Creating Azure Front Door instance with Terraform
Having trouble creating an Azure Front Door instance with Terraform. The setup should be pretty basic, but I cannot find out what is wrong.

Here is the terraform script

resource "azurerm_frontdoor" "b2cfrontdoor" {
  name                                         = "fd-adpb2c-westeurope-dev"
  resource_group_name                          = azurerm_resource_group.b2c.name
  enforce_backend_pools_certificate_name_check = true

  routing_rule {
    name               = "routingrule"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["b2c-frontdoor-endpoint-dev"]
    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "b2-backend-pool-dev"
    }
  }

  backend_pool_load_balancing {
    name = "loadbalancingsettings"
  }

  backend_pool_health_probe {
    name    = "healthprobesettings"
    enabled = false
    probe_method = "HEAD"
  }

  backend_pool {
    name = "b2-backend-pool-dev"
    backend {
      host_header = "xyz.b2clogin.com"
      address     = "xyz.b2clogin.com"
      http_port   = 80
      https_port  = 443
    }
    load_balancing_name = "loadbalancingsettings"
    health_probe_name   = "healthprobesettings"
  }

  frontend_endpoint {
    name      = "b2c-frontdoor-endpoint-dev"
    host_name = "b2c-frontdoor-endpoint-dev.azurefd.net"
    session_affinity_enabled = false
    session_affinity_ttl_seconds = 0
  }
}

The error message returned is

Error: creating Front Door "fd-adpb2c-westeurope-dev" (Resource Group "rg-adpb2c-westeurope-dev"): frontdoor.FrontDoorsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="The frontend endpoint zone \"\" must only be used in the default CNAME entry."

  on resource_frontdoor.tf line 1, in resource "azurerm_frontdoor" "b2cfrontdoor":
   1: resource "azurerm_frontdoor" "b2cfrontdoor" {

Did some sniffing on the request sent to Azure and found a PUT request to

https://management.azure.com/subscriptions/*********************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev?api-version=2020-01-01

with this payload

{
  "location": "Global",
  "properties": {
    "backendPools": [
      {
        "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/backendPools/b2-backend-pool-dev",
        "name": "b2-backend-pool-dev",
        "properties": {
          "backends": [
            {
              "address": "xyz.b2clogin.com",
              "backendHostHeader": "xyz.b2clogin.com",
              "enabledState": "Enabled",
              "httpPort": 80,
              "httpsPort": 443,
              "priority": 1,
              "weight": 50
            }
          ],
          "loadBalancingSettings": {
            "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/loadBalancingSettings/loadbalancingsettings"
          },
          "healthProbeSettings": {
            "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/healthProbeSettings/healthprobesettings"
          }
        }
      }
    ],
    "backendPoolsSettings": {
      "enforceCertificateNameCheck": "Disabled",
      "sendRecvTimeoutSeconds": 60
    },
    "enabledState": "Enabled",
    "friendlyName": "",
    "frontendEndpoints": [
      {
        "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/frontendEndpoints/b2-frontdoor-endpoint-dev",
        "name": "b2-frontdoor-endpoint-dev",
        "properties": {
          "hostName": "b2-frontdoor-endpoint-dev.azurefd.net",
          "sessionAffinityEnabledState": "Disabled",
          "sessionAffinityTtlSeconds": 0
        }
      }
    ],
    "healthProbeSettings": [
      {
        "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/healthProbeSettings/healthprobesettings",
        "name": "healthprobesettings",
        "properties": {
          "path": "/",
          "protocol": "Http",
          "intervalInSeconds": 120,
          "healthProbeMethod": "GET",
          "enabledState": "Disabled"
        }
      }
    ],
    "loadBalancingSettings": [
      {
        "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/loadBalancingSettings/loadbalancingsettings",
        "name": "loadbalancingsettings",
        "properties": {
          "sampleSize": 4,
          "successfulSamplesRequired": 2,
          "additionalLatencyMilliseconds": 0
        }
      }
    ],
    "routingRules": [
      {
        "id": "",
        "name": "routingrule",
        "properties": {
          "frontendEndpoints": [
            {
              "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/frontendEndpoints/b2-frontdoor-endpoint-dev"
            }
          ],
          "acceptedProtocols": [
            "Http",
            "Https"
          ],
          "patternsToMatch": [
            "/*"
          ],
          "enabledState": "Enabled",
          "routeConfiguration": {
            "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration",
            "backendPool": {
              "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/backendPools/b2-backend-pool-dev"
            },
            "forwardingProtocol": "MatchRequest"
          }
        }
      }
    ]
  },
  "tags": {}
}

and the response is

{
  "error": {
    "code": "BadRequest",
    "message": "The frontend endpoint zone \"\" must only be used in the default CNAME entry."
  }
}

The Terraform version is 0.14.10 and the azurerm version is v2.56.0

Does anyone know about this problem?

Thanks

Charmer answered 2/6, 2021 at 14:24 Comment(0)
C
3

Found out what was wrong (also indicated by Jim Xu). The name of the resource ("azurerm_frontdoor" "b2cfrontdoor") and the name of the frontend_endpoint must be the same. When creating a Front Door instance in the Azure Portal you are not asked for a name; the Front Door instance gets its name from the name of the frontend.

resource "azurerm_frontdoor" "b2cfrontdoor" {
  name                                         = "b2c-frontdoor-endpoint-dev"
  resource_group_name                          = azurerm_resource_group.b2c.name
  enforce_backend_pools_certificate_name_check = true

  routing_rule {
    name               = "routingrule"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["b2c-frontdoor-endpoint-dev"]
    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "b2-backend-pool-dev"
    }
  }

  backend_pool_load_balancing {
    name = "loadbalancingsettings"
  }

  backend_pool_health_probe {
    name         = "healthprobesettings"
    enabled      = false
    probe_method = "HEAD"
  }

  backend_pool {
    name = "b2-backend-pool-dev"
    backend {
      host_header = "xyz.b2clogin.com"
      address     = "xyz.b2clogin.com"
      http_port   = 80
      https_port  = 443
    }
    load_balancing_name = "loadbalancingsettings"
    health_probe_name   = "healthprobesettings"
  }

  frontend_endpoint {
    name                         = "b2c-frontdoor-endpoint-dev"
    host_name                    = "b2c-frontdoor-endpoint-dev.azurefd.net"
    session_affinity_enabled     = false
    session_affinity_ttl_seconds = 0
  }
}

Charmer answered 3/6, 2021 at 10:16 Comment(1)
Actually, the names do not have to match. See my answer. - Zohara
Z
6

The accepted answer is not quite correct. The actual requirement is that the subdomain of the frontend endpoint must match the name provided for the front door instance. The name of the frontend endpoint can be entirely unrelated to the name of the front door instance.

$frontDoorName = "matters"
$frontendEndpoint = New-AzFrontDoorFrontendEndpointObject -Name "irrelevant" -HostName "$frontDoorName.azurefd.net"
$frontDoor = New-AzFrontDoor `
    -ResourceGroupName $resourceGroupName `
    -Name $frontDoorName `
    -RoutingRule $routingRule `
    -FrontendEndpoint $frontendEndpoint `
    -BackendPool $backendPool `
    -LoadBalancingSetting $loadBalancingSetting `
    -HealthProbeSetting $healthProbeSetting
Zohara answered 21/9, 2021 at 15:22 Comment(0)
S
2

Regarding the issue, please refer to the following steps

resource "azurerm_frontdoor" "b2cfrontdoor" {
  name                                         = "b2c-frontdoor-endpoint-dev"
  resource_group_name                          = azurerm_resource_group.b2c.name
  enforce_backend_pools_certificate_name_check = true
  

  routing_rule {
    name               = "routingrule"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["b2c-frontdoor-endpoint-dev"]
    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "b2-backend-pool-dev"
    }
  }

  backend_pool_load_balancing {
    name = "loadbalancingsettings"
  }

  backend_pool_health_probe {
    name    = "healthprobesettings"
    
  }

  backend_pool {
    name = "b2-backend-pool-dev"
    backend {
      host_header = "test.b2clogin.com"
      address     = "test.b2clogin.com"
      http_port   = 80
      https_port  = 443
    }
    load_balancing_name = "loadbalancingsettings"
    health_probe_name   = "healthprobesettings"
  }

  frontend_endpoint {
    name      = "b2c-frontdoor-endpoint-dev"
    host_name = "b2c-frontdoor-endpoint-dev.azurefd.net"
    session_affinity_enabled = false
    session_affinity_ttl_seconds = 0
  }
}
Slotter answered 3/6, 2021 at 2:38 Comment(3)
Hi, what do you mean by "the following steps"? - Charmer
@LarsKolsaker Sorry. I made a mistake. According to my test, the resource name and frontend_endpoint name should be the same. - Slotter
Actually, the names do not have to match. See my answer. - Zohara
S
0

I've found this also occurs when the host name of any frontend endpoint isn't actually unique, e.g. because you forgot to include the correct environment part.

For example this would be a functional version.
Do note the host_name for your equivalent situation.

  frontend_endpoint {
    name      = "defaultHostName"
    host_name = "${var.application_name}-${terraform.workspace}-my-awesome-app.azurefd.net"
  }
Salomone answered 17/6, 2022 at 14:37 Comment(0)
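
Added example, not part of any of the posts above: a Terraform version of the rule from Zohara's answer (the `host_name` subdomain must equal the Front Door `name`, while the endpoint `name` is a free label), combined with the uniqueness point from Salomone's answer. The locals `front_door_name` and `endpoint_name` and their values are illustrative assumptions; `azurerm_resource_group.b2c` is the resource group referenced in the question and is assumed to be defined elsewhere.

```hcl
locals {
  # Illustrative names. The workspace keeps the azurefd.net host name unique per environment.
  front_door_name = "fd-adpb2c-${terraform.workspace}"
  endpoint_name   = "default-endpoint" # illustrative; any label works
}

resource "azurerm_frontdoor" "b2cfrontdoor" {
  name                                         = local.front_door_name
  resource_group_name                          = azurerm_resource_group.b2c.name # defined elsewhere, as in the question
  enforce_backend_pools_certificate_name_check = true

  frontend_endpoint {
    name = local.endpoint_name
    # Derived from the Front Door name so the two cannot drift apart.
    host_name = "${local.front_door_name}.azurefd.net"
  }

  routing_rule {
    name               = "routingrule"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = [local.endpoint_name]
    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "b2-backend-pool-dev"
    }
  }

  backend_pool_load_balancing {
    name = "loadbalancingsettings"
  }

  backend_pool_health_probe {
    name         = "healthprobesettings"
    enabled      = false
    probe_method = "HEAD"
  }

  backend_pool {
    name = "b2-backend-pool-dev"
    backend {
      host_header = "xyz.b2clogin.com"
      address     = "xyz.b2clogin.com"
      http_port   = 80
      https_port  = 443
    }
    load_balancing_name = "loadbalancingsettings"
    health_probe_name   = "healthprobesettings"
  }
}
```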