[AZURE] Unable to use correcly APIM custom domain resource

Hi community,

I’m unable to use the Azure API Management custom domain resource with APIM resource.

Doc links :
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_custom_domain

I need to use the custom domain resource because I deploy a preprod environment (which it has to be upload in demand) and it needs APIM to be deployed before I can configure key vault policy for system assigned identity automatically, and therefore deploy a custom domain configuration for use the certificate in the key vault.

The first deployment is ok, but when I try a “terraform plan” command without modification, it mentions that it wants to delete my custom domain configuration. If I apply and try again, it wants to add the custom domain configuration again, and it boucles like that.

I really need both APIM and custom domain resource and it seems not to be working together.

In my opinion, I do not create conflict because I’ve not shared parameter in the both resources.

Is there a bug in Terraform ?

I can share with you my configuration and other details.

Thanks in advance.

Cedric

Hi @cedriccolnot, can you share a minimum configuration that reproduces this behavior?

Hi,

resource “azurerm_api_management” “apim” {
name = “asb-${var.env}-apim2”
location = “francecentral”
resource_group_name = var.hub-rg
publisher_name = var.apim-publisher-name
publisher_email = var.apim-publisher-mail
sku_name = var.apim-sku
virtual_network_type = “Internal”

identity {
type = “SystemAssigned, UserAssigned”
identity_ids = [var.managed-identity-id]
}

virtual_network_configuration {
subnet_id = var.apim-subnet-id
}
}

resource “azurerm_api_management_custom_domain” “apim-domain” {
api_management_id = azurerm_api_management.apim.id

proxy {
default_ssl_binding = false
host_name = “asb-{var.env}-apim.azure-api.net" negotiate_client_certificate = false } proxy { default_ssl_binding = true host_name = "ic-{var.env}.MYDOMAIN.io”
key_vault_id = “https://KV-URL”
negotiate_client_certificate = false
}

depends_on = [var.kv-access-policy]
}

In the first deployment, all is fine : APIM is deployed, then KV sets permissions to the system assigned identity, et then APIM can sets its custom domains config.

But, when I try to apply without modification, it removes the custom domain (based on APIM configuration who has not hostmane/custom domain blocks). And in the third deployment, based on custom domain resource, it adds the config again.

User assigned identity is now in preview for APIM but we are not able (for the moment ?) to use it in custom domains config.

In the tfstate file, the APIM and custom domain blocks doesn’t change despite the effective creation/deletion of custom domain config. Only the effective depencies moves, and I think it’s maybe the “depends_on” line who creates this problem. But I really need thos to deploy the configuration in order (APIM–>KV certificates permissions–>custom domain).

Without this, I make a dependancy boucle.

Thanks for your help.

I think this issue was already raised with azurerm provider, in their github repo.

Thanks to you 2 for your responses.

In my way to deploy the preprod env, I let APIM up all the time and just set the SKU when I deploy the other resources. It’s a temporary solution but it’s fine for us for the moment.

I’ll be watching for the evolution of this problem.

I believe this may have been resolved in v2.51.0, released yesterday (PR: azurerm_api_management_custom_domain: resource gets updated every time by patst · Pull Request #10636 · terraform-providers/terraform-provider-azurerm · GitHub)

If it doesn’t resolve your issue, please consider raising a bug report on GitHub. Thanks!