terraform

Terraform AzureRM 3.0 Brings Enhanced Azure Function Support

AzureRM 3.0 brings significant parity between the Azure provider for Terraform and Azure services currently available. Review the breaking changes as you prepare to upgrade.

Over the past 18 months, practitioner adoption of the Terraform AzureRM provider has grown by 1,600%. Since the last major release in February 2020, HashiCorp and Microsoft have added approximately 40 new services and 381 resources, bringing the totals to 99 services and 761 resources as of mid March, 2022. HashiCorp is committed to delivering an ideal user experience for practitioners using this provider, as well as providing significant coverage for these new services and resources.

While we have been hard at work expanding the coverage in the provider, we needed to make space for significant changes and prepare for the next major release. Along with our partner Microsoft, we are happy to announce the release of version 3.0 of the Terraform AzureRM provider. It includes features and enhancements that will help simplify your configurations and improve the overall experience of using the provider. Major improvements include:

  • New data sources and resources for App Service/Function Apps and their supporting resources.
  • Key Vault: Soft Delete recovery/purging for certificates, deys, and secrets.
  • Switching to Microsoft Authentication Library (MSAL) instead of Azure Active Directory Authentication Library (ADAL), and migrating away from the deprecated Azure Active Directory (AAD) Graph API.
  • Updates to existing behaviors for Application Gateway, API Management, Resource Groups, Storage, and all resources with specific fields.

Let's dig into these big changes.

»New Data Sources and Resources for App Service/Function Apps

App Services and Function Apps in the Terraform Azure Provider were first available in 2017. Since then, the design and behavior of the App Service platform has changed dramatically. For AzureRM 3.0, we have completely rehauled these resources and data sources to reflect what is available in Azure today. You can see the list of affected resources and their statuses here.

»Key Vault Soft Delete

Previously, Soft Delete was available only for a Key Vault resource as a whole. Now, you’ll be able to soft delete the nested items within a Key Vault: certificates, keys, and secrets.

»Microsoft Graph

The AzureRM provider previously used the AAD Graph API to retrieve important information about the principal account it’s using to authenticate. Now that we have changed to using MSAL for authentication, and since Microsoft is deprecating the AAD Graph API, we’re no longer using this API in the AzureRM provider.

While using MSAL will cover most of your authentication needs, there may be circumstances where the AzureRM provider queries Microsoft Graph — the replacement for the deprecated AAD Graph API.

Note that when using the AzureRM Terraform Backend you will also need to update the backend Configuration to use MSAL, which can be configured in Terraform 1.1.

Note: Microsoft has indicated the AAD Graph API will be deprecated in the near future, therefore 2.x versions of the AzureRM provider will no longer function properly once Microsoft disables the legacy API. Migrating to AzureRM 3.0 will ensure that you do not run into authentication-related issues after the API is disabled. More information can be found in the upgrade guide.

»Updates to Existing Behaviors

  • Application Gateway: The behavior of nested items will now be unordered where required, meaning that the order of these items no longer matters. Note: if you're referencing these nested items within your Terraform configuration, this may require some code changes.

  • API Management: Terraform will now remove the Default API and Products when creating a new API Management instance, which is consistent with the behavior of other Terraform providers.

  • Resource Groups: Terraform will now check by default for resources nested within a Resource Group prior to deletion of the resource group. If any items are found, an error will be raised. This behavior can be turned off in the provider feature block (prevent_deletion_if_contains_resources = false).

  • Storage: The field allow_blob_public_access has been renamed to allow_nested_items_to_be_public to resolve confusion about what this field does. This field specifies whether items within the Storage Account (such as Containers and Blobs) can opt-in to being made public (for example at the Container or Blob level) — and not that all resources within this Storage Account are public by default.

  • Other behavioral changes:

    • All Resources: The Resource ID is now validated at import time to ensure the correct resource is being imported and return the expected format upon a mismatch. While we do this for most resources today, we’ll be doing this for everything going forward. This ensures that, for example, a Virtual Machine ID is specified rather than the VM Extension ID (which is nested under a Virtual Machine ID).
    • All Resources: Resource IDs are now generated by the provider rather than querying an API during creation, improving the provisioning time of large Terraform configurations and reducing the chance of hitting service-rate limits.
    • All Resources that use min_tls_version: Updated the default minimum TLS version to be 1.2.
    • Resources with an (Availability) Zones field: Updated the behavior to be consistent across the provider.
      • Availability Zones will be represented across all resources that support it using the field zones.
      • No-Zone and ZoneRedundant values have been removed in favor of being explicit.
      • Where this field was Optional and Computed: it will no longer be Computed. This means that if you wish to use the Availability Zone defaulted by Azure, you will need to use Terraform’s ignore_changes functionality to ignore changes to this field.
      • Where this field is Optional (and isn’t defaulted by Azure): omitting this field (or specifying a value of null) will deploy this without any Zones.
      • Where this field is required: there are no changes.
      • ZoneRedundant resources can be provisioned by specifying all of the Availability Zones for that particular Azure region.
    • Resources with a (Managed) Identity block: Behavior is now consistent across the provider:
      • The presence of an identity block means a Managed Identity should be assigned to this resource.
      • The omission of an identity block (or a null value) means that no Managed Identity should be assigned to this resource.

»Deprecations and Breaking Changes

Since the last major release, the AzureRM provider has accumulated fields that have been deprecated, renamed, or are no longer supported by Azure. As version 3.0 is a major release, we have removed a number of resources, data sources, and fields that have been deprecated over the course of the provider’s lifetime. A complete list of fields that will no longer be supported by the provider can be found in the AzureRM 3.0 upgrade guide.

Deprecated (remains available but feature-frozen, will be removed in a future release):

  • Azure SQL resources with names beginning with azurem_sql have been replaced by new resources using a more recent API in the azurerm_mssql namespace. Details on each resource are available in the AzureRM upgrade guide.
  • The azurerm_template_deployment resource has been deprecated and replaced by the azurerm_resource_group_template_deployment resource.
  • The azurerm_virtual_machine_scale_set resource has been replaced by the operating system specific linux_virtual_machine_scale_set and windows_virtual_machine_scale_set resources.
  • The traffic_manager_endpoint has been deprecated and split into the traffic_manager_azure_endpoint, traffic_manager_external_endpoint, and traffic_manager_nested_endpoint resources.

Deprecated and removed:

  • Service Fabric Mesh
  • DevSpace

Note: Version 3.0 and 3.x versions of the AzureRM provider will be the last versions compatible with Terraform 0.12 - 0.15.

»Upgrade Guide

In addition to the information above, the AzureRM provider team has put together an upgrade guide, with more information and examples of the changes discussed above.

»We’d Like Your Feedback

The AzureRM provider team has worked hard on these changes and is excited to bring you these new features. Please try this release out and share any bugs or enhancement requests with us via GitHub issues. We look forward to your feedback and want to thank you for being such a great community!

Sign up for the latest HashiCorp news