
I'm having trouble creating an Azure Front Door instance with Terraform. The setup should be pretty basic, but I cannot find out what is wrong.

Here is the terraform script

# Azure Front Door instance in front of an Azure AD B2C login host.
# NOTE(review): this is the configuration that produces the BadRequest quoted
# below. The Front Door `name` ("fd-adpb2c-westeurope-dev") differs from the
# subdomain of the frontend endpoint's host_name
# ("b2c-frontdoor-endpoint-dev.azurefd.net"); the answers on this page attribute
# the error to that mismatch.
resource "azurerm_frontdoor" "b2cfrontdoor" {
  name                                         = "fd-adpb2c-westeurope-dev"
  resource_group_name                          = azurerm_resource_group.b2c.name
  # Asks Front Door to validate the certificate name on HTTPS connections to
  # the backends.
  # NOTE(review): the PUT payload captured further down shows
  # "enforceCertificateNameCheck": "Disabled" and an endpoint named
  # "b2-frontdoor-endpoint-dev", so that capture does not match this script
  # exactly; confirm which value is actually deployed.
  enforce_backend_pools_certificate_name_check = true

  # Single catch-all rule that forwards every path to the backend pool.
  routing_rule {
    name               = "routingrule"
    # Both plain HTTP and HTTPS are accepted from clients.
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["b2c-frontdoor-endpoint-dev"]
    forwarding_configuration {
      # "MatchRequest" reuses the client's protocol towards the backend, so a
      # request received over HTTP is forwarded over HTTP. The backend is a
      # login host; consider an HTTPS-only forwarding protocol together with an
      # HTTP-to-HTTPS redirect rule.
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "b2-backend-pool-dev"
    }
  }

  # Load-balancing settings; only the name is set, everything else is left to
  # the provider defaults.
  backend_pool_load_balancing {
    name = "loadbalancingsettings"
  }

  # Health probing is switched off here, so probe_method only takes effect once
  # `enabled` is turned on.
  backend_pool_health_probe {
    name    = "healthprobesettings"
    enabled = false
    probe_method = "HEAD"
  }

  # Backend pool with one backend; it refers to the load-balancing and
  # health-probe settings above by name.
  backend_pool {
    name = "b2-backend-pool-dev"
    backend {
      # The Host header sent to the backend is the same as the backend address.
      host_header = "xyz.b2clogin.com"
      address     = "xyz.b2clogin.com"
      http_port   = 80
      https_port  = 443
    }
    load_balancing_name = "loadbalancingsettings"
    health_probe_name   = "healthprobesettings"
  }

  # Frontend endpoint referenced by routing_rule.frontend_endpoints.
  frontend_endpoint {
    name      = "b2c-frontdoor-endpoint-dev"
    host_name = "b2c-frontdoor-endpoint-dev.azurefd.net"
    session_affinity_enabled = false
    session_affinity_ttl_seconds = 0
  }
}

The error message returned is

Error: creating Front Door "fd-adpb2c-westeurope-dev" (Resource Group "rg-adpb2c-westeurope-dev"): frontdoor.FrontDoorsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="The frontend endpoint zone \"\" must only be used in the default CNAME entry."

  on resource_frontdoor.tf line 1, in resource "azurerm_frontdoor" "b2cfrontdoor":
   1: resource "azurerm_frontdoor" "b2cfrontdoor" {

I did some sniffing on the request sent to Azure and found a PUT request to

https://management.azure.com/subscriptions/*********************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev?api-version=2020-01-01

with this payload

{
  "location": "Global",
  "properties": {
    "backendPools": [
      {
        "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/backendPools/b2-backend-pool-dev",
        "name": "b2-backend-pool-dev",
        "properties": {
          "backends": [
            {
              "address": "xyz.b2clogin.com",
              "backendHostHeader": "xyz.b2clogin.com",
              "enabledState": "Enabled",
              "httpPort": 80,
              "httpsPort": 443,
              "priority": 1,
              "weight": 50
            }
          ],
          "loadBalancingSettings": {
            "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/loadBalancingSettings/loadbalancingsettings"
          },
          "healthProbeSettings": {
            "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/healthProbeSettings/healthprobesettings"
          }
        }
      }
    ],
    "backendPoolsSettings": {
      "enforceCertificateNameCheck": "Disabled",
      "sendRecvTimeoutSeconds": 60
    },
    "enabledState": "Enabled",
    "friendlyName": "",
    "frontendEndpoints": [
      {
        "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/frontendEndpoints/b2-frontdoor-endpoint-dev",
        "name": "b2-frontdoor-endpoint-dev",
        "properties": {
          "hostName": "b2-frontdoor-endpoint-dev.azurefd.net",
          "sessionAffinityEnabledState": "Disabled",
          "sessionAffinityTtlSeconds": 0
        }
      }
    ],
    "healthProbeSettings": [
      {
        "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/healthProbeSettings/healthprobesettings",
        "name": "healthprobesettings",
        "properties": {
          "path": "/",
          "protocol": "Http",
          "intervalInSeconds": 120,
          "healthProbeMethod": "GET",
          "enabledState": "Disabled"
        }
      }
    ],
    "loadBalancingSettings": [
      {
        "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/loadBalancingSettings/loadbalancingsettings",
        "name": "loadbalancingsettings",
        "properties": {
          "sampleSize": 4,
          "successfulSamplesRequired": 2,
          "additionalLatencyMilliseconds": 0
        }
      }
    ],
    "routingRules": [
      {
        "id": "",
        "name": "routingrule",
        "properties": {
          "frontendEndpoints": [
            {
              "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/frontendEndpoints/b2-frontdoor-endpoint-dev"
            }
          ],
          "acceptedProtocols": [
            "Http",
            "Https"
          ],
          "patternsToMatch": [
            "/*"
          ],
          "enabledState": "Enabled",
          "routeConfiguration": {
            "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration",
            "backendPool": {
              "id": "/subscriptions/*********************************/resourceGroups/rg-adpb2c-westeurope-dev/providers/Microsoft.Network/frontDoors/fd-adpb2c-westeurope-dev/backendPools/b2-backend-pool-dev"
            },
            "forwardingProtocol": "MatchRequest"
          }
        }
      }
    ]
  },
  "tags": {}
}

and the response is

{
  "error": {
    "code": "BadRequest",
    "message": "The frontend endpoint zone \"\" must only be used in the default CNAME entry."
  }
}

The Terraform version is 0.14.10 and the azurerm provider version is v2.56.0.

Does anyone know about this problem?

Thanks

Lars Kolsaker

4 Answers


The accepted answer is not quite correct. The actual requirement is that the subdomain of the frontend endpoint must match the name provided for the front door instance. The name of the frontend endpoint can be entirely unrelated to the name of the front door instance.

# The Front Door name is also the subdomain of its default *.azurefd.net host.
$frontDoorName = "matters"

# The endpoint object's own -Name is free-form; only -HostName is derived from
# the Front Door name.
$frontendEndpoint = New-AzFrontDoorFrontendEndpointObject `
    -Name "irrelevant" `
    -HostName "$frontDoorName.azurefd.net"

# $resourceGroupName, $routingRule, $backendPool, $loadBalancingSetting and
# $healthProbeSetting are expected to be defined earlier in the script; they
# are not part of this snippet.
$frontDoorArguments = @{
    ResourceGroupName    = $resourceGroupName
    Name                 = $frontDoorName
    RoutingRule          = $routingRule
    FrontendEndpoint     = $frontendEndpoint
    BackendPool          = $backendPool
    LoadBalancingSetting = $loadBalancingSetting
    HealthProbeSetting   = $healthProbeSetting
}
$frontDoor = New-AzFrontDoor @frontDoorArguments
David Peden

Found out what was wrong (also indicated by Jim Xu). The name of the resource ("azurerm_frontdoor" "b2cfrontdoor") and the name of the frontend_endpoint must be the same. When creating a Front Door instance in the Azure Portal you are not asked for a name; the Front Door instance gets its name from the name of the frontend.

# Variant posted as the fix: the Front Door `name` now equals the subdomain of
# the frontend endpoint's host_name (b2c-frontdoor-endpoint-dev.azurefd.net).
resource "azurerm_frontdoor" "b2cfrontdoor" {
  name                                         = "b2c-frontdoor-endpoint-dev"
  resource_group_name                          = azurerm_resource_group.b2c.name
  enforce_backend_pools_certificate_name_check = true

  # Public endpoint; session affinity is off.
  frontend_endpoint {
    name                         = "b2c-frontdoor-endpoint-dev"
    host_name                    = "b2c-frontdoor-endpoint-dev.azurefd.net"
    session_affinity_enabled     = false
    session_affinity_ttl_seconds = 0
  }

  # Named settings that the backend pool refers to.
  backend_pool_load_balancing {
    name = "loadbalancingsettings"
  }

  backend_pool_health_probe {
    name         = "healthprobesettings"
    enabled      = false
    probe_method = "HEAD"
  }

  # One backend, addressed by the same host name it receives in the Host header.
  backend_pool {
    name                = "b2-backend-pool-dev"
    load_balancing_name = "loadbalancingsettings"
    health_probe_name   = "healthprobesettings"

    backend {
      address     = "xyz.b2clogin.com"
      host_header = "xyz.b2clogin.com"
      http_port   = 80
      https_port  = 443
    }
  }

  # Catch-all route. Because "Http" is accepted and the forwarding protocol is
  # "MatchRequest", a request that arrives over HTTP is forwarded to the login
  # backend over HTTP; an HTTPS-only forwarding protocol plus an HTTP-to-HTTPS
  # redirect rule avoids that.
  routing_rule {
    name               = "routingrule"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["b2c-frontdoor-endpoint-dev"]

    forwarding_configuration {
      backend_pool_name   = "b2-backend-pool-dev"
      forwarding_protocol = "MatchRequest"
    }
  }
}
Lars Kolsaker

Regarding the issue, please refer to the following steps

# Front Door whose resource name and frontend endpoint name are both
# "b2c-frontdoor-endpoint-dev", matching the subdomain of the endpoint's
# *.azurefd.net host name.
resource "azurerm_frontdoor" "b2cfrontdoor" {
  name                                         = "b2c-frontdoor-endpoint-dev"
  resource_group_name                          = azurerm_resource_group.b2c.name
  enforce_backend_pools_certificate_name_check = true

  # Backend side: load-balancing and probe settings, then the pool that uses them.
  backend_pool_load_balancing {
    name = "loadbalancingsettings"
  }

  # Only the name is given, so the probe runs with the provider's defaults.
  backend_pool_health_probe {
    name = "healthprobesettings"
  }

  backend_pool {
    name                = "b2-backend-pool-dev"
    health_probe_name   = "healthprobesettings"
    load_balancing_name = "loadbalancingsettings"

    backend {
      address     = "test.b2clogin.com"
      host_header = "test.b2clogin.com"
      http_port   = 80
      https_port  = 443
    }
  }

  # Client side: the endpoint and the rule that routes its traffic.
  frontend_endpoint {
    name                         = "b2c-frontdoor-endpoint-dev"
    host_name                    = "b2c-frontdoor-endpoint-dev.azurefd.net"
    session_affinity_enabled     = false
    session_affinity_ttl_seconds = 0
  }

  # NOTE(review): plain HTTP is accepted and "MatchRequest" keeps the client's
  # protocol towards the backend, so HTTP requests reach the login host
  # unencrypted; verify that this is intended.
  routing_rule {
    name               = "routingrule"
    patterns_to_match  = ["/*"]
    accepted_protocols = ["Http", "Https"]
    frontend_endpoints = ["b2c-frontdoor-endpoint-dev"]

    forwarding_configuration {
      backend_pool_name   = "b2-backend-pool-dev"
      forwarding_protocol = "MatchRequest"
    }
  }
}
Jim Xu

I've found this also occurs when the host name of any frontend endpoints isn't actually unique, e.g. because you forgot to include the correct environment part.

For example this would be a functional version.
Do note the host_name for your equivalent situation.

  # Endpoint whose host name is composed from the application name and the
  # active workspace, so each environment gets its own *.azurefd.net host.
  # NOTE(review): another answer on this page states that the subdomain must
  # match the Front Door `name`; presumably the resource name is built from the
  # same expression. Confirm against the enclosing resource.
  frontend_endpoint {
    name      = "defaultHostName"
    host_name = format("%s-%s-my-awesome-app.azurefd.net", var.application_name, terraform.workspace)
  }
Paul