alessiofilippin / terraform-azure-grafana-appservice

Use terraform to deploy an AppService hosting Grafana. In a ready to use setup and AD auth.
MIT License

web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> <nil> #1

Open survivant opened 1 year ago

survivant commented 1 year ago

Thank you for your time and your Terraform script. I'm trying to create a Grafana instance in Azure using Terraform with your script, but I have some issues.

$ terraform --version
Terraform v1.3.7
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.41.0
+ provider registry.terraform.io/hashicorp/http v3.2.1
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3

I had to add this block in main.tf

provider "azurerm" {
  features {

  }
}

In the file variables.tf, I modified these:

variable "prefix" {
  default     = "sdionne"
  type        = string
  description = "prefix to be used to name resources."
}

variable "azure_region" {
  default     = "eastus"
  type        = string
  description = "Azure Region where resources will be deployed."
}

If I do terraform plan, I see some deprecation messages:

│ Warning: Deprecated Resource
│
│   with azurerm_app_service_plan.this,
│   on main.tf line 66, in resource "azurerm_app_service_plan" "this":
│   66: resource "azurerm_app_service_plan" "this" {
│
│ The `azurerm_app_service_plan` resource has been superseded by the
│ `azurerm_service_plan` resource. Whilst this resource will continue to be
│ available in the 2.x and 3.x releases it is feature-frozen for
│ compatibility purposes, will no longer receive any updates and will be
│ removed in a future major release of the Azure Provider.
│
│ (and 5 more similar warnings elsewhere)
╵

Here are the logs that I got:

null_resource.copy_grafana_db: Creation complete after 13s [id=2794590748324386480]
azurerm_key_vault.this: Still creating... [40s elapsed]
azurerm_key_vault.this: Still creating... [50s elapsed]
azurerm_key_vault.this: Still creating... [1m0s elapsed]
azurerm_key_vault.this: Still creating... [1m10s elapsed]
azurerm_key_vault.this: Still creating... [1m20s elapsed]
azurerm_key_vault.this: Still creating... [1m30s elapsed]
azurerm_key_vault.this: Still creating... [1m40s elapsed]
azurerm_key_vault.this: Still creating... [1m50s elapsed]
azurerm_key_vault.this: Still creating... [2m0s elapsed]
azurerm_key_vault.this: Still creating... [2m10s elapsed]
azurerm_key_vault.this: Still creating... [2m20s elapsed]
azurerm_key_vault.this: Still creating... [2m30s elapsed]
azurerm_key_vault.this: Creation complete after 2m36s [id=/subscriptions/6fc85986-130e-40fa-8111-11e6d968f34f/resourceGroups/sdionne-grafana-rg/providers/Microsoft.KeyVault/vaults/sdionne-grafana-kv]
azurerm_key_vault_secret.grafana_password: Creating...
azurerm_app_service.this: Creating...
azurerm_key_vault_secret.grafana_password: Creation complete after 1s [id=https://sdionne-grafana-kv.vault.azure.net/secrets/grafana-password/2d33530331494580b8755711b4060866]
azurerm_app_service.this: Still creating... [10s elapsed]
azurerm_app_service.this: Still creating... [20s elapsed]
azurerm_app_service.this: Still creating... [30s elapsed]
╷
│ Warning: Deprecated Resource
│
│   with azurerm_app_service_plan.this,
│   on main.tf line 66, in resource "azurerm_app_service_plan" "this":
│   66: resource "azurerm_app_service_plan" "this" {
│
│ The `azurerm_app_service_plan` resource has been superseded by the
│ `azurerm_service_plan` resource. Whilst this resource will continue to be
│ available in the 2.x and 3.x releases it is feature-frozen for
│ compatibility purposes, will no longer receive any updates and will be
│ removed in a future major release of the Azure Provider.
│
│ (and one more similar warning elsewhere)
╵
╷
│ Error: creating App Service: (Site Name "sdionne-grafana-app" / Resource Group "sdionne-grafana-rg"): web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> <nil>
│
│   with azurerm_app_service.this,
│   on main.tf line 186, in resource "azurerm_app_service" "this":
│  186: resource "azurerm_app_service" "this" {
│
alessiofilippin commented 1 year ago

Hi Sebastien,

Yes, there were a few changes in the Terraform provider, and this module version is not aligned with those changes. I will try to make time for the upgrade, but for now you can ignore the warnings, if that's not a dealbreaker for you. (If you need to use the latest Terraform version, then this module is not applicable for now, unfortunately.)

Regarding the error - it might be related to the SKU and the SiteConfig - try to upgrade the SKU to standard or change the value of "use_32_bit_worker_process" in the "site_config".

I hope this will guide you on the right path -> https://stackoverflow.com/questions/67836550/terraform-fails-to-create-a-64-bit-azure-app-service-web-app

survivant commented 1 year ago

Thanks for your answer. I read the answer from Stack Overflow, and I found in the logs that the error was that support_credentials = true is not supported when origin = *

[image]

Now it works.

In variables I have this:

[image]

I wasn't expecting that a CDN would be created (here are the resource types that were created; I'm hiding the names):

[image]

One of my next steps is to plug it into AD for the users. I found a blog talking about it (Deploying Grafana to Azure App Service with Terraform (and Active Directory integration)), but it looks like I'll also have to adapt the scripts because they produce errors.

Thanks again for your time.
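The combination reported in the comment above (support_credentials = true with origin = *) can be rejected at plan time instead of surfacing as the opaque CreateOrUpdate failure at apply. This is an added example, not code from the thread or from the module; the variable name `cors`, the origin URL and every resource name are assumptions.

```hcl
# Added example (not the module's code). The variable name "cors", the origin
# URL and every resource name below are assumptions for illustration.
provider "azurerm" {
  features {}
}

variable "cors" {
  type = object({
    allowed_origins     = list(string)
    support_credentials = bool
  })
  default = {
    allowed_origins     = ["https://grafana.example.com"] # explicit origin, placeholder
    support_credentials = true
  }
  # Reject the wildcard-plus-credentials pair during `terraform plan`.
  validation {
    condition     = !(var.cors.support_credentials && contains(var.cors.allowed_origins, "*"))
    error_message = "CORS: support_credentials = true cannot be combined with the wildcard origin \"*\"."
  }
}

resource "azurerm_resource_group" "this" {
  name     = "example-grafana-rg"
  location = "eastus"
}

resource "azurerm_app_service_plan" "this" {
  name                = "example-grafana-plan"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "this" {
  name                = "example-grafana-app"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  app_service_plan_id = azurerm_app_service_plan.this.id
  site_config {
    cors {
      allowed_origins     = var.cors.allowed_origins
      support_credentials = var.cors.support_credentials
    }
  }
}
```

With this in place, setting `allowed_origins` to `["*"]` while `support_credentials` is `true` stops the run with the validation message before any Azure API call is made.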

alessiofilippin commented 1 year ago

Hi Sebastien,

good find! :) - I will look into changing the module as soon as possible. Thank you.

To enable AD auth - you will likely need to register an enterprise Application into AD and use the callback URL.

this is for AppService but it's probably valid for Grafana as well -> https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

this is for Grafana -> https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/

Also, I'm not sure what your requirements are but Azure released a Managed version of Grafana which might simplify all the configuration -> https://azure.microsoft.com/en-us/products/managed-grafana/

But it's not yet supported by Terraform. :)

survivant commented 1 year ago

Thanks, I'll take a look at AD integration. For Managed Grafana, yep, I know that it's available, but we may need to modify grafana.ini and that's not allowed with the managed version. I have to use Grafana embedded, which almost works. My login is accepted but I'm redirected again to the Grafana login page. Not sure yet where the issue is: a wrong redirect in Grafana, or a wrong config in the CDN. That's my todo for today.

PS. I use your script (with little cleanup) to install InfluxDB in the same way of Grafana, works fine.

survivant commented 1 year ago

I have Grafana with AD now. I followed the guide.

And I added this to your script. (I had to add the secret manually, because I didn't have the right to add credentials in AD from the command line; it works in the UI.)

    "GF_AUTH_GENERIC_OAUTH_NAME"                  = "Azure AD"
    "GF_AUTH_GENERIC_OAUTH_ENABLED"               = "true"
    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID"             = azuread_application.grafana.application_id
    # "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"         = azuread_application_password.grafana.value
    "GF_AUTH_GENERIC_OAUTH_SCOPES"                = "openid email name"
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL"              = "https://login.microsoftonline.com/${data.azurerm_client_config.current.tenant_id}/oauth2/authorize"
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL"             = "https://login.microsoftonline.com/${data.azurerm_client_config.current.tenant_id}/oauth2/token"
    "GF_AUTH_GENERIC_OAUTH_API_URL"               = ""
    "GF_AUTH_GENERIC_OAUTH_TEAM_IDS"              = ""
    "GF_AUTH_GENERIC_OAUTH_ALLOWED_ORGANIZATIONS" = ""

Next step: try to have SSO. My web app and Grafana used the same AD.

alessiofilippin commented 1 year ago

Glad to hear that :)

I'm not entirely sure that OSS Grafana supports SSO natively. It should support OAuth; not sure about SAML.