I’d like to know how to set up Container Apps with Front Door. It seems the examples I found use Bicep. Here’s the one I was following: Integrating Azure Front Door WAF with Azure Container Apps
And here’s the TF code I wrote:
//add vnet
resource "azurerm_virtual_network" "default" {
  # VNet that holds the Container Apps infrastructure subnet and the
  # Private Link subnet declared below.
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "${var.prefix}-${var.env}-vnet"
  address_space       = ["10.10.0.0/16"]
}
//add subnet
resource "azurerm_subnet" "default" {
  # Subnet that hosts the Private Link Service NAT IPs and the private endpoint.
  # Private Link Service network policies must be disabled on the subnet that
  # carries a service's NAT configuration; endpoint policies are disabled as
  # well. (The provider's older enforce_private_link_*_network_policies
  # attributes expressed the same setting with inverted meaning.)
  name                 = "${var.prefix}-${var.env}-pls-subnet"
  virtual_network_name = azurerm_virtual_network.default.name
  resource_group_name  = var.resource_group_name
  address_prefixes     = ["10.10.8.0/28"]

  private_endpoint_network_policies_enabled     = false
  private_link_service_network_policies_enabled = false
}
resource "azurerm_subnet" "infra" {
  # Infrastructure subnet handed to the Container Apps environment; /23 is the
  # documented minimum size for that subnet. No Private Link NAT configuration
  # lives here, so Private Link Service policies stay enforced.
  name                 = "${var.prefix}-${var.env}-infra-subnet"
  virtual_network_name = azurerm_virtual_network.default.name
  resource_group_name  = var.resource_group_name
  address_prefixes     = ["10.10.0.0/23"]

  private_endpoint_network_policies_enabled     = false
  private_link_service_network_policies_enabled = true
}
//add container app
resource "azurerm_log_analytics_workspace" "default" {
  # Workspace that receives the Container Apps environment logs; 30 days of
  # retention is kept so ingress/app logs are available for incident review.
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "${var.prefix}-${var.env}-log-analytics"
  sku                 = "PerGB2018"
  retention_in_days   = 30
}
resource "azurerm_container_app_environment" "default" {
  # Internal environment: with internal_load_balancer_enabled the environment's
  # load balancer gets a private address in the infra subnet and app FQDNs are
  # only reachable from inside the VNet. NOTE(review): that internal load
  # balancer is the one a Private Link Service for Front Door would need to be
  # attached to — confirm against the Bicep article this config follows.
  resource_group_name        = var.resource_group_name
  location                   = var.location
  name                       = "${var.prefix}-${var.env}-container-env"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.default.id

  infrastructure_subnet_id       = azurerm_subnet.infra.id
  internal_load_balancer_enabled = true
}
resource "azurerm_container_app" "default" {
  # Sample app behind the internal environment. external_enabled on an
  # internal environment exposes the app to the VNet, not to the internet;
  # allow_insecure_connections = false keeps plain-HTTP ingress off.
  resource_group_name          = var.resource_group_name
  container_app_environment_id = azurerm_container_app_environment.default.id
  name                         = "${var.prefix}-${var.env}-app"
  revision_mode                = "Single"

  ingress {
    external_enabled           = true
    allow_insecure_connections = false
    target_port                = 80
    transport                  = "auto"

    # All traffic goes to the latest revision (Single revision mode).
    traffic_weight {
      percentage      = 100
      latest_revision = true
    }
  }

  template {
    min_replicas = 1
    max_replicas = 3

    container {
      # NOTE(review): "nginx:latest" is a mutable tag; pinning to an immutable
      # digest gives a reproducible, verifiable image for anything beyond a demo.
      name   = "examplecontainerapp"
      image  = "nginx:latest"
      cpu    = 0.25
      memory = "0.5Gi"
    }
  }
}
resource "azurerm_public_ip" "default" {
  # NOTE(review): a public IP is allocated even though the goal is a
  # private-only origin. Together with the "example-*" load balancer and
  # Private Link Service below it looks carried over from the provider's
  # example; if the load balancer is not the one serving the app, this public
  # address is unused exposure surface and can be dropped.
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "example-api"
  allocation_method   = "Static"
  sku                 = "Standard"
}
resource "azurerm_lb" "default" {
  # Standard load balancer with a single public frontend and no backend pool.
  # NOTE(review): nothing routes traffic from this frontend to the container
  # app, and it is not the internal load balancer the Container Apps
  # environment provisions — a Private Link Service attached here would not
  # reach the app.
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "example-lb"
  sku                 = "Standard"

  frontend_ip_configuration {
    public_ip_address_id = azurerm_public_ip.default.id
    name                 = azurerm_public_ip.default.name
  }
}
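resource "azurerm_private_link_service" "default" {
  # Private Link Service that Front Door's private endpoint connects to.
  name                = "example-privatelink"
  location            = var.location
  resource_group_name = var.resource_group_name

  # NOTE(review): the creation error on this page shows the consuming private
  # endpoint being created in a different resource group (privatehub-prod-bl01-Rg),
  # i.e. outside this deployment, while visibility here is limited to the
  # current subscription. A service that is not visible to the subscription
  # creating the endpoint fails with exactly "does not exist or is not visible"
  # — confirm the visibility setting Microsoft documents for Front Door Premium
  # origins. Keep auto-approval narrow regardless: a connection from a
  # subscription outside this list stays Pending until explicitly approved,
  # which is the control that stops an unknown party from attaching.
  visibility_subscription_ids    = [data.azurerm_client_config.current.subscription_id]
  auto_approval_subscription_ids = [data.azurerm_client_config.current.subscription_id]

  # No PROXY protocol header is injected into forwarded connections.
  enable_proxy_protocol = false

  # Source NAT address for the service, taken from the subnet where Private
  # Link Service network policies are disabled.
  nat_ip_configuration {
    name                       = "primary"
    primary                    = true
    private_ip_address_version = "IPv4"
    subnet_id                  = azurerm_subnet.default.id
  }

  # Index with [0] rather than the legacy ".0" attribute syntax.
  # NOTE(review): this frontend belongs to azurerm_lb.default, a standalone
  # load balancer with a public frontend and no backend pool, not the internal
  # load balancer of the Container Apps environment. Traffic entering through
  # this service has no path to the app — verify which load balancer the Bicep
  # article attaches the service to.
  load_balancer_frontend_ip_configuration_ids = [
    azurerm_lb.default.frontend_ip_configuration[0].id,
  ]
}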
resource "azurerm_private_endpoint" "default" {
  # Private endpoint in this VNet pointing at the Private Link Service above.
  # NOTE(review): this is not the endpoint Front Door uses — Front Door creates
  # its own (the one named in the error, in another resource group). This
  # resource only proves the service accepts a connection from this
  # subscription; it is not needed for the Front Door path.
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "example-endpoint"
  subnet_id           = azurerm_subnet.default.id

  private_service_connection {
    private_connection_resource_id = azurerm_private_link_service.default.id
    is_manual_connection           = false
    name                           = "example-privateserviceconnection"
  }
}
resource "azurerm_cdn_frontdoor_profile" "default" {
  # Premium SKU is the tier that supports Private Link origins (and managed
  # WAF rule sets).
  resource_group_name = var.resource_group_name
  name                = "${var.prefix}-${var.env}-fd-profile"
  sku_name            = "Premium_AzureFrontDoor"
}
resource "azurerm_cdn_frontdoor_endpoint" "default" {
  # Public Front Door hostname that the route below serves from.
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.default.id
  name                     = "${var.prefix}-${var.env}-fd-endpoint"
  enabled                  = true
}
resource "azurerm_cdn_frontdoor_origin_group" "default" {
  # Origin group holding the single Container Apps origin.
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.default.id
  name                     = "${var.prefix}-${var.env}-fd-origin-group"
  session_affinity_enabled = false

  # NOTE(review): the probe is plain Http against an app whose ingress has
  # allow_insecure_connections = false. If the ingress answers HTTP with a
  # redirect rather than a 2xx, the origin will probe unhealthy — confirm, or
  # probe over Https.
  health_probe {
    protocol            = "Http"
    request_type        = "HEAD"
    path                = "/"
    interval_in_seconds = 100
  }

  load_balancing {
    additional_latency_in_milliseconds = 50
    successful_samples_required        = 3
    sample_size                        = 4
  }
}
//
resource "azurerm_cdn_frontdoor_origin" "default" {
  # Origin reached over Private Link. The host header is set to the app's
  # FQDN so the environment's ingress can route the request, and certificate
  # name checking stays on so the origin's TLS certificate is validated
  # against that name.
  # NOTE(review): depends_on lists the private endpoint in this VNet, which is
  # not the endpoint Front Door creates; only the Private Link Service itself
  # needs to exist first.
  depends_on = [azurerm_private_link_service.default, azurerm_private_endpoint.default]

  cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.default.id
  name                          = "${var.prefix}-${var.env}-fd-origin"
  enabled                       = true

  host_name          = azurerm_container_app.default.latest_revision_fqdn
  origin_host_header = azurerm_container_app.default.latest_revision_fqdn
  https_port         = 443
  http_port          = 80

  weight   = 1000
  priority = 1

  certificate_name_check_enabled = true

  # NOTE(review): target_type values name Azure PaaS target kinds; check the
  # provider documentation on whether it must be omitted when the target is a
  # Private Link Service. Pointing private_link_target_id at the container app
  # directly was tried and left commented out in the original.
  private_link {
    private_link_target_id = azurerm_private_link_service.default.id
    location               = var.location
    request_message        = "frontdoor"
    target_type            = "web"
  }
}
resource "azurerm_cdn_frontdoor_route" "default" {
  # Catch-all route on the default Front Door domain: HTTP is accepted only to
  # redirect it to HTTPS, and the request protocol is passed through to the
  # origin.
  # NOTE(review): the goal stated in the post is Front Door WAF, but no
  # azurerm_cdn_frontdoor_security_policy (and firewall policy) is attached to
  # this endpoint in the listing, so no WAF is enforced yet.
  cdn_frontdoor_endpoint_id     = azurerm_cdn_frontdoor_endpoint.default.id
  cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.default.id
  cdn_frontdoor_origin_ids      = [azurerm_cdn_frontdoor_origin.default.id]
  cdn_frontdoor_rule_set_ids    = []
  name                          = "${var.prefix}-${var.env}-fd-route"
  enabled                       = true

  patterns_to_match      = ["/*"]
  supported_protocols    = ["Http", "Https"]
  https_redirect_enabled = true
  forwarding_protocol    = "MatchRequest"
  link_to_default_domain = true
  # Custom domains would be attached here via cdn_frontdoor_custom_domain_ids.
}
I’m getting a "private link not found" error whenever the Front Door origin is being created.
│ Error: waiting for the creation of Front Door Origin: (Origin Name "sample-dev-fd-origin" / Origin Group Name "sample-dev-fd-origin-group" / Profile Name "sample-dev-fd-profile" / Resource Group "sample-dev-tf"): Code="BadRequest" Message="Exception {\"ErrorMessage\":\"A call to the Private Endpoint management API returned a 'BadRequest'. Detailed message: {\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\": \\\"ThirdPartyPrivateLinkServiceProvidedDuringPrivateEndpointCreationDoesNotExistOrIsNotVisible\\\",\\r\\n \\\"message\\\": \\\"Third-party Private Link Service Id /subscriptions/xxxxx/resourceGroups/sample-dev-tf/providers/Microsoft.Network/privateLinkServices/example-privatelink provided during creation of Private Endpoint /subscriptions/xxxxx/resourceGroups/privatehub-prod-bl01-Rg/providers/Microsoft.Network/privateEndpoints/06e9ec6a-4dab-4595-8ba4-9f4104196ed2 creation does not exist or is not visible.\\\",\\r\\n \\\"details\\\": []\\r\\n }\\r\\n}\"} occured while executing function for lockName = pl-1531bdd0-87f6-4619-a0ec-61609f95f592-cpapilock. "
│
│ with module.sampledev.azurerm_cdn_frontdoor_origin.default,
│ on ../main.tf line 282, in resource "azurerm_cdn_frontdoor_origin" "default":
│ 282: resource "azurerm_cdn_frontdoor_origin" "default" {
│
╵