Description
Describe the bug
We are using Terraform with the AzApi resource to configure a boilerplate container app with SQL Service Connector (to manage connection strings securely via user assigned identity). This all works fine and dynamically creates an Environment variable for you as per its design.
However, when we deploy our application, with some other Env vars defined for the container using the yml schema (az containerapp update --resource-group some_rg --name some_container_name --yaml somefile.yml), it wipes out the dynamically created connection string environment variable created by the container app service connector.
The steps involved here are to:
1. Create a boilerplate container app via terraform using the azapi_resource with the latest version of the Azure API Microsoft.App/containerApps@2025-02-02-preview
2. Create a Service Connector to Azure SQL DB using the azapi_resource with the latest version of the ServiceLinker Azure API Microsoft.ServiceLinker/linkers@2024-04-01, for example:

```hcl
resource "azapi_resource" "sql_connection" {
  type      = "Microsoft.ServiceLinker/linkers@2024-04-01"
  name      = azurerm_mssql_database.identity.name
  parent_id = module.container_app.app.id
  body = {
    properties = {
      scope = "main"
      targetService = {
        type = "AzureResource"
        id   = azurerm_mssql_database.identity.id
      }
      authInfo = {
        authType       = "userAssignedIdentity"
        clientId       = module.container_app.identity.client_id
        subscriptionId = (provider::azurerm::parse_resource_id(module.container_app.identity.id))["subscription_id"]
      }
      configurationInfo = {
        deleteOrUpdateBehavior = "ForcedCleanup"
        additionalConnectionStringProperties = {
          "Data Source" = "${azurerm_mssql_failover_group.identity.name}.database.windows.net,1433"
        }
        customizedKeys = {
          AZURE_SQL_CONNECTIONSTRING = "ConnectionStrings__identityDb"
        }
      }
      clientType = "dotnet"
    }
  }
}
```

This all works fine and as expected and creates the connection string environment variable for the container app.
3. Deploy the application using az containerapp update --resource-group some_rg --name some_container_name --yaml somefile.yml with the following example yml:
```yaml
# yaml-language-server: $schema=https://www.schemastore.org/azure-containerapp-template.json
---
properties:
  environmentId: '${CONTAINER_APP_ENVIRONMENT_ID}'
  workloadProfileName: Consumption
  configuration:
    activeRevisionsMode: Single
    registries:
      - server: ${CONTAINER_REGISTRY}
        identity: ${CONTAINER_REGISTRY_IDENTITY_ID}
    runtime:
      dotnet:
        autoConfigureDataProtection: true
    ingress:
      targetPort: 8080
  template:
    revisionSuffix: ${REVISION_SUFFIX}
    scale:
      minReplicas: ${MIN_REPLICAS}
    containers:
      - image: ${CONTAINER_REGISTRY}/docker/${IMAGE_NAME}:${IMAGE_TAG}
        name: main
        env:
          - name: ASPNETCORE_ENVIRONMENT
            value: ${ASPNETCORE_ENVIRONMENT}
          - name: AZURE_CLIENT_ID
            value: ${CONTAINER_APP_CLIENT_ID}
        probes:
          - type: Liveness
            httpGet:
              path: /alive
              port: 8080
              scheme: HTTP
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          - type: Readiness
            httpGet:
              path: /health
              port: 8080
              scheme: HTTP
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
```

And the app deploy wipes out the connection string environment variable, thus breaking the container app.
Related command
az containerapp update --resource-group some_rg --name some_container_name --yaml somefile.yml
Errors
No errors, just wipes out existing Service Connector Environment variables, breaking the application
Issue script & Debug output
See description for issue flow
Expected behavior
Container app is deployed and existing Service Connector Environment variables respected and untouched when deploying via --yaml
Environment Summary
azure-cli 2.76.0
core 2.76.0
telemetry 1.1.0
Extensions:
azure-devops 1.0.2
Dependencies:
msal 1.33.0b1
azure-mgmt-resource 23.3.0
Python location '/opt/az/bin/python3'
Config directory '/home/runner/.azure'
Extensions directory '/opt/az/azcliextensions'
Python (Linux) 3.12.10 (main, Jul 29 2025, 09:28:48) [GCC 13.3.0]
Additional context
No response
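A pre-deploy guard for the behaviour reported above, as an added example that is not part of the issue or of azure-cli: it compares the env names on the live app with those in the template about to be applied, reports the ones the template would drop, and can carry them over. It assumes both inputs are dicts shaped like `properties.template.containers[].env` in the YAML above (the live one taken from the JSON of `az containerapp show`); the function names and sample data are constructed for illustration.

```python
import copy

def env_by_container(app):
    """Map container name -> {env name: env entry} for an app or template dict."""
    containers = app.get("properties", {}).get("template", {}).get("containers") or []
    return {c["name"]: {e["name"]: e for e in c.get("env") or []} for c in containers}

def dropped_env(live, desired):
    """Env names set on the live app but missing from the template, per container."""
    want = env_by_container(desired)
    dropped = {}
    for cname, envs in env_by_container(live).items():
        missing = sorted(set(envs) - set(want.get(cname, {})))
        if missing:
            dropped[cname] = missing
    return dropped

def merge_preserving(live, desired, keep):
    """Copy of the template with the live env entries named in `keep` appended."""
    merged = copy.deepcopy(desired)
    live_envs = env_by_container(live)
    for c in merged["properties"]["template"]["containers"]:
        c["env"] = list(c.get("env") or [])
        have = {e["name"] for e in c["env"]}
        for name in keep:
            entry = live_envs.get(c["name"], {}).get(name)
            if entry and name not in have:
                c["env"].append(copy.deepcopy(entry))
    return merged

# Constructed sample: the live app carries the connector-created variable,
# the deploy template (parsed from the YAML) does not.
LIVE = {"properties": {"template": {"containers": [{"name": "main", "env": [
    {"name": "ASPNETCORE_ENVIRONMENT", "value": "Production"},
    {"name": "AZURE_CLIENT_ID", "value": "00000000-0000-0000-0000-000000000000"},
    {"name": "ConnectionStrings__identityDb", "value": "<constructed placeholder>"},
]}]}}}
DESIRED = {"properties": {"template": {"containers": [{"name": "main", "env": [
    {"name": "ASPNETCORE_ENVIRONMENT", "value": "Production"},
    {"name": "AZURE_CLIENT_ID", "value": "00000000-0000-0000-0000-000000000000"},
]}]}}}

if __name__ == "__main__":
    lost = dropped_env(LIVE, DESIRED)
    print("would be dropped:", lost)
    merged = merge_preserving(LIVE, DESIRED, lost.get("main", []))
    print("after merge:", dropped_env(LIVE, merged))
```

In a pipeline, failing the job when `dropped_env` returns anything makes the loss visible before the update runs rather than after the app has lost its connection string.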