Tags: c#, asp.net-core, cors, asp.net-core-webapi, azure-bicep

ASP.NET Core CORS Setup Stops Working After Bicep Deployment


We have an ASP.NET Core Web API solution deployed in an Azure Web App. We deploy the ASP.NET Core project to Azure and everything works as expected. When we redeploy the Bicep infrastructure scripts for creating the web app, however, the CORS configuration seems to be lost and the API starts rejecting cross-site requests.

Restarting the web app does not help, but redeploying it does. We tried triggering this break by restarting/starting/stopping the web app, but that does not break the CORS configuration.

Any ideas as to how an ARM template can break ASP.NET Core CORS? There is no CORS configured for the web app.

We use the following CORS configuration in our API:

(...)
var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";

builder.Services.AddCors(options =>
{
    List<string> allowedOrigins = ["url"];

    options.AddPolicy(name: MyAllowSpecificOrigins,
                      policy =>
                      {
                          policy
                            .WithOrigins([.. allowedOrigins])
                            .AllowAnyMethod()
                            .AllowAnyHeader();
                      });
});
(...)

var app = builder.Build();

app.UseExceptionHandler();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseCors(MyAllowSpecificOrigins);

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers()
    .RequireAuthorization();

app.Run();

And here is the Bicep template for the web app:

resource appServicePlan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: appServicePlanName
  location: location
  properties: {
    reserved: false
  }
  sku: {
    ...
  }
}

resource apiService 'Microsoft.Web/sites@2023-01-01' = {
  name: apiAppName
  location: location
  identity: {
    type: 'SystemAssigned'
  }  
  properties: {
    httpsOnly: true
    serverFarmId: appServicePlan.id
    siteConfig: {
      alwaysOn: true
      http20Enabled: true
      appSettings: [
        {
          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
          value: applicationInsights.properties.ConnectionString
        }
        {
          name: 'ApplicationInsightsAgent_EXTENSION_VERSION'
          value: '~2'
        }
      ]
    } 
  }
}

resource apiServiceSiteConfig 'Microsoft.Web/sites/config@2023-01-01' = {
  parent: apiService
  name: 'web'
  properties: {
    cors: null
    netFrameworkVersion: 'v8.0'
    use32BitWorkerProcess: false
    webSocketsEnabled: true
    alwaysOn: true
    managedPipelineMode: 'Integrated'
    http20Enabled: true
    minTlsVersion: '1.2'
    scmMinTlsVersion: '1.2'
    ftpsState: 'FtpsOnly'
    localMySqlEnabled: false
  }
}

Solution

  • In your Bicep file, there are only two app settings defined. Every time you run the Bicep file, the deployment will remove all other app settings, which may cause your web app to stop working properly.

    You can have a look at this SO post if you want to keep the app settings that are not defined through Bicep:
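
A pre-deployment check for the behaviour this answer describes, as an added example that is not part of the original answer or of the post it links to: it lists the live app settings that are missing from the compiled template and would therefore be removed. It assumes the template was compiled with `az bicep build` and the live settings were exported with `az webapp config appsettings list`; the function names and both sample inputs are constructed for illustration.

```python
import json

def declared_app_settings(template):
    """Return (names, dynamic): declared app-setting names, and whether any block is an unresolved ARM expression."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):          # languageVersion 2.0 uses a symbolic-name map
        resources = list(resources.values())
    names, dynamic = set(), False
    for res in resources:
        rtype = res.get("type", "").lower()
        props = res.get("properties", {})
        if rtype == "microsoft.web/sites":
            settings = props.get("siteConfig", {}).get("appSettings") or []
        elif rtype == "microsoft.web/sites/config" and "appsettings" in res.get("name", "").lower():
            settings = props
        else:
            continue                         # e.g. the 'web' config resource carries no app settings here
        if isinstance(settings, str):        # e.g. "[union(...)]", only evaluated at deploy time
            dynamic = True
        elif isinstance(settings, dict):     # sites/config 'appsettings' is a name -> value map
            names.update(settings)
        else:                                # siteConfig.appSettings is a list of {name, value}
            names.update(s["name"] for s in settings)
    return names, dynamic

def settings_at_risk(template, live_settings):
    """Live settings absent from the template, i.e. the ones the deployment would remove."""
    names, dynamic = declared_app_settings(template)
    if dynamic:
        return None                          # cannot be decided statically; review by hand
    return sorted(s["name"] for s in live_settings if s["name"] not in names)

# Constructed sample: the page's template in compiled ARM JSON form (values shortened).
TEMPLATE = json.loads("""{"resources": [
  {"type": "Microsoft.Web/sites", "name": "[parameters('apiAppName')]",
   "properties": {"siteConfig": {"appSettings": [
     {"name": "APPLICATIONINSIGHTS_CONNECTION_STRING", "value": "[reference(...)]"},
     {"name": "ApplicationInsightsAgent_EXTENSION_VERSION", "value": "~2"}]}}},
  {"type": "Microsoft.Web/sites/config",
   "name": "[format('{0}/{1}', parameters('apiAppName'), 'web')]",
   "properties": {"cors": null}}]}""")

# Constructed sample in the shape printed by `az webapp config appsettings list`.
LIVE = [{"name": n, "value": "placeholder", "slotSetting": False}
        for n in ("APPLICATIONINSIGHTS_CONNECTION_STRING", "ApplicationInsightsAgent_EXTENSION_VERSION",
                  "WEBSITE_RUN_FROM_PACKAGE", "ExampleFeatureFlag")]

if __name__ == "__main__":
    print(settings_at_risk(TEMPLATE, LIVE))
```

A `None` result means the template builds its app settings from an expression, so the comparison has to be made against the deployed result instead.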