fix: resolve FC1 (Flex Consumption) SKU plan drift for kind, capacity, and maximumElasticWorkerCount (#128)

lonegunmanb · Copilot · web-flow · commit dba0f540e181 · 2026-04-20T10:41:28.000-04:00
* fix: resolve FC1 (Flex Consumption) SKU plan drift for kind, capacity, and maximumElasticWorkerCount Fixes #125 Three root causes of perpetual plan drift with FC1 SKU: 1. kind: FC1 requires 'functionapp' but module always sent 'linux'/'windows' based on os_type. Azure returns 'functionapp' causing drift. 2. sku.capacity: FC1 capacity is managed by Azure (always 0), but module sent var.worker_count (default 3) causing capacity drift. 3. maximumElasticWorkerCount: FC1's value is managed by Azure (resets to 1). Using merge() to conditionally omit the property for FC1, relying on azapi's ignore_missing_property to prevent drift. Changes: - locals.tf: Add is_flex_consumption flag, fix kind for FC1, add sku_capacity local, include FC1 in elastic worker count regex - main.tf: Use merge() for properties to conditionally omit maximumElasticWorkerCount for FC1, use local.sku_capacity for capacity Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve WS SKU kind and elasticScaleEnabled drift, add multi_kind example - Fix WS (Workflow Standard) SKU kind drift: Azure returns 'elastic' but module was sending 'linux'/'windows' based on os_type - Fix WS SKU elasticScaleEnabled drift: Azure enforces true for WS SKUs but module was sending false (regex only matched EP/P) - Add examples/multi_kind/ to verify all kind variants (S1/P1v2/FC1/WS1) deploy without configuration drift Fixes #125 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: add .e2eignore for multi_kind example, fix P1v2 zone balancing - Add .e2eignore to skip APRL well-architected checks for multi_kind example (FC1/WS1 are specialized SKUs that can't pass 'standard or premium tier' check) - Set zone_balancing=true for P1v2 plan (best practice) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: replace .e2eignore with rego exception for multi_kind example Delete .e2eignore which skipped all conftest checks for multi_kind. Instead, add a targeted APRL exception for service_plan_use_standard_or_premium_tier since FC1 (Flex Consumption) and WS1 (Workflow Standard) are specialized SKUs that intentionally do not fall into standard/premium/isolated tier categories. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: set worker_count=3 for zone-redundant P1v2 in multi_kind example Azure enforces minimum capacity for zone-redundant App Service Plans. With worker_count=1 and zone_balancing=true, Azure adjusts capacity to 2, causing idempotency drift. Setting worker_count=3 (one per availability zone) avoids this drift. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: remove zone_balancing from P1v2 in multi_kind example P1v2 + Availability Zones is not reliably available in australiaeast. Zone balancing is already tested in the complete example. The multi_kind example focuses on testing different SKU kinds (S1/P1v2/FC1/WS1), not zone redundancy. Added migrate_service_plan_to_availability_zone_support to APRL exceptions since P1v2 with zone_balancing=false triggers it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/examples/multi_kind/README.md b/examples/multi_kind/README.md
@@ -0,0 +1,139 @@
+<!-- BEGIN_TF_DOCS -->
+<!-- Code generated by terraform-docs. DO NOT EDIT. -->
+# Multi-kind example
+
+This example deploys multiple App Service Plans with different SKU kinds to verify that the module correctly handles the `kind` property for each SKU type without configuration drift.
+
+The following plan types are tested:
+
+- **Standard (S1)**: Linux, kind = `"linux"`
+- **Premium (P1v2)**: Windows, kind = `"windows"`
+- **Flex Consumption (FC1)**: Linux, kind = `"functionapp"`, capacity managed by Azure
+- **Workflow Standard (WS1)**: Windows, kind = `"elastic"`, elasticScaleEnabled forced true
+
+```hcl
+terraform {
+  required_version = ">= 1.9, < 2.0"
+
+  required_providers {
+    azapi = {
+      source  = "Azure/azapi"
+      version = "~> 2.4"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.5.0, < 4.0.0"
+    }
+  }
+}
+
+provider "azapi" {}
+
+resource "random_integer" "region_index" {
+  max = length(local.test_regions) - 1
+  min = 0
+}
+
+## End of section to provide a random Azure region for the resource group
+
+# This ensures we have unique CAF compliant names for our resources.
+module "naming" {
+  source  = "Azure/naming/azurerm"
+  version = "0.4.2"
+}
+
+# This is required for resource modules
+# Hardcoding location due to quota constraints
+resource "azapi_resource" "resource_group" {
+  location               = "australiaeast"
+  name                   = module.naming.resource_group.name_unique
+  type                   = "Microsoft.Resources/resourceGroups@2024-03-01"
+  response_export_values = []
+}
+
+# Deploy multiple App Service Plans with different SKU kinds
+module "test" {
+  source   = "../.."
+  for_each = local.plans
+
+  location               = azapi_resource.resource_group.location
+  name                   = "${module.naming.app_service_plan.name_unique}-${each.key}"
+  os_type                = each.value.os_type
+  parent_id              = azapi_resource.resource_group.id
+  enable_telemetry       = var.enable_telemetry
+  sku_name               = each.value.sku_name
+  worker_count           = each.value.worker_count
+  zone_balancing_enabled = each.value.zone_balancing
+}
+```
+
+<!-- markdownlint-disable MD033 -->
+## Requirements
+
+The following requirements are needed by this module:
+
+- <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) (>= 1.9, < 2.0)
+
+- <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) (~> 2.4)
+
+- <a name="requirement_random"></a> [random](#requirement\_random) (>= 3.5.0, < 4.0.0)
+
+## Resources
+
+The following resources are used by this module:
+
+- [azapi_resource.resource_group](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource) (resource)
+- [random_integer.region_index](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)
+
+<!-- markdownlint-disable MD013 -->
+## Required Inputs
+
+No required inputs.
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### <a name="input_enable_telemetry"></a> [enable\_telemetry](#input\_enable\_telemetry)
+
+Description: This variable controls whether or not telemetry is enabled for the module.  
+For more information see <https://aka.ms/avm/telemetryinfo>.  
+If it is set to false, then no telemetry will be collected.
+
+Type: `bool`
+
+Default: `true`
+
+## Outputs
+
+The following outputs are exported:
+
+### <a name="output_plan_names"></a> [plan\_names](#output\_plan\_names)
+
+Description: Names of the deployed app service plans
+
+### <a name="output_plan_resource_ids"></a> [plan\_resource\_ids](#output\_plan\_resource\_ids)
+
+Description: Resource IDs of the deployed app service plans
+
+## Modules
+
+The following Modules are called:
+
+### <a name="module_naming"></a> [naming](#module\_naming)
+
+Source: Azure/naming/azurerm
+
+Version: 0.4.2
+
+### <a name="module_test"></a> [test](#module\_test)
+
+Source: ../..
+
+Version:
+
+<!-- markdownlint-disable-next-line MD041 -->
+## Data Collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at <https://go.microsoft.com/fwlink/?LinkID=824704>. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
+<!-- END_TF_DOCS -->
diff --git a/examples/multi_kind/_footer.md b/examples/multi_kind/_footer.md
@@ -0,0 +1,4 @@
+<!-- markdownlint-disable-next-line MD041 -->
+## Data Collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at <https://go.microsoft.com/fwlink/?LinkID=824704>. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
diff --git a/examples/multi_kind/_header.md b/examples/multi_kind/_header.md
@@ -0,0 +1,10 @@
+# Multi-kind example
+
+This example deploys multiple App Service Plans with different SKU kinds to verify that the module correctly handles the `kind` property for each SKU type without configuration drift.
+
+The following plan types are tested:
+
+- **Standard (S1)**: Linux, kind = `"linux"`
+- **Premium (P1v2)**: Windows, kind = `"windows"`
+- **Flex Consumption (FC1)**: Linux, kind = `"functionapp"`, capacity managed by Azure
+- **Workflow Standard (WS1)**: Windows, kind = `"elastic"`, elasticScaleEnabled forced true
diff --git a/examples/multi_kind/exceptions/aprl.rego b/examples/multi_kind/exceptions/aprl.rego
@@ -0,0 +1,15 @@
+package Azure_Proactive_Resiliency_Library_v2
+
+import rego.v1
+
+# FC1 (Flex Consumption) and WS1 (Workflow Standard) are specialized SKUs
+# that do not fall into standard/premium/isolated tier categories.
+# This exception is required for the multi_kind example which intentionally
+# tests these non-standard SKU types.
+#
+# Zone redundancy is not tested in this example (it is covered by the
+# complete example). The APRL zone check only applies to Premium/Isolated
+# tiers, so P1v2 with zone_balancing=false would trigger it.
+exception contains rules if {
+  rules = ["service_plan_use_standard_or_premium_tier", "migrate_service_plan_to_availability_zone_support"]
+}
diff --git a/examples/multi_kind/locals.tf b/examples/multi_kind/locals.tf
@@ -0,0 +1,39 @@
+## Section to provide a random Azure region for the resource group
+# This allows us to randomize the region for the resource group.
+locals {
+  plans = {
+    linux_standard = {
+      os_type        = "Linux"
+      sku_name       = "S1"
+      worker_count   = 1
+      zone_balancing = false
+    }
+    windows_premium = {
+      os_type        = "Windows"
+      sku_name       = "P1v2"
+      worker_count   = 1
+      zone_balancing = false
+    }
+    flex_consumption = {
+      os_type        = "Linux"
+      sku_name       = "FC1"
+      worker_count   = 0
+      zone_balancing = false
+    }
+    workflow_standard = {
+      os_type        = "Windows"
+      sku_name       = "WS1"
+      worker_count   = 1
+      zone_balancing = false
+    }
+  }
+  test_regions = [
+    "centralus",
+    "southcentralus",
+    "canadacentral",
+    "eastus",
+    "eastus2",
+    "westus2",
+    "westus3"
+  ]
+}
diff --git a/examples/multi_kind/main.tf b/examples/multi_kind/main.tf
@@ -0,0 +1,53 @@
+terraform {
+  required_version = ">= 1.9, < 2.0"
+
+  required_providers {
+    azapi = {
+      source  = "Azure/azapi"
+      version = "~> 2.4"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.5.0, < 4.0.0"
+    }
+  }
+}
+
+provider "azapi" {}
+
+resource "random_integer" "region_index" {
+  max = length(local.test_regions) - 1
+  min = 0
+}
+
+## End of section to provide a random Azure region for the resource group
+
+# This ensures we have unique CAF compliant names for our resources.
+module "naming" {
+  source  = "Azure/naming/azurerm"
+  version = "0.4.2"
+}
+
+# This is required for resource modules
+# Hardcoding location due to quota constraints
+resource "azapi_resource" "resource_group" {
+  location               = "australiaeast"
+  name                   = module.naming.resource_group.name_unique
+  type                   = "Microsoft.Resources/resourceGroups@2024-03-01"
+  response_export_values = []
+}
+
+# Deploy multiple App Service Plans with different SKU kinds
+module "test" {
+  source   = "../.."
+  for_each = local.plans
+
+  location               = azapi_resource.resource_group.location
+  name                   = "${module.naming.app_service_plan.name_unique}-${each.key}"
+  os_type                = each.value.os_type
+  parent_id              = azapi_resource.resource_group.id
+  enable_telemetry       = var.enable_telemetry
+  sku_name               = each.value.sku_name
+  worker_count           = each.value.worker_count
+  zone_balancing_enabled = each.value.zone_balancing
+}
diff --git a/examples/multi_kind/outputs.tf b/examples/multi_kind/outputs.tf
@@ -0,0 +1,9 @@
+output "plan_names" {
+  description = "Names of the deployed app service plans"
+  value       = { for k, v in module.test : k => v.name }
+}
+
+output "plan_resource_ids" {
+  description = "Resource IDs of the deployed app service plans"
+  value       = { for k, v in module.test : k => v.resource_id }
+}
diff --git a/examples/multi_kind/variables.tf b/examples/multi_kind/variables.tf
@@ -0,0 +1,9 @@
+variable "enable_telemetry" {
+  type        = bool
+  default     = true
+  description = <<DESCRIPTION
+This variable controls whether or not telemetry is enabled for the module.
+For more information see <https://aka.ms/avm/telemetryinfo>.
+If it is set to false, then no telemetry will be collected.
+DESCRIPTION
+}
diff --git a/locals.tf b/locals.tf
@@ -1,9 +1,19 @@
 locals {
-  # Elastic scale is only applicable to Elastic Premium and Premium SKUs
-  elastic_scale_enabled = can(regex("^(EP|P)", var.sku_name)) ? var.premium_plan_auto_scale_enabled : false
+  # Elastic scale: WS SKUs are always elastic (Azure enforces elasticScaleEnabled=true),
+  # EP/P SKUs are user-controllable, others are false.
+  # Reference: https://github.com/Azure/terraform-azurerm-avm-res-web-serverfarm/issues/125
+  elastic_scale_enabled = local.is_workflow_standard ? true : (can(regex("^(EP|P)", var.sku_name)) ? var.premium_plan_auto_scale_enabled : false)
+  # Flex Consumption (FC1) requires special handling for kind, capacity, and maximumElasticWorkerCount
+  is_flex_consumption = var.sku_name == "FC1"
+  # Workflow Standard (WS1/WS2/WS3) requires kind="elastic" and elasticScaleEnabled=true
+  is_workflow_standard = can(regex("^WS", var.sku_name))
   # Determine the kind property based on os_type and sku_name
   # Reference: https://github.com/Azure/app-service-linux-docs/blob/master/Things_You_Should_Know/kind_property.md
-  kind = var.os_type == "Linux" ? "linux" : "windows"
-  # Maximum elastic worker count is only applicable to Elastic Premium and WS SKUs
-  maximum_elastic_worker_count = can(regex("^(EP|WS)", var.sku_name)) ? var.maximum_elastic_worker_count : var.worker_count
+  # FC1 (Flex Consumption) always uses "functionapp" regardless of os_type
+  # WS (Workflow Standard) always uses "elastic" regardless of os_type
+  kind = local.is_flex_consumption ? "functionapp" : (local.is_workflow_standard ? "elastic" : (var.os_type == "Linux" ? "linux" : "windows"))
+  # Maximum elastic worker count is applicable to Elastic Premium, WS, and Flex Consumption SKUs
+  maximum_elastic_worker_count = can(regex("^(EP|WS|FC)", var.sku_name)) ? var.maximum_elastic_worker_count : var.worker_count
+  # FC1 capacity is managed by Azure (always 0), other SKUs use worker_count
+  sku_capacity = local.is_flex_consumption ? 0 : var.worker_count
 }
diff --git a/main.tf b/main.tf
@@ -19,7 +19,7 @@ resource "azapi_resource" "this" {
   type      = var.server_farm_resource_type
   body = {
     kind = local.kind
-    properties = {
+    properties = merge({
       asyncScalingEnabled       = null
       freeOfferExpirationTime   = null
       isCustomMode              = var.os_type == "WindowsManagedInstance"
@@ -29,7 +29,6 @@ resource "azapi_resource" "this" {
       elasticScaleEnabled       = local.elastic_scale_enabled
       hostingEnvironmentProfile = var.app_service_environment_id != null ? { id = var.app_service_environment_id } : null
       hyperV                    = var.os_type == "WindowsContainer"
-      maximumElasticWorkerCount = local.maximum_elastic_worker_count
       installScripts = var.os_type == "WindowsManagedInstance" && var.install_scripts != null ? [
         for script in var.install_scripts : {
           name = script.name
@@ -74,10 +73,15 @@ resource "azapi_resource" "this" {
       targetWorkerSizeId = null
       workerTierName     = null
       zoneRedundant      = var.zone_balancing_enabled
-    }
+      },
+      # FC1 (Flex Consumption) maximumElasticWorkerCount is managed by Azure; omit it so ignore_missing_property handles drift
+      local.is_flex_consumption ? {} : {
+        maximumElasticWorkerCount = local.maximum_elastic_worker_count
+      }
+    )
     sku = {
       name     = var.sku_name
-      capacity = var.worker_count
+      capacity = local.sku_capacity
       family   = null
       size     = null
       tier     = null
