azurerm_dns_a_record failing with weird "from no visitor picked" string in target_resource_id?

[dossy]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

$ terraform -v
Terraform v0.12.29
+ provider.azurerm v2.24.0
+ provider.null v2.1.2

Affected Resource(s)

• azurerm_dns_a_record
• azurerm_cdn_profile
• azurerm_cdn_endpoint

Terraform Configuration Files

resource "azurerm_cdn_profile" "cdn" {
  resource_group_name = "RG"
  location            = "EastUS2"
  name                = "cdn"
  sku                 = "Standard_Microsoft"
}

resource "azurerm_cdn_endpoint" "endpoint" {
  resource_group_name = "RG"
  location            = "EastUS2"
  profile_name        = azurerm_cdn_profile.cdn.name
  name                = "cdn-endpoint"

  querystring_caching_behaviour   = "UseQueryString"
  origin_host_header              = "www.domain.test"

  origin {
    name      = "www"
    host_name = "www.domain.test"
  }

  global_delivery_rule {
    modify_request_header_action {
      action  = "Delete"
      name    = "Cookie"
    }

    modify_response_header_action {
      action  = "Delete"
      name    = "Set-Cookie"
    }
  }
}

resource "azurerm_dns_a_record" "apex" {
  resource_group_name = "RG"
  zone_name           = "domain.test"
  name                = "@"

  ttl                 = 300
  target_resource_id  = azurerm_cdn_profile.cdn.id
}

Debug Output

(I cannot provide the entire log, but I've redacted names and IDs from the relevant portion of the log. Click to expand.)

2020/08/20 16:34:46 [DEBUG] azurerm_dns_a_record.apex[0]: applying the planned Create change
2020/08/20 16:34:46 [TRACE] GRPCProvider: ApplyResourceChange
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: [DEBUG] AzureRM Request: 
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: GET /subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnsZones/domain.test/A/@?api-version=2018-05-01 HTTP/1.1
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Host: management.azure.com
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: User-Agent: Go/go1.14.5 (amd64-darwin) go-autorest/v14.0.0 Azure-SDK-For-Go/v44.2.0 dns/2018-05-01 HashiCorp Terraform/0.12.29 (+https://www.terraform.io) Terraform Plugin SDK/1.13.1 terraform-provider-azurerm/2.24.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Correlation-Request-Id: REDACTED
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Accept-Encoding: gzip
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: 
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: 
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnsZones/domain.test/A/@?api-version=2018-05-01: 
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: HTTP/2.0 404 Not Found
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Length: 170
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Cache-Control: private
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Type: application/json; charset=utf-8
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Date: Thu, 20 Aug 2020 20:34:46 GMT
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Server: Microsoft-IIS/10.0
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Strict-Transport-Security: max-age=31536000; includeSubDomains
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Content-Type-Options: nosniff
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Correlation-Request-Id: REDACTED
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 499
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Request-Id: REDACTED
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Routing-Request-Id: REDACTED
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Powered-By: ASP.NET
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: 
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: {"code":"NotFound","message":"The resource record '@' does not exist in resource group 'REDACTED' of subscription 'REDACTED'."}
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: [DEBUG] AzureRM Request: 
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: PUT /subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnsZones/domain.test/A/@?api-version=2018-05-01 HTTP/1.1
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Host: management.azure.com
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: User-Agent: Go/go1.14.5 (amd64-darwin) go-autorest/v14.0.0 Azure-SDK-For-Go/v44.2.0 dns/2018-05-01 HashiCorp Terraform/0.12.29 (+https://www.terraform.io) Terraform Plugin SDK/1.13.1 terraform-provider-azurerm/2.24.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Length: 254
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Type: application/json; charset=utf-8
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Correlation-Request-Id: REDACTED
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Accept-Encoding: gzip
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: 
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: {"properties":{"ARecords":[],"TTL":300,"metadata":{"brand":"BB","environment":"production"},"targetResource":{"id":"/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn"}}}
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnsZones/domain.test/A/@?api-version=2018-05-01: 
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: HTTP/2.0 400 Bad Request
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Length: 250
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Cache-Control: private
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Type: application/json; charset=utf-8
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Date: Thu, 20 Aug 2020 20:34:47 GMT
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Server: Microsoft-IIS/10.0
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Strict-Transport-Security: max-age=31536000; includeSubDomains
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Content-Type-Options: nosniff
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Correlation-Request-Id: REDACTED
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 11998
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Request-Id: REDACTED
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Routing-Request-Id: REDACTED
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Powered-By: ASP.NET
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: 
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: {"code":"BadRequest","message":"Reference records are not supported for resource '\/subscriptions\/REDACTED\/resourceGroups\/REDACTED\/providers\/Microsoft.Cdn\/profiles\/cdn from no visitor picked'"}
2020/08/20 16:34:47 [DEBUG] azurerm_dns_a_record.apex[0]: apply errored, but we're indicating that via the Error pointer rather than returning it: Error creating/updating DNS A Record "@" (Zone "domain.test" / Resource Group "REDACTED"): dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Reference records are not supported for resource '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn from no visitor picked'"
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2020/08/20 16:34:47 [TRACE] EvalMaybeTainted: azurerm_dns_a_record.apex[0] encountered an error during creation, so it is now marked as tainted
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/08/20 16:34:47 [TRACE] EvalWriteState: removing state object for azurerm_dns_a_record.apex[0]
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalApplyProvisioners
2020/08/20 16:34:47 [TRACE] EvalApplyProvisioners: azurerm_dns_a_record.apex[0] has no state, so skipping provisioners
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2020/08/20 16:34:47 [TRACE] EvalMaybeTainted: azurerm_dns_a_record.apex[0] encountered an error during creation, so it is now marked as tainted
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/08/20 16:34:47 [TRACE] EvalWriteState: removing state object for azurerm_dns_a_record.apex[0]
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalIf
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalIf
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalWriteDiff
2020/08/20 16:34:47 [TRACE] <root>: eval: *terraform.EvalApplyPost
2020/08/20 16:34:47 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: Error creating/updating DNS A Record "@" (Zone "domain.test" / Resource Group "REDACTED"): dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Reference records are not supported for resource '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn from no visitor picked'"
2020/08/20 16:34:47 [ERROR] <root>: eval: *terraform.EvalSequence, err: Error creating/updating DNS A Record "@" (Zone "domain.test" / Resource Group "REDACTED"): dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Reference records are not supported for resource '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn from no visitor picked'"
2020/08/20 16:34:47 [TRACE] [walkApply] Exiting eval tree: azurerm_dns_a_record.apex[0]
2020/08/20 16:34:47 [TRACE] vertex "azurerm_dns_a_record.apex[0]": visit complete
2020/08/20 16:34:47 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2020/08/20 16:34:47 [TRACE] dag/walk: upstream of "provider.azurerm (close)" errored, so skipping
2020/08/20 16:34:47 [TRACE] dag/walk: upstream of "root" errored, so skipping
2020-08-20T16:34:47.900-0400 [DEBUG] plugin: plugin process exited: path=/Users/REDACTED/stacks/cdn/.terraform/plugins/darwin_amd64/terraform-provider-azurerm_v2.24.0_x5 pid=71900
2020-08-20T16:34:47.900-0400 [DEBUG] plugin: plugin exited

Panic Output

N/A

Expected Behavior

The apex record @ should have been created in the Azure DNS zone, as an alias resource pointing at the Azure CDN profile cdn.

Actual Behavior

Terraform will perform the following actions:

  # azurerm_dns_a_record.apex[0] will be created
  + resource "azurerm_dns_a_record" "apex" {
      + fqdn                = (known after apply)
      + id                  = (known after apply)
      + name                = "@"
      + resource_group_name = "REDACTED"
      + target_resource_id  = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn"
      + ttl                 = 300
      + zone_name           = "domain.test"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "REDACTED"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_dns_a_record.apex[0]: Creating...

Error: Error creating/updating DNS A Record "@" (Zone "domain.test" / Resource Group "REDACTED"): dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Reference records are not supported for resource '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn from no visitor picked'"

  on cdn.tf line 56, in resource "azurerm_dns_a_record" "apex":
  56: resource "azurerm_dns_a_record" "apex" {

Steps to Reproduce

1. terraform apply

Important Factoids

N/A

References

N/A

[tehho]

Was just gonna do this my self but with data objects.

From the portal it looks like it points to the endpoint and not the profile.
What happens if you target the endpoint.id instead?

Also cnd_endpoint doesn't have a data source.

[dossy]

From the portal it looks like it points to the endpoint and not the profile.
What happens if you target the endpoint.id instead?

While it "works" if you target the endpoint.id in that it doesn't throw an error, it doesn't trigger the creation of the cdnverify CNAME record and otherwise doesn't seem to be doing the correct thing, and when you edit it in the Azure portal, the drop-down shows nothing selected, the CDN resource isn't selected.

When you select the CDN target manually in the Azure portal, then terraform import it, the ID that's targeted is the ID of the CDN profile, not the CDN endpoint.

[magodo]

Hi @dossy

1. You need to explicitly create the azurerm_dns_cname_record in Terraform. Speaking of the drop-down list of the A record (created via Terrafrom), it is just a visual issue of Portal, the CDN endpoint is indeed set to the A record, which you can verify by calling the API.

2. I have verified that the target_id of a DNS A record is the ID of CDN endpoint. Would you please double check on your side? If this is still the case, then could you provide the terraform log so that we can further investigate?

[dossy]

@magodo, thanks for asking.

So, I selected the CDN resource in the Azure portal, then used Azure CLI to fetch the record with something like this:

$ az network dns record-set a show --resource-group REDACTED --zone-name domain.test --name @

And, the targetResource.id in the response does point to the endpoint ID, not the CDN profile.

In Terraform, I define a resource azurerm_dns_a_record.apex and use terraform import to import the record from Azure.

At this point, there should be nothing to do, because the resource in Azure which was imported should mostly match the resource in TF. But, instead, when I terraform apply I get this:

Terraform will perform the following actions:

  # azurerm_dns_a_record.apex[0] will be updated in-place
  ~ resource "azurerm_dns_a_record" "apex" {
        fqdn                = "domain.test."
        id                  = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnszones/domain.test/A/@"
        name                = "@"
        records             = []
        resource_group_name = "REDACTED"
      ~ tags                = {
          + "brand"       = "REDACTED"
          + "environment" = "REDACTED"
        }
      ~ target_resource_id  = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn/endpoints/cdn-endpoint" -> "/subscriptions/REDACTED/resourcegroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn/endpoints/cdn-endpoint"
        ttl                 = 300
        zone_name           = "domain.test"

        timeouts {}
    }

Plan: 0 to add, 1 to change, 0 to destroy.

So, the updated tags I expect, but the target_resource_id? What's interesting is they are identical strings except for one character: the lowercase g in resourcegroups vs. resourceGroups.

In my TF configuration, I'm using target_resource_id = azurerm_cdn_endpoint.cdn-endpoint.id which is a resource defined in the same configuration.

Where'd that lowercase g come from?

[tehho]

@dossy where there a lower g in the inport? what does terraform state list say?

If Yes try terraform state rm and import with upper case g to see if there is a difference

[magodo]

Hi @dossy Thank you for providing the details!

Besides the g, at least the ID is a endpoint ID 😄 The g here is because some service will modify the case of some key word of ID (e.g. the resourceGroups here), while they shouldn't. I can submit a PR to relax the casing for the target_resource_id so that you will get this diff.

[dossy]

@tehho - The issue isn't with what's terraform import'ed. The issue is the id output from azurerm_cdn_endpoint has resourcegroups instead of resourceGroups - not sure why this is happening, though.

[tombuildsstuff]

@magodo in which case can we ensure the ID coming back from the CDN Endpoint resource is patched to the expected format (as we do for FrontDoor) - for users Resource ID's should be consistent/reliable where possible

[ghost]

This has been released in version 2.26.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.26.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!