terraform-provider-azurerm: azurerm_frontdoor breaks on modification in 2.20
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureRM Provider) Version
Terraform: 0.12.29 AzureRM: 2.20 and newer
Affected Resource(s)
azurerm_frontdoor
Terraform Configuration Files
~ resource "azurerm_frontdoor" "fd" {
      backend_pools_send_receive_timeout_seconds = 60
      cname = "fdissue35brc.azurefd.net"
      enforce_backend_pools_certificate_name_check = true
      header_frontdoor_id = "3fc2d9e5-ed0f-49e8-abd3-28bf664a1be2"
      id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc"
      load_balancer_enabled = true
      location = "global"
      name = "fdissue35brc"
      resource_group_name = "issue-35-brc"
    ~ tags = {
          "ASKID" = "<ask id value>"
          "Assignment Group" = "<assignment group>"
          "Component" = "Front Door"
        ~ "Component Version" = "v0.0.1" -> "v0.0.2"
          "Division" = "<division>"
          "Environment" = "Sandbox"
          "GL Code" = "<gl code>"
          "Portfolio" = "Provider Engineering"
          "Product" = "Dojo360"
      }
      <snip for brevity>
      frontend_endpoint {
          custom_https_provisioning_enabled = false
          host_name = "fdissue35brc.azurefd.net"
          id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc/frontendendpoints/default"
          name = "default"
          session_affinity_enabled = false
          session_affinity_ttl_seconds = 0
          web_application_firewall_policy_link_id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/fdissue35wafbrc"
      }
      frontend_endpoint {
          custom_https_provisioning_enabled = true
          host_name = "issue-35.splunk-brc.o360.cloud"
          id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoors/fdissue35brc/frontendendpoints/domain-name"
          name = "domain-name"
          session_affinity_enabled = false
          session_affinity_ttl_seconds = 0
          web_application_firewall_policy_link_id = "/subscriptions/<redacted>/resourcegroups/issue-35-brc/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/fdissue35wafbrc"
          custom_https_configuration {
              certificate_source = "FrontDoor"
              minimum_tls_version = "1.2"
              provisioning_state = "Enabled"
              provisioning_substate = "CertificateDeployed"
          }
      }
      <snip for brevity>
  }
Debug Output
This appears to be the relevant portion of the debug. I can send the entire debug if it is needed.
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: POST /subscriptions/<redacted>/resourceGroups/issue-35-brc/providers/Microsoft.Network/frontDoors/fdissue35brc/frontendEndpoints/domain-name/enableHttps?api-version=2020-01-01 HTTP/1.1
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Host: management.azure.com
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: User-Agent: Go/go1.14.5 (amd64-darwin) go-autorest/v14.0.0 Azure-SDK-For-Go/v44.1.0 frontdoor/2020-01-01 HashiCorp Terraform/0.12.24 (+https://www.terraform.io) Terraform Plugin SDK/1.13.1 terraform-provider-azurerm/2.20.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Length: 168
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Type: application/json; charset=utf-8
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Correlation-Request-Id: 1e5135ea-54c3-39f5-4621-a4e4e5dec63b
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Accept-Encoding: gzip
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:
2020-08-06T13:10:43.285-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: {"certificateSource":"FrontDoor","frontDoorCertificateSourceParameters":{"certificateType":"Dedicated"},"minimumTlsVersion":"1.2","protocolType":"ServerNameIndication"}
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/<redacted>/resourceGroups/issue-35-brc/providers/Microsoft.Network/frontDoors/fdissue35brc/frontendEndpoints/domain-name/enableHttps?api-version=2020-01-01:
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: HTTP/2.0 400 Bad Request
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Length: 113
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Cache-Control: no-cache
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Language: en-US
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Content-Type: application/json; charset=utf-8
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Date: Thu, 06 Aug 2020 20:10:42 GMT
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Expires: -1
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Pragma: no-cache
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Server: Microsoft-IIS/8.5
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: Strict-Transport-Security: max-age=31536000; includeSubDomains
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Aspnet-Version: 4.0.30319
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Content-Type-Options: nosniff
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Client-Request-Id: 545c8845-480a-49c0-aac2-c923b3751fc4
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Correlation-Request-Id: 1e5135ea-54c3-39f5-4621-a4e4e5dec63b
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Ratelimit-Remaining-Subscription-Writes: 1199
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Request-Id: fe53e2f9-f64f-4b46-8759-37d7319b0c0f
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Ms-Routing-Request-Id: CENTRALUS:20200806T201043Z:c0c7bcf2-9bb4-4842-a98d-bb0e877df29d
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: X-Powered-By: ASP.NET
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5:
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: {
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: "error": {
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: "code": "BadRequest",
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: "message": "That action isn't allowed in this profile."
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: }
2020-08-06T13:10:43.769-0700 [DEBUG] plugin.terraform-provider-azurerm_v2.20.0_x5: }
Expected Behavior
Front Door succeeds with modifications without error
Actual Behavior
This error is produced:
Error: unable to update Custom HTTPS configuration for Frontend Endpoint "domain-name" (Resource Group "issue-35-brc"):
unable to enable/update Custom Domain HTTPS for Frontend Endpoint "domain-name" (Resource Group "issue-35-brc"):
enabling Custom Domain HTTPS for Frontend Endpoint:
frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn't allowed in this profile."
Steps to Reproduce
- Create a front door resource with custom HTTPS settings enabled
- Run the Terraform Triumvirate of init, plan, and apply
- Modify the front door resource without destroying it. Like change a tag value.
- Run the Terraform Triumvirate again
- No profit.
References
About this issue
- State: closed
- Created 4 years ago
- Reactions: 49
- Comments: 27 (1 by maintainers)
Commits related to this issue
- fixes #9153 #8039 #10661 #9075 #11287 #7613 #7208 #6351 * Fix for Frontdoor out of order * Remove all FE mods from AFD add faux ID to HTTPS * Block custom HTTPS values in main AFD resource *... — committed to hashicorp/terraform-provider-azurerm by WodansSon 3 years ago
- fixes #9153 #8039 #10661 #9075 #11287 #7613 #7208 #6351 * Fix for Frontdoor out of order * Remove all FE mods from AFD add faux ID to HTTPS * Block custom HTTPS values in main AFD resource *... — committed to gro1m/terraform-provider-azurerm by WodansSon 3 years ago
Slight improvement of the work-around from @JonKragh is to use the azurerm_frontdoor_custom_https_configuration instead of the inline https config. But you have to ignore changes of the resource group name (although it is not part of this resource config --> another bug?)
With this approach you can leave the front door config as it is (without any lifecycle ignores). If you have any changes it initially fails but you then can simply retry the apply without any temporary code changes. It then successfully completes because the changes were already made during the first attempt.
Using azurerm 2.44.0, terraform: 0.12.23 -> I am having the same issue as well
I have a very similar setup, using FrontDoor as the certificate_source. On the first run, it succeeds. For all other runs that have a change, I get the error.
@bcline760 To put a long story short - the issue is a bit more complex. There're a couple of PRs now with different proposals for a fix, but they don't really fix the underlying issue, they are band-aids. We're working with FD service team and among us to figure out a way not to break what is there now all too much, but at the same time to try and fix this issue properly.
My apologies for the lengthy discussion on this. We are doing our best to address the problem at hand. I for one can feel the pain of the issue. Please bear with us.
As a PSA for anyone who gets blocked by this issue. Here is our workflow to work around this issue today:
If we are not making any front door changes, we use this block in our front door tf script to allow us to modify other areas of our infra without being blocked.
lifecycle {
  ignore_changes = [
    routing_rule,
    frontend_endpoint,
    backend_pool
  ]
}
Then, if we need to make front door changes, we comment out the lifecycle block above, then we make the infra changes in terraform, then click apply.
This still shows the error below; however, the changes we need (routes, backends) all apply.
unable to enable/update Custom Domain HTTPS for Frontend Endpoint "platformFrontendEndpoint" (Resource Group "redacted"): enabling Custom Domain HTTPS for Frontend Endpoint: frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="That action isn't allowed in this profile.
After this error, we review front door and see our intended changes are in place.
Then we uncomment the lifecycle block above and can make other changes to our infra.
TLDR; Ignore front door in your terraform lifecycle if you are blocked. If you need changes, changes still seem to work but you get an error. Use the lifecycle to hack and get what you need.
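While the lifecycle block from the workaround above is in place, Terraform ignores differences in frontend_endpoint, so a removed WAF policy link or a lowered minimum TLS version on an endpoint is no longer planned for correction. The following Python check is an added example, not code from this thread or from the provider: it reads `terraform show -json` output and flags such endpoints; the function names are hypothetical and the sample state is constructed, using the attribute names from the plan in the issue.

```python
import json

# Constructed sample in the shape of `terraform show -json`; attribute names
# are taken from the plan in the issue, resource IDs and values are made up.
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [{
    "address": "azurerm_frontdoor.fd", "type": "azurerm_frontdoor",
    "values": {"frontend_endpoint": [
        {"name": "default", "custom_https_provisioning_enabled": False,
         "web_application_firewall_policy_link_id": "/subscriptions/<redacted>/example-waf",
         "custom_https_configuration": []},
        {"name": "domain-name", "custom_https_provisioning_enabled": True,
         "web_application_firewall_policy_link_id": "",
         "custom_https_configuration": [
             {"certificate_source": "FrontDoor", "minimum_tls_version": "1.0"}]},
    ]},
}]}}})


def iter_resources(module):
    """Yield resources from a module and from every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def tls_tuple(version):
    """Turn "1.2" into (1, 2); anything unparsable sorts lowest."""
    try:
        return tuple(int(part) for part in str(version).split("."))
    except ValueError:
        return (0,)


def audit_frontdoor(state_json, min_tls="1.2"):
    """Return (address, endpoint name, finding) for weakened endpoints."""
    root = json.loads(state_json).get("values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "azurerm_frontdoor":
            continue
        for ep in res.get("values", {}).get("frontend_endpoint") or []:
            where = (res.get("address", "?"), ep.get("name", "?"))
            if not ep.get("web_application_firewall_policy_link_id"):
                findings.append(where + ("no WAF policy linked",))
            for cfg in ep.get("custom_https_configuration") or []:
                tls = cfg.get("minimum_tls_version")
                if tls_tuple(tls) < tls_tuple(min_tls):
                    findings.append(where + (f"minimum_tls_version {tls} below {min_tls}",))
    return findings
```

Run it against state that has just been refreshed, so the values reflect what is deployed rather than what was last applied.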
@WodansSon Any update on the issue? It's kinda a roadblock to Azure infrastructure deployment. Can you provide any update on this?