azurerm_frontdoor
- Fix for Frontdoor resource elements being returned out of order
#11456
My current hypothesis is that the
So to fix this I did a few things, with this PR I now block the modification of the custom HTTPS configuration from the main I believe with the changes I have introduced in this PR, even though they may be painful, this will solve most, if not all, of the issues that so many of you have been hitting with the If you have the bandwidth and can build a private provider from this PR and test it against your current resources (please do not test this private against your prod deployments, this is just an experiment. If you can one off the issue in a test environment that would be ideal) that would be very helpful, as I cannot test all of the scenarios that exist in the wild, but the ones I have tested locally this PR did fix. So if you are up to help to get this fix tested it would be much appreciated to get as much data as possible. Cheers. 🚀 |
While on this patch it returns below even if
Plan always appends below:
+ frontend_endpoint {
    + custom_https_provisioning_enabled = false
    + host_name = "<redacted>.azurefd.net"
    + id = (known after apply)
    + name = "<redacted>"
    + session_affinity_enabled = false
    + session_affinity_ttl_seconds = 0
    + web_application_firewall_policy_link_id = "<redacted>
    + custom_https_configuration {
        + certificate_source = "FrontDoor"
        + minimum_tls_version = (known after apply)
        + provisioning_state = (known after apply)
        + provisioning_substate = (known after apply)
      }
  }
After applying below in
|
@JayDoubleu, dagnabbit... Every configuration I ran last night worked perfectly for me locally. Would you mind posting your configuration file (with vars file if you have one) you used so I may add it as a test case? The always seeing the
I am currently investigating why we would be seeing this delta between our two experiences... |
@timja Would you mind giving this one a shot on your config please? |
Will do tomorrow |
Terraform version
Containerfile used to create provider
# docker build -t terraform-provider-azurerm-11456 -f Containerfile #--build-arg PR="11456"
# docker run -v $(pwd):/tmp/pwd terraform-provider-azurerm-11456 cp /go/bin/terraform-provider-azurerm /tmp/pwd
FROM docker.io/library/golang:1.16
ARG REPOSITORY="https://github.com/terraform-providers/terraform-provider-azurerm.git"
ARG BRANCH="master"
#ARG BRANCH="v2.53.0"
ARG PR="11456"
ARG GOOS="linux"
RUN mkdir -p $GOPATH/src/github.com/terraform-providers
RUN printf "\nRepository: ${REPOSITORY}\nBranch: ${BRANCH}\nPR: ${PR}\n\n"
RUN git clone ${REPOSITORY} $GOPATH/src/github.com/terraform-providers/terraform-provider-azurerm
WORKDIR $GOPATH/src/github.com/terraform-providers/terraform-provider-azurerm
RUN git checkout ${BRANCH}
RUN mkdir -p bin
RUN git log --name-status HEAD^..HEAD
RUN curl -sO https://patch-diff.githubusercontent.com/raw/terraform-providers/terraform-provider-azurerm/pull/${PR}.patch
RUN git config --global user.email "you@example.com" && git config --global user.name "Your Name"
RUN git am ${PR}.patch
RUN git log --name-status HEAD^..HEAD
RUN make build
RUN sha256sum $GOPATH/bin/terraform-provider-azurerm
Build log
STEP 1: FROM docker.io/library/golang:1.16
STEP 2: ARG REPOSITORY="https://github.com/terraform-providers/terraform-provider-azurerm.git"
--> a5dc090f84b
STEP 3: ARG BRANCH="master"
--> a72d78a4c4e
STEP 4: ARG PR="11456"
--> f93cabe1078
STEP 5: ARG GOOS="linux"
--> c1ca016402e
STEP 6: RUN mkdir -p $GOPATH/src/github.com/terraform-providers
--> 3bb78674208
STEP 7: RUN printf "\nRepository: ${REPOSITORY}\nBranch: ${BRANCH}\nPR: ${PR}\n\n"
Repository: https://github.com/terraform-providers/terraform-provider-azurerm.git
Branch: master
PR: 11456
--> ad0c390be5f
STEP 8: RUN git clone ${REPOSITORY} $GOPATH/src/github.com/terraform-providers/terraform-provider-azurerm
Cloning into '/go/src/github.com/terraform-providers/terraform-provider-azurerm'...
Checking out files: 100% (11062/11062), done.
--> 3cff408ee4c
STEP 9: WORKDIR $GOPATH/src/github.com/terraform-providers/terraform-provider-azurerm
--> 527c865b900
STEP 10: RUN git checkout ${BRANCH}
Already on 'master'
Your branch is up to date with 'origin/master'.
--> 77f6324f76d
STEP 11: RUN mkdir -p bin
--> 834fc2d2bcd
STEP 12: RUN git log --name-status HEAD^..HEAD
commit 3e1a54615fac153689b3d092feed7bc1a0193be9
Author: magodo <wztdyl@sina.com>
Date: Sun Apr 25 12:08:20 2021 +0800
GNUMakefile: use `go install` to install tools since Go v1.16 (#11459)
M GNUmakefile
--> 997f938447d
STEP 13: RUN curl -sO https://patch-diff.githubusercontent.com/raw/terraform-providers/terraform-provider-azurerm/pull/${PR}.patch
--> 8bda1367fbf
STEP 14: RUN git config --global user.email "you@example.com" && git config --global user.name "Your Name"
--> 463a860d8f2
STEP 15: RUN git am ${PR}.patch
Applying: Fix for Frontdoor out of order
Applying: Remove all FE mods from AFD add faux ID to HTTPS
Applying: Block custom HTTPS values in main AFD resource
Applying: Fix comment spelling and spacing I think?
Applying: Fix comment spacing? :/
Applying: Update custom HTTP check from nil to len
--> 31d10cd4baf
STEP 16: RUN git log --name-status HEAD^..HEAD
commit f889e75459d8cf5c3abc20177a857a4b626f26dc
Author: Jeffrey Cline <20408400+WodansSon@users.noreply.github.com>
Date: Sun Apr 25 02:49:46 2021 -0700
Update custom HTTP check from nil to len
M azurerm/internal/services/frontdoor/frontdoor_resource.go
--> ece89d33e0a
STEP 17: RUN make build
==> Checking that code complies with gofmt requirements...
==> Checking that Custom Timeouts are used...
==> Checking that acceptance test packages are used...
go generate ./azurerm/internal/services/...
go generate ./azurerm/internal/provider/
go install
--> 98195559461
STEP 18: RUN sha256sum $GOPATH/bin/terraform-provider-azurerm
b9de36c423b4278126b7e878aca71faa0101a3527b86d1be132a688e4b33b807 /go/bin/terraform-provider-azurerm
STEP 19: COMMIT terraform-provider-azurerm-11456
--> 38b30463af6
38b30463af6560fc0615b2b34d7ed920373885180a9a714c8c10de10505e7fe3
Tf code used to reproduce the sorting issue
# az feature register --namespace Microsoft.Network --name BypassCnameCheckForCustomDomainDeletion --subscription "<redacted>" # whoever created this feature deserves a beer
terraform {
  required_version = "~> 0.14.4"
  required_providers { azurerm = "=2.56.0" }
}
provider "azurerm" {
  subscription_id = "<redacted>"
  tenant_id = "<redacted>"
  features {}
}
locals {
  environment = "dev001" #
  default_location = "uksouth"
  prefix = "acctest-FD-001-${local.environment}" # replace 001 to make unique
  storage_prefix = lower(replace(local.prefix, "-", ""))
  tags = {}
  fd_settings = {
    default_frontend = local.prefix
    custom_frontend = "${local.prefix}-custom"
    custom_frontend_domain = "jaydoubleu.co.uk"
    default_hp_settings_name = "exampleHealthProbeSetting1"
    default_lb_settings_name = "exampleLoadBalancingSettings1"
  }
}
###############
resource "azurerm_resource_group" "default" {
  name = "rg-${lower(local.prefix)}"
  location = local.default_location
  tags = local.tags
}
### storage accounts
resource "azurerm_storage_account" "site01" {
  name = "${local.storage_prefix}site01"
  resource_group_name = azurerm_resource_group.default.name
  location = azurerm_resource_group.default.location
  account_tier = "Standard"
  account_replication_type = "LRS"
  tags = local.tags
  static_website {
    error_404_document = "error.html"
    index_document = "index.html"
  }
}
resource "azurerm_storage_account" "site02" {
  name = "${local.storage_prefix}site02"
  resource_group_name = azurerm_resource_group.default.name
  location = azurerm_resource_group.default.location
  account_tier = "Standard"
  account_replication_type = "LRS"
  tags = local.tags
  static_website {
    error_404_document = "error.html"
    index_document = "index.html"
  }
}
resource "azurerm_storage_account" "site03" {
  name = "${local.storage_prefix}site03"
  resource_group_name = azurerm_resource_group.default.name
  location = azurerm_resource_group.default.location
  account_tier = "Standard"
  account_replication_type = "LRS"
  tags = local.tags
  static_website {
    error_404_document = "error.html"
    index_document = "index.html"
  }
}
resource "azurerm_frontdoor" "default" {
  name = local.prefix
  resource_group_name = azurerm_resource_group.default.name
  enforce_backend_pools_certificate_name_check = true
  tags = local.tags
  frontend_endpoint {
    name = local.fd_settings.default_frontend
    host_name = "${lower(local.fd_settings.default_frontend)}.azurefd.net"
  }
  frontend_endpoint {
    name = local.fd_settings.custom_frontend
    host_name = "${lower(local.fd_settings.custom_frontend)}.${local.fd_settings.custom_frontend_domain}"
  }
  backend_pool_health_probe {
    name = local.fd_settings.default_hp_settings_name
    interval_in_seconds = "30"
    protocol = "Https"
  }
  backend_pool_load_balancing {
    name = local.fd_settings.default_lb_settings_name
  }
  ### site01
  backend_pool {
    name = azurerm_storage_account.site01.name
    backend {
      host_header = azurerm_storage_account.site01.primary_web_host
      address = azurerm_storage_account.site01.primary_web_host
      http_port = 80
      https_port = 443
    }
    load_balancing_name = local.fd_settings.default_lb_settings_name
    health_probe_name = local.fd_settings.default_hp_settings_name
  }
  routing_rule {
    name = azurerm_storage_account.site01.name
    enabled = true
    accepted_protocols = ["Https"]
    patterns_to_match = ["/*"]
    frontend_endpoints = [local.fd_settings.default_frontend, local.fd_settings.custom_frontend]
    forwarding_configuration {
      forwarding_protocol = "HttpsOnly"
      backend_pool_name = azurerm_storage_account.site01.name
      custom_forwarding_path = "/"
    }
  }
  routing_rule {
    name = "${azurerm_storage_account.site01.name}RedirectHTTPtoHTTPS"
    enabled = true
    accepted_protocols = ["Http"]
    frontend_endpoints = [local.fd_settings.default_frontend, local.fd_settings.custom_frontend]
    patterns_to_match = ["/*"]
    redirect_configuration {
      redirect_protocol = "HttpsOnly"
      redirect_type = "Found"
      custom_path = "/"
    }
  }
  ### site02
  backend_pool {
    name = azurerm_storage_account.site02.name
    backend {
      host_header = azurerm_storage_account.site02.primary_web_host
      address = azurerm_storage_account.site02.primary_web_host
      http_port = 80
      https_port = 443
    }
    load_balancing_name = local.fd_settings.default_lb_settings_name
    health_probe_name = local.fd_settings.default_hp_settings_name
  }
  routing_rule {
    name = azurerm_storage_account.site02.name
    enabled = true
    accepted_protocols = ["Https"]
    patterns_to_match = ["/site02", "/site02/*"]
    frontend_endpoints = [local.fd_settings.default_frontend, local.fd_settings.custom_frontend]
    forwarding_configuration {
      forwarding_protocol = "HttpsOnly"
      backend_pool_name = azurerm_storage_account.site02.name
      custom_forwarding_path = "/"
    }
  }
  routing_rule {
    name = "${azurerm_storage_account.site02.name}RedirectHTTPtoHTTPS"
    enabled = true
    accepted_protocols = ["Http"]
    frontend_endpoints = [local.fd_settings.default_frontend, local.fd_settings.custom_frontend]
    patterns_to_match = ["/site02", "/site02/*"]
    redirect_configuration {
      redirect_protocol = "HttpsOnly"
      redirect_type = "Found"
      custom_path = "/site02/"
    }
  }
  ### site03
  backend_pool {
    name = azurerm_storage_account.site03.name
    backend {
      host_header = azurerm_storage_account.site03.primary_web_host
      address = azurerm_storage_account.site03.primary_web_host
      http_port = 80
      https_port = 443
    }
    load_balancing_name = local.fd_settings.default_lb_settings_name
    health_probe_name = local.fd_settings.default_hp_settings_name
  }
  routing_rule {
    name = azurerm_storage_account.site03.name
    enabled = true
    accepted_protocols = ["Https"]
    patterns_to_match = ["/site03", "/site03/*"]
    frontend_endpoints = [local.fd_settings.default_frontend, local.fd_settings.custom_frontend]
    forwarding_configuration {
      forwarding_protocol = "HttpsOnly"
      backend_pool_name = azurerm_storage_account.site03.name
      custom_forwarding_path = "/"
    }
  }
  routing_rule {
    name = "${azurerm_storage_account.site03.name}RedirectHTTPtoHTTPS"
    enabled = true
    accepted_protocols = ["Http"]
    frontend_endpoints = [local.fd_settings.default_frontend, local.fd_settings.custom_frontend]
    patterns_to_match = ["/site03", "/site03/*"]
    redirect_configuration {
      redirect_protocol = "HttpsOnly"
      redirect_type = "Found"
      custom_path = "/site03/"
    }
  }
}
First terraform apply
Warning: Provider development overrides are in effect
The following provider development overrides are set in the CLI configuration:
- hashicorp/azurerm in /home/jaydoubleu/devel/providers/devel/terraform-provider-azurerm_bins/11456
The behavior may therefore not match any released version of the provider and
applying changes may cause the state to become incompatible with published
releases.
azurerm_resource_group.default: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001]
azurerm_storage_account.site01: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Storage/storageAccounts/acctestfd001dev001site01]
azurerm_storage_account.site02: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Storage/storageAccounts/acctestfd001dev001site02]
azurerm_storage_account.site03: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Storage/storageAccounts/acctestfd001dev001site03]
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# azurerm_frontdoor.default will be created
+ resource "azurerm_frontdoor" "default" {
+ backend_pool_health_probes = (known after apply)
+ backend_pool_load_balancing_settings = (known after apply)
+ backend_pools = (known after apply)
+ backend_pools_send_receive_timeout_seconds = 60
+ cname = (known after apply)
+ enforce_backend_pools_certificate_name_check = true
+ frontend_endpoints = (known after apply)
+ header_frontdoor_id = (known after apply)
+ id = (known after apply)
+ load_balancer_enabled = true
+ location = (known after apply)
+ name = "acctest-FD-001-dev001"
+ resource_group_name = "rg-acctest-fd-001-dev001"
+ routing_rules = (known after apply)
+ backend_pool {
+ health_probe_name = "exampleHealthProbeSetting1"
+ id = (known after apply)
+ load_balancing_name = "exampleLoadBalancingSettings1"
+ name = "acctestfd001dev001site01"
+ backend {
+ address = "acctestfd001dev001site01.z33.web.core.windows.net"
+ enabled = true
+ host_header = "acctestfd001dev001site01.z33.web.core.windows.net"
+ http_port = 80
+ https_port = 443
+ priority = 1
+ weight = 50
}
}
+ backend_pool {
+ health_probe_name = "exampleHealthProbeSetting1"
+ id = (known after apply)
+ load_balancing_name = "exampleLoadBalancingSettings1"
+ name = "acctestfd001dev001site02"
+ backend {
+ address = "acctestfd001dev001site02.z33.web.core.windows.net"
+ enabled = true
+ host_header = "acctestfd001dev001site02.z33.web.core.windows.net"
+ http_port = 80
+ https_port = 443
+ priority = 1
+ weight = 50
}
}
+ backend_pool {
+ health_probe_name = "exampleHealthProbeSetting1"
+ id = (known after apply)
+ load_balancing_name = "exampleLoadBalancingSettings1"
+ name = "acctestfd001dev001site03"
+ backend {
+ address = "acctestfd001dev001site03.z33.web.core.windows.net"
+ enabled = true
+ host_header = "acctestfd001dev001site03.z33.web.core.windows.net"
+ http_port = 80
+ https_port = 443
+ priority = 1
+ weight = 50
}
}
+ backend_pool_health_probe {
+ enabled = true
+ id = (known after apply)
+ interval_in_seconds = 30
+ name = "exampleHealthProbeSetting1"
+ path = "/"
+ probe_method = "GET"
+ protocol = "Https"
}
+ backend_pool_load_balancing {
+ additional_latency_milliseconds = 0
+ id = (known after apply)
+ name = "exampleLoadBalancingSettings1"
+ sample_size = 4
+ successful_samples_required = 2
}
+ frontend_endpoint {
+ custom_https_provisioning_enabled = (known after apply)
+ host_name = "acctest-fd-001-dev001.azurefd.net"
+ id = (known after apply)
+ name = "acctest-FD-001-dev001"
+ session_affinity_enabled = false
+ session_affinity_ttl_seconds = 0
+ custom_https_configuration {
+ azure_key_vault_certificate_secret_name = (known after apply)
+ azure_key_vault_certificate_secret_version = (known after apply)
+ azure_key_vault_certificate_vault_id = (known after apply)
+ certificate_source = (known after apply)
+ minimum_tls_version = (known after apply)
+ provisioning_state = (known after apply)
+ provisioning_substate = (known after apply)
}
}
+ frontend_endpoint {
+ custom_https_provisioning_enabled = (known after apply)
+ host_name = "acctest-fd-001-dev001-custom.jaydoubleu.co.uk"
+ id = (known after apply)
+ name = "acctest-FD-001-dev001-custom"
+ session_affinity_enabled = false
+ session_affinity_ttl_seconds = 0
+ custom_https_configuration {
+ azure_key_vault_certificate_secret_name = (known after apply)
+ azure_key_vault_certificate_secret_version = (known after apply)
+ azure_key_vault_certificate_vault_id = (known after apply)
+ certificate_source = (known after apply)
+ minimum_tls_version = (known after apply)
+ provisioning_state = (known after apply)
+ provisioning_substate = (known after apply)
}
}
+ routing_rule {
+ accepted_protocols = [
+ "Https",
]
+ enabled = true
+ frontend_endpoints = [
+ "acctest-FD-001-dev001",
+ "acctest-FD-001-dev001-custom",
]
+ id = (known after apply)
+ name = "acctestfd001dev001site01"
+ patterns_to_match = [
+ "/*",
]
+ forwarding_configuration {
+ backend_pool_name = "acctestfd001dev001site01"
+ cache_enabled = false
+ cache_query_parameter_strip_directive = "StripAll"
+ cache_use_dynamic_compression = false
+ custom_forwarding_path = "/"
+ forwarding_protocol = "HttpsOnly"
}
}
+ routing_rule {
+ accepted_protocols = [
+ "Http",
]
+ enabled = true
+ frontend_endpoints = [
+ "acctest-FD-001-dev001",
+ "acctest-FD-001-dev001-custom",
]
+ id = (known after apply)
+ name = "acctestfd001dev001site01RedirectHTTPtoHTTPS"
+ patterns_to_match = [
+ "/*",
]
+ redirect_configuration {
+ custom_path = "/"
+ redirect_protocol = "HttpsOnly"
+ redirect_type = "Found"
}
}
+ routing_rule {
+ accepted_protocols = [
+ "Https",
]
+ enabled = true
+ frontend_endpoints = [
+ "acctest-FD-001-dev001",
+ "acctest-FD-001-dev001-custom",
]
+ id = (known after apply)
+ name = "acctestfd001dev001site02"
+ patterns_to_match = [
+ "/site02",
+ "/site02/*",
]
+ forwarding_configuration {
+ backend_pool_name = "acctestfd001dev001site02"
+ cache_enabled = false
+ cache_query_parameter_strip_directive = "StripAll"
+ cache_use_dynamic_compression = false
+ custom_forwarding_path = "/"
+ forwarding_protocol = "HttpsOnly"
}
}
+ routing_rule {
+ accepted_protocols = [
+ "Http",
]
+ enabled = true
+ frontend_endpoints = [
+ "acctest-FD-001-dev001",
+ "acctest-FD-001-dev001-custom",
]
+ id = (known after apply)
+ name = "acctestfd001dev001site02RedirectHTTPtoHTTPS"
+ patterns_to_match = [
+ "/site02",
+ "/site02/*",
]
+ redirect_configuration {
+ custom_path = "/site02/"
+ redirect_protocol = "HttpsOnly"
+ redirect_type = "Found"
}
}
+ routing_rule {
+ accepted_protocols = [
+ "Https",
]
+ enabled = true
+ frontend_endpoints = [
+ "acctest-FD-001-dev001",
+ "acctest-FD-001-dev001-custom",
]
+ id = (known after apply)
+ name = "acctestfd001dev001site03"
+ patterns_to_match = [
+ "/site03",
+ "/site03/*",
]
+ forwarding_configuration {
+ backend_pool_name = "acctestfd001dev001site03"
+ cache_enabled = false
+ cache_query_parameter_strip_directive = "StripAll"
+ cache_use_dynamic_compression = false
+ custom_forwarding_path = "/"
+ forwarding_protocol = "HttpsOnly"
}
}
+ routing_rule {
+ accepted_protocols = [
+ "Http",
]
+ enabled = true
+ frontend_endpoints = [
+ "acctest-FD-001-dev001",
+ "acctest-FD-001-dev001-custom",
]
+ id = (known after apply)
+ name = "acctestfd001dev001site03RedirectHTTPtoHTTPS"
+ patterns_to_match = [
+ "/site03",
+ "/site03/*",
]
+ redirect_configuration {
+ custom_path = "/site03/"
+ redirect_protocol = "HttpsOnly"
+ redirect_type = "Found"
}
}
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
azurerm_frontdoor.default: Creating...
azurerm_frontdoor.default: Still creating... [10s elapsed]
azurerm_frontdoor.default: Still creating... [20s elapsed]
azurerm_frontdoor.default: Still creating... [30s elapsed]
azurerm_frontdoor.default: Still creating... [40s elapsed]
azurerm_frontdoor.default: Still creating... [50s elapsed]
azurerm_frontdoor.default: Still creating... [1m0s elapsed]
azurerm_frontdoor.default: Still creating... [1m10s elapsed]
azurerm_frontdoor.default: Still creating... [1m20s elapsed]
azurerm_frontdoor.default: Creation complete after 1m22s [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Terraform plan output right after first creation reproducing sorting issue
azurerm_resource_group.default: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001]
azurerm_storage_account.site03: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Storage/storageAccounts/acctestfd001dev001site03]
azurerm_storage_account.site01: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Storage/storageAccounts/acctestfd001dev001site01]
azurerm_storage_account.site02: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Storage/storageAccounts/acctestfd001dev001site02]
azurerm_frontdoor.default: Refreshing state... [id=/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001]
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# azurerm_frontdoor.default will be updated in-place
~ resource "azurerm_frontdoor" "default" {
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001"
name = "acctest-FD-001-dev001"
tags = {}
# (12 unchanged attributes hidden)
~ backend_pool {
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/backendPools/acctestfd001dev001site03"
~ name = "acctestfd001dev001site03" -> "acctestfd001dev001site02"
# (2 unchanged attributes hidden)
~ backend {
~ address = "acctestfd001dev001site03.z33.web.core.windows.net" -> "acctestfd001dev001site02.z33.web.core.windows.net"
~ host_header = "acctestfd001dev001site03.z33.web.core.windows.net" -> "acctestfd001dev001site02.z33.web.core.windows.net"
# (5 unchanged attributes hidden)
}
}
~ backend_pool {
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/backendPools/acctestfd001dev001site02"
~ name = "acctestfd001dev001site02" -> "acctestfd001dev001site03"
# (2 unchanged attributes hidden)
~ backend {
~ address = "acctestfd001dev001site02.z33.web.core.windows.net" -> "acctestfd001dev001site03.z33.web.core.windows.net"
~ host_header = "acctestfd001dev001site02.z33.web.core.windows.net" -> "acctestfd001dev001site03.z33.web.core.windows.net"
# (5 unchanged attributes hidden)
}
}
~ frontend_endpoint {
~ host_name = "acctest-fd-001-dev001-custom.jaydoubleu.co.uk" -> "acctest-fd-001-dev001.azurefd.net"
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/frontendEndpoints/acctest-FD-001-dev001-custom"
~ name = "acctest-FD-001-dev001-custom" -> "acctest-FD-001-dev001"
# (3 unchanged attributes hidden)
}
~ frontend_endpoint {
~ host_name = "acctest-fd-001-dev001.azurefd.net" -> "acctest-fd-001-dev001-custom.jaydoubleu.co.uk"
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/frontendEndpoints/acctest-FD-001-dev001"
~ name = "acctest-FD-001-dev001" -> "acctest-FD-001-dev001-custom"
# (3 unchanged attributes hidden)
}
~ routing_rule {
~ accepted_protocols = [
- "Http",
+ "Https",
]
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/routingRules/acctestfd001dev001site01RedirectHTTPtoHTTPS"
~ name = "acctestfd001dev001site01RedirectHTTPtoHTTPS" -> "acctestfd001dev001site01"
# (3 unchanged attributes hidden)
+ forwarding_configuration {
+ backend_pool_name = "acctestfd001dev001site01"
+ cache_enabled = false
+ cache_query_parameter_strip_directive = "StripAll"
+ cache_use_dynamic_compression = false
+ custom_forwarding_path = "/"
+ forwarding_protocol = "HttpsOnly"
}
- redirect_configuration {
- custom_path = "/" -> null
- redirect_protocol = "HttpsOnly" -> null
- redirect_type = "Found" -> null
}
}
~ routing_rule {
~ accepted_protocols = [
- "Https",
+ "Http",
]
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/routingRules/acctestfd001dev001site02"
~ name = "acctestfd001dev001site02" -> "acctestfd001dev001site01RedirectHTTPtoHTTPS"
~ patterns_to_match = [
- "/site02",
- "/site02/*",
+ "/*",
]
# (2 unchanged attributes hidden)
- forwarding_configuration {
- backend_pool_name = "acctestfd001dev001site02" -> null
- cache_enabled = false -> null
- cache_query_parameter_strip_directive = "StripAll" -> null
- cache_use_dynamic_compression = false -> null
- custom_forwarding_path = "/" -> null
- forwarding_protocol = "HttpsOnly" -> null
}
+ redirect_configuration {
+ custom_path = "/"
+ redirect_protocol = "HttpsOnly"
+ redirect_type = "Found"
}
}
~ routing_rule {
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/routingRules/acctestfd001dev001site01"
~ name = "acctestfd001dev001site01" -> "acctestfd001dev001site02"
~ patterns_to_match = [
- "/*",
+ "/site02",
+ "/site02/*",
]
# (3 unchanged attributes hidden)
~ forwarding_configuration {
~ backend_pool_name = "acctestfd001dev001site01" -> "acctestfd001dev001site02"
# (5 unchanged attributes hidden)
}
}
~ routing_rule {
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/routingRules/acctestfd001dev001site03RedirectHTTPtoHTTPS"
~ name = "acctestfd001dev001site03RedirectHTTPtoHTTPS" -> "acctestfd001dev001site02RedirectHTTPtoHTTPS"
~ patterns_to_match = [
- "/site03",
- "/site03/*",
+ "/site02",
+ "/site02/*",
]
# (3 unchanged attributes hidden)
~ redirect_configuration {
~ custom_path = "/site03/" -> "/site02/"
# (2 unchanged attributes hidden)
}
}
~ routing_rule {
~ accepted_protocols = [
- "Http",
+ "Https",
]
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/routingRules/acctestfd001dev001site02RedirectHTTPtoHTTPS"
~ name = "acctestfd001dev001site02RedirectHTTPtoHTTPS" -> "acctestfd001dev001site03"
~ patterns_to_match = [
- "/site02",
- "/site02/*",
+ "/site03",
+ "/site03/*",
]
# (2 unchanged attributes hidden)
+ forwarding_configuration {
+ backend_pool_name = "acctestfd001dev001site03"
+ cache_enabled = false
+ cache_query_parameter_strip_directive = "StripAll"
+ cache_use_dynamic_compression = false
+ custom_forwarding_path = "/"
+ forwarding_protocol = "HttpsOnly"
}
- redirect_configuration {
- custom_path = "/site02/" -> null
- redirect_protocol = "HttpsOnly" -> null
- redirect_type = "Found" -> null
}
}
~ routing_rule {
~ accepted_protocols = [
- "Https",
+ "Http",
]
id = "/subscriptions/<redacted>/resourceGroups/rg-acctest-fd-001-dev001/providers/Microsoft.Network/frontDoors/acctest-FD-001-dev001/routingRules/acctestfd001dev001site03"
~ name = "acctestfd001dev001site03" -> "acctestfd001dev001site03RedirectHTTPtoHTTPS"
# (3 unchanged attributes hidden)
- forwarding_configuration {
- backend_pool_name = "acctestfd001dev001site03" -> null
- cache_enabled = false -> null
- cache_query_parameter_strip_directive = "StripAll" -> null
- cache_use_dynamic_compression = false -> null
- custom_forwarding_path = "/" -> null
- forwarding_protocol = "HttpsOnly" -> null
}
+ redirect_configuration {
+ custom_path = "/site03/"
+ redirect_protocol = "HttpsOnly"
+ redirect_type = "Found"
}
}
# (3 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Ps. I have temporarily pre-created cnames under my domain for prefix Even if I would move code blocks around to satisfy terraform plan it will not be consistent across after destroy and re-create as it seems to decide ordering completely randomly. In this case it tries to move around all blocks (frontend endpoints, routing rules and backend pools ). Sometimes I get lucky and it gets it "just right" so I am unable to reproduce issue but after destroy and recreate usually can be replicated. One time it will move some blocks around and not the other etc. |
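Added illustration, not part of the thread and not the change made in this PR: why a reordered API response shows up as the in-place updates in the plan output above, and how matching elements by name instead of by position removes the false drift. The `Element` type, the function names and the case-insensitive name matching are assumptions made for this example; the routing rule names and the two orderings are taken from the plan output above.

```go
package main

import (
	"fmt"
	"strings"
)

// Element stands in for any named Front Door sub-block (backend_pool,
// frontend_endpoint, routing_rule). Hypothetical type for this example.
type Element struct {
	Name string
	Kind string
}

// positionalDrift counts the indexes at which the configured element and the
// element read back from the API differ. Ordered lists are compared this way,
// so a pure reordering is reported as a series of in-place updates.
func positionalDrift(config, remote []Element) int {
	n := len(config)
	if len(remote) > n {
		n = len(remote)
	}
	drift := 0
	for i := 0; i < n; i++ {
		if i >= len(config) || i >= len(remote) || config[i] != remote[i] {
			drift++
		}
	}
	return drift
}

// alignToConfig returns the remote elements rearranged to follow the order of
// the configuration. Names are matched case-insensitively (an assumption of
// this example). Remote elements with no counterpart in the configuration are
// appended in the order the API returned them, so real additions still
// surface as drift instead of being hidden.
func alignToConfig(config, remote []Element) []Element {
	byName := make(map[string]Element, len(remote))
	for _, r := range remote {
		byName[strings.ToLower(r.Name)] = r
	}
	out := make([]Element, 0, len(remote))
	used := make(map[string]bool, len(remote))
	for _, c := range config {
		key := strings.ToLower(c.Name)
		if r, ok := byName[key]; ok && !used[key] {
			out = append(out, r)
			used[key] = true
		}
	}
	for _, r := range remote {
		key := strings.ToLower(r.Name)
		if !used[key] {
			out = append(out, r)
			used[key] = true
		}
	}
	return out
}

// rules builds a routing_rule list from names; names ending in
// "RedirectHTTPtoHTTPS" are the HTTP-to-HTTPS redirect rules.
func rules(names ...string) []Element {
	out := make([]Element, 0, len(names))
	for _, n := range names {
		kind := "https-forward"
		if strings.HasSuffix(n, "RedirectHTTPtoHTTPS") {
			kind = "http-redirect"
		}
		out = append(out, Element{Name: n, Kind: kind})
	}
	return out
}

// configRules is the routing_rule order written in the configuration above.
func configRules() []Element {
	return rules(
		"acctestfd001dev001site01", "acctestfd001dev001site01RedirectHTTPtoHTTPS",
		"acctestfd001dev001site02", "acctestfd001dev001site02RedirectHTTPtoHTTPS",
		"acctestfd001dev001site03", "acctestfd001dev001site03RedirectHTTPtoHTTPS")
}

// remoteRules is the order read back after the first apply, reconstructed
// from the id lines of the six routing_rule updates in the plan above.
func remoteRules() []Element {
	return rules(
		"acctestfd001dev001site01RedirectHTTPtoHTTPS", "acctestfd001dev001site02",
		"acctestfd001dev001site01", "acctestfd001dev001site03RedirectHTTPtoHTTPS",
		"acctestfd001dev001site02RedirectHTTPtoHTTPS", "acctestfd001dev001site03")
}

func main() {
	cfg, api := configRules(), remoteRules()
	fmt.Println("drift, compared by position:", positionalDrift(cfg, api))
	fmt.Println("drift, aligned by name:", positionalDrift(cfg, alignToConfig(cfg, api)))
}
```

With the positional comparison every rule appears to flip between an HTTPS forward and an HTTP redirect, which is what makes a shuffled plan hard to review for real changes.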
Thanks so much! |
When I run this on the existing frontdoor that I was using to test: #10571 I just get the wrong ssl cert picked:
https://github.com/hmcts/terraform-module-frontdoor/tree/hack (commit 838faf9802fba9d8e499480adbb52b97c11d6cd1)
terraform.tfvars
frontends = [
main.tf
variable "env" { data "azurerm_resource_group" "key_vault" { variable "frontends" { data "azurerm_subscription" "current" {} module "log_analytics_workspace" { module "landing_zone" { providers = { common_tags = {} add_access_policy = true |
I destroyed the frontdoor and re-created it, it successfully applied. When I do my next plan I get: resource_group_name diff:
full shuffling of pretty much everything: plan
|
@JayDoubleu, this is really weird... I used your exact config (except I used my own domain) and I get:
At this point the only difference between our two environments is the terraform core runtime version:
CORRECTION: |
This has been released in version 2.58.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:
provider "azurerm" {
  version = "~> 2.58.0"
}
# ... other configuration ... |
@WodansSon @alec-pinson, a colleague of mine is also testing with their FD instance, seems so far so good. |
I tested so far with new as well as existing instances: works like a charm! No more random changes in But looks great, thanks a ton @WodansSon for this much needed work! |
@WodansSon, @favoretti we got an issue, getting this on our plan:
Guessing the state file needs to be cleaned up? Might try an import with new state file to see if that will make it work. |
ARGH! Yep... that was my bad... that was not a scenario I had thought of, but it makes sense... I removed the support for that code block and field from the resource. I might have to implement a state migration function to remove this from the state file. That is a great catch @ryanbowden... thanks for the heads up... now I just need to figure out a way to repro it... 🙃 If you go into your state file and remove that code block( This is actually way harder than it sounds, since I made the 3.0 hard cut between the front door resource and the custom https resource ahead of the 3.0 release... meaning, from now on, if you want a custom https domain you will also need to include a custom https configuration resource in your configuration file. So, with the new resource, if I remove the block and field from the main resource to avoid this error you will not be in the state you expect yourself to be in after the apply. I would have to detect this change and error out during the state migration because I did not see the blocks I deleted in the migration in the new configuration file, if that makes sense. It is doable, but I would need a bit more time to figure out the best way to detect this and correct it. Thanks again for reporting this issue @ryanbowden. |
I think you won't be able to statemigrate it. TF code needs to be refactored @ryanbowden so that you convert inline |
Or... Hmm... What you could do, if you have a test env, is generally remove FD from the state with |
Another way to go about it would be going back to previous provider version, moving |
Hi, firstly thanks for this, mine is now working perfectly! One thing I've already mentioned to @favoretti regarding the currently:
however it looks like the new resource id type is
Although that being said I get the error below when trying to import:-
... I've just remembered I think there was maybe an issue around casing or something for this, anyways instead of importing I allowed Terraform to 'overwrite' changes in Azure and I'm now getting the beautiful
|
Ok.... can I get a general consensus around these changes as you have experienced them thus far, I know there is some pain around what I have done, but overall would you view this as a positive change? I know there are some scenarios I overlooked, and I am sorry for that, but I did the best I could with the current issue, well not just issue many issues... lol... I feel this was the best case and I will continue to work on fixing the edge cases, but I believe for new front doors everything should be resolved. The existing front doors may and will find issues depending on their configurations and I think that a one time pain point might be acceptable, granted not ideal, but acceptable. Thoughts? |
I definitely share the same view. Fixing already existing issues was already a huge challenge and it enables us to work with the provider in general. Left over edge cases at least have known workarounds while the main issue before this fix did not have any. |
Ps. One thing I just noticed is that front end endpoint needs to be created for
resource "azurerm_frontdoor_custom_https_configuration" "example_custom_https_1" {
  frontend_endpoint_id              = azurerm_frontdoor.example.frontend_endpoints["exampleFrontendEndpoint2"]
  custom_https_provisioning_enabled = true

  custom_https_configuration {
    certificate_source                      = "AzureKeyVault"
    azure_key_vault_certificate_secret_name = "examplefd1"
    azure_key_vault_certificate_vault_id    = data.azurerm_key_vault.vault.id
  }
} |
@JayDoubleu |
@favoretti tried it but without success unfortunately. Seems like some sort of bug in dependency graph ? |
I ended up not accessing through the set and just building the ID, was the only way I could get it to work in all scenarios |
Hmm, this is interesting. Regardless of the fact that Funny thing is - I did write an acceptance test checking exactly that and it passes.. |
@timja I ended up with something similar |
@WodansSon so after making a few changes in the state files ours is working correctly with no issues now. We had another issue around a log analytics but that's because it had part created it and then state file was messed up; we removed it from state file and removed it in portal and now all created with no issues. Thank you so much to you and everyone else fixing this issue. ❤️ |
oo nice, I can move to that.
Referencing by index seems too risky, as indexes will get shuffled when you add/remove endpoints |
Hi some snippets of my code which is working:-
resource "azurerm_frontdoor" "this" {
  ......
  // Frontend Endpoint
  dynamic "frontend_endpoint" {
    for_each = local.configs
    content {
      name                                    = frontend_endpoint.key
      host_name                               = frontend_endpoint.value.waf.frontend_domain
      web_application_firewall_policy_link_id = try(frontend_endpoint.value.waf.waf_policy_id, var.default_waf_policy)
      session_affinity_enabled                = false
      session_affinity_ttl_seconds            = 0
    }
  }
}

// apply certificate secret
resource "azurerm_frontdoor_custom_https_configuration" "this" {
  for_each                          = local.configs
  frontend_endpoint_id              = azurerm_frontdoor.this.frontend_endpoints[each.key]
  custom_https_provisioning_enabled = true

  custom_https_configuration {
    certificate_source                         = "AzureKeyVault"
    azure_key_vault_certificate_secret_name    = data.azurerm_key_vault_secret.this[each.key].name
    azure_key_vault_certificate_secret_version = data.azurerm_key_vault_secret.this[each.key].version
    azure_key_vault_certificate_vault_id       = var.certificate_keyvault_id
  }
} |
@alec-pinson make sure you validate deleting endpoints and then creating a new one with that. I think I had an issue around there. |
ah ok sorry my bad, I haven't created/deleted any endpoints |
I'm assuming referencing |
First of all big thanks @WodansSon for this work! I've just run the latest provider release against my front doors with various dynamic blocks and custom https configurations and it worked like a charm. I have faced the same issue though with the |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
BREAKING CHANGE:
This PR removes the Custom HTTPS Configuration section from the main Front Door resource and delegates it completely to the dedicated azurerm_frontdoor_custom_https_configuration resource. TBH it never should have been released with support in both locations as it was causing contention in the API because both of the resources were calling the same API multiple times, that is fixed as well in this PR.
azurerm_frontdoor:
The values that have been removed are:
azurerm_frontdoor_custom_https_configuration:
The values that have been removed are:
UNIQUE CUSTOM HTTPS CONFIGURATION ID:
Exposed a unique ID string for the azurerm_frontdoor_custom_https_configuration resource with the following format:
BEHAVIOR CHANGE:
With the release of the v2.58.0 provider, if you run the apply command against an existing Front Door resource the changes will not be applied. This will only happen once with preexisting Front Door instances and will not affect newly provisioned Front Door resources. This change in behavior in Terraform is due to an issue where the underlying service team's API is now returning the response JSON out of order from the way it was sent to the resource provider by Terraform, causing unexpected discrepancies in the plan after the resource has been provisioned. This will only happen one time, to avoid unwanted changes from being provisioned, once the explicit_resource_order mapping structure has been persisted to the state file the resource will resume functioning normally.
(fixes #9153)
(fixes #8039)
(fixes #10661)
(fixes #9075)
(fixes #11287)
(fixes #7613)
(fixes #7208)
(fixes #6351)
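The BEHAVIOR CHANGE above relies on restoring a persisted order before the API response is compared with the configuration. The following Go sketch is an added illustration of that idea, not the provider's own code: the `Endpoint` type, the function names and the sample data are assumptions, and the persisted order is modelled as a plain list of element names.

```go
package main

import "fmt"

// Endpoint is a hypothetical stand-in for one Front Door element (not the provider's type).
type Endpoint struct {
	Name     string
	HostName string
}

// ReorderByExplicitOrder returns the API items in the order recorded in
// persisted. Items the API returns that are absent from persisted are appended
// in API order; persisted names the API no longer returns are skipped.
func ReorderByExplicitOrder(persisted []string, fromAPI []Endpoint) []Endpoint {
	byName := make(map[string]Endpoint, len(fromAPI))
	for _, e := range fromAPI {
		byName[e.Name] = e
	}
	seen := make(map[string]bool, len(fromAPI))
	out := make([]Endpoint, 0, len(fromAPI))
	for _, name := range persisted {
		if e, ok := byName[name]; ok && !seen[name] {
			out = append(out, e)
			seen[name] = true
		}
	}
	for _, e := range fromAPI {
		if !seen[e.Name] {
			out = append(out, e)
			seen[e.Name] = true
		}
	}
	return out
}

// Summary renders the order as "0=name 1=name ..." for printing or comparison.
func Summary(items []Endpoint) (s string) {
	for i, e := range items {
		s += fmt.Sprintf("%d=%s ", i, e.Name)
	}
	return s
}

func main() {
	// Constructed sample data: order persisted in state vs. shuffled API response.
	persisted := []string{"default", "www", "api", "retired"}
	fromAPI := []Endpoint{{"api", "api.example.com"}, {"new", "new.example.com"},
		{"default", "example.azurefd.net"}, {"www", "www.example.com"}}
	fmt.Println(Summary(ReorderByExplicitOrder(persisted, fromAPI)))
}
```

With a stable order restored this way, a plan diff reflects only real changes (an added or removed element), not the order in which the service happened to return them.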