terraform-provider-azurerm: azurerm_frontdoor breaks on modification in 2.20

Terraform (and AzureRM Provider) Version

Terraform: 0.12.29 AzureRM: 2.20 and newer

Affected Resource(s)

  • azurerm_frontdoor

Terraform Configuration Files

  ~ resource "azurerm_frontdoor" "fd" {
        backend_pools_send_receive_timeout_seconds   = 60
        cname                                        = "fdissue35brc.azurefd.net"
        enforce_backend_pools_certificate_name_check = true
        header_frontdoor_id                          = "3fc2d9e5-ed0f-49e8-abd3-28bf664a1be2"
        id                                           = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc"
        load_balancer_enabled                        = true
        location                                     = "global"
        name                                         = "fdissue35brc"
        resource_group_name                          = "issue-35-brc"
      ~ tags                                         = {
            "ASKID"             = "<ask id value>"
            "Assignment Group"  = "<assignment group>"
            "Component"         = "Front Door"
          ~ "Component Version" = "v0.0.1" -> "v0.0.2"
            "Division"          = "<division>"
            "Environment"       = "Sandbox"
            "GL Code"           = "<gl code>"
            "Portfolio"         = "Provider Engineering"
            "Product"           = "Dojo360"
        }

        <snip for brevity>

        frontend_endpoint {
            custom_https_provisioning_enabled       = false
            host_name                               = "fdissue35brc.azurefd.net"
            id                                      = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc/frontendendpoints/default"
            name                                    = "default"
            session_affinity_enabled                = false
            session_affinity_ttl_seconds            = 0
            web_application_firewall_policy_link_id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/fdissue35wafbrc"
        }
        frontend_endpoint {
            custom_https_provisioning_enabled       = true
            host_name                               = "issue-35.splunk-brc.o360.cloud"
            id                                      = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc/frontendendpoints/domain-name"
            name                                    = "domain-name"
            session_affinity_enabled                = false
            session_affinity_ttl_seconds            = 0
            web_application_firewall_policy_link_id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/fdissue35wafbrc"

            custom_https_configuration {
                certificate_source    = "FrontDoor"
                minimum_tls_version   = "1.2"
                provisioning_state    = "Enabled"
                provisioning_substate = "CertificateDeployed"
            }
        }

        <snip for brevity>
    }

Debug Output

This appears to be the relevant portion of the debug. I can send the entire debug if it is needed.

2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: POST /subscriptions/<redacted>/resourceGroups/issue-35-brc/providers/Microsoft.Network/frontDoors/fdissue35brc/frontendEndpoints/domain-name/enableHttps?api-version=2020-01-01 HTTP/1.1
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Host: management.azure.com
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: User-Agent: Go/go1.14.5 (amd64-darwin) go-autorest/v14.0.0 Azure-SDK-For-Go/v44.1.0 frontdoor/2020-01-01 HashiCorp Terraform/0.12.24 (+https://www.terraform.io) Terraform Plugin SDK/1.13.1 terraform-provider-azurerm/2.20.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Length: 168
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Type: application/json; charset=utf-8
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Correlation-Request-Id: 1e5135ea-54c3-39f5-4621-a4e4e5dec63b
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Accept-Encoding: gzip
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: 
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: {"certificateSource":"FrontDoor","frontDoorCertificateSourceParameters":{"certificateType":"Dedicated"},"minimumTlsVersion":"1.2","protocolType":"ServerNameIndication"}
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/<redacted>/resourceGroups/issue-35-brc/providers/Microsoft.Network/frontDoors/fdissue35brc/frontendEndpoints/domain-name/enableHttps?api-version=2020-01-01: 
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: HTTP/2.0 400 Bad Request
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Length: 113
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Cache-Control: no-cache
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Language: en-US
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Type: application/json; charset=utf-8
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Date: Thu, 06 Aug 2020 20:10:42 GMT
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Expires: -1
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Pragma: no-cache
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Server: Microsoft-IIS/8.5
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Strict-Transport-Security: max-age=31536000; includeSubDomains
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Aspnet-Version: 4.0.30319
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Content-Type-Options: nosniff
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Client-Request-Id: 545c8845-480a-49c0-aac2-c923b3751fc4
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Correlation-Request-Id: 1e5135ea-54c3-39f5-4621-a4e4e5dec63b
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Ratelimit-Remaining-Subscription-Writes: 1199
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Request-Id: fe53e2f9-f64f-4b46-8759-37d7319b0c0f
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Routing-Request-Id: CENTRALUS:20200806T201043Z:c0c7bcf2-9bb4-4842-a98d-bb0e877df29d
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Powered-By: ASP.NET
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: 
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: {
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:   "error": {
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:     "code": "BadRequest",
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:     "message": "That action isn’t allowed in this profile."
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:   }
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: }

Expected Behavior

Front Door succeeds with modifications without error

Actual Behavior

This error is produced:

Error: unable to update Custom HTTPS configuration for Frontend Endpoint "domain-name" (Resource Group "issue-35-brc"):
unable to enable/update Custom Domain HTTPS for Frontend Endpoint "domain-name" (Resource Group "issue-35-brc"):
enabling Custom Domain HTTPS for Frontend Endpoint:
frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn’t allowed in this profile."

Steps to Reproduce

  1. Create a front door resource with custom HTTPS settings enabled
  2. Run the Terraform Triumvirate of init, plan, and apply
  3. Modify the front door resource without destroying it, for example by changing a tag value.
  4. Run the Terraform Triumvirate again
  5. No profit.

References

  • There is a similar issue going on right now in #8036
  • AzureRM 2.20 includes this change in #7498

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 49
  • Comments: 27 (1 by maintainers)

Most upvoted comments

Slight improvement of the work-around from @JonKragh is to use the azurerm_frontdoor_custom_https_configuration instead of the inline https config. But you have to ignore changes of the resource group name (although it is not part of this resource config --> another bug?)

With this approach you can leave the front door config as it is (without any lifecycle ignores). If you have any changes it initially fails, but you can then simply retry the apply without any temporary code changes. It then successfully completes because the changes were already made during the first attempt.

resource "azurerm_frontdoor_custom_https_configuration" "example" {
  frontend_endpoint_id              = azurerm_frontdoor.example.frontend_endpoints["example"]
  custom_https_provisioning_enabled = true
  custom_https_configuration {
    certificate_source = "FrontDoor"
  }

  lifecycle { ignore_changes = [ resource_group_name ] }
} 

Using azurerm 2.44.0, terraform: 0.12.23 -> I am having the same issue as well

I have a very similar setup, using FrontDoor as the certificate_source. On the first run, it succeeds. For all other runs that have a change, I get the error.

Custom Domain HTTPS for Frontend Endpoint: frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn’t allowed in this profile."
❯ terraform -v
Terraform v0.13.4
+ provider registry.terraform.io/hashicorp/azurerm v2.33.0

@bcline760 To put a long story short - the issue is a bit more complex. There are a couple of PRs now with different proposals for a fix, but they don’t really fix the underlying issue; they are band-aids. We’re working with the FD service team and among us to figure out a way not to break what is there now all too much, but at the same time to try and fix this issue properly.

My apologies for the lengthy discussion on this. We are doing our best to address the problem at hand. I for one can feel the pain of the issue 😃 Please bear with us.

As a PSA for anyone who gets blocked by this issue, here is our workflow to work around this issue today:

If we are not making any front door changes, we use this block in our front door tf script to allow us to modify other areas of our infra without being blocked.

lifecycle { ignore_changes = [ routing_rule, frontend_endpoint, backend_pool ] }

Then, if we need to make front door changes, we comment out the lifecycle block above, then we make the infra changes in terraform, then click apply.

This still shows the error below; however, the changes we need (routes, backends) all apply.

unable to enable/update Custom Domain HTTPS for Frontend Endpoint "platformFrontendEndpoint" (Resource Group "redacted"): enabling Custom Domain HTTPS for Frontend Endpoint: frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="That action isn’t allowed in this profile."

After this error, we review front door and see our intended changes are in place.

Then we uncomment the lifecycle block above and can make other changes to our infra.

TLDR; Ignore front door in your terraform lifecycle if you are blocked. If you need changes, changes still seem to work but you get an error. Use the lifecycle to hack and get what you need.
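
An added example, not part of the original comments or the provider's code: while `frontend_endpoint` sits under `ignore_changes` and applies end in an error, Terraform no longer reconciles the WAF policy link or the custom HTTPS settings on those endpoints, so the manual review described above can be scripted against the JSON produced by `terraform show -json`. The sample state below is constructed, and the check assumes the state has been refreshed from Azure.

```python
import json

# Constructed sample shaped like `terraform show -json`; names and values are made up.
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {"child_modules": [{"resources": [
  {"type": "azurerm_frontdoor", "name": "fd", "values": {"name": "fd-example",
    "frontend_endpoint": [
      {"name": "default", "host_name": "fd-example.azurefd.net",
       "custom_https_provisioning_enabled": false, "custom_https_configuration": [],
       "web_application_firewall_policy_link_id": "/constructed/waf-policy-id"},
      {"name": "domain-name", "host_name": "app.example.com",
       "custom_https_provisioning_enabled": true, "web_application_firewall_policy_link_id": "",
       "custom_https_configuration": [{"certificate_source": "FrontDoor",
         "minimum_tls_version": "1.0", "provisioning_state": "Enabling"}]}]}}]}]}}}
""")

def walk_resources(module):
    """Yield resources from a module and from all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def _version(text):
    return tuple(int(part) for part in text.split("."))

def audit_frontdoor(state, min_tls="1.2"):
    """Return (front_door, endpoint, problem) tuples for endpoint settings that need review."""
    findings = []
    root = state.get("values", {}).get("root_module", {})
    for res in walk_resources(root):
        if res.get("type") != "azurerm_frontdoor":
            continue
        fd = res["values"].get("name", res.get("name"))
        for ep in res["values"].get("frontend_endpoint") or []:
            if not ep.get("web_application_firewall_policy_link_id"):
                findings.append((fd, ep["name"], "no WAF policy linked"))
            if not ep.get("custom_https_provisioning_enabled"):
                # The default *.azurefd.net host does not use custom HTTPS; other hosts should.
                if not ep.get("host_name", "").endswith(".azurefd.net"):
                    findings.append((fd, ep["name"], "custom domain without HTTPS"))
                continue
            cfg = (ep.get("custom_https_configuration") or [{}])[0]
            if _version(cfg.get("minimum_tls_version") or "0") < _version(min_tls):
                findings.append((fd, ep["name"], f"minimum TLS {cfg.get('minimum_tls_version')} below {min_tls}"))
            if cfg.get("provisioning_state") != "Enabled":
                findings.append((fd, ep["name"], f"HTTPS provisioning state is {cfg.get('provisioning_state')!r}"))
    return findings

if __name__ == "__main__":
    print("\n".join(": ".join(f) for f in audit_frontdoor(SAMPLE_STATE)) or "no findings")
```

To check a real workspace, replace `SAMPLE_STATE` with the parsed output of `terraform show -json`.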

@WodansSon Any update on the issue? It's kind of a roadblock to Azure infrastructure deployment. Can you provide any update on this?