AzureRM 3.0 brings significant parity between the Azure provider for Terraform and Azure services currently available. Review the breaking changes as you prepare to upgrade.
Over the past 18 months, practitioner adoption of the Terraform AzureRM provider has grown by 1,600%. Since the last major release in February 2020, HashiCorp and Microsoft have added approximately 40 new services and 381 resources, bringing the totals to 99 services and 761 resources as of mid March, 2022. HashiCorp is committed to delivering an ideal user experience for practitioners using this provider, as well as providing significant coverage for these new services and resources.
While we have been hard at work expanding the coverage in the provider, we needed to make space for significant changes and prepare for the next major release. Along with our partner Microsoft, we are happy to announce the release of version 3.0 of the Terraform AzureRM provider. It includes features and enhancements that will help simplify your configurations and improve the overall experience of using the provider. Major improvements include:
Let's dig into these big changes.
App Services and Function Apps in the Terraform Azure Provider were first available in 2017. Since then, the design and behavior of the App Service platform has changed dramatically. For AzureRM 3.0, we have completely rehauled these resources and data sources to reflect what is available in Azure today. You can see the list of affected resources and their statuses here.
Previously, Soft Delete was available only for a Key Vault resource as a whole. Now, you’ll be able to soft delete the nested items within a Key Vault: certificates, keys, and secrets.
The AzureRM provider previously used the AAD Graph API to retrieve important information about the principal account it’s using to authenticate. Now that we have changed to using MSAL for authentication, and since Microsoft is deprecating the AAD Graph API, we’re no longer using this API in the AzureRM provider.
While using MSAL will cover most of your authentication needs, there may be circumstances where the AzureRM provider queries Microsoft Graph — the replacement for the deprecated AAD Graph API.
Note that when using the AzureRM Terraform Backend you will also need to update the backend Configuration to use MSAL, which can be configured in Terraform 1.1.
Note: Microsoft has indicated the AAD Graph API will be deprecated in the near future, therefore 2.x versions of the AzureRM provider will no longer function properly once Microsoft disables the legacy API. Migrating to AzureRM 3.0 will ensure that you do not run into authentication-related issues after the API is disabled. More information can be found in the upgrade guide.
Application Gateway: The behavior of nested items will now be unordered where required, meaning that the order of these items no longer matters. Note: if you're referencing these nested items within your Terraform configuration, this may require some code changes.
API Management: Terraform will now remove the Default API and Products when creating a new API Management instance, which is consistent with the behavior of other Terraform providers.
Resource Groups: Terraform will now check by default for resources nested within a Resource Group prior to deletion of the resource group. If any items are found, an error will be raised. This behavior can be turned off in the provider feature block (
prevent_deletion_if_contains_resources = false).
Storage: The field
allow_blob_public_access has been renamed to
allow_nested_items_to_be_public to resolve confusion about what this field does. This field specifies whether items within the Storage Account (such as Containers and Blobs) can opt-in to being made public (for example at the Container or Blob level) — and not that all resources within this Storage Account are public by default.
Other behavioral changes:
min_tls_version: Updated the default minimum TLS version to be 1.2.
ZoneRedundant values have been removed in favor of being explicit.
ignore_changes functionality to ignore changes to this field.
ZoneRedundant resources can be provisioned by specifying all of the Availability Zones for that particular Azure region.
Resources with a (Managed) Identity block: Behavior is now consistent across the provider:
Since the last major release, the AzureRM provider has accumulated fields that have been deprecated, renamed, or are no longer supported by Azure. As version 3.0 is a major release, we have removed a number of resources, data sources, and fields that have been deprecated over the course of the provider’s lifetime. A complete list of fields that will no longer be supported by the provider can be found in the AzureRM 3.0 upgrade guide.
Deprecated (remains available but feature-frozen, will be removed in a future release):
azurem_sql have been replaced by new resources using a more recent API in the
azurerm_mssql namespace. Details on each resource are available in the AzureRM upgrade guide.
azurerm_template_deployment resource has been deprecated and replaced by the
azurerm_virtual_machine_scale_set resource has been replaced by the operating system specific
traffic_manager_endpoint has been deprecated and split into the
Deprecated and removed:
Note: Version 3.0 and 3.x versions of the AzureRM provider will be the last versions compatible with Terraform 0.12 - 0.15.
In addition to the information above, the AzureRM provider team has put together an upgrade guide, with more information and examples of the changes discussed above.
The AzureRM provider team has worked hard on these changes and is excited to bring you these new features. Please try this release out and share any bugs or enhancement requests with us via GitHub issues. We look forward to your feedback and want to thank you for being such a great community!
17 new Terraform integrations from 14 partners provide more options to automate and secure cloud infrastructure management.
The latest Terraform Cloud and Enterprise enhancements help users leverage high-quality modules, monitor their workspace health, minimize management overhead, and more.
Learn the installation and verification workflow for any Linux distribution that does not include HashiCorp software in its package repository.