Azure Frontdoor Custom HTTPS

Hi there,

My current flow is that I have a JSON document representing multiple website configurations. This gets pulled into TF and used to create Frontdoor endpoints. Then I try to enable HTTPS for these endpoints using a cert stored in keyvault. However, when I try to just for_each over, it fails in plan saying I can’t use one for the default endpoint, and if I try to filter out the default endpoint I get a map of string, known only after apply.

resource "azurerm_frontdoor_custom_https_configuration" "custom_https" {
  # we don't need to make one for *
  for_each = {for key, endpoint in : key => endpoint if key != "default"}
  frontend_endpoint_id = each.value
  custom_https_provisioning_enabled = true

  dynamic "custom_https_configuration" {
    for_each = var.environment != "dev" ? [null] : []
    content {
      certificate_source = "AzureKeyVault"
      azure_key_vault_certificate_vault_id = local.prod_cokv_id
      azure_key_vault_certificate_secret_name = local.ssl_certificate_name
    }
  }
}

Has anyone come across this before?

It looks like there are a couple of open issues related to this, but no solution: "azurerm_frontdoor_custom_https_configuration and new Front Door endpoints precedence" (Issue #11857, hashicorp/terraform-provider-azurerm) and "azurerm_frontdoor_custom_https_configuration and new Front Door endpoints" (Issue #28785, hashicorp/terraform).

The solution to this is to not use azurerm_frontdoor.*.frontend_endpoints directly, but instead to construct the ID manually so as to not create a hard dependency during the plan phase:
frontend_endpoint_id = "${azurerm_frontdoor.*.id}/frontendEndpoints/${<frontend endpoint name>}"
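The workaround from the thread, put together as an added example (not code posted by any participant): the `for_each` map comes from the JSON document, so its keys are known at plan time, and the endpoint ID is built as a string. The names `azurerm_frontdoor.main`, `sites.json`, `local.sites` and `local.custom_sites` are hypothetical, and the example assumes each `frontend_endpoint` block inside the Front Door resource is named after the same map key.

```hcl
locals {
  # Hypothetical file name: the JSON document describing the websites.
  # jsondecode(file(...)) is evaluated at plan time, so the keys are known.
  sites = jsondecode(file("${path.module}/sites.json"))

  # Filter out the default endpoint using only plan-time values,
  # instead of filtering the computed frontend_endpoints attribute.
  custom_sites = { for key, site in local.sites : key => site if key != "default" }
}

resource "azurerm_frontdoor_custom_https_configuration" "custom_https" {
  for_each = local.custom_sites

  # Construct the ID manually: Front Door ID + "/frontendEndpoints/" + endpoint name.
  # Only the value is unknown until apply; the for_each keys are not.
  frontend_endpoint_id              = "${azurerm_frontdoor.main.id}/frontendEndpoints/${each.key}"
  custom_https_provisioning_enabled = true

  custom_https_configuration {
    certificate_source                      = "AzureKeyVault"
    azure_key_vault_certificate_vault_id    = local.prod_cokv_id
    azure_key_vault_certificate_secret_name = local.ssl_certificate_name
  }
}
```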