azurerm_windows_web_app_slot, azurerm_windows_function_app_slot - Fix error 500/409 when using virtual network subnet

[Apokalypt]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

Since the release 3.88.0, Azure reject the creation of web app slot and function app slot when there is a virtual network subnet. Initially the API rejects all calls with an error 500 but since this morning the error is clearer and validate analysis perform by few users in the issue linked :

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.

I could only run local test and not acceptance tests see below the explanation...

Testing

Sorry, but I couldn't run acceptance tests because I don't have enough permissions in my team to make them run properly. However, some tests were run manually and some checks/tests were run directly with the API to make sure everything worked despite my technical limitations.

One thing to note is that a acceptance test is failing TestAccWindowsWebAppSlot_completeUpdate but this fail comes from another change since the test fails without my code!

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_windows_web_app_slot - Force "serverFarmId" to be set when "virtualNetworkSubnetId" is set as requested by Azure API Creating azurerm_windows_web_app_slot with virtual_network_subnet_id specified results in Internal server error (500) #24618
• azurerm_windows_function_app_slot - Force "serverFarmId" to be set when "virtualNetworkSubnetId" is set as requested by Azure API Creating azurerm_windows_web_app_slot with virtual_network_subnet_id specified results in Internal server error (500) #24618

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #24618

[xiaxyi]

Thanks @Apokalypt for the PR, can we please hold adding the serverFarmId in the request as I'm trying to confirm with the app service team to see if it's required. I will update the thread once I have a progress, thanks for your understanding!

[Apokalypt]

Thanks @Apokalypt for the PR, can we please hold adding the serverFarmId in the request as I'm trying to confirm with the app service team to see if it's required. I will update the thread once I have a progress, thanks for your understanding!

Ok thanks. We will wait for your answer @xiaxyi .
If you need it for your discussion with app service team, you can find the 2 cURL request used by me to verify the error and the solution:

• Request without "serverFarmId" property --> Error 409 with body as shown in the PR description (before it was an error 500)

curl --location --request PUT 'https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Web/sites/<web-app-name>/slots/test-error-slot?api-version=2022-09-01' \
--header 'authorization: Bearer <token>' \
--header 'content-type: application/json' \
--data '{
    "location": "West Europe",
    "kind": "app",
    "properties": {
        "virtualNetworkSubnetId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-vnet—name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>",
        "siteConfig": {}
    }
}'

• Request with "serverFarmId" property --> Slot successfully created

curl --location --request PUT 'https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Web/sites/<web-app-name>/slots/test-error-slot?api-version=2022-09-01' \
--header 'authorization: Bearer <token>' \
--header 'content-type: application/json' \
--data '{
    "location": "West Europe",
    "kind": "app",
    "properties": {
        "virtualNetworkSubnetId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-vnet—name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>",
        "serverFarmId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Web/serverfarms/<service-plan-name>",
        "siteConfig": {}
    }
}'

[xiaxyi]

Thanks @Apokalypt , I will let you know about any progress.

[Apokalypt]

@xiaxyi Have you had any news on this subject?

[sgnrl]

@xiaxyi Any updates?

[AndrewChastell]

It would be great to get this PR approved, thanks.

[SallyBirch1]

Also waiting on this PR to be approved to help unblock us.

[birenshah2]

Hi, also looking for an update on this...

[tdkeeley]

Thanks @Apokalypt for the PR, can we please hold adding the serverFarmId in the request as I'm trying to confirm with the app service team to see if it's required. I will update the thread once I have a progress, thanks for your understanding!

@xiaxyi were you able to confirm with the app service team? Dmitrii034, in the issue thread, says he confirmed with Microsoft: #24618 (comment)

saveler says a similar thing but with the specific change: #24618 (comment)

Based on the curl examples provided by @Apokalypt, serverFarmId not included, it fails, serverFarmId included, it works. The solution seems pretty clear. What else do we need in order to feel like this is an appropriate fix? This has been a blocker for a lot of us since January...

[tdkeeley]

#24618 (comment)

@tdkeeley Sorry, we did not get much else from that investigation. They recommended us to specify the parameter ourselves, but it is currently not possible due to validation on the provider. The only other thing of note is that they told us that they would make the resulting error clearer. This is probably why the new error now states that the parameter is missing. Not sure what is the reason for the current delay.

@xiaxyi what are your feelings about this? Sounds like Dmitrii034 from the issue thread was advised to specify the serverFarmId.

[xiaxyi]

Thanks everyone for your patience, we just got some updates from the service team, but still in the discussion about the api behavior, will update once we confirmed the final action

[mistyflip]

Eagerly awaiting this fix. Do you have an idea when we would have an action? Will Microsoft need to release an update as a dependency? Thankyou!

[saveler]

Hello @xiaxyi

Do you have any idea when it will be merged?
We are blocked due to this issue, and we are waiting for the fix.

Thank you!

[xiaxyi]

@stephybun the code change looks good to me, tests are good, failed ones are not related.

• For windows web app slot:
  
• For windows function app slot:
  

More information about the api behavior:
Confirmed that the serverFarmId is required when creating the slot with a vNet integrated as the api needs to check whether the vNet can be enabled based on the sku level, it's just the api doesn't take the parent app service's serverFarm as the default serverFarm for its slot currently (Not sure about the future api change...).

Even the service_plan_id is not a required field in the Terraform schema, however, adding the serverFarmId in the api payload won't be a breaking change to those users who are not specifying the service_plan_id in their config as Terraform check the parent app service's serverFarm and use it as the default severFarm for the slot.

Would you mind taking another look and let me know if you have any other concerns?

[stephybun]

Thanks @Apokalypt, thanks @xiaxyi LGTM 💯

[github-actions]

This functionality has been released in v3.105.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.