Alexey Auslender

Reputation: 496

Creating custom host name binding for app service in terraform fails with Cannot find Certificate with name

I am trying to create custom host name binding for app service in terraform and I am using the following configuration for that

resource "azurerm_app_service_custom_hostname_binding" "webapp_fqdn" {
  for_each = local.apsvc_fqdns_locations

  hostname            = each.value.fqdn
  app_service_name    = azurerm_app_service.webapp[each.value.apsvc_location_key].name
  resource_group_name = var.regional_web_rg[each.value.location].name

  ssl_state  = "SniEnabled"
  thumbprint = azurerm_app_service_certificate.cert[each.value.certificate_location_key].thumbprint
}

resource "azurerm_app_service_certificate" "cert" {
  for_each = local.certificates_locations

  name                = each.value.certificate_name
  resource_group_name = var.regional_web_rg[each.value.location].name
  location            = each.value.location
  key_vault_secret_id = data.azurerm_key_vault_secret.cert[each.value.certificate_name].id
}

The code fails (sporadically) with the following error: "Cannot find Certificate with name 6CAC9XXXX." When the error occurs, I can go to the portal and see the following: [image]

If I create those resources through the Az PowerShell module by running the following

Set-AzWebApp -Name app508-resc-aa1-web-centralus-showcase-apsvc -ResourceGroupName app508-resc-aa1-web-centralus -HostNames @("showcase-aa1.np.dayforcehcm.com")
New-AzWebAppSSLBinding  -ResourceGroupName app508-resc-aa1-web-centralus  -WebAppName app508-resc-aa1-web-centralus-showcase-apsvc -Thumbprint "6CAC9XXXX" -Name "showcase-aa1.np.dayforcehcm.com"

it works perfectly fine and the resources are created properly. It looks like Terraform tries to create both the host name and the custom host name binding by using one resource, azurerm_app_service_custom_hostname_binding, so is it some sort of race condition that I am facing, or am I using the wrong resources?

Upvotes: 6

Views: 2113

Answers (1)

harshavmb

Reputation: 3872

Okay, I see it's a problem with the azurerm provider. Usually, a WaitForCompletionRef call or equivalent function (whatever is offered by Azure-go-SDK) is made to wait until the create/update function is complete.

In the case of the azurerm_app_service_certificate resource, after the SDK's create function call, the resourceAppServiceCertificateRead function is called immediately without waiting for the resource to be created. I think this is why you have this intermittently occurring.

if _, err := client.CreateOrUpdate(ctx, id.ResourceGroup, id.Name, certificate); err != nil {
    return fmt.Errorf("creating/updating %s: %s", id, err)
}

d.SetId(id.ID())

return resourceAppServiceCertificateRead(d, meta)

You can create an issue here or create a PR to get this added. In the meantime, as a workaround, you can put some sleep for a few seconds until the resource is created. time_sleep could help you with this.

Upvotes: 3
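
The time_sleep workaround from the answer, applied to the question's configuration. This is an added example, not part of the original answer or the provider's code. The resource name cert_settle and the 30s delay are assumptions, and the hashicorp/time provider must be declared in the module's required_providers.

```hcl
# Assumption: one sleep per certificate, keyed the same way as the
# certificates in the question (local.certificates_locations).
resource "time_sleep" "cert_settle" {
  for_each = azurerm_app_service_certificate.cert

  # Assumed delay; tune it to how long the certificate takes to become
  # visible to the App Service after CreateOrUpdate returns.
  create_duration = "30s"

  # Passing the thumbprint through triggers means anything that reads it
  # from here is ordered after the sleep, not just after the certificate.
  # A changed thumbprint (renewed certificate) also re-creates the sleep.
  triggers = {
    thumbprint = each.value.thumbprint
  }
}

resource "azurerm_app_service_custom_hostname_binding" "webapp_fqdn" {
  for_each = local.apsvc_fqdns_locations

  hostname            = each.value.fqdn
  app_service_name    = azurerm_app_service.webapp[each.value.apsvc_location_key].name
  resource_group_name = var.regional_web_rg[each.value.location].name

  ssl_state = "SniEnabled"

  # Read the thumbprint from the sleep resource instead of directly from
  # azurerm_app_service_certificate.cert, so the binding waits for the delay.
  thumbprint = time_sleep.cert_settle[each.value.certificate_location_key].triggers["thumbprint"]
}
```

A fixed delay only narrows the race window; it does not confirm that the certificate is visible, so the error can still appear if propagation takes longer than the chosen duration.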
