false
    windows_fx_version        = ""
    websockets_enabled        = true

    cors {
      allowed_origins     = []
      support_credentials = false
    }
  }

  app_settings = {
    something = "some thing"
    name_service_plan =  azurerm_app_service_plan.default.name
    new = "this"}

  lifecycle {
    ignore_changes = [
      auth_settings,
      app_settings
    ]
  }
}

另请参阅:

Terraform, "ignore_changes" and sub-blocks

How to ignore change of an attribute in block

https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#ignore_changes