Share via

Azure App Service: how to inventory and safely restore application settings wiped by an incomplete Terraform app_settings apply

Grant Augustin 0 Reputation points
2026-05-28T02:39:24.9266667+00:00

Service

Azure App Service (Linux, .NET), configured partly through Terraform (azurerm provider) and partly through settings that were set outside Terraform. Some settings are Key Vault references; others are plain values. Secrets live in Azure Key Vault.

Scenario

A Terraform apply ran with an incomplete app_settings block. Because Terraform treats app_settings as authoritative, the apply overwrote the live App Service configuration and deleted roughly a dozen application settings that were not represented in the Terraform code (for example: SendGrid, Xero, Shopify, payment provider, blob storage, and several SCM/build flags). The damage was not visible until a later restart.

Result

Many application settings are now missing from the App Service. The app starts but features depending on the missing settings fail. I need to (a) reliably identify everything that was removed, and (b) restore it cleanly without repeating the same overwrite next time Terraform runs.

Troubleshooting / what I have considered so far

  • I have a partial manual record of the previous settings in internal documentation, but I am not confident it is complete.
  • Reverting the Terraform code does not help, because the older code also lacks the missing settings and Terraform's state now reflects the reduced set.

My question

What is the recommended, supported way to recover the full set of App Service application settings that existed before a destructive Terraform apply? Specifically:

  • Is there any Azure-side history, activity log entry, audit record, or backup that captures the previous appsettings/siteConfig so I can see exactly which keys and values were removed?
  • And what is the recommended pattern to prevent Terraform's app_settings block from silently deleting out-of-band settings on future applies (e.g. lifecycle ignore_changes, or another approach)?
Azure App Service
Azure App Service

Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sina Salam 29,846 Reputation points Volunteer Moderator
    2026-05-29T16:30:31.7133333+00:00

    Hello Grant Augustin,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having Azure App Service configuration loss issues after a Terraform deployment overwrite removed existing App Settings and Key Vault references.

    The fact is that Terraform treats the app_settings block as an authoritative configuration state. During deployment, any App Settings not explicitly defined in Terraform were removed from the Azure App Service configuration, which resulted in deleted application settings, broken Key Vault references, configuration drift, and runtime failures after the application restart.

    What you can do to fix is to:

    • Immediately stop all Terraform apply or CI/CD deployment operations to prevent additional configuration overwrites
    • Export the current App Service configuration before making changes using: 
        az webapp config appsettings list \
  --resource-group <resource-group-name> \
  --name <app-service-name>
    • Recover deleted App Settings from the most reliable available source, preferably:
      • Azure App Service Backups
      • ARM/Bicep deployment history
      • Terraform repository history
      • Pipeline artifacts
      • Azure Key Vault secret inventory
    • Restore missing settings and Key Vault references safely using Azure CLI: 
        az webapp config appsettings set \
  --resource-group <resource-group-name> \
  --name <app-service-name> \
  --settings KEY=value
    • Validate Managed Identity access, Key Vault resolution, startup logs, and application health before restarting or redeploying the application
    • Redesign the Terraform deployment model so Terraform fully manages all App Settings and Key Vault references, or intentionally exclude dynamic settings using: 
        lifecycle {
  ignore_changes = [
  app_settings
  ]

    After restoring the missing App Settings and implementing a controlled Terraform configuration management strategy, the Azure App Service configuration becomes stable again, prevents future destructive overwrites, and restores normal application runtime behavior.

    Use the below resource links for more reading and implementation guidance:

    Configure App Settings in Azure App Service

    Back up and restore Azure App Service

    Terraform AzureRM Linux Web App Documentation

    Terraform Lifecycle Meta-Arguments Documentation

    Azure Resource Manager Deployment History Documentation

    Azure Key Vault Secrets Overview

    I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.