I am trying to deploy an Azure Linux function app via Terraform. This function app uses Microsoft-based authentication. Inside my function app resource template I have this block for authentication:
  dynamic "auth_settings_v2" {
    content {
      auth_enabled           = true
      require_authentication = true

      microsoft_v2 {
        client_id                  = var.app_registration_client_id
        client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
        allowed_audiences          = ["api://${var.app_registration_client_id}"]
      }

      login {}
    }
  }
I also specify an app setting named MICROSOFT_PROVIDER_AUTHENTICATION_SECRET. I verified in the Azure Portal that authentication does get enabled, but it shows "Microsoft (V1)". I also verified that the app setting was added with the correct secret value.

I am using hashicorp/azurerm = 3.104.2. Why is this enabling V1 auth instead of V2?
The Terraform AzureRM provider version you're using mainly focuses on the ADAL library for authentication. Check that you have upgraded the Terraform version properly to the latest release.

If the issue still persists, try adding the runtime_version property under the auth_settings_v2 block, as shown in the code below.

  runtime_version = "~2"

But after I tried multiple times to enable microsoft_v2, every time it deployed v1. It seems like a bug in the documentation.

As a workaround, you can use the active_directory_v2 authentication provider instead of microsoft_v2.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.104.2"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "client_id" {
  description = "Application (client) ID of the app registration used for sign-in"
  type        = string
}

variable "client_secret" {
  description = "Client secret of the app registration; Easy Auth reads it from the app setting below"
  type        = string
  sensitive   = true
}

data "azurerm_resource_group" "example" {
  name = "Jahnavi"
}

resource "azurerm_storage_account" "example" {
  name                     = "functionappsajnew"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_service_plan" "example" {
  name                = "jahplannew"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "Y1" # Consumption plan
}

resource "azurerm_linux_function_app" "example" {
  name                       = "exampleappjnew"
  resource_group_name        = data.azurerm_resource_group.example.name
  location                   = data.azurerm_resource_group.example.location
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  service_plan_id            = azurerm_service_plan.example.id

  site_config {}

  # The secret is not placed in the auth block itself; Easy Auth reads it
  # from the app setting named by client_secret_setting_name.
  app_settings = {
    "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" = var.client_secret
  }

  auth_settings_v2 {
    auth_enabled           = true
    runtime_version        = "~2"
    default_provider       = "aad"
    require_authentication = true
    require_https          = true
    unauthenticated_action = "RedirectToLoginPage"

    active_directory_v2 {
      client_id                  = var.client_id
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
      # Replace tenant_ID with the directory (tenant) ID of the app registration.
      tenant_auth_endpoint = "https://login.microsoftonline.com/tenant_ID/v2.0/"
    }

    login {}
  }
}
Output:
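A way to verify what the answer's workaround actually produced, independent of the portal label: read back the app's Easy Auth v2 configuration (for example with `az webapp auth show --name <app> --resource-group <rg>`) and inspect the Entra ID provider's openIdIssuer, which is a v2.0 authority when the path ends in /v2.0 and a v1 issuer (sts.windows.net/<tenant>/ or login.microsoftonline.com/<tenant>/ with no version segment) otherwise. The script below is an added example, not code from the question or the answer; the two input documents are constructed to mirror the Terraform above with placeholder IDs, and the authsettingsV2 field names follow the Microsoft.Web sites/config schema (an assumption about the CLI's exact output shape). It also reports whether the app-setting name the provider references actually exists, and whether a legacyMicrosoftAccount provider is present, which is the identityProviders entry azurerm's microsoft_v2 block maps to rather than azureActiveDirectory.

```python
"""Inspect an App Service / Function App Easy Auth v2 configuration and
report which Entra ID (Azure AD) endpoint version it is wired to.

Added example, not code from the question or answer above. Inputs are
constructed authsettingsV2 documents with placeholder IDs; field names
follow the Microsoft.Web sites/config authsettingsV2 schema (assumed to
match what `az webapp auth show` prints).
"""
import json
from urllib.parse import urlparse

PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # not a real app registration
SECRET_SETTING = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"


def make_sample(issuer: str, audiences: list, require_https: bool = True) -> str:
    """Build a constructed authsettingsV2 document (placeholder values only)."""
    return json.dumps({
        "platform": {"enabled": True, "runtimeVersion": "~2"},
        "globalValidation": {
            "requireAuthentication": True,
            "unauthenticatedClientAction": "RedirectToLoginPage",
            "redirectToProvider": "azureactivedirectory",
        },
        "httpSettings": {"requireHttps": require_https},
        "identityProviders": {
            "azureActiveDirectory": {
                "enabled": True,
                "registration": {
                    "clientId": PLACEHOLDER_CLIENT_ID,
                    "clientSecretSettingName": SECRET_SETTING,
                    "openIdIssuer": issuer,
                },
                "validation": {"allowedAudiences": audiences},
            }
        },
        "login": {"tokenStore": {"enabled": True}},
    })


# What the answer's active_directory_v2 block should yield: v2.0 issuer, explicit audience.
SAMPLE_V2 = make_sample("https://login.microsoftonline.com/tenant_ID/v2.0/",
                        [f"api://{PLACEHOLDER_CLIENT_ID}"])
# The v1 shape: the tenant's sts.windows.net issuer with no version segment and no audiences.
SAMPLE_V1 = make_sample("https://sts.windows.net/tenant_ID/", [])
# App settings as Terraform would set them (the value here is a placeholder).
APP_SETTINGS = {SECRET_SETTING: "<client secret from var.client_secret>"}


def inspect_easy_auth(auth_json: str, app_settings: dict) -> dict:
    """Return the endpoint version in use plus findings a reviewer would flag."""
    cfg = json.loads(auth_json)
    providers = cfg.get("identityProviders", {})
    aad = providers.get("azureActiveDirectory", {})
    reg = aad.get("registration", {})
    issuer = reg.get("openIdIssuer", "")
    # A v2.0 authority ends in "/v2.0" (trailing slash optional); v1 issuers
    # carry no version segment at all.
    path = urlparse(issuer).path.rstrip("/")
    if not issuer:
        version = None
    elif path.endswith("/v2.0"):
        version = "v2"
    else:
        version = "v1"

    secret_name = reg.get("clientSecretSettingName")
    audiences = aad.get("validation", {}).get("allowedAudiences", [])
    findings = []
    if version == "v1":
        findings.append("openIdIssuer is a v1 endpoint; use https://login.microsoftonline.com/<tenant>/v2.0 for v2")
    if secret_name and secret_name not in app_settings:
        findings.append(f"client secret setting {secret_name!r} is referenced but missing from app settings")
    if not audiences:
        findings.append("allowedAudiences is empty; only the implicit client-ID audience is accepted")
    if not cfg.get("httpSettings", {}).get("requireHttps", False):
        findings.append("requireHttps is false; auth cookies and tokens may travel over plain HTTP")
    return {
        "auth_enabled": cfg.get("platform", {}).get("enabled", False),
        "aad_endpoint_version": version,
        # azurerm's microsoft_v2 block configures the Microsoft Account provider,
        # which lands in this separate identityProviders entry.
        "microsoft_account_configured": "legacyMicrosoftAccount" in providers,
        "secret_setting_present": secret_name in app_settings,
        "allowed_audiences": audiences,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, doc in (("v2 sample", SAMPLE_V2), ("v1 sample", SAMPLE_V1)):
        print(label, json.dumps(inspect_easy_auth(doc, APP_SETTINGS), indent=2))
```

Run against the real `az webapp auth show` output by passing that JSON string and the app's `az webapp config appsettings list` keys instead of the constructed samples; an empty findings list with `aad_endpoint_version == "v2"` is the state the Terraform above is meant to reach.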