hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_cdn_frontdoor_custom_domain can't mix "certificate_type" properties in "tls" block #26464

Open michaelrucker opened 2 months ago

michaelrucker commented 2 months ago

Terraform Version

1.8.5

AzureRM Provider Version

3.109.0

Affected Resource(s)/Data Source(s)

azurerm_cdn_frontdoor_custom_domain

Terraform Configuration Files

The variable being provided with generic values:

frontdoor_custom_domains = {
    "CUSTOM-DOMAIN--www-example-com" = {
        "fd-custom-domain-name"             = "CUSTOM-DOMAIN--www-example-com"
        "fd-custom-domain-profile-name"     = "fd-profile-name"
        "fd-custom-domain-host-name"        = "www.example.com"
        "fd-custom-domain-certificate-id"   = null
    }
}

The terraform code:

resource "azurerm_cdn_frontdoor_custom_domain" "frontdoor_custom_domains" {
  depends_on                            = [ azurerm_cdn_frontdoor_origin.frontdoor_origins ]
  for_each                              = var.frontdoor_custom_domains
  # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  name                                  = each.value.fd-custom-domain-name
  cdn_frontdoor_profile_id              = azurerm_cdn_frontdoor_profile.frontdoor_profiles[each.value.fd-custom-domain-profile-name].id
  host_name                             = each.value.fd-custom-domain-host-name

  # Exactly one of the two dynamic "tls" blocks is rendered per domain: a
  # certificate id selects CustomerCertificate (with its secret), a null id
  # selects ManagedCertificate (no cdn_frontdoor_secret_id at all).
  dynamic "tls" {
    for_each = each.value.fd-custom-domain-certificate-id != null ? ["CustomerCertificate"] : []
    content {
      certificate_type                    = "CustomerCertificate"
      cdn_frontdoor_secret_id             = azurerm_cdn_frontdoor_secret.frontdoor_secrets[each.value.fd-custom-domain-certificate-id].id
    }
  }
  dynamic "tls" {
    for_each = each.value.fd-custom-domain-certificate-id == null ? ["ManagedCertificate"] : []
    content {
      certificate_type                    = "ManagedCertificate"
    }
  }
}

Debug Output/Panic Output

Error: the 'cdn_frontdoor_secret_id' field is not supported if the 'certificate_type' is 'ManagedCertificate'
│ 
│   with module.build_frontdoor.azurerm_cdn_frontdoor_custom_domain.frontdoor_custom_domains["CUSTOM-DOMAIN--www-example-com"],
│   on ../Module/Frontdoor/main.tf line 185, in resource "azurerm_cdn_frontdoor_custom_domain" "frontdoor_custom_domains":
│  185: resource "azurerm_cdn_frontdoor_custom_domain" "frontdoor_custom_domains" {

Expected Behaviour

An azurerm_cdn_frontdoor_custom_domain that does not supply a fd-custom-domain-certificate-id should be created with a ManagedCertificate.

Actual Behaviour

An azurerm_cdn_frontdoor_custom_domain that does not supply a fd-custom-domain-certificate-id will not apply with an error that the cdn_frontdoor_secret_id field is not supported.

Steps to Reproduce

I am trying to create multiple azurerm_cdn_frontdoor_custom_domain resources that differ in the "tls" block of their configuration. Some will use certificate_type = "CustomerCertificate" and some will use certificate_type = "ManagedCertificate".

When certificate_type is set to "CustomerCertificate" you must also supply a cdn_frontdoor_secret_id. When certificate_type is set to "ManagedCertificate" you must not supply a cdn_frontdoor_secret_id.

To accomplish that I have tried using two dynamic tls blocks, one for each case, but even when the dynamic block being used does not contain the cdn_frontdoor_secret_id field the apply fails with the error provided.

Important Factoids

No response

References

No response
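A pre-apply check for the rule the error message states, added here as an example that is not part of this issue or of the provider: it walks `terraform show -json` plan output (a constructed sample is embedded; the module path and resource addresses are assumed to mirror the report) and flags any tls block that mixes ManagedCertificate with a cdn_frontdoor_secret_id, or CustomerCertificate without one.

```python
"""Pre-apply check for the rule behind the error quoted above: a tls block with
'CustomerCertificate' needs cdn_frontdoor_secret_id, 'ManagedCertificate' must not
carry it.  Input is the JSON produced by `terraform show -json <planfile>`."""
import json

RESOURCE_TYPE = "azurerm_cdn_frontdoor_custom_domain"


def _walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def check_tls_blocks(plan):
    """Return [(resource address, problem)] for every tls block that breaks the rule."""
    findings = []
    for res in _walk(plan.get("planned_values", {}).get("root_module", {})):
        if res.get("type") != RESOURCE_TYPE:
            continue
        for tls in res.get("values", {}).get("tls") or []:
            if "cdn_frontdoor_secret_id" not in tls:
                continue  # planned_values omits values unknown until apply; nothing to judge yet
            cert_type, secret_id = tls.get("certificate_type"), tls["cdn_frontdoor_secret_id"]
            if cert_type == "ManagedCertificate" and secret_id:
                findings.append((res["address"], "ManagedCertificate with cdn_frontdoor_secret_id set"))
            elif cert_type == "CustomerCertificate" and not secret_id:
                findings.append((res["address"], "CustomerCertificate without cdn_frontdoor_secret_id"))
    return findings


# Constructed sample plan (not real terraform output); the module and resource
# addresses are assumed to mirror the issue's module.build_frontdoor layout.
PREFIX = "module.build_frontdoor.azurerm_cdn_frontdoor_custom_domain.frontdoor_custom_domains"
SAMPLE_PLAN = {"planned_values": {"root_module": {"child_modules": [{
    "address": "module.build_frontdoor",
    "resources": [
        {"address": PREFIX + '["www"]', "type": RESOURCE_TYPE, "values": {"tls": [
            {"certificate_type": "ManagedCertificate", "cdn_frontdoor_secret_id": None}]}},
        {"address": PREFIX + '["api"]', "type": RESOURCE_TYPE, "values": {"tls": [
            {"certificate_type": "CustomerCertificate"}]}},  # secret id unknown until apply
        {"address": PREFIX + '["bad"]', "type": RESOURCE_TYPE, "values": {"tls": [
            {"certificate_type": "ManagedCertificate",
             "cdn_frontdoor_secret_id": "/subscriptions/PLACEHOLDER/secrets/example"}]}},
    ]}]}}}

if __name__ == "__main__":  # run on a saved plan: python check.py plan.json
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, problem in check_tls_blocks(plan):
        print(f"{address}: {problem}")
```

Run it against `terraform show -json tfplan > plan.json` before `terraform apply`; an empty result means no tls block in the plan mixes the two properties.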

ptsapralis commented 2 weeks ago

I have a similar problem: I receive the error message "the 'cdn_frontdoor_secret_id' field is not supported if the 'certificate_type' is 'ManagedCertificate'" when attempting to modify a custom domain's "min_tls_ver" property from "TLS12" to "TLS10" or vice versa.

In my use case, the custom domain is the only one defined in the Azure Front-Door profile and is using an Azure-managed certificate (property "certificate_type" = "ManagedCertificate").

Property "min_tls_ver" can be modified in the Azure Portal or using an Azure CLI command.