terraform-provider-azurerm: azurerm_frontdoor breaks on modification in 2.20

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform: 0.12.29 AzureRM: 2.20 and newer

Affected Resource(s)

azurerm_frontdoor

Terraform Configuration Files

  ~ resource "azurerm_frontdoor" "fd" {
        backend_pools_send_receive_timeout_seconds   = 60
        cname                                        = "fdissue35brc.azurefd.net"
        enforce_backend_pools_certificate_name_check = true
        header_frontdoor_id                          = "3fc2d9e5-ed0f-49e8-abd3-28bf664a1be2"
        id                                           = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc"
        load_balancer_enabled                        = true
        location                                     = "global"
        name                                         = "fdissue35brc"
        resource_group_name                          = "issue-35-brc"
      ~ tags                                         = {
            "ASKID"             = "<ask id value>"
            "Assignment Group"  = "<assignment group>"
            "Component"         = "Front Door"
          ~ "Component Version" = "v0.0.1" -> "v0.0.2"
            "Division"          = "<division>"
            "Environment"       = "Sandbox"
            "GL Code"           = "<gl code>"
            "Portfolio"         = "Provider Engineering"
            "Product"           = "Dojo360"
        }

        <snip for brevity>

        frontend_endpoint {
            custom_https_provisioning_enabled       = false
            host_name                               = "fdissue35brc.azurefd.net"
            id                                      = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc/frontendendpoints/default"
            name                                    = "default"
            session_affinity_enabled                = false
            session_affinity_ttl_seconds            = 0
            web_application_firewall_policy_link_id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/fdissue35wafbrc"
        }
        frontend_endpoint {
            custom_https_provisioning_enabled       = true
            host_name                               = "issue-35.splunk-brc.o360.cloud"
            id                                      = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc/frontendendpoints/domain-name"
            name                                    = "domain-name"
            session_affinity_enabled                = false
            session_affinity_ttl_seconds            = 0
            web_application_firewall_policy_link_id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/fdissue35wafbrc"

            custom_https_configuration {
                certificate_source    = "FrontDoor"
                minimum_tls_version   = "1.2"
                provisioning_state    = "Enabled"
                provisioning_substate = "CertificateDeployed"
            }
        }

        <snip for brevity>
    }

Debug Output

This appears to be the relevant portion of the debug. I can send the entire debug if it is needed.

2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: POST /subscriptions/<redacted>/resourceGroups/issue-35-brc/providers/Microsoft.Network/frontDoors/fdissue35brc/frontendEndpoints/domain-name/enableHttps?api-version=2020-01-01 HTTP/1.1
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Host: management.azure.com
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: User-Agent: Go/go1.14.5 (amd64-darwin) go-autorest/v14.0.0 Azure-SDK-For-Go/v44.1.0 frontdoor/2020-01-01 HashiCorp Terraform/0.12.24 (+https://www.terraform.io) Terraform Plugin SDK/1.13.1 terraform-provider-azurerm/2.20.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Length: 168
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Type: application/json; charset=utf-8
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Correlation-Request-Id: 1e5135ea-54c3-39f5-4621-a4e4e5dec63b
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Accept-Encoding: gzip
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: 
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: {"certificateSource":"FrontDoor","frontDoorCertificateSourceParameters":{"certificateType":"Dedicated"},"minimumTlsVersion":"1.2","protocolType":"ServerNameIndication"}
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/<redacted>/resourceGroups/issue-35-brc/providers/Microsoft.Network/frontDoors/fdissue35brc/frontendEndpoints/domain-name/enableHttps?api-version=2020-01-01: 
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: HTTP/2.0 400 Bad Request
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Length: 113
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Cache-Control: no-cache
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Language: en-US
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Type: application/json; charset=utf-8
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Date: Thu, 06 Aug 2020 20:10:42 GMT
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Expires: -1
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Pragma: no-cache
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Server: Microsoft-IIS/8.5
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Strict-Transport-Security: max-age=31536000; includeSubDomains
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Aspnet-Version: 4.0.30319
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Content-Type-Options: nosniff
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Client-Request-Id: 545c8845-480a-49c0-aac2-c923b3751fc4
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Correlation-Request-Id: 1e5135ea-54c3-39f5-4621-a4e4e5dec63b
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Ratelimit-Remaining-Subscription-Writes: 1199
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Request-Id: fe53e2f9-f64f-4b46-8759-37d7319b0c0f
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Routing-Request-Id: CENTRALUS:20200806T201043Z:c0c7bcf2-9bb4-4842-a98d-bb0e877df29d
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Powered-By: ASP.NET
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: 
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: {
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:   "error": {
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:     "code": "BadRequest",
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:     "message": "That action isn’t allowed in this profile."
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:   }
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: }

Expected Behavior

Front Door succeeds with modifications without error

Actual Behavior

This error is produced:

Error: unable to update Custom HTTPS configuration for Frontend Endpoint "domain-name" (Resource Group "issue-35-brc"):
unable to enable/update Custom Domain HTTPS for Frontend Endpoint "domain-name" (Resource Group "issue-35-brc"):
enabling Custom Domain HTTPS for Frontend Endpoint:
frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn’t allowed in this profile."

Steps to Reproduce

Create a front door resource with custom HTTPS settings enabled
Run the Terraform Triumvirate of, init, plan, and apply
Modify the front door resource without destroying it. Like change a tag value.
Run the Terraform Triumvirate again
No profit.

References

There is a similar issue going on right now in #8036
In AzureRM 2.20, it including this change in #7498

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 49
Comments: 27 (1 by maintainers)

Commits related to this issue

fixes #9153 #8039 #10661 #9075 #11287 #7613 #7208 #6351 * Fix for Frontdoor out of order * Remove all FE mods from AFD add faux ID to HTTPS * Block custom HTTPS values in main AFD resource *... — committed to hashicorp/terraform-provider-azurerm by WodansSon 3 years ago
fixes #9153 #8039 #10661 #9075 #11287 #7613 #7208 #6351 * Fix for Frontdoor out of order * Remove all FE mods from AFD add faux ID to HTTPS * Block custom HTTPS values in main AFD resource *... — committed to gro1m/terraform-provider-azurerm by WodansSon 3 years ago

Most upvoted comments

Slight improvement of the work-around from @JonKragh is to use the azurerm_frontdoor_custom_https_configuration instead of the inline https config. But you have to ignore changes of the resource group name (although it is not part of this resource config --> another bug?)

With this approach you can let the front door config as it is (without any lifecycle ignores). If you have any changes it initially fails but you then can simply retry the apply without any temporary code changes. It then successfully completes because the changes were already made during the first attempt.

resource "azurerm_frontdoor_custom_https_configuration" "example" {
  frontend_endpoint_id              = azurerm_frontdoor.example.frontend_endpoints["example"]
  custom_https_provisioning_enabled = true
  custom_https_configuration {
    certificate_source = "FrontDoor"
  }

  lifecycle { ignore_changes = [ resource_group_name ] }
}

LoW0lf on Mar 24, 2021

Using azurem 2.44.0, terraform: 0.12.23 -> I am having the same issue as well

Frayion on Jan 27, 2021

I have a very similar setup, using FrontDoor as the certificate_source. On the first run, it succeeds. For all other runs that have a change, I get the error.

Custom Domain HTTPS for Frontend Endpoint: frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn’t allowed in this profile."

❯ terraform -v
Terraform v0.13.4
+ provider registry.terraform.io/hashicorp/azurerm v2.33.0

kingsleyadam on Nov 4, 2020

@bcline760 To put a long story short - the issue is a bit more complex. There’re a couple of PRs now with different proposals for a fix, but they don’t really fix the underlying issue, they are band-aids. We’re working with FD service team and among us to figure out a way to not to break what is there now all too much, but at the same time to try and fix this issue properly.

My apologies for the lengthy discussion on this. We are doing our best to address the problem at hand. I for one can feel the pain of the issue 😃 Please bear with us.

favoretti on Mar 12, 2021

As a PSA for anyone who gets blocked by this issue. Here is our workflow to work around this issue today:

If we are not making any front door changes, we use this block in our front door tf script to allow us to modify other areas of our infra without being blocked.

lifecycle { ignore_changes = [ routing_rule, frontend_endpoint, backend_pool ] }

Then, if we need to make front door changes, we comment out the lifecycle block above, then we make the infra changes in terraform, then click apply.

This still shows the error below; however, the changes we need (routes, backends) all apply.

unable to enable/update Custom Domain HTTPS for Frontend Endpoint “platformFrontendEndpoint” (Resource Group “redacted”): enabling Custom Domain HTTPS for Frontend Endpoint: frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=0 – Original Error: Code=“BadRequest” Message="That action isn’t allowed in this profile.

After this error, we review front door and see our intended changes are in place.

Then we uncomment the lifecycle block above and can make other changes to our infa.

TLDR; Ignore front door in your terraform lifecycle if you are blocked. If you need changes, changes still seem to work but you get an error. Use the lifecycle to hack and get what you need.

JonKragh on Mar 2, 2021

@WodansSon Any update on the issue? its kinda roadblock to azure infrastructure deployment. can you provide any update on this?

Samridhigupta786 on Dec 22, 2020