azurerm_container_app_custom_domain - fix parsing the certificate ID error

[sinbai]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

• The Certificate Id returned from API has two possible values. When using an Azure created Managed Certificate, its format is "/subscriptions/%s/resourceGroups/%s/providers/Microsoft.App/managedEnvironments/%s/managedCertificates/%s", another format is "/subscriptions/%s/resourceGroups/%s/providers/Microsoft.App/managedEnvironments/%s/certificates/%s",
  we should handle both cases to avoid parsing error to fix azurerm_container_app_custom_domain fails parsing the certificate ID for managed certificates #25788 .

• Fix following 'run bash ./scripts/fun-gradually-deprecated.sh' error.

  

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #25788

[tombuildsstuff]

These are two different Resource Types within the API - Microsoft.App/managedEnvironments/certificates and Microsoft.App/managedEnvironments/managedCertificates - so should be exposed as two different properties on our side.

Presumably that'd mean introducing a new property container_app_environment_managed_certificate_id to go alongside the existing container_app_environment_certificate_id - what's the reasoning for shoe-horning these into a single field?

[sinbai]

Thanks for your feedback. The code has been updated. Could you please take another look?

[tombuildsstuff]

Since it's also possible to create/delete/read Managed Certificates I suspect we'll need an associated data source/resource to manage those, so that this is usable?

[sinbai]

I assume that this parsing issue is introduced by support the ability to use Azure Managed Certificates PR. Per the PR's description "This is required to support the automatic creation of Azure Managed Certificates. This PR is in Draft as we are considering design options and may significantly change how this is implemented before inclusion in the provider", I assume that there may be a special reason for not using Managed Certificates API , although I don't know what the reason is. Now that TF already supports Managed Certificates through azurerm_container_app_custom_domain, is it possible to fix the parsing error to unlock the user first?

[decewei]

I agree with @sinbai that this parsing error should be fixed first to support the user. We are using azurerm_container_app_custom_domain to suppress change on the certificate-related fields, so we can manually click through Azure portal to add the managed certificate; until managed certificate is supported in TF.

[RiccardoBarbieri]

Any news on the approval? I used a workaround for this issue but it's not ideal.

[github-actions]

This PR is being labeled as "stale" because it has not been updated for 30 or more days.

If this PR is still valid, please remove the "stale" label. If this PR is blocked, please add it to the "Blocked" milestone.

If you need some help completing this PR, please leave a comment letting us know. Thank you!

[stefano-xy]

Can we please move forward with this fix? I have a Container App with custom domain, defined via TF, but I have to remove and readd the TLS certificate binding manually every time TF complains with this parsing error via Azure Portal.

[fabrideci]

Is there any update on this? Still it's not possible to use azurerm_container_app_custom_domain with managed certificates after months of being reported.

[jeqermigselv-cloud]

Please, let's move forward with this!

[katbyte]

LGTM ☔

@sinbai in the months since this pr was last reviewed have you done any research or looked into creating the resources tom mentioned?

[CRidge]

@sinbai If I'm reading correctly, this fix should be included in 4.3.0, right?

I've updated to this version and I'm still getting the same error. Is there anything else I need to do to?

[jrdzha]

@sinbai If I'm reading correctly, this fix should be included in 4.3.0, right?

I've updated to this version and I'm still getting the same error. Is there anything else I need to do to?

Same here

[sinbai]

Hi @jrdzha , @CRidge , yes, the fix should be included in 4.3.0. Perhaps this PR does not cover your situation. Could you please open a new issue and provide the full Terraform config and reproduction steps to help reproduce and troubleshoot?

[jrdzha]

Hi @jrdzha , @CRidge , yes, the fix should be included in 4.3.0. Perhaps this PR does not cover your situation. Could you please open a new issue and provide the full Terraform config and reproduction steps to help reproduce and troubleshoot?

I see, this is the issue I'm getting:

parsing "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.App/managedEnvironments/REDACTED/managedCertificates/REDACTED": parsing segment "staticCertificates": parsing the Certificate ID: the segment at position 8 didn't match
│ 
│ Expected a Certificate ID that matched:
│ 
│ > /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.App/managedEnvironments/managedEnvironmentValue/certificates/certificateValue
│ 
│ However this value was provided:
│ 
│ > /subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.App/managedEnvironments/REDACTED/managedCertificates/REDACTED
│ 
│ The parsed Resource ID was missing a value for the segment at position 8
│ (which should be the literal value "certificates").
│ 
│ 
│ 
│   with module.REDACTED.azurerm_container_app_custom_domain.REDACTED,
│   on ../REDACTED/container_app.tf line 171, in resource "azurerm_container_app_custom_domain" "REDACTED":
│  171:   container_app_environment_certificate_id = jsondecode(azapi_resource.managed_certificate.output).id

Is this different from this PR? I can open a separate issue if you think so.

[CRidge]

Hi @jrdzha , @CRidge , yes, the fix should be included in 4.3.0. Perhaps this PR does not cover your situation. Could you please open a new issue and provide the full Terraform config and reproduction steps to help reproduce and troubleshoot?

My output is basically identical to the one shown by @jrdzha.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.