hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for apex domains in azure_frontdoor #24787

Open akitson-degreed opened 7 months ago

akitson-degreed commented 7 months ago

Description

I cannot find a way to add an apex domain to frontdoor.

It looks like there was an old ticket opened for this here but even though it states it was resolved, I do not see how.

According to the MS Documentation, you choose either "custom domain" or "apex domain" when adding a domain to frontdoor (in the portal). However, there does not seem to be any terraform resource for managing apex domains in frontdoor. I can only find azurerm_cdn_frontdoor_custom_domain.

If I use the azurerm_cdn_frontdoor_custom_domain resource to create an apex domain as a custom domain, and then use azurerm_dns_a_record to manage the dns record, the domain is created in frontdoor as a custom domain (expected), and the dns "A" record is created (expected), but frontdoor is still looking for a CNAME record and shows an error on the domain screen in the portal with the message "Create CNAME Record".

I would expect there to be an azurerm_cdn_frontdoor_apex_domain resource for managing these apex domains.

According to the MS Documentation, an apex domain properly created in frontdoor will still use "the DNS state column for CNAME mapping check. Since an apex domain doesn't support a CNAME record, the DNS state will show 'CNAME record is currently not detected' even after you add the alias record to the DNS provider." However, as shown in the image on the MS Documentation, and copied here, that message is "green" and does not show as an error.

I'd like to manage the apex domains for frontdoor correctly in terraform. Is there another resource I can use for this, or does an azurerm_cdn_frontdoor_apex_domain resource need to be created?

New or Affected Resource(s)/Data Source(s)

azurerm_cdn_frontdoor_apex_domain

Potential Terraform Configuration

resource "azurerm_cdn_frontdoor_custom_domain" "main" {
  name                     = local.domain_name_prefix_string
  cdn_frontdoor_profile_id = var.frontdoor_profile.id
  dns_zone_id              = data.azurerm_dns_zone.main.id
  host_name                = lower(var.domain_name)

  tls {
    certificate_type        = "CustomerCertificate"
    minimum_tls_version     = "TLS12"
    cdn_frontdoor_secret_id = data.azurerm_cdn_frontdoor_secret.main[0].id
  }
}

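For reference, the setup the report above describes, written out in full as an added example (not configuration from the issue, the provider's docs, or the reporter): an apex host registered through azurerm_cdn_frontdoor_custom_domain, the _dnsauth TXT validation record, and an Azure DNS alias A record pointing the zone apex at the Front Door endpoint. The resource names, the zone data source, the endpoint and the route reference are assumptions; as the issue reports, Front Door still runs its CNAME check against a domain created this way.

```hcl
# Added example, not from the issue. Assumes an existing DNS zone (data.azurerm_dns_zone.main),
# a Front Door profile and endpoint (var.frontdoor_profile.id, azurerm_cdn_frontdoor_endpoint.main)
# and a route (azurerm_cdn_frontdoor_route.main) defined elsewhere.

# The apex host is registered as a "custom domain"; the provider has no separate apex-domain resource.
resource "azurerm_cdn_frontdoor_custom_domain" "apex" {
  name                     = "apex-example-com"
  cdn_frontdoor_profile_id = var.frontdoor_profile.id
  dns_zone_id              = data.azurerm_dns_zone.main.id
  host_name                = data.azurerm_dns_zone.main.name # the zone apex, e.g. example.com

  tls {
    certificate_type    = "ManagedCertificate"
    minimum_tls_version = "TLS12" # refuse TLS 1.0/1.1 at the edge
  }
}

# Domain-ownership proof: Front Door looks up _dnsauth.<host> for the validation token.
resource "azurerm_dns_txt_record" "apex_validation" {
  name                = "_dnsauth"
  zone_name           = data.azurerm_dns_zone.main.name
  resource_group_name = data.azurerm_dns_zone.main.resource_group_name
  ttl                 = 3600

  record {
    value = azurerm_cdn_frontdoor_custom_domain.apex.validation_token
  }
}

# A zone apex cannot carry a CNAME, so an alias A record targets the endpoint resource directly.
resource "azurerm_dns_a_record" "apex" {
  name                = "@"
  zone_name           = data.azurerm_dns_zone.main.name
  resource_group_name = data.azurerm_dns_zone.main.resource_group_name
  ttl                 = 3600
  target_resource_id  = azurerm_cdn_frontdoor_endpoint.main.id
}

# Attach the domain to the route that should serve it.
resource "azurerm_cdn_frontdoor_custom_domain_association" "apex" {
  cdn_frontdoor_custom_domain_id = azurerm_cdn_frontdoor_custom_domain.apex.id
  cdn_frontdoor_route_ids        = [azurerm_cdn_frontdoor_route.main.id]
}
```

After apply, the portal's DNS state for this domain still reports the CNAME check rather than the alias record, which is the behaviour the issue is about.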

rcskosir commented 7 months ago

@akitson-degreed Perhaps you already saw this while looking at old related issues, but sharing in case you missed it: https://github.com/hashicorp/terraform-provider-azurerm/issues/8848#issuecomment-820200842

Azure created a workaround for apex domains: You have to create a regular CNAME record in your DNS, mapping afdverify. to afdverify..azurefd.net and then you can deploy Azure Front Door with a frontendEndpoint listening on that apex domain. This is documented at https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#map-the-temporary-afdverify-subdomain

akitson-degreed commented 7 months ago

@rcskosir yes, I saw that. But that isn't the issue here. It isn't about the DNS management; it's about registering the domain as an "apex" domain in azure frontdoor.

With terraform, I can create the domain in frontdoor as a custom domain, but not as an apex domain. There is no terraform resource for creating an apex domain in azure frontdoor. As you can see in the image below, when adding a domain to azure frontdoor using the portal, there is an option to add it as an apex domain. But there is no terraform resource to do that. The only terraform resource for adding a domain to azure frontdoor is azurerm_cdn_frontdoor_custom_domain.

rcskosir commented 7 months ago

@akitson-degreed Thank you for the clarification! I am going to remove the upstream/microsoft label for now, since it's a different issue than the one I mentioned in the comment above. It is possible that with further investigation we could find that the API is missing support for APEX, in which case the label would be added back.