azurerm_cdn_frontdoor_route - make cdn_frontdoor_origin_ids field optional

[WodansSon]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

In issue #29063 a community member raised an issue that:

• You will have a diff on cdn_frontdoor_origin_ids, it set to null on import

While this is by design, some community members stated that they would prefer that the cdn_frontdoor_origin_ids field be deprecated in favor of a depends_on argument. This PR addresses both issues allowing for both, with the caveat that this may cause more issues moving forward due to community members personal preference. In the design of this resource exposing the cdn_frontdoor_origin_ids field was intentional, showing the relationship between the resources and allowing the Terraform core runtime to provision and destroy the resources in the correct order to avoid errors. With this change, while it will work, it puts that duty on the end user to ensure the correct order/relationship of the resources based on their personal preference (e.g., cdn_frontdoor_origin_ids or a depends_on argument).

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevant documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_cdn_frontdoor_route - make cdn_frontdoor_origin_ids field optional [GH-00000]

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #29063

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[wyattfry]

This may have already been considered, but I was thinking about how giving the route a property for origin IDs only reflects part of what's actually happening at the Azure API level. As it is probably known, routes don't depend on specific origins—they just need their associated origin group to have at least one enabled origin before creation of the route can succeed.

What if we handled the issue in the provider itself with a custom poller? It could catch the specific "origin group needs at least one enabled origin" error from Azure and retry route creation for a few minutes. The Portal does not allow for origin groups with zero enabled origins, but the REST API does, even though such groups are of no practical value. If an origin group exists, I believe it's safe to assume that soon it will have at least one enabled origin.

The poller approach would:

• be more semantically accurate
• remove the need for workarounds in user configurations
• handle the timing automatically

The downside is a potential added delay during apply if origins aren't ready immediately, but that seems like a reasonable trade-off for cleaner resource modeling. Curious what others think about this approach, or if there are better alternatives, or reasons why the custom poller one wouldn't work?

[wyattfry]

Could you replace the utils.String() etc with pointer.To()?

[WodansSon]

Fixed.

[wyattfry]

Suggested change

	!>**Note:** The `azurerm_cdn_frontdoor_route` resource must **explicitly** reference its associated `azurerm_cdn_frontdoor_origin` resource(s). This can be achieved either by using a `depends_on` meta-argument that points to the `azurerm_cdn_frontdoor_origin` resource(s), or by specifying the `azurerm_cdn_frontdoor_origin` IDs via the `cdn_frontdoor_origin_ids` field.
	!> **Note:** The `azurerm_cdn_frontdoor_route` resource must **explicitly** reference its associated `azurerm_cdn_frontdoor_origin` resource(s). This can be achieved either by using a `depends_on` meta-argument that points to the `azurerm_cdn_frontdoor_origin` resource(s), or by specifying the `azurerm_cdn_frontdoor_origin` IDs via the `cdn_frontdoor_origin_ids` field.

[WodansSon]

Fixed.

[wyattfry]

I've seen both ways in the code, but it seems most of the time there's no new line before Elem:

Suggested change

	Optional: true,
	Elem: &pluginsdk.Schema{
	Optional: true,
	Elem: &pluginsdk.Schema{

[WodansSon]

Fixed.

[WodansSon]

This may have already been considered, but I was thinking about how giving the route a property for origin IDs only reflects part of what's actually happening at the Azure API level. As it is probably known, routes don't depend on specific origins—they just need their associated origin group to have at least one enabled origin before creation of the route can succeed.

What if we handled the issue in the provider itself with a custom poller? It could catch the specific "origin group needs at least one enabled origin" error from Azure and retry route creation for a few minutes. The Portal does not allow for origin groups with zero enabled origins, but the REST API does, even though such groups are of no practical value. If an origin group exists, I believe it's safe to assume that soon it will have at least one enabled origin.

The poller approach would:

• be more semantically accurate
• remove the need for workarounds in user configurations
• handle the timing automatically

The downside is a potential added delay during apply if origins aren't ready immediately, but that seems like a reasonable trade-off for cleaner resource modeling. Curious what others think about this approach, or if there are better alternatives, or reasons why the custom poller one wouldn't work?

That would likely be a more modern solution to the API’s provisioning order issue for this resource, as it would let Terraform handle the behavior more gracefully rather than relying on faux fields. However, the custom poller wasn’t really an option when this resource/PR was first created. I agree the custom poller approach is worth considering going forward, but for the scope of this PR, can we set that aside? I’m happy to open a follow-up PR to introduce the custom poller. For now, can we move this PR forward to address the current customer needs without that added functionality?

[wyattfry]

This may have already been considered, but I was thinking about how giving the route a property for origin IDs only reflects part of what's actually happening at the Azure API level. As it is probably known, routes don't depend on specific origins—they just need their associated origin group to have at least one enabled origin before creation of the route can succeed.
What if we handled the issue in the provider itself with a custom poller? It could catch the specific "origin group needs at least one enabled origin" error from Azure and retry route creation for a few minutes. The Portal does not allow for origin groups with zero enabled origins, but the REST API does, even though such groups are of no practical value. If an origin group exists, I believe it's safe to assume that soon it will have at least one enabled origin.
The poller approach would:

• be more semantically accurate
• remove the need for workarounds in user configurations
• handle the timing automatically

The downside is a potential added delay during apply if origins aren't ready immediately, but that seems like a reasonable trade-off for cleaner resource modeling. Curious what others think about this approach, or if there are better alternatives, or reasons why the custom poller one wouldn't work?

That would likely be a more modern solution to the API’s provisioning order issue for this resource, as it would let Terraform handle the behavior more gracefully rather than relying on faux fields. However, the custom poller wasn’t really an option when this resource/PR was first created. I agree the custom poller approach is worth considering going forward, but for the scope of this PR, can we set that aside? I’m happy to open a follow-up PR to introduce the custom poller. For now, can we move this PR forward to address the current customer needs without that added functionality?

Yes, the delay would be regrettable. I'm sorry to ask more of you, but from the user's perspective, I believe the improved experience a custom poller would provide would be worth the additional wait. Are there time-sensitive situations that would make the delay too costly?

[wyattfry]

Just a couple very small points.

[wyattfry]

We'd like to save the "!>" notes for cases where costly or irreversible damage could occur. The "~>" is a good choice for advising users how to avoid minor errors.

Suggested change

	!> **Note:** The `azurerm_cdn_frontdoor_route` resource must **explicitly** reference its associated `azurerm_cdn_frontdoor_origin` resource(s). This can be achieved either by using a `depends_on` meta-argument that points to the `azurerm_cdn_frontdoor_origin` resource(s), or by specifying the `azurerm_cdn_frontdoor_origin` IDs via the `cdn_frontdoor_origin_ids` field.
	~> **Note:** The `azurerm_cdn_frontdoor_route` resource must **explicitly** reference its associated `azurerm_cdn_frontdoor_origin` resource(s). This can be achieved either by using a `depends_on` meta-argument that points to the `azurerm_cdn_frontdoor_origin` resource(s), or by specifying the `azurerm_cdn_frontdoor_origin` IDs via the `cdn_frontdoor_origin_ids` field.

[WodansSon]

Fixed.

[wyattfry]

Could these two notes be condensed and combined?

[WodansSon]

Fixed.

[catriona-m]

Hi @WodansSon thanks for fixing this up. It looks like there are some conflicts needing resolved on this, but otherwise it looks like this is nearly ready to go. Thanks!

[WodansSon]

Hi @WodansSon thanks for fixing this up. It looks like there are some conflicts needing resolved on this, but otherwise it looks like this is nearly ready to go. Thanks!

Thanks for the calling that out, @catriona-m, I have fixed the conflicts and am running the tests again. 🙂

--- PASS: TestAccCdnFrontDoorRoute_complete (1606.21s)
--- PASS: TestAccCdnFrontDoorRoute_requiresImport (1611.69s)
--- PASS: TestAccCdnFrontDoorRoute_basic (1622.74s)
--- PASS: TestAccCdnFrontDoorRoute_basicDependsOnAndField (1629.25s)
--- PASS: TestAccCdnFrontDoorRoute_basicDependsOn (1696.55s)
--- PASS: TestAccCdnFrontDoorRoute_update (1746.74s)
--- PASS: TestAccCdnFrontDoorRoute_originPath (1752.09s)

[WodansSon]

Test after adding the depends_on step to update:

--- PASS: TestAccCdnFrontDoorRoute_update (1705.68s)

[wuxu92]

A custom poller can mitigate the issue in creation, but there are two cases:

1. it's not 100% sure that "If an origin group exists, I believe it's safe to assume that soon it will have at least one enabled origin", as customer may only config origin group and route with no origin, then the poller won't work
2. the dependency issue still exists in delete. that means we still need a specific depends on to all managed origin resources.

I agree we should make cdn_frontdoor_origin_ids as optional and update the document to mitigate the import issue

[sreallymatt]

Thanks @WodansSon - LGTM ✅

stale