hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_dns_a_record failing with weird "from no visitor picked" string in target_resource_id? #8191

Closed dossy closed 4 years ago

dossy commented 4 years ago

Community Note

Terraform (and AzureRM Provider) Version

$ terraform -v
Terraform v0.12.29
+ provider.azurerm v2.24.0
+ provider.null v2.1.2

Affected Resource(s)

Terraform Configuration Files

resource "azurerm_cdn_profile" "cdn" {
  resource_group_name = "RG"
  location            = "EastUS2"
  name                = "cdn"
  sku                 = "Standard_Microsoft"
}

resource "azurerm_cdn_endpoint" "endpoint" {
  resource_group_name = "RG"
  location            = "EastUS2"
  profile_name        = azurerm_cdn_profile.cdn.name
  name                = "cdn-endpoint"

  querystring_caching_behaviour   = "UseQueryString"
  origin_host_header              = "www.domain.test"

  origin {
    name      = "www"
    host_name = "www.domain.test"
  }

  global_delivery_rule {
    modify_request_header_action {
      action  = "Delete"
      name    = "Cookie"
    }

    modify_response_header_action {
      action  = "Delete"
      name    = "Set-Cookie"
    }
  }
}

resource "azurerm_dns_a_record" "apex" {
  resource_group_name = "RG"
  zone_name           = "domain.test"
  name                = "@"

  ttl                 = 300
  target_resource_id  = azurerm_cdn_profile.cdn.id
}

Debug Output

(I cannot provide the entire log, but I've redacted names and IDs from the relevant portion of the log.)

```
2020/08/20 16:34:46 [DEBUG] azurerm_dns_a_record.apex[0]: applying the planned Create change
2020/08/20 16:34:46 [TRACE] GRPCProvider: ApplyResourceChange
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: [DEBUG] AzureRM Request:
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: GET /subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnsZones/domain.test/A/@?api-version=2018-05-01 HTTP/1.1
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Host: management.azure.com
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: User-Agent: Go/go1.14.5 (amd64-darwin) go-autorest/v14.0.0 Azure-SDK-For-Go/v44.2.0 dns/2018-05-01 HashiCorp Terraform/0.12.29 (+https://www.terraform.io) Terraform Plugin SDK/1.13.1 terraform-provider-azurerm/2.24.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Correlation-Request-Id: REDACTED
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Accept-Encoding: gzip
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5:
2020-08-20T16:34:46.861-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5:
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnsZones/domain.test/A/@?api-version=2018-05-01:
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: HTTP/2.0 404 Not Found
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Length: 170
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Cache-Control: private
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Type: application/json; charset=utf-8
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Date: Thu, 20 Aug 2020 20:34:46 GMT
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Server: Microsoft-IIS/10.0
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Strict-Transport-Security: max-age=31536000; includeSubDomains
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Content-Type-Options: nosniff
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Correlation-Request-Id: REDACTED
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 499
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Request-Id: REDACTED
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Routing-Request-Id: REDACTED
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Powered-By: ASP.NET
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5:
2020-08-20T16:34:47.196-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: {"code":"NotFound","message":"The resource record '@' does not exist in resource group 'REDACTED' of subscription 'REDACTED'."}
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: [DEBUG] AzureRM Request:
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: PUT /subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnsZones/domain.test/A/@?api-version=2018-05-01 HTTP/1.1
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Host: management.azure.com
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: User-Agent: Go/go1.14.5 (amd64-darwin) go-autorest/v14.0.0 Azure-SDK-For-Go/v44.2.0 dns/2018-05-01 HashiCorp Terraform/0.12.29 (+https://www.terraform.io) Terraform Plugin SDK/1.13.1 terraform-provider-azurerm/2.24.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Length: 254
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Type: application/json; charset=utf-8
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Correlation-Request-Id: REDACTED
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Accept-Encoding: gzip
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5:
2020-08-20T16:34:47.197-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: {"properties":{"ARecords":[],"TTL":300,"metadata":{"brand":"BB","environment":"production"},"targetResource":{"id":"/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn"}}}
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnsZones/domain.test/A/@?api-version=2018-05-01:
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: HTTP/2.0 400 Bad Request
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Length: 250
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Cache-Control: private
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Content-Type: application/json; charset=utf-8
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Date: Thu, 20 Aug 2020 20:34:47 GMT
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Server: Microsoft-IIS/10.0
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: Strict-Transport-Security: max-age=31536000; includeSubDomains
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Content-Type-Options: nosniff
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Correlation-Request-Id: REDACTED
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 11998
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Request-Id: REDACTED
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Ms-Routing-Request-Id: REDACTED
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: X-Powered-By: ASP.NET
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5:
2020-08-20T16:34:47.636-0400 [DEBUG] plugin.terraform-provider-azurerm_v2.24.0_x5: {"code":"BadRequest","message":"Reference records are not supported for resource '\/subscriptions\/REDACTED\/resourceGroups\/REDACTED\/providers\/Microsoft.Cdn\/profiles\/cdn from no visitor picked'"}
2020/08/20 16:34:47 [DEBUG] azurerm_dns_a_record.apex[0]: apply errored, but we're indicating that via the Error pointer rather than returning it: Error creating/updating DNS A Record "@" (Zone "domain.test" / Resource Group "REDACTED"): dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Reference records are not supported for resource '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn from no visitor picked'"
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalMaybeTainted
2020/08/20 16:34:47 [TRACE] EvalMaybeTainted: azurerm_dns_a_record.apex[0] encountered an error during creation, so it is now marked as tainted
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalWriteState
2020/08/20 16:34:47 [TRACE] EvalWriteState: removing state object for azurerm_dns_a_record.apex[0]
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalApplyProvisioners
2020/08/20 16:34:47 [TRACE] EvalApplyProvisioners: azurerm_dns_a_record.apex[0] has no state, so skipping provisioners
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalMaybeTainted
2020/08/20 16:34:47 [TRACE] EvalMaybeTainted: azurerm_dns_a_record.apex[0] encountered an error during creation, so it is now marked as tainted
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalWriteState
2020/08/20 16:34:47 [TRACE] EvalWriteState: removing state object for azurerm_dns_a_record.apex[0]
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalIf
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalIf
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalWriteDiff
2020/08/20 16:34:47 [TRACE] : eval: *terraform.EvalApplyPost
2020/08/20 16:34:47 [ERROR] : eval: *terraform.EvalApplyPost, err: Error creating/updating DNS A Record "@" (Zone "domain.test" / Resource Group "REDACTED"): dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Reference records are not supported for resource '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn from no visitor picked'"
2020/08/20 16:34:47 [ERROR] : eval: *terraform.EvalSequence, err: Error creating/updating DNS A Record "@" (Zone "domain.test" / Resource Group "REDACTED"): dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Reference records are not supported for resource '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn from no visitor picked'"
2020/08/20 16:34:47 [TRACE] [walkApply] Exiting eval tree: azurerm_dns_a_record.apex[0]
2020/08/20 16:34:47 [TRACE] vertex "azurerm_dns_a_record.apex[0]": visit complete
2020/08/20 16:34:47 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2020/08/20 16:34:47 [TRACE] dag/walk: upstream of "provider.azurerm (close)" errored, so skipping
2020/08/20 16:34:47 [TRACE] dag/walk: upstream of "root" errored, so skipping
2020-08-20T16:34:47.900-0400 [DEBUG] plugin: plugin process exited: path=/Users/REDACTED/stacks/cdn/.terraform/plugins/darwin_amd64/terraform-provider-azurerm_v2.24.0_x5 pid=71900
2020-08-20T16:34:47.900-0400 [DEBUG] plugin: plugin exited
```

Panic Output

N/A

Expected Behavior

The apex record @ should have been created in the Azure DNS zone, as an alias resource pointing at the Azure CDN profile cdn.

Actual Behavior

Terraform will perform the following actions:

  # azurerm_dns_a_record.apex[0] will be created
  + resource "azurerm_dns_a_record" "apex" {
      + fqdn                = (known after apply)
      + id                  = (known after apply)
      + name                = "@"
      + resource_group_name = "REDACTED"
      + target_resource_id  = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn"
      + ttl                 = 300
      + zone_name           = "domain.test"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "REDACTED"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_dns_a_record.apex[0]: Creating...

Error: Error creating/updating DNS A Record "@" (Zone "domain.test" / Resource Group "REDACTED"): dns.RecordSetsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Reference records are not supported for resource '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn from no visitor picked'"

  on cdn.tf line 56, in resource "azurerm_dns_a_record" "apex":
  56: resource "azurerm_dns_a_record" "apex" {

Steps to Reproduce

  1. terraform apply

Important Factoids

N/A

References

N/A

tehho commented 4 years ago

Was just gonna do this myself but with data objects.

From the portal it looks like it points to the endpoint and not the profile. What happens if you target the endpoint.id instead?

Also cdn_endpoint doesn't have a data source.

dossy commented 4 years ago

> From the portal it looks like it points to the endpoint and not the profile. What happens if you target the endpoint.id instead?

While it "works" if you target the endpoint.id in that it doesn't throw an error, it doesn't trigger the creation of the cdnverify CNAME record and otherwise doesn't seem to be doing the correct thing, and when you edit it in the Azure portal, the drop-down shows nothing selected, the CDN resource isn't selected.

When you select the CDN target manually in the Azure portal, then terraform import it, the ID that's targeted is the ID of the CDN profile, not the CDN endpoint.

magodo commented 4 years ago

Hi @dossy

  1. You need to explicitly create the azurerm_dns_cname_record in Terraform. Speaking of the drop-down list of the A record (created via Terraform), it is just a visual issue of Portal, the CDN endpoint is indeed set to the A record, which you can verify by calling the API.

  2. I have verified that the target_id of a DNS A record is the ID of CDN endpoint. Would you please double check on your side? If this is still the case, then could you provide the terraform log so that we can further investigate?

dossy commented 4 years ago

@magodo, thanks for asking.

So, I selected the CDN resource in the Azure portal, then used Azure CLI to fetch the record with something like this:

$ az network dns record-set a show --resource-group REDACTED --zone-name domain.test --name @

And, the targetResource.id in the response does point to the endpoint ID, not the CDN profile.

In Terraform, I define a resource azurerm_dns_a_record.apex and use terraform import to import the record from Azure.

At this point, there should be nothing to do, because the resource in Azure which was imported should mostly match the resource in TF. But, instead, when I terraform apply I get this:

Terraform will perform the following actions:

  # azurerm_dns_a_record.apex[0] will be updated in-place
  ~ resource "azurerm_dns_a_record" "apex" {
        fqdn                = "domain.test."
        id                  = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/dnszones/domain.test/A/@"
        name                = "@"
        records             = []
        resource_group_name = "REDACTED"
      ~ tags                = {
          + "brand"       = "REDACTED"
          + "environment" = "REDACTED"
        }
      ~ target_resource_id  = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn/endpoints/cdn-endpoint" -> "/subscriptions/REDACTED/resourcegroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn/endpoints/cdn-endpoint"
        ttl                 = 300
        zone_name           = "domain.test"

        timeouts {}
    }

Plan: 0 to add, 1 to change, 0 to destroy.

So, the updated tags I expect, but the target_resource_id? What's interesting is they are identical strings except for one character: the lowercase g in resourcegroups vs. resourceGroups.

In my TF configuration, I'm using target_resource_id = azurerm_cdn_endpoint.cdn-endpoint.id which is a resource defined in the same configuration.

Where'd that lowercase g come from?

tehho commented 4 years ago

@dossy was there a lower g in the import? What does terraform state list say?

If yes, try terraform state rm and import with upper case g to see if there is a difference.

magodo commented 4 years ago

Hi @dossy Thank you for providing the details!

Besides the g, at least the ID is an endpoint ID :smile: The g here is because some service will modify the case of some key word of ID (e.g. the resourceGroups here), while they shouldn't. I can submit a PR to relax the casing for the target_resource_id so that you will get this diff.

dossy commented 4 years ago

@tehho - The issue isn't with what's terraform import'ed. The issue is the id output from azurerm_cdn_endpoint has resourcegroups instead of resourceGroups - not sure why this is happening, though.

tombuildsstuff commented 4 years ago

@magodo in which case can we ensure the ID coming back from the CDN Endpoint resource is patched to the expected format (as we do for FrontDoor) - for users, Resource IDs should be consistent/reliable where possible.
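The two remedies discussed above (comparing IDs without regard to case, and patching the returned ID back to the expected casing), as an added Go example that is not the provider's own code. `NormalizeResourceID`, `SameResourceID`, `ResourceType` and the `canonicalKeys` table are hypothetical names introduced here; the IDs are the redacted ones from the plan output in this thread.

```go
package main

import (
	"fmt"
	"strings"
)

// Lowercased key segment -> expected casing. Covers the segment seen in this
// thread and its fixed neighbours only (assumption; extend as needed).
var canonicalKeys = map[string]string{
	"subscriptions":  "subscriptions",
	"resourcegroups": "resourceGroups",
	"providers":      "providers",
}

// NormalizeResourceID restores the expected casing on key segments only.
// In "/subscriptions/{id}/resourceGroups/{name}/providers/{ns}/{type}/{name}"
// keys sit at odd indexes after splitting on "/", so user-chosen names
// (even a resource group literally called "providers") are left untouched.
func NormalizeResourceID(id string) string {
	parts := strings.Split(id, "/")
	for i := 1; i < len(parts); i += 2 {
		if canon, ok := canonicalKeys[strings.ToLower(parts[i])]; ok {
			parts[i] = canon
		}
	}
	return strings.Join(parts, "/")
}

// SameResourceID is the "relaxed casing" comparison: a case-insensitive match,
// so a casing-only difference does not show up as drift in the plan.
func SameResourceID(a, b string) bool {
	return strings.EqualFold(a, b)
}

// ResourceType returns e.g. "Microsoft.Cdn/profiles/endpoints", which tells a
// CDN profile ID apart from a CDN endpoint ID. Returns "" without a provider part.
func ResourceType(id string) string {
	parts := strings.Split(id, "/")
	for i := 1; i+1 < len(parts); i += 2 {
		if strings.EqualFold(parts[i], "providers") {
			types := []string{parts[i+1]}
			for j := i + 2; j < len(parts); j += 2 {
				types = append(types, parts[j])
			}
			return strings.Join(types, "/")
		}
	}
	return ""
}

func main() {
	// Both IDs copied from the in-place update shown in the plan above.
	state := "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn/endpoints/cdn-endpoint"
	config := "/subscriptions/REDACTED/resourcegroups/REDACTED/providers/Microsoft.Cdn/profiles/cdn/endpoints/cdn-endpoint"
	fmt.Println(state == config, SameResourceID(state, config), NormalizeResourceID(config) == state)
	fmt.Println(ResourceType(state))
}
```
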

ghost commented 4 years ago

This has been released in version 2.26.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.26.0"
}
# ... other configuration ...

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!