-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Application Gateway request_routing_rule order change even with Azurerm 3.0.2 #16136
Comments
Just wanted to add that on another application gateway, the issue is on backend_http_settings, so I assume this is just randomly happening on all the blocks. Not sure why one or the other is specifically affected though in each separate app gateway. But for this specific case, there was actually a difference in the http settings and once I fixed that (in the code only by aligning to what was in the portal) and ran the plan again no infrastructure changes were detected. I still believe that according to the new version of azurerm I should've seen only the change in one of the backend_http_settings and not the addition and removal of all of them. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Hey @Nyxbiker, what was your configuration for application gateway and what did you have to do to your config to get it to line up with the portal? My first thought is that we're not generating the Hash for |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
@mbfrahry thanks for your reply. |
Hi @mbfrahry, the config for backend_http_settings is also a dynamic block as below: `dynamic backend_http_settings {
}` And I basically just noticed that in the Azure Portal we had some settings with cookie affinity enabled, so I proceeded to align these properties in the code by changing "cookie_based_affinity" to "Enabled" and "affinity_cookie_name" to the cookie name that was set in the Portal. I think that this specific issue is related to what you were discussing above with johannespetereit and owaisaamir though, and I agree with them that this is a huge issue because especially in big configurations (we have 51 request routing rules in one app gateway only) it becomes super difficult to figure out what has changed, that would be causing the huge Terraform output for one small property difference. Coming back to the original issue, I noticed in the output that Terraform adds a property "- priority = 0 -> null" in the request_routing_rule that should be "removed". I'm not sure if this is related to the issue that I'm currently experiencing though because I don't have this issue in 1 out of 3 application gateways (that are all using the same parent module with dynamic blocks). Please note that the initial example is just for one sample routing_rule, but I have this removal and addition issue for all of the request_routing_rules in the affected application gateways. I checked if there were any differences between the code and the portal and I couldn't find any. Also, even after running terraform apply (that should just align everything that isn't) I still have the issue after running terraform plan again, which makes me think that this "priority" property that I see in the output might be causing the issue (but we don't have it set either in the code or the portal). I also tried to ignore the "priority" property in request_routing_rules to see if it would fix the issue, but I can't since lifecycle ignore does not support splat expressions etc. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
I implemented a provider to overcome such behaviors. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
@mbfrahry please where we can watch at progress and perhaps help with application gateway refactoring you mentioned here - #19963 (comment) Thank you, |
Is there any way to workaround this behavior? I have two |
There is no straightforward workaround. You can try as mentioned:
|
I try to use but got API error for 'location' attribute that isn't existing in provider. azurermagw_binding_service.binding-service-resource: Creating... |
Is there any sort of timeline on this being fixed? this is a pretty frustrating bug |
Looking into the plan output as json i do see things like this: {
"before": {
"request_routing_rule": [
{
"backend_address_pool_id": "",
"backend_address_pool_name": "",
"backend_http_settings_id": "",
"backend_http_settings_name": "",
"http_listener_id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/applicationGateways/REDACTED/httpListeners/global-default-https-redirect",
"http_listener_name": "global-default-https-redirect",
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/applicationGateways/REDACTED/requestRoutingRules/global-default-https-redirect",
"name": "global-default-https-redirect",
"priority": 22,
"redirect_configuration_id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/applicationGateways/REDACTED/redirectConfigurations/global-default-https-redirect",
"redirect_configuration_name": "global-default-https-redirect",
"rewrite_rule_set_id": "",
"rewrite_rule_set_name": "",
"rule_type": "Basic",
"url_path_map_id": "",
"url_path_map_name": ""
}
]
},
"after": {
"request_routing_rule": [
{
"backend_address_pool_id": "",
"backend_address_pool_name": null,
"backend_http_settings_id": "",
"backend_http_settings_name": null,
"http_listener_id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/applicationGateways/REDACTED/httpListeners/global-default-https-redirect",
"http_listener_name": "global-default-https-redirect",
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/applicationGateways/REDACTED/requestRoutingRules/global-default-https-redirect",
"name": "global-default-https-redirect",
"priority": 22,
"redirect_configuration_id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/applicationGateways/REDACTED/redirectConfigurations/global-default-https-redirect",
"redirect_configuration_name": "global-default-https-redirect",
"rewrite_rule_set_id": "",
"rewrite_rule_set_name": null,
"rule_type": "Basic",
"url_path_map_id": "",
"url_path_map_name": null
}
]
}
} is it just that the provider is using null for the omitted variables and azure is sending back empty string? |
I'm having the same issue but with http_listeners where it always recreates the listeners because the host_name changes to null for some reason. |
I don't know if I can help you, I had the same problem and solved it this way. |
I was able to fix it with azurerm 3.92 |
I had this issue with the latest provider 3.100.4 and after way too long troubleshooting I found it was incorrect backend settings on a pathbased route rule. Basically what was happening was the route rule had recently been changed from basic to a path based, so a url_path_map was added. But the backend settings had been left in the request_routing_rule section, but they are not used there when you do PathBasedRouting. Instead, they move into the url_path_map and from part of the default. As an example, I just commented out those 2 commented lines and that solved my problem. request_routing_rule {
name = "routerule-webapp-443"
rule_type = "PathBasedRouting"
http_listener_name = "listener-webapp-443"
# backend_address_pool_name = "bepool-webapp-empty"
# backend_http_settings_name = "behttp-webapp-443"
priority = "340"
url_path_map_name = "urlmap-webapp-443"
}
url_path_map {
name = "urlmap-webapp-443"
default_backend_address_pool_name = "bepool-webapp-empty"
default_backend_http_settings_name = "behttp-webapp-443"
path_rule {
name = "frontend"
backend_address_pool_name = "bepool-webapp"
backend_http_settings_name = "behttp-webapp-443"
paths = [
"/*",
]
}
} |
@mbfrahry I can see this ticket is assigned to you since last year. Github ticket #6896 opened in 2020 has not fixed the root issue even though its closed. :/ |
On latest terraform document application_gateway,
Do we really have downtime when modifying a part of the rules even though in the Terraform plan it "removes and adds" the whole set of rules? I ran a curl loop to test accessibility and did not notice any errors during terraform apply. |
@chuncheungy Since dry run is unreadable, in case of misconfigurations from the engineers, it's impossible to spot them in the dry run which produce a downtime. |
how is it possible that microsoft still didn't fix this issue? (still with 4.0.1) e.g. when using it with AKS this leads to the fact that the whole cluster needs to be destroyed in order to destroy and redeploy the gateway! there is no way one can edit from "Basic" routing to "PathBasedRouting" as it's a deadlock situation (if it doesn't deploy correctly - and it seems to be totally random if or if not it's working with the same script) |
I'm running into the same issue where Terraform keeps detecting changes in the request_routing_rule blocks because of ordering differences between my config and what's returned from Azure. Would it be possible for Terraform to sort these rules internally so they match up with what we have in our code? That way, the plan wouldn't show changes when there aren't any actual differences. |
Hi @mbfrahry, I can see this ticket has been assigned to you for more than 2y, could you please give us an ETA? |
@radurobot You can always assign priority manually and Terraform won't show changes. |
Just checking, this is still an issue for us (attributes being re-arranged making for a messy plan, but the apply works out fine). Is this still on the cards for AzureRM 4.0 ? |
I confirm this is a big issue for us. |
we did abandon it one year and half ago. and we are happy now. |
@eissko what is your alternative? |
@cveld non-msft solution as virtual appliance. f5/volterra a and its service "Web App & API protection". |
We encountered the same troubles and migrated the app gateway to Bicep. The "what-if" feature of bicep makes it quite comparable to Terraform. The diffs are readable again, thats what counts. |
|
Community Note
Terraform (and AzureRM Provider) Version
Terraform v1.1.7
on windows_amd64
Affected Resource(s)
azurerm_application_gateway
Terraform Configuration Files
Debug Output
Panic Output
Expected Behaviour
No change detected, I also tried to run terraform apply, and it does somehow "modify" the application gateway, but if I run terraform plan again I still have the same issue.
Actual Behaviour
Terraform tries to change the order of request_routing_rules only (and all of them, I only provided you one sample output since we have many of them on this app gateway). It keeps happening even after a terraform apply.
Steps to Reproduce
terraform plan
- you will see the attempted changeterraform apply
- terraform will apply the change even though there is no differenceterraform plan
- terraform still tries to do the same changesImportant Factoids
Some time ago when this issue was not known yet, I remember that I tried to create a new application gateway from scratch and the issue was not there, but after some months between various changes, the issue appeared again randomly and never went away. I don't know what is causing the issue but we have it on 3 different application gateways and can't get rid of it.
References
The text was updated successfully, but these errors were encountered: