Introduction
When upgrading the AzureRM provider to version 4.0 or later, you may encounter an error related to the vnet_image_pull_enabled attribute for function app resources running in an App Service Environment. This article explains the cause of this error and provides the solution.
Problem
After upgrading the AzureRM provider, running a terraform plan or terraform apply fails with the following error message:
Error: vnet_image_pull_enabled cannot be disabled for app running in an app service environment
Prerequisites
This issue affects configurations that meet the following criteria:
- You are upgrading the AzureRM provider from a version earlier than v4.0 (e.g., v3.x).
- Your configuration includes one or more of the following resources deployed in an App Service Environment:
azurerm_linux_function_appazurerm_linux_function_app_slotazurerm_windows_function_appazurerm_windows_function_app_slot
Cause
Version 4.0 of the AzureRM provider introduced a new required argument, vnet_image_pull_enabled, for function app resources. If the function app is running in an App Service Environment, this argument must be explicitly set to true. The provider upgrade guide notes this change, and failing to add this argument to existing resources will cause the plan to fail.
Solution
To resolve this error, you must update the configuration for the affected function app resources to include the vnet_image_pull_enabled = true setting within the site_config block.
For example, update your azurerm_linux_function_app resource configuration as shown below.
resource "azurerm_linux_function_app" "example" {
## ... other arguments
site_config {
## ... other site_config arguments
vnet_image_pull_enabled = true
}
}Outcome
After adding vnet_image_pull_enabled = true to the configuration of all affected resources, terraform plan and terraform apply will execute successfully without returning the error.
Additional Information
For more details on this change, please refer to the official provider documentation.