Updating azurerm_application_gateway fails with Duplicate address error #2894

Closed
Ashex opened this issue Feb 14, 2019 · 10 comments · Fixed by #3085

Comments

@Ashex

Ashex commented Feb 14, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.11.11

  • provider.azurerm v1.22.0

Affected Resource(s)

  • azurerm_application_gateway

Terraform Configuration Files

# Declare all our certificates at the top so they don't get lost
module "certificate" {
  source          = "../azure/azure_ssl_certificate"
  secret_name     = "certificate"
  key_vault_name  = "vault-centralus"
}

#Create a Public IP for the Application Gateway
resource "azurerm_public_ip" "widgets_public_ip" {
  name                = "widgets-ip"
  resource_group_name = "${data.azurerm_resource_group.rgroup.name}"
  location            = "${data.azurerm_resource_group.rgroup.location}"
  allocation_method   = "Dynamic"
}

# Create an application gateway
resource "azurerm_application_gateway" "widgets_tm_j" {
  name                   = "widgets"
  resource_group_name    = "${data.azurerm_resource_group.rgroup.name}"
  location               = "${data.azurerm_resource_group.rgroup.location}"
  disabled_ssl_protocols = [ "TLSv1_0" ]

  sku {
    name           = "Standard_Large"
    tier           = "Standard"
    capacity       = "8"
  }

  gateway_ip_configuration = [
    {
      name         = "ip-config"
      subnet_id    = "${data.terraform_remote_state.vnet.gateway_subnets[0]}"
    }
  ]

  frontend_port {
      name         = "http-port"
      port         = 80
  }

  frontend_port {
      name         = "https-port"
      port         = 443
  }

  frontend_ip_configuration {
      name         = "feip"
      public_ip_address_id = "${azurerm_public_ip.widgets_public_ip.id}"
  }

  backend_address_pool {
      name = "beap"
      ip_addresses = [
        "${data.terraform_remote_state.node1.private_ip}",
      ]
  }

  backend_http_settings {
      name                                = "backendhttp"
      cookie_based_affinity               = "Disabled"
      port                                = 80
      protocol                            = "Http"
      request_timeout                     = 60
      probe_name                          = "healthcheck"
      pick_host_name_from_backend_address = true
  }

  http_listener {
      name                           = "http-listener"
      frontend_ip_configuration_name = "feip"
      frontend_port_name             = "http-port"
      protocol                       = "Http"
  }

  request_routing_rule {
      name                       = "http-route-default"
      rule_type                  = "Basic"
      http_listener_name         = "http-listener"
      backend_address_pool_name  = "beap"
      backend_http_settings_name = "backendhttp"
  }

  probe {
      name                                      = "healthcheck"
      protocol                                  = "Http"
      path                                      = "/check"
      interval                                  = 6
      timeout                                   = 5
      unhealthy_threshold                       = 3
      pick_host_name_from_backend_http_settings = true
  }

#### Begin Certificate #####

  ssl_certificate {
      name                                    = "certificate"
      data                                    = "${module.certificate.secret_value}"
      password                                = "${module.certificate.secret_passphrase}"
    }


## api-staging.widgets.com

# Listener name should be https-{domain} where domain is the value that goes in host_name
  http_listener {
      name                                  = "https-api-staging.widgets.com"
      frontend_ip_configuration_name        = "feip"
      frontend_port_name                    = "https-port"
      protocol                              = "Https"
      ssl_certificate_name                  = "certificate"
      require_sni                           = true
      host_name                             = "api-staging.widgets.com"
    }
# Rule name should be https-route-{domain}
    request_routing_rule {
      name                       = "https-route-api-staging.widgets.com"
      rule_type                  = "Basic"
      http_listener_name         = "https-api-staging.widgets.com"
      backend_address_pool_name  = "beap"
      backend_http_settings_name = "backendhttp"
    }

### End Certificate ####


}

Debug Output

https://gist.github.com/Ashex/e52694f8b96599b5208f084adf6c9fe5

Expected Behavior

Updating any attribute of the azurerm_application_gateway should succeed or throw an error related to that attribute

Actual Behavior

All changes return the following error:

* azurerm_application_gateway.widgets_tm_j: Error Creating/Updating Application Gateway "widgets" (Resource Group "widgets-us-west"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ApplicationGatewayBackendAddressPoolCannotHaveDuplicateAddress" Message="Backend Address Pool /subscriptions/000000000/resourceGroups/widgets-us-west/providers/Microsoft.Network/applicationGateways/widgets/backendAddressPools/beap cannot have duplicate addresses 172.93.16.4." Details=[]

Indicating that the same address is being added to a single address pool twice, which is not happening here.

Steps to Reproduce

  1. terraform apply to create application gateway
  2. Modify application gateway resource attributes
  3. terraform apply

Important Factoids

Downgrading the provider to 1.21 allows me to update the application gateway without encountering this error.

References

  • #0000
@mdsills
Contributor

mdsills commented Feb 19, 2019

i've experienced similar output, and (although my requirements are slightly different) i think it's the same issue.

i have a backend address pool configured like this:

backend_address_pool {
    name = "${local.test_backend_address_pool_name}"
    fqdns = ["${local.test_fqdn}"]
}

terraform plan runs cleanly, but on updates terraform apply gives me a similar error to @Ashex

e.g. (edited to remove identifiers)

* azurerm_application_gateway.gateway: Error Creating/Updating Application Gateway "test-gateway" (Resource Group "test-gateway-rg"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ApplicationGatewayBackendAddressPoolCannotHaveDuplicateAddress" Message="Backend Address Pool /subscriptions/00000000/resourceGroups/test-gateway-rg/providers/Microsoft.Network/applicationGateways/test-gateway/backendAddressPools/test-gateway-test-pool cannot have duplicate addresses test-app.azurewebsites.net." Details=[]

as far as i can tell, this is related to the internal handling of BackendAddresses, Fqdns and FqdnList within the expand/flatten methods in azurerm/resource_arm_application_gateway.go. there are deprecations in play, it's possible that's a factor. the same internal variable is being used to populate both the 'old' and the 'new' keys:

output := map[string]interface{}{
    "fqdns":        fqdnList,
    "ip_addresses": ipAddressList,

    // TODO: deprecated - remove in 2.0
    "ip_address_list": ipAddressList,
    "fqdn_list":       fqdnList,
}

this led me to a possible workaround... if i also specify the fqdn_list, but with a dummy value, i can get a clean terraform apply. as follows:

backend_address_pool {
    name = "${local.test_backend_address_pool_name}"
    fqdns = ["${local.test_fqdn}"]
    fqdn_list = ["dummy"]
}

@Ashex similarly, you might have some luck with also setting ip_address_list in addition to ip_addresses. YMMV. (I'm assuming that the spelling "ip_addreses" in your original report is an unrelated typo.)
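
Added example, not part of the comment above and not the provider's code: a simplified Go model of the flatten/expand round trip that comment describes, showing how one configured address can reach the API twice and why pinning the deprecated key avoids it. The function names and the append-every-key behaviour of `expandNaive` are assumptions made for illustration; the addresses are the ones quoted in this thread.

```go
package main

import "fmt"

// flattenPool mirrors the map quoted above: one slice feeds both the
// current key and its deprecated alias when state is read back.
func flattenPool(fqdns, ips []string) map[string][]string {
	return map[string][]string{
		"fqdns": fqdns, "ip_addresses": ips,
		"fqdn_list": fqdns, "ip_address_list": ips, // deprecated aliases
	}
}

// expandNaive is an ASSUMED model of an expand step that appends the
// contents of every key to the request; it is not the provider's code.
func expandNaive(pool map[string][]string) []string {
	var out []string
	for _, k := range []string{"fqdns", "fqdn_list", "ip_addresses", "ip_address_list"} {
		out = append(out, pool[k]...)
	}
	return out
}

// expandDedup reads the same keys but emits each address once, in
// first-seen order.
func expandDedup(pool map[string][]string) []string {
	seen := map[string]bool{}
	var out []string
	for _, a := range expandNaive(pool) {
		if !seen[a] {
			seen[a] = true
			out = append(out, a)
		}
	}
	return out
}

func main() {
	// Constructed state after the first apply, using the address from the report.
	state := flattenPool(nil, []string{"172.93.16.4"})
	fmt.Println("naive update payload:", expandNaive(state))
	fmt.Println("deduplicated payload:", expandDedup(state))

	// The workaround: the deprecated key is pinned to a different value.
	pinned := flattenPool([]string{"test-app.azurewebsites.net"}, nil)
	pinned["fqdn_list"] = []string{"dummy"}
	fmt.Println("with dummy fqdn_list:", expandNaive(pinned))
}
```

In this model the dummy value avoids the duplicate but is itself sent as a second backend address, which matches the extra pool entry reported later in the thread.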

@mdsills
Contributor

mdsills commented Feb 19, 2019

update: the above workaround ran into issues for me with HTTPS backends :(

@fox918

fox918 commented Feb 26, 2019

For me the only working workaround is to provide one or multiple IP addresses for ip_addresses that are not deployed at the moment.

@bfleming-ciena

Same dang problem. Thanks for the suggested work-arounds.

@Mobe1969
Copy link

Mobe1969 commented Mar 1, 2019

Bugs like this make it pretty hard to automate and lock down an environment. Adding the dummy does get me around a problem, but then I now have an invalid backend pool entry, so need to do two separate releases to get it fixed.

I got it trying to fix an issue with fixing a probe and http setting to move to the "pick_host_name*" settings, and got this.

@alexeyklots

> Bugs like this make it pretty hard to automate and lock down an environment. Adding the dummy does get me around a problem, but then I now have an invalid backend pool entry, so need to do two separate releases to get it fixed.
>
> I got it trying to fix an issue with fixing a probe and http setting to move to the "pick_host_name*" settings, and got this.

Stuck with the same....unfortunately....

@wozorio

wozorio commented Mar 15, 2019

Trying to simply add tags to an application gateway and getting the same error.

@brenak

brenak commented Mar 20, 2019

Same here. My workaround was to set it to dummy like the above suggests. It did then have two fqdns for each address pool. I then went into Resource Explorer, and modified the gateway there, removing dummy from the list for each address pool.

This is really cumbersome and I hope this gets bumped up on the priority list for getting fixed.

Another note, the waf_configuration.0.file_upload_limit_mb, no matter what you set it to, always gets set back to 0, so will see it as a change every time on the app gateway. I think this will be fixed in 1.24.0, something about it is referenced there. I put in a lifecycle to ignore_changes so it stops and made a note to test it again when 1.24.0 is out.

@ghost

ghost commented Apr 3, 2019

This has been released in version 1.24.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
	version = "~> 1.24.0"
}
# ... other configuration ...

@ghost

ghost commented Apr 20, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 20, 2019