-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_application_gateway always replaces backend_http_settings when cookie_based_affinity is disabled and no affinity_cookie_name is defined #23467
Comments
Hi @omgjlk , I try to reproduce the issue but seems I can't with below config. Could it be the Thanks. tf configprovider "azurerm" {
features {}
}
data "azurerm_client_config" "test" {
}
resource "azurerm_resource_group" "test" {
name = "wt-test-appgw2"
location = "West Europe"
}
resource "azurerm_virtual_network" "test" {
name = "test-network1"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
address_space = ["10.254.0.0/16"]
}
resource "azurerm_subnet" "frontend" {
name = "frontend"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefixes = ["10.254.0.0/24"]
}
resource "azurerm_subnet" "backend" {
name = "backend"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefixes = ["10.254.2.0/24"]
}
resource "azurerm_public_ip" "test" {
name = "test-pip"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
allocation_method = "Static"
sku = "Standard"
}
locals {
backend_address_pool_name = "${azurerm_virtual_network.test.name}-beap"
frontend_port_name = "${azurerm_virtual_network.test.name}-feport"
frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
http_setting_name = "${azurerm_virtual_network.test.name}-be-htst"
listener_name = "${azurerm_virtual_network.test.name}-httplstn"
request_routing_rule_name = "${azurerm_virtual_network.test.name}-rqrt"
redirect_configuration_name = "${azurerm_virtual_network.test.name}-rdrcfg"
}
resource "azurerm_application_gateway" "network" {
name = "testi2-appgateway"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
sku {
name = "Standard_v2"
tier = "Standard_v2"
capacity = 2
}
gateway_ip_configuration {
name = "my-gateway-ip-configuration"
subnet_id = azurerm_subnet.frontend.id
}
frontend_port {
name = local.frontend_port_name
port = 80
}
frontend_ip_configuration {
name = local.frontend_ip_configuration_name
public_ip_address_id = azurerm_public_ip.test.id
}
backend_address_pool {
name = "bap3"
ip_addresses = []
fqdns = []
}
backend_address_pool {
ip_addresses = []
fqdns = ["foobar.com"]
name = local.backend_address_pool_name
}
backend_http_settings {
name = local.http_setting_name
cookie_based_affinity = "Disabled"
port = 443
protocol = "Https"
host_name = "terraform.githubapp.com"
request_timeout = 60
pick_host_name_from_backend_address = false
connection_draining {
drain_timeout_sec = 300
enabled = true
}
}
http_listener {
name = local.listener_name
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.frontend_port_name
protocol = "Http"
}
request_routing_rule {
name = local.request_routing_rule_name
priority = 10
rule_type = "Basic"
http_listener_name = local.listener_name
backend_address_pool_name = local.backend_address_pool_name
backend_http_settings_name = local.http_setting_name
}
} |
I'll work on a real reproduction instead of an edited version of what we're doing in production. At the same time I'll get DEBUG log output. For our production workload I've just set the affinity_cookie_name to what TF was saying it was and that resulted in TF saying that there were no changes necessary. |
Its always replacing for me no matter what. I am using AKS and that enables AGIC which replacess all the backends, whenver I deploy terraform again after that it completely replaces it all again, breaking my ingress. |
Same for me. It always updates. |
Is there an existing issue for this?
Community Note
I've got an application gateway with an http backend. That backend has
cookie_based_affinity
set toDisabled
. There is no definition for aaffinity_cookie_name
. However every run of Terraform wants to replace the resource, and in the details I can see:The replacement resource does not show an attribute for
affinity_cookie_name
being added.I assume that there is something on Azure side that is automatically creating an affinity cookie name when the resource is created, and now Terraform is comparing state to resource and notices a difference.
If I add the attribute to my terraform file the resource is no longer refreshed.
Terraform Version
1.4.4
AzureRM Provider Version
3.50.0
Affected Resource(s)/Data Source(s)
azurerm_application_gateway
Terraform Configuration Files
resource "azurerm_application_gateway" "tfe_prod" {
name = tfe_prod
resource_group_name = module.site.rg_network_name
location = module.site.rg_network_location
zones = ["1", "2", "3"]
sku {
name = "Standard_v2"
tier = "Standard_v2"
}
gateway_ip_configuration {
name = "${local.tfe_prod_full_name}-gw-subnet"
subnet_id = module.site.app_gateway_subnet_id
}
autoscale_configuration {
min_capacity = 2
max_capacity = 125
}
frontend_ip_configuration {
name = local.tfe_prod_frontend_ip_configuration_name
public_ip_address_id = azurerm_public_ip.tfe_prod.id
}
backend_address_pool {
name = local.tfe_prod_backend_address_pool_name
}
TFE Application
backend_http_settings {
name = local.tfe_prod_backend_https_settings_name
cookie_based_affinity = "Disabled"
port = 443
protocol = "Https"
request_timeout = 60
host_name = local.tfe_prod_service_fqdn
connection_draining {
enabled = true
drain_timeout_sec = 300
}
}
}
Debug Output/Panic Output
Terraform will perform the following actions:
azurerm_application_gateway.tfe_prod will be updated in-place
~ resource "azurerm_application_gateway" "tfe_prod" {
id = "/subscriptions//resourceGroups/network/providers/Microsoft.Network/applicationGateways/azure-eastus-terraform-enterprise-production"
name = "azure-eastus-terraform-enterprise-production"
tags = {
"catalog_service" = "terraform-enterprise"
"environment" = "production"
}
Expected Behaviour
The resource does not change every plan.
Actual Behaviour
The resource is changing every plan.
Steps to Reproduce
Create an application gateway with a backend_http_settings that disable cookie_based_affinity and do not define an affinity_cookie_name. Plan/apply. Plan again and notice Terraform wanting to replace the backend_http_settings.
Important Factoids
No response
References
Looks similar to #16695
The text was updated successfully, but these errors were encountered: