azurerm_cdn_frontdoor_origin deploys as disabled. #18063

Closed
1 task done
RutgerAlbersCE opened this issue Aug 22, 2022 · 6 comments · Fixed by #18231

Comments

@RutgerAlbersCE

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.7

AzureRM Provider Version

3.19.1

Affected Resource(s)/Data Source(s)

azurerm_cdn_frontdoor_origin_group

Terraform Configuration Files

data "azurerm_cdn_frontdoor_profile" "frontdoor" {
  name                = var.frontdoor_name
  resource_group_name = var.frontdoor_resource_group_name
}

resource "azurerm_cdn_frontdoor_origin_group" "origin-group" {
  name                     = var.endpoint_name
  cdn_frontdoor_profile_id = data.azurerm_cdn_frontdoor_profile.frontdoor.id
  load_balancing {
    additional_latency_in_milliseconds = 50
    sample_size                        = 4
    successful_samples_required        = 3
  }
}

resource "azurerm_cdn_frontdoor_origin" "origin" {
  name                           = "public-ip"
  cdn_frontdoor_origin_group_id  = azurerm_cdn_frontdoor_origin_group.origin-group.id
  certificate_name_check_enabled = false
  host_name                      = var.host_name
  health_probes_enabled          = false
  http_port                      = 80
  https_port                     = 443
  origin_host_header             = null
  priority                       = 1
  weight                         = 50
}

Debug Output/Panic Output

Error: waiting for the update of Front Door Origin: {\"ErrorMessage\":\"Endpoint aks-platform-euw-test_public-ip cannot be disabled since that would make all Endpoints in Endpoint Pool aks-platform-euw-test be disabled\"}

Expected Behaviour

The Origin Group should be created with the status "Enabled".

Actual Behaviour

The Origin Group gets created with the status "Disabled". When manually changing the status to "Enabled" and then deploying again, Terraform will try to set it to "Disabled" again, resulting in the error message above.

Steps to Reproduce

When deploying the azurerm_cdn_frontdoor_origin resource with the settings supplied above it will create an origin resource, but with the "Disabled" status.

In the documentation I can't find a property to force this status to Enabled.
(Documentation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_origin)

Important Factoids

No response

References

Pull request for the new Frontdoor implementation:
#16671

@github-actions github-actions bot removed the bug label Aug 22, 2022
@RutgerAlbersCE RutgerAlbersCE changed the title azurerm_cdn_frontdoor_origin_group deploys as disabled. azurerm_cdn_frontdoor_origin deploys as disabled. Aug 22, 2022
@WodansSon WodansSon self-assigned this Aug 29, 2022
@WodansSon
Collaborator

@RutgerAlbersCE thank you for opening this issue, but from my understanding this is by design. The Frontdoor Origin resource will be deployed as disabled if a route has not been associated with it.

@RutgerAlbersCE
Author

Thanks for your reply. I'm not really sure that it's checking to see if a route has been associated for it to enable or disable the resource. My guess is that it's using the "health_probes_enabled" property to also set the origin enabled state.
At least I think that's what's happening. See the following line (disclaimer: I don't really know Go, so I could be wrong):

EnabledState: expandEnabledBool(d.Get("health_probes_enabled").(bool)),

In our use-case we want to disable the health probes, but enable the origin resource.
The "azurerm_cdn_frontdoor_route" resource doesn't seem to be implemented yet according to the PR.

I've currently managed to get around this by using a workaround with the azapi_resource provider for the origin group. Maybe that offers some extra insight. But I'd prefer to use the azurerm provider where possible.

resource "azapi_resource" "origin" {
  type      = "Microsoft.Cdn/profiles/originGroups/origins@2020-09-01"
  name      = "public-ip"
  parent_id = azurerm_cdn_frontdoor_origin_group.origin_group.id
  body      = jsonencode({
    properties : {
      hostName : var.host_name
      httpPort : 80
      httpsPort : 443
      originHostHeader : null
      enabledState : "Enabled"
      priority : 1
      weight : 50
    }
  })
}

@WodansSon
Collaborator

@RutgerAlbersCE That is exactly what is going on. In my new PR #18231 I fix this issue and expose a new field in the origin resource called enabled. To disable the health probes you need to remove their definition from your configuration file. You can see the linked PR for more detail.
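
A simplified Go model of the coupling confirmed in the comment above, added here as an example; it is not the provider's code. Apart from the name `expandEnabledBool`, which appears in the thread, every type, function and the error text are hypothetical, and `applyUpdate` only approximates the service-side rule behind the reported error (the create path, where the origin was accepted as disabled, is not modelled).

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model of the behaviour discussed in this issue. Names are
// hypothetical; expandEnabledBool's name is from the thread, its body is assumed.
type OriginConfig struct {
	HealthProbesEnabled bool // Terraform "health_probes_enabled"
	Enabled             bool // the separate "enabled" field described in the fix
}

func expandEnabledBool(b bool) string {
	if b {
		return "Enabled"
	}
	return "Disabled"
}

// Pre-fix mapping: origin state is derived from the health probe flag.
func buggyEnabledState(c OriginConfig) string { return expandEnabledBool(c.HealthProbesEnabled) }

// Post-fix mapping: origin state has its own field.
func fixedEnabledState(c OriginConfig) string { return expandEnabledBool(c.Enabled) }

var errLastOrigin = errors.New("origin cannot be disabled: all origins in the group would be disabled")

// applyUpdate models the rule behind the reported error: an update may not
// leave the origin group without at least one enabled origin.
func applyUpdate(group map[string]string, name, state string) error {
	if state == "Disabled" {
		for n, s := range group {
			if n != name && s == "Enabled" {
				group[name] = state // another origin stays enabled
				return nil
			}
		}
		return errLastOrigin
	}
	group[name] = state
	return nil
}

func main() {
	cfg := OriginConfig{HealthProbesEnabled: false, Enabled: true}
	group := map[string]string{"public-ip": "Enabled"} // constructed: origin enabled by hand
	fmt.Println("buggy:", applyUpdate(group, "public-ip", buggyEnabledState(cfg)))
	fmt.Println("fixed:", applyUpdate(group, "public-ip", fixedEnabledState(cfg)))
}
```
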

@RutgerAlbersCE
Author

That's great, I'll keep an eye out for the PR and test it when it's merged. Thanks!

WodansSon added a commit that referenced this issue Sep 29, 2022
…18551

* initial check-in

* still refactoring but should be functional

* Doc updates

* deprecate health_probes_enabled property

* Update website/docs/r/cdn_frontdoor_custom_domain_secret_validator.html.markdown

Co-authored-by: Sebastian <11445087+sebader@users.noreply.github.com>

* Update website/docs/r/cdn_frontdoor_custom_domain_txt_validator.html.markdown

Co-authored-by: Sebastian <11445087+sebader@users.noreply.github.com>

* refactor CIDR validation into validation packages

* fix naked return lint error in cidr overlap func

* Update code comments to add context

* Fix for 18249

* Remove txt and secret validators

* Remove validator ids, parse/validation packages

* Update rules doc for depends_on usage

* Doc updates

* Update test cases

* Correct skip txt for origin test

* More test and doc updates

* Update test and docs to use new subnet field

* Fix for 18370

* Update docs per PR comment

* Incremental fixed per PR review

* Initial addition of association and doc fix

* Custom domain assoc mostly working

* Additional progress...

* Fix lint errors

* Fix lint errors

* Last of the PR comments addressed...

* Fix for issue #18551

* Mostly working not done with the disable resource

* Done

Co-authored-by: Sebastian <11445087+sebader@users.noreply.github.com>
@github-actions github-actions bot added this to the v3.25.0 milestone Sep 29, 2022
@github-actions

This functionality has been released in v3.25.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 30, 2022