azurerm_frontdoor broken with recent Azure API update

[cpressland]

Terraform (and AzureRM Provider) Version

Terraform v0.12.29
+ provider.azurerm v2.21.0

Affected Resource(s)

• azurerm_frontdoor

Terraform Configuration Files

resource "azurerm_frontdoor" "frontdoor" {
    name = "bink-frontdoor"
    resource_group_name = azurerm_resource_group.rg.name
    enforce_backend_pools_certificate_name_check = true

    tags = var.tags

< snipped >

    routing_rule {
        name = "api-prod-<snipped>"
        accepted_protocols = ["Https"]
        patterns_to_match = ["/*"]
        frontend_endpoints = ["default", "api-gb-bink-com", "api-bink-com"]
        forwarding_configuration {
            forwarding_protocol = "HttpsOnly"
            backend_pool_name = "api-prod-<snipped>"
            cache_enabled = false
        }
    }

< snipped >

}

Debug Output

Terraform Plan Output:

      ~ routing_rule {
            accepted_protocols = [
                "Https",
            ]
            enabled            = true
          ~ frontend_endpoints = [
              - "",
              - "",
              - "",
              + "default",
              + "api-gb-bink-com",
              + "api-bink-com",
            ]
            id                 = "/subscriptions/0add5c8e-<snipped>/resourcegroups/frontdoor/providers/Microsoft.Network/Frontdoors/bink-frontdoor/RoutingRules/api-prod-<snipped>"
            name               = "api-prod-<snipped>"
            patterns_to_match  = [
                "/*",
            ]

          ~ forwarding_configuration {
              + backend_pool_name                     = "api-prod-<snipped>"
                cache_enabled                         = false
                cache_query_parameter_strip_directive = "StripAll"
                cache_use_dynamic_compression         = false
                forwarding_protocol                   = "HttpsOnly"
            }
        }

Azure CLI Output:

  {
    "acceptedProtocols": [
      "Https"
    ],
    "enabledState": "Enabled",
    "frontendEndpoints": [
      {
        "id": "/subscriptions/0add5c8e-<snipped>/resourcegroups/frontdoor/providers/microsoft.network/frontdoors/bink-frontdoor/frontendendpoints/default",
        "resourceGroup": "frontdoor"
      },
      {
        "id": "/subscriptions/0add5c8e-<snipped>/resourcegroups/frontdoor/providers/microsoft.network/frontdoors/bink-frontdoor/frontendendpoints/api-gb-bink-com",
        "resourceGroup": "frontdoor"
      },
      {
        "id": "/subscriptions/0add5c8e-<snipped>/resourcegroups/frontdoor/providers/microsoft.network/frontdoors/bink-frontdoor/frontendendpoints/api-bink-com",
        "resourceGroup": "frontdoor"
      }
    ],
    "id": "/subscriptions/0add5c8e-<snipped>/resourcegroups/frontdoor/providers/Microsoft.Network/Frontdoors/bink-frontdoor/RoutingRules/api-prod-<snipped>",
    "name": "api-prod-<snipped>",
    "patternsToMatch": [
      "/*"
    ],
    "resourceGroup": "frontdoor",
    "resourceState": "Enabled",
    "routeConfiguration": {
      "backendPool": {
        "id": "/subscriptions/0add5c8e-<snipped>/resourcegroups/frontdoor/providers/microsoft.network/frontdoors/bink-frontdoor/backendpools/api-prod-<snipped>",
        "resourceGroup": "frontdoor"
      },
      "cacheConfiguration": null,
      "customForwardingPath": null,
      "forwardingProtocol": "HttpsOnly",
      "odatatype": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration"
    },
    "rulesEngine": null,
    "type": "Microsoft.Network/Frontdoors/RoutingRules",
    "webApplicationFirewallPolicyLink": null
  },

Expected Behavior

Terraform identifies that no changes are required

Actual Behavior

Azure API is responding with:

"id": "/subscriptions/0add5c8e-<snipped>/resourcegroups/frontdoor/providers/microsoft.network/frontdoors/bink-frontdoor/frontendendpoints/api-gb-bink-com"

instead of

"id": "/subscriptions/0add5c8e-<snipped>/resourcegroups/frontdoor/providers/Microsoft.Network/Frontdoors/bink-frontdoor/FrontendEndpoints/api-gb-bink-com"

Which terraform is identifying as different due to the lack of capitalisation.

Steps to Reproduce

Attempt to spin up a Front Door and Apply/Plan a second time

Important Factoids

Have raised a P1 with the Azure Support team to investigate as this is clearly a breaking API change.

[cpressland]

@WodansSon sorry for pinging you directly, as you've worked on Front Door recently I was wondering if you had any ideas/thoughts on the above?

[TheFlyingArcher]

I have issues with Front Door too upon second application of Front Door. I get this error

Error: unable to update Custom HTTPS configuration for Frontend Endpoint "domain-name" (Resource Group "issue-35-brc"):
unable to enable/update Custom Domain HTTPS for Frontend Endpoint "domain-name" (Resource Group "issue-35-brc"):
enabling Custom Domain HTTPS for Frontend Endpoint: frontdoor.FrontendEndpointsClient#EnableHTTPS: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn’t allowed in this profile."

  on .terraform/modules/front_door/_modules/frontdoor/main.tf line 14, in resource "azurerm_frontdoor" "fd":
  14: resource "azurerm_frontdoor" "fd" {

The thing is that I don't change the custom domain at all. In my test case, I just changed backend pool name. Another individual who ran in to this issue updated tags.

[cpressland]

@bcline760 - correct, my terraform plan is totally borked too, the API appears to be rather case-insensitive and the provider appears to be case-sensitive. If I were better at Go I'd take a proper stab at fixing it:

https://github.com/terraform-providers/terraform-provider-azurerm/blob/e6a276c172c649b9be6c5e97590b2f0041d2e5b1/azurerm/internal/services/frontdoor/frontdoor_resource.go#L508

I've had my first triage call with Microsoft for investigating it on the API side, I'll continue to provide updates here as I have them.

[TheFlyingArcher]

Also #7498 was release that touched the Front Door. That was as recent as 2.20? Would that have any impact? I'm trying a test by using a provider version older than 2.20 to see if that change caused this.

[cpressland]

So, I've downgraded my provider to 2.19.0, had to mess with the state file a bit (backed it up first) but unfortunately the results are the same. This certainly appears to be an upstream change, not something specific to Terraform.

[terricain]

@bcline760 I've updated the provider which has fixed my changes, PR here - #8046 it might solve your issues too

[TheFlyingArcher]

Excellent. How quickly can this get merged? Front door is unusable right now.

[ghost]

This has been released in version 2.24.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.24.0"
}
# ... other configuration ...

[chan43999]

Still got the issue when trying to update AFD on azurerm version 2.27.0

Error: updating Custom HTTPS configuration for Frontend Endpoint "customfrontend" (Front Door "poc-fd" / Resource Group
"chan-test"): unable to enable/update Custom Domain HTTPS for Frontend Endpoint "customfrontend" (Resource Group
"chan-test"): enabling Custom Domain HTTPS for Frontend Endpoint: frontdoor.FrontendEndpointsClient#EnableHTTPS:
Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn’t allowed in this profile."

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!