hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Deployment of AKS clusters & AppGWs not working as expected in Azure China #3694

Closed wozorio closed 5 years ago

wozorio commented 5 years ago

Community Note

Terraform (and AzureRM Provider) Version

Terraform v0.12.2, provider azurerm 1.30.1

Affected Resource(s)

Terraform Configuration Files

# Create an AKS cluster
resource "azurerm_kubernetes_cluster" "aks" {
  name                = var.name
  location            = var.location
  resource_group_name = var.resource_group_name
  dns_prefix          = var.name
  kubernetes_version  = var.aks_cluster_version

  agent_pool_profile {
    name    = "nodepool"
    count   = var.aks_node_count
    vm_size = var.aks_vm_node_size
  }

  role_based_access_control {
    enabled = true

    azure_active_directory {
      client_app_id     = var.aad_client_app_id
      server_app_id     = var.aad_server_app_id
      server_app_secret = var.aad_server_app_secret
      tenant_id         = var.aad_tenant_id
    }
  }

  linux_profile {
    admin_username = var.aks_admin_username

    ssh_key {
      key_data = var.aks_admin_ssh_key
    }
  }

  service_principal {
    client_id     = var.aks_service_principal
    client_secret = var.aks_client_secret
  }

  tags = {
    Environment = var.environment
    Capability  = var.capability
    Contact     = var.contact
    ManagedBy   = "terraform"
  }
}

# Create an Application Gateway
resource "azurerm_application_gateway" "waf" {
  name                = var.name
  resource_group_name = var.resource_group_name
  location            = var.location

  sku {
    name     = var.sku_name
    tier     = var.sku_tier
    capacity = var.sku_capacity
  }

  gateway_ip_configuration {
    name      = "${var.name}-ipconfig"
    subnet_id = "${var.vnet_id}/subnets/${var.subnet_name}"
  }

  frontend_port {
    name = "${var.vnet_name}-https-frontend-port"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "${var.vnet_name}-frontend-ip"
    public_ip_address_id = var.public_ip_id
  }

  backend_address_pool {
    name         = "${var.vnet_name}-backend-address-pool"
    ip_addresses = [var.backend_pool_ip_address]
  }

  backend_http_settings {
    name                  = "${var.vnet_name}-https-backend"
    cookie_based_affinity = "Disabled"
    port                  = "443"
    protocol              = "Https"
    request_timeout       = "20"
    probe_name            = var.probe_name

    authentication_certificate {
      name = "ciam-backend-public-cert"
    }
  }

  http_listener {
    name                           = "${var.vnet_name}-https-listener"
    frontend_ip_configuration_name = "${var.vnet_name}-frontend-ip"
    frontend_port_name             = "${var.vnet_name}-https-frontend-port"
    protocol                       = "Https"
    ssl_certificate_name           = "ciam-frontend"
  }

  request_routing_rule {
    name                       = "${var.vnet_name}-https-routing-rule"
    rule_type                  = "Basic"
    http_listener_name         = "${var.vnet_name}-https-listener"
    backend_address_pool_name  = "${var.vnet_name}-backend-address-pool"
    backend_http_settings_name = "${var.vnet_name}-https-backend"
  }

  authentication_certificate {
    name = "ciam-backend-public-cert"
    data = filebase64(var.backend_tls_certificate)
  }

  ssl_certificate {
    name     = "ciam-frontend"
    data     = filebase64(var.frontend_tls_certificate)
    password = var.frontend_tls_certificate_password
  }

  waf_configuration {
    firewall_mode        = "Prevention"
    rule_set_type        = "OWASP"
    rule_set_version     = "3.0"
    enabled              = true
    file_upload_limit_mb = "100"
  }

  probe {
    host                = var.probe_host
    name                = var.probe_name
    protocol            = "Https"
    path                = var.probe_path
    interval            = 30
    timeout             = 30
    unhealthy_threshold = 3
  }

  tags = {
    Environment = var.environment
    Capability  = var.capability
    Contact     = var.contact
    ManagedBy   = "terraform"
  }
}

The deployment of AKS clusters & Application Gateways and their respective resources (subnets, NSGs, public IPs, etc.) works fine the first time. However, if terraform plan is executed right afterwards, instead of reporting that no changes in the infrastructure were detected, it reports that nearly all the resources should be destroyed and re-created.

Debug Output

Panic Output

Expected Behavior

Once all the resources were deployed with Terraform successfully and nothing was changed afterwards, in the subsequent executions of terraform plan, the following output is expected: Your infrastructure is up-to-date.

Steps to Reproduce

  1. terraform apply
  2. terraform plan
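A CI guard for the two steps above, added here as an example and not part of the original issue or the provider: it parses the JSON form of the plan (`terraform plan -out=plan.tfplan && terraform show -json plan.tfplan`) and fails when any resource would be destroyed and re-created, so drift of the kind reported here cannot silently tear down a cluster or a WAF on the next apply. The sample plan JSON is constructed, and the file name plan.tfplan is an assumption.

```python
import json
import sys

# Constructed sample of `terraform show -json` output (not from the reporter's
# environment). In the plan JSON format, a change whose actions are
# ["delete", "create"] or ["create", "delete"] is a replacement.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {"address": "azurerm_kubernetes_cluster.aks",
         "change": {"actions": ["delete", "create"]}},
        {"address": "azurerm_application_gateway.waf",
         "change": {"actions": ["delete", "create"]}},
        {"address": "azurerm_public_ip.waf",
         "change": {"actions": ["no-op"]}},
        {"address": "azurerm_network_security_group.aks",
         "change": {"actions": ["update"]}},
    ],
})


def planned_replacements(plan_json):
    """Return the addresses of resources the plan would destroy and re-create."""
    plan = json.loads(plan_json)
    replaced = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        if actions == {"delete", "create"}:
            replaced.append(rc["address"])
    return replaced


def plan_is_clean(plan_json):
    """True only when every resource change is a no-op, i.e. no drift at all."""
    plan = json.loads(plan_json)
    return all(rc.get("change", {}).get("actions") == ["no-op"]
               for rc in plan.get("resource_changes", []))


def main():
    # Usage: terraform show -json plan.tfplan | python3 plan_guard.py
    plan_json = sys.stdin.read()
    replaced = planned_replacements(plan_json)
    for address in replaced:
        print("would be destroyed and re-created: %s" % address)
    # Non-zero exit blocks the pipeline before `terraform apply` runs.
    sys.exit(1 if replaced else 0)


if __name__ == "__main__":
    main()
```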

Important Factoids

Issue only happens in Azure China. We are using the very same script / logic in Azure global and in there it works as expected.

References

ghost commented 5 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!