azurerm_application_gateway: reordering blocks leads to change on every apply.

[bailsman]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

v0.12.24
v2.5.0

Affected Resource(s)

• azurerm_application_gateway

Terraform Configuration Files

# since these variables are re-used - a locals block makes this more maintainable
locals {
  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
}

resource "azurerm_application_gateway" "test" {
  name                = "acctestag"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
  sku {
    name     = "Standard_Small"
    tier     = "Standard"
    capacity = 2
  }
  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = azurerm_subnet.test.id
  }
  frontend_port {
    name = local.frontend_port_name
    port = 80
  }
  frontend_port {
    name = "my_order_matters"
    port = 81
  }
  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.test.id
  }
  backend_address_pool {
    name = local.backend_address_pool_name
  }
  backend_http_settings {
    name                  = local.http_setting_name
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 1
  }
  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Http"
  }
  request_routing_rule {
    name                       = local.request_routing_rule_name
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }
}

Expected Behavior

Take a look at the frontend_port named "my_order_matters".

If you apply this configuration, then swap the order of the two frontend ports (so that "my_order_matters" is above the other frontend_port instead of below) - I'm expecting this to make no difference whatsoever.

terraform apply would say "Apply complete! Resources: 0 added, 0 changed, 0 destroyed."

Actual Behavior

After applying the configuration and swapping the order of the two blocks, terraform has the following plan:

      ~ frontend_port {
            id   = "/subscriptions/81264640-dc44-452c-ba0a-0b917e03e0d5/resourceGroups/accgwtest-rg/providers/Microsoft.Network/applicationGateways/acctestag/frontendPorts/accgwtest-vn-feport"
          ~ name = "accgwtest-vn-feport" -> "my_order_matters"
          ~ port = 80 -> 81
        }
      ~ frontend_port {
            id   = "/subscriptions/81264640-dc44-452c-ba0a-0b917e03e0d5/resourceGroups/accgwtest-rg/providers/Microsoft.Network/applicationGateways/acctestag/frontendPorts/port_81"
          ~ name = "port_81" -> "accgwtest-vn-feport"
          ~ port = 81 -> 80
        }

Applying this change has no effect. After applying, it still wants to do the same change, no matter how many times you apply.

Steps to Reproduce

1. terraform apply
2. Swap the order of the frontend_ports, so "my_order_matters" is above rather than below the other one.
3. terraform apply
4. terraform apply again

Important Factoids

The same issue actually occurs with the other blocks, like redirect_configuration or request_routing_rule. frontend_port is just an example.

References

[bailsman]

My guess is that these should be schema.TypeSet instead of schema.TypeList in the schema, since the Azure API apparently doesn't care what the order is, and just ignores your change if you've only changed the order.

[bailsman]

The same issue actually occurs with all the other blocks, like redirect_configuration or request_routing_rule, etc, etc. Not only frontend_port.

[ArcturusZhang]

Hi @bailsman thanks for the issue.
It turns out that the front_end is a list instead of set, which is order-sensitive. This should be the root cause of this issue...

[ghost]

This has been released in version 2.7.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.7.0"
}
# ... other configuration ...

[mazilu88]

the problem is also present in http_listener, redirect_configuration and request_routing_rule.
on azurerm 2.8 atm

      ~ http_listener {
            frontend_ip_configuration_id   = "providers/Microsoft.Network/applicationGateways/site-app-gw-prod/frontendIPConfigurations/site-app-gw-prod-feip"
            frontend_ip_configuration_name = "site-app-gw-prod-feip"
            frontend_port_id               = "providers/Microsoft.Network/applicationGateways/site-app-gw-prod/frontendPorts/https-port"
            frontend_port_name             = "https-port"
          ~ host_name                      = "sorter.site.xx" -> "api-warehouse.site.xx"
            host_names                     = []
            id                             = "providers/Microsoft.Network/applicationGateways/site-app-gw-prod/httpListeners/lm-sorter-443-listen"
          ~ name                           = "lm-sorter-443-listen" -> "lm-sorter-api-warehouse-443-listen"
            protocol                       = "Https"
            require_sni                    = false
            ssl_certificate_id             = "providers/Microsoft.Network/applicationGateways/site-app-gw-prod/sslCertificates/wild-site-ro-2020"
            ssl_certificate_name           = "wild-site-ro-2020"
        }
      - http_listener {
          - frontend_ip_configuration_id   = "providers/Microsoft.Network/applicationGateways/site-app-gw-prod/frontendIPConfigurations/site-app-gw-prod-feip" -> null
          - frontend_ip_configuration_name = "site-app-gw-prod-feip" -> null
          - frontend_port_id               = "providers/Microsoft.Network/applicationGateways/site-app-gw-prod/frontendPorts/https-port" -> null
          - frontend_port_name             = "https-port" -> null
          - host_name                      = "api-warehouse.site.xx" -> null
          - host_names                     = [] -> null
          - id                             = "providers/Microsoft.Network/applicationGateways/site-app-gw-prod/httpListeners/lm-sorter-api-warehouse-443-listen" -> null
          - name                           = "lm-sorter-api-warehouse-443-listen" -> null
          - protocol                       = "Https" -> null
          - require_sni                    = false -> null
          - ssl_certificate_id             = "providers/Microsoft.Network/applicationGateways/site-app-gw-prod/sslCertificates/wild-site-ro-2020" -> null
          - ssl_certificate_name           = "wild-site-ro-2020" -> null
        }

[ArcturusZhang]

Hi @mazilu88 this should be mentioned in #6896 and possibly fixed by #7021

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!