Terraform-provider-azurerm: Updating azurerm_application_gateway fails with Duplicate address error

Created on 14 Feb 2019  ·  10 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Terraform (and AzureRM Provider) Version

Terraform v0.11.11

  • provider.azurerm v1.22.0

Affected Resource(s)

  • azurerm_application_gateway

Terraform Configuration Files

# Declare all our certificates at the top so they don't get lost
module "certificate" {
  source          = "../azure/azure_ssl_certificate"
  secret_name     = "certificate"
  key_vault_name  = "vault-centralus"
}

#Create a Public IP for the Application Gateway
resource "azurerm_public_ip" "widgets_public_ip" {
  name                = "widgets-ip"
  resource_group_name = "${data.azurerm_resource_group.rgroup.name}"
  location            = "${data.azurerm_resource_group.rgroup.location}"
  allocation_method   = "Dynamic"
}

# Create an application gateway
resource "azurerm_application_gateway" "widgets_tm_j" {
  name                   = "widgets"
  resource_group_name    = "${data.azurerm_resource_group.rgroup.name}"
  location               = "${data.azurerm_resource_group.rgroup.location}"
  disabled_ssl_protocols = [ "TLSv1_0" ]

  sku {
    name           = "Standard_Large"
    tier           = "Standard"
    capacity       = "8"
  }

  gateway_ip_configuration = [
    {
      name         = "ip-config"
      subnet_id    = "${data.terraform_remote_state.vnet.gateway_subnets[0]}"
    }
  ]

  frontend_port {
      name         = "http-port"
      port         = 80
  }

  frontend_port {
      name         = "https-port"
      port         = 443
  }

  frontend_ip_configuration {
      name         = "feip"
      public_ip_address_id = "${azurerm_public_ip.widgets_public_ip.id}"
  }

  backend_address_pool {
      name = "beap"
      ip_addresses = [
        "${data.terraform_remote_state.node1.private_ip}",
      ]
  }

  backend_http_settings {
      name                                = "backendhttp"
      cookie_based_affinity               = "Disabled"
      port                                = 80
      protocol                            = "Http"
      request_timeout                     = 60
      probe_name                          = "healthcheck"
      pick_host_name_from_backend_address = true
  }

  http_listener {
      name                           = "http-listener"
      frontend_ip_configuration_name = "feip"
      frontend_port_name             = "http-port"
      protocol                       = "Http"
  }

  request_routing_rule {
      name                       = "http-route-default"
      rule_type                  = "Basic"
      http_listener_name         = "http-listener"
      backend_address_pool_name  = "beap"
      backend_http_settings_name = "backendhttp"
  }

  probe {
      name                                      = "healthcheck"
      protocol                                  = "Http"
      path                                      = "/check"
      interval                                  = 6
      timeout                                   = 5
      unhealthy_threshold                       = 3
      pick_host_name_from_backend_http_settings = true
  }

#### Begin Certificate #####

  ssl_certificate {
      name                                    = "certificate"
      data                                    = "${module.certificate.secret_value}"
      password                                = "${module.certificate.secret_passphrase}"
    }


## api-staging.widgets.com

# Listener name should be https-{domain} where domain is the value that goes in host_name
  http_listener {
      name                                  = "https-api-staging.widgets.com"
      frontend_ip_configuration_name        = "feip"
      frontend_port_name                    = "https-port"
      protocol                              = "Https"
      ssl_certificate_name                  = "certificate"
      require_sni                           = true
      host_name                             = "api-staging.widgets.com"
    }
# Rule name should be https-route-{domain}
    request_routing_rule {
      name                       = "https-route-api-staging.widgets.com"
      rule_type                  = "Basic"
      http_listener_name         = "https-api-staging.widgets.com"
      backend_address_pool_name  = "beap"
      backend_http_settings_name = "backendhttp"
    }

### End Certificate ####


}

Debug Output

https://gist.github.com/Ashex/e52694f8b96599b5208f084adf6c9fe5

Expected Behavior

Updating any attribute of the azurerm_application_gateway should succeed or throw an error related to that attribute

Actual Behavior

All changes return the following error:

* azurerm_application_gateway.widgets_tm_j: Error Creating/Updating Application Gateway "widgets" (Resource Group "widgets-us-west"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ApplicationGatewayBackendAddressPoolCannotHaveDuplicateAddress" Message="Backend Address Pool /subscriptions/000000000/resourceGroups/widgets-us-west/providers/Microsoft.Network/applicationGateways/widgets/backendAddressPools/beap cannot have duplicate addresses 172.93.16.4." Details=[]

Indicating that the same address is being added to a single address pool twice, which is not happening here.

Steps to Reproduce

  1. terraform apply to create application gateway
  2. Modify application gateway resource attributes
  3. terraform apply

Important Factoids

Downgrading the provider to 1.21 allows me to update the application gateway without encountering this error.

All 10 comments

i've experienced similar output, and (although my requirements are slightly different) i think it's the same issue.

i have a backend address pool configured like this:

backend_address_pool {
    name = "${local.test_backend_address_pool_name}"
    fqdns = ["${local.test_fqdn}"]
}

terraform plan runs cleanly, but on updates terraform apply gives me a similar error to @Ashex

e.g. (edited to remove identifiers)

* azurerm_application_gateway.gateway: Error Creating/Updating Application Gateway "test-gateway" (Resource Group "test-gateway-rg"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ApplicationGatewayBackendAddressPoolCannotHaveDuplicateAddress" Message="Backend Address Pool /subscriptions/00000000/resourceGroups/test-gateway-rg/providers/Microsoft.Network/applicationGateways/test-gateway/backendAddressPools/test-gateway-test-pool cannot have duplicate addresses test-app.azurewebsites.net." Details=[]

as far as i can tell, this is related to the internal handling of BackendAddresses, Fqdns and FqdnList within the expand/flatten methods in azurerm/resource_arm_application_gateway.go. there are deprecations in play, it's possible that's a factor. the same internal variable is being used to populate both the 'old' and the 'new' keys:

output := map[string]interface{}{
    "fqdns":        fqdnList,
    "ip_addresses": ipAddressList,

    // TODO: deprecated - remove in 2.0
    "ip_address_list": ipAddressList,
    "fqdn_list":       fqdnList,
}

this led me to a possible workaround... if i also specify the fqdn_list, but with a dummy value, i can get a clean terraform apply. as follows:

backend_address_pool {
    name = "${local.test_backend_address_pool_name}"
    fqdns = ["${local.test_fqdn}"]
    fqdn_list = ["dummy"]
}

@Ashex similarly, you might have some luck with also setting ip_address_list in addition to ip_addresses. YMMV. (I'm assuming that the spelling "ip_addreses" in your original report is an unrelated typo.)

update: the above workaround ran into issues for me with HTTPS backends :(
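
The mechanism suggested in the comment above, as an added Go example that is not the provider's code: `flattenPool` copies the quoted map, while `expandNaive`, `expandDedup` and `validatePool` are hypothetical helpers, assumed here to show how reading both the current and the deprecated key would submit each address twice and trigger the duplicate-address rejection.

```go
package main

import "fmt"

// flattenPool copies the map quoted above: one slice fills both the current key and its deprecated alias.
func flattenPool(ips []string) map[string][]string {
	return map[string][]string{
		"ip_addresses":    ips,
		"ip_address_list": ips, // deprecated alias, same data
	}
}

// expandNaive (hypothetical) appends whatever sits under either key, so every address appears twice.
func expandNaive(state map[string][]string) []string {
	var out []string
	for _, key := range []string{"ip_addresses", "ip_address_list"} {
		out = append(out, state[key]...)
	}
	return out
}

// expandDedup (hypothetical) reads both keys but keeps one copy per address.
func expandDedup(state map[string][]string) []string {
	seen := map[string]bool{}
	var out []string
	for _, addr := range expandNaive(state) {
		if !seen[addr] {
			seen[addr] = true
			out = append(out, addr)
		}
	}
	return out
}

// validatePool stands in for the service-side check behind the 400 response (an assumption).
func validatePool(addrs []string) error {
	seen := map[string]bool{}
	for _, addr := range addrs {
		if seen[addr] {
			return fmt.Errorf("ApplicationGatewayBackendAddressPoolCannotHaveDuplicateAddress: %s", addr)
		}
		seen[addr] = true
	}
	return nil
}

func main() {
	state := flattenPool([]string{"172.93.16.4"}) // address taken from the error message on this page
	fmt.Println(validatePool(expandNaive(state)), validatePool(expandDedup(state)))
}
```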

For me the only working workaround is to provide one or multiple IP addresses for ip_addresses that are not deployed at the moment.

Same dang problem. Thanks for the suggested work-arounds.

Bugs like this make it pretty hard to automate and lock down an environment. Adding the dummy does get me around a problem, but then I now have an invalid backend pool entry, so need to do two separate releases to get it fixed.

I got it trying to fix an issue with fixing a probe and http setting to move to the "pick_host_name*" settings, and got this.

Stuck with the same....unfortunately....

Trying to simply add tags to an application gateway and getting the same error.

Same here. My workaround was to set it to dummy like the above suggests. It did then have two fqdns for each address pool. I then went into Resource Explorer, and modified the gateway there, removing dummy from the list for each address pool.

This is really cumbersome and I hope this gets bumped up on the priority list for getting fixed.

Another note, the waf_configuration.0.file_upload_limit_mb, no matter what you set it to, always gets set back to 0, so will see it as a change every time on the app gateway. I think this will be fixed in 1.24.0, something about it is referenced there. I put in a lifecycle to ignore_changes so it stops and made a note to test it again when 1.24.0 is out.

This has been released in version 1.24.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.24.0"
}
# ... other configuration ...
