Ignore Azure Functions application settings drift in Terraform
Reading time: 2 min
Last updated
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
<TLDR>
Add application settings causing configuration drift to ignore_changes
lifecycle hook in function app resource configuration in Terraform. </TLDR>
The problem
You define your cloud infrastructure as code with Terraform and provision all resources. One of the resources is a Function App, based on Linux running in Consumption plan.
You deploy your application code with Azure Functions Core Tools. It uses external package url deployment method behind the scenes. Essentially it will upload your code to Azure Blob storage account and will mount it as a read-only directory in the Function App at /home/site/wwwroot
.
You run terraform plan
or terraform apply
and you see there are changes in the remote resource: WEBSITE_RUN_FROM_PACKAGE
setting has now value similar to https://storageaccname.blob.core.windows.net/function-releases/2020...long-list-of-arguments
. That's the value set by the depoyment tool.
There's no point in importing it to Terraform state since it will change with every application code deployment.
It would be great if we could set WEBSITE_RUN_FROM_PACKAGE=1
application setting once and for all. It means deploy the package not to the remote storage, but to the function app host itself, and mount it to (again, read-only)/home/site/wwwroot
. But unfortunately it's not yet supported by Linux in Consumption plan.
What else can we do?
Solution
In your function app resource in Terraform, set application setting WEBSITE_RUN_FROM_PACKAGE=""
and tell Terraform to ignore any future changes of this setting in the remote state.
...
resource "azurerm_function_app" "function_app" {
...
app_settings = {
"WEBSITE_RUN_FROM_PACKAGE" = "",
...
}
lifecycle {
ignore_changes = [
app_settings["WEBSITE_RUN_FROM_PACKAGE"], # prevent TF reporting configuration drift after app code is deployed
]
}
}
That's it. Terraform will no longer warn you about the value of WEBSITE_RUN_FROM_PACKAGE
being changed. Hopefully Function Apps in Linux Consumption plan will support WEBSITE_RUN_FROM_PACKAGE=1
setting soon and we won't need this workaround.
If you like this type of content you can follow me on Twitter for the latest updates.
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
Next: Restrict Azure Functions to API Management with Terraform