hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

"azurerm_cdn_endpoint_custom_domain" - Verizon - cannot enable HTTPS: "That action isn't allowed in this profile." #15705

Open alexs77 opened 2 years ago

alexs77 commented 2 years ago

Terraform (and AzureRM Provider) Version

Terraform v1.1.7 on linux_amd64

Terraform Configuration Files

resource "azurerm_cdn_profile" "this" {
  name                = "example"
  location            = "West Europe"
  resource_group_name = "example"
  sku                 = "Standard_Verizon"
}

resource "azurerm_cdn_endpoint" "app_services" {
  name                = "example"
  profile_name        = azurerm_cdn_profile.this.name
  location            = azurerm_cdn_profile.this.location
  resource_group_name = azurerm_cdn_profile.this.resource_group_name

  origin {
    name      = "example"
    host_name = "cdn.example.com"
  }
}

resource "azurerm_cdn_endpoint_custom_domain" "app_services" {
  name            = "example"
  # reference the endpoint defined above instead of an undeclared variable
  cdn_endpoint_id = azurerm_cdn_endpoint.app_services.id
  host_name       = "cdn.example.net"

  cdn_managed_https {
    certificate_type = "Shared"
    protocol_type    = "ServerNameIndication"
  }
}

Actual Behaviour

terraform plan shows:

  # module.cdn[0].module.cd["urihandler"].azurerm_cdn_endpoint_custom_domain.app_services[0] will be created
  + resource "azurerm_cdn_endpoint_custom_domain" "app_services" {
      + cdn_endpoint_id = "/subscriptions/…/resourceGroups/…/providers/Microsoft.Cdn/profiles/prep/endpoints/prep"
      + host_name       = "assets.example.com"
      + id              = (known after apply)
      + name            = "prep-assets"

      + cdn_managed_https {
          + certificate_type = "Shared"
          + protocol_type    = "ServerNameIndication"
          + tls_version      = "TLS12"
        }
    }

terraform apply then fails:

│ Error: enable CDN Managed HTTPS on "Custom Domain: (Name \"assets\" / Endpoint Name \"prep\" / Profile Name \"prep\" / Resource Group \"PreProduction\")": sending enable request: cdn.CustomDomainsClient#EnableCustomHTTPS: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn't allowed in this profile."
│ 
│   with module.cdn[0].module.cd["urihandler"].azurerm_cdn_endpoint_custom_domain.app_services[0],
│   on modules/cdn/modules/cd/main.tf line 21, in resource "azurerm_cdn_endpoint_custom_domain" "app_services":
│   21: resource "azurerm_cdn_endpoint_custom_domain" "app_services" {

Steps to Reproduce

  1. terraform apply

Important Factoids

This is a Standard_Verizon CDN. Setting up a Standard_Akamai CDN also doesn't work ⇒ https://github.com/hashicorp/terraform-provider-azurerm/issues/15704

magodo commented 2 years ago

The service team has different restrictions on profile sku + cdn_managed_https combinations. In this case, a Standard_Verizon cdn profile should support HTTPS custom domains; it appears you should tune the settings inside cdn_managed_https a bit, e.g., set certificate_type to Dedicated (this works for Standard_Microsoft iirc).

alexs77 commented 2 years ago

Dedicated doesn't work either ☹

  # module.cdn[0].module.cd_verizon["urihandler"].azurerm_cdn_endpoint_custom_domain.app_services[0] will be created
  + resource "azurerm_cdn_endpoint_custom_domain" "app_services" {
      + cdn_endpoint_id = "/subscriptions/…/resourceGroups/../providers/Microsoft.Cdn/profiles/…/endpoints/…"
      + host_name       = "…"
      + id              = (known after apply)
      + name            = "…"

      + cdn_managed_https {
          + certificate_type = "Dedicated"
          + protocol_type    = "ServerNameIndication"
          + tls_version      = "TLS12"
        }
    }
…
╷
│ Error: sending enable request: cdn.CustomDomainsClient#EnableCustomHTTPS: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="That action isn't allowed in this profile."
│ 
│   with module.cdn[0].module.cd_verizon["urihandler"].azurerm_cdn_endpoint_custom_domain.app_services[0],
│   on modules/cdn/modules/cd/main.tf line 21, in resource "azurerm_cdn_endpoint_custom_domain" "app_services":
│   21: resource "azurerm_cdn_endpoint_custom_domain" "app_services" {
│ 
╵
magodo commented 2 years ago

After testing a bit, it turns out that for Standard_Verizon, the cdn_managed_https block should be as below:

  cdn_managed_https {
    certificate_type = "Shared"
    protocol_type    = "IPBased"
    tls_version      = "None"
  }

Note that the tls_version = "None" is not available for now, until #15756 is merged.

alexs77 commented 2 years ago

@magodo It must be protocol_type = "IPBased"? SNI won't work?

magodo commented 2 years ago

You can have a try, but the above config is what the Portal actually uses for Standard_Verizon. That said, different SKUs only support certain combinations of the HTTPS profile settings.

joelw commented 6 months ago

In addition to @magodo's block, I found that I also needed to do:

  lifecycle {
    ignore_changes = [
      cdn_managed_https
    ]
  }
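Putting magodo's Standard_Verizon cdn_managed_https block and joelw's lifecycle addition together, here is a complete configuration as an added example (not code from the thread or the provider's docs); resource names, the resource group, the origin and the host names are placeholders.

```hcl
# Added example: Standard_Verizon profile, endpoint and HTTPS custom domain using the
# settings reported in this thread. All names and host names are placeholders.
# tls_version = "None" needs a provider release that includes #15756.
resource "azurerm_cdn_profile" "verizon" {
  name                = "example-verizon"
  location            = "West Europe"
  resource_group_name = "example-rg"
  sku                 = "Standard_Verizon"
}

resource "azurerm_cdn_endpoint" "verizon" {
  name                = "example-endpoint"
  profile_name        = azurerm_cdn_profile.verizon.name
  location            = azurerm_cdn_profile.verizon.location
  resource_group_name = azurerm_cdn_profile.verizon.resource_group_name

  origin {
    name      = "origin"
    host_name = "origin.example.com"
  }
}

resource "azurerm_cdn_endpoint_custom_domain" "verizon" {
  name            = "assets"
  cdn_endpoint_id = azurerm_cdn_endpoint.verizon.id
  host_name       = "assets.example.com" # must already CNAME to the endpoint

  # Combination reported as what the Portal uses for Standard_Verizon.
  # Shared/ServerNameIndication and Dedicated/ServerNameIndication were both
  # rejected for this SKU with "That action isn't allowed in this profile."
  cdn_managed_https {
    certificate_type = "Shared"
    protocol_type    = "IPBased"
    tls_version      = "None"
  }

  # From joelw's comment: ignore_changes on this block was needed in addition to
  # the settings above. Trade-off: Terraform stops reconciling later drift in these
  # HTTPS settings, so review them in the Portal or via `az cdn` after changes.
  lifecycle {
    ignore_changes = [cdn_managed_https]
  }
}
```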