azurerm_cdn_frontdoor_rule route_configuration_override_action cdn_frontdoor_origin_group_id parameter should not be required

[jluenne]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The parameter cdn_frontdoor_origin_group_id is required when specifying a route_configuration_override_action within an azurerm_cdn_frontdoor_rule resource.
(see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_rule#cdn_frontdoor_origin_group_id)

In Azure Portal, it is possible to set "Override origin group" to "No", leaving the original routing untouched while other changes are still possible. This cannot be configured using terraform as long as cdn_frontdoor_origin_group_id is a required parameter.

Actual use case:
The same rule set should be used for several routes with different origin groups. Caching behavior should be changed based on url_path_condition, but routing itself should not be changed.

Please allow the parameter cdn_frontdoor_origin_group_id to be optional to cover this use case.

New or Affected Resource(s)/Data Source(s)

azurerm_cdn_frontdoor_rule

Potential Terraform Configuration

resource "azurerm_cdn_frontdoor_rule" "MakeSureApisHaveShortCacheTime" {
  depends_on = [azurerm_cdn_frontdoor_origin_group.web, azurerm_cdn_frontdoor_origin.web]

  name                      = "MakeSureApisHaveShortCacheTime"
  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.web.id
  order                     = 1
  behavior_on_match         = "Continue"

  conditions {
    url_path_condition {
      operator         = "RegEx"
      negate_condition = false
      match_values     = ["/api/?(.*)"]
      transforms       = ["Lowercase", "Trim"]
    }
  }

  actions {
    route_configuration_override_action {
      cdn_frontdoor_origin_group_id = null
      forwarding_protocol           = "HttpsOnly"
      query_string_caching_behavior = "UseQueryString"
      compression_enabled           = true
      cache_behavior                = "OverrideAlways"
      cache_duration                = "0:0:10"
    }
  }
}

References

No response

[WodansSon]

@jluenne, thank you for opening this issue... this is a bit more difficult than I anticipated it would be to implement due to the rules which are enforced by the ARM API.

resource "azurerm_cdn_frontdoor_rule" "MakeSureApisHaveShortCacheTime" {
  depends_on = [azurerm_cdn_frontdoor_origin_group.web, azurerm_cdn_frontdoor_origin.web]

  name                      = "MakeSureApisHaveShortCacheTime"
  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.web.id
  order                     = 0
  behavior_on_match         = "Continue"

  conditions {
    url_path_condition {
      operator         = "RegEx"
      negate_condition = false
      match_values     = ["api/?(.*)"]
      transforms       = ["Lowercase", "Trim"]
    }
  }

  actions {
    route_configuration_override_action {
      query_string_caching_behavior = "UseQueryString"
      compression_enabled           = true
      cache_behavior                = "OverrideAlways"
      cache_duration                = "00:00:10"
    }
  }
}

Changed fields by Portal:

• order was updated from 1 -> 0 (this is because if order is 0 the actions will always be run regardless if conditions are defined or not)
• forwarding_protocol is not a valid parameter if you are not passing a cdn_frontdoor_origin_group_id
• match_values are not allowed to include a leading / character(e.g. /api/?(.*) vs. api/?(.*)), per the Frontdoor documentation the service automatically adds the leading / to this parameter
• the cache_duration value is not in a valid format (e.g. 0:0:10 ->00:00:10)

Also of note, the Portal changes the UI depending on what you pick for the Override Origin Group value:

Yes:

No:

Other Considerations:

Since this resource has already been released I need to be very careful to not introduce any breaking changes to the resource while also attempting to implement parity with the Portal, which is not easy. I will do my best to get this update into the v3.29.0 of the provider but no promises. 🙂

[WodansSon]

NOTE: An unfortunate side effect to this fix, while technically this is not a breaking change because the forwarding_protocol does still default to match_request. To implement this change I had to remove the default value from the schema, which means that this change breaks the Terraform plan diff check because Terraform does not know that the default value will be automatically substituted for an empty forwarding_protocol value while it is doing the apply. If you do not explicitly define the forwarding_protocol in your configuration file you will receive a perpetual no-op diff when you run plan.

[sudeep1607]

@WodansSon How to disable cache through terraform when configuring route_configuration_override_action in azurerm_cdn_frontdoor_rule resource. I don't see any parameter for that and cache_duration argument is being shown as Required. When caching is disabled for the action we don't have to specify duration right?

[WodansSon]

@WodansSon How to disable cache through terraform when configuring route_configuration_override_action in azurerm_cdn_frontdoor_rule resource. I don't see any parameter for that and cache_duration argument is being shown as Required. When caching is disabled for the action we don't have to specify duration right?

@sudeep1607, good question... there currently isn't a way to do this in Terraform as it is currently implemented. I will have to expose a new value in the cache_behavior field where you can set this to be disabled and then make the cache_duration field optional. 🤔

[WodansSon]

@sudeep1607, I have added a fix to the PR which was opened to fix the original issue mentioned in this issue and to also fix the issue that you mentioned above. Once the fix is merged you will be able to match the portal behavior in Terraform by adding the below route_configuration_override_action to your configuration file:

Without Overriding the Origin Group:

  actions {
    route_configuration_override_action {
      cache_behavior = "Disabled"
    }
  }

Overriding the Origin Group:

  actions {
    route_configuration_override_action {
      cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.example.id
      forwarding_protocol           = "HttpsOnly"
      cache_behavior                = "Disabled"
    }
  }

NOTE: @sudeep1607, I have opened tracking issue #19008 for this issue since it is really a different issue that was reported in a related issue. 🚀

[github-actions]

This functionality has been released in v3.29.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.