Provider does not allow rewrite_rule_set blocks for basic SKU application gateways #27965

Closed
1 task done
HenricFrobergSectra opened this issue Nov 11, 2024 · 3 comments · Fixed by #28011

Comments

@HenricFrobergSectra

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.5

AzureRM Provider Version

4.8.0

Affected Resource(s)/Data Source(s)

azurerm_application_gateway

Terraform Configuration Files

resource "azurerm_application_gateway" "main" {
  name                = "application_gateway"
  resource_group_name = var.RG_NAME
  location            = var.RG_LOCATION

  sku {
    name     = "Basic"
    tier     = "Basic"
    capacity = 1
  }

  gateway_ip_configuration {
    name      = "app_gateway_ip_configuration"
    subnet_id = var.SUBNET_FRONTEND_ID
  }

  frontend_port {
    name = local.frontend_https_name
    port = 443
  }

  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.public_ip.id
  }

  backend_address_pool {
    name  = local.backend_address_pool_name
    fqdns = ["${var.APP_FQDN}.example.com"]
  }

  backend_http_settings {
    name                                = local.http_setting_name
    cookie_based_affinity               = "Disabled"
    port                                = 80
    protocol                            = "Http"
    request_timeout                     = var.SGS_REQUEST_TIMEOUT
    pick_host_name_from_backend_address = true
    probe_name                          = "check_backend_connectivity"
  }

  http_listener {
    name                           = local.https_listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_https_name
    ssl_certificate_name           = var.CERTIFICATE_NAME
    protocol                       = "Https"
  }

  request_routing_rule {
    name                       = local.request_routing_rule_name
    rule_type                  = "PathBasedRouting"
    http_listener_name         = local.https_listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
    priority                   = 1
    url_path_map_name          = local.url_path_map_name
  }

  rewrite_rule_set {
    name = "add_headers_for_signin"

    rewrite_rule {
      name          = "SetHeaders"
      rule_sequence = 100

      request_header_configuration {
        header_name  = "X-Forwarded-Prefix"
        header_value = "/adminportal"
      }
    }
  }
}

Debug Output/Panic Output

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: The Application Gateway does not support `rewrite_rule_set` blocks for the selected SKU tier "Basic"
│
│   with azurerm_application_gateway.main,
│   on application_gateway.tf line 30, in resource "azurerm_application_gateway" "main":
│   30: resource "azurerm_application_gateway" "main" {

Expected Behaviour

The plan should have succeeded, as header rewrites are supported by the basic SKU: https://learn.microsoft.com/en-us/azure/application-gateway/overview-v2#sku-types.

I.e. rewrite_rule_set blocks should be allowed, as long as they don't contain a rewrite_rule with a url block. rewrite_rule with either request_header_configuration or response_header_configuration should be allowed.

Actual Behaviour

The plan failed.

Steps to Reproduce

terraform plan

Important Factoids

No response

References

The issue was introduced in the PR that added support for the Basic SKU: https://github.com/hashicorp/terraform-provider-azurerm/pull/27440/files. The PR added a check that will fail the plan if there are rewrite_rule_set blocks, which is too strict compared to what is allowed in the Azure Portal for a basic SKU Application gateway.

Suggested solution

rewrite_rule_set blocks should only fail the check if they have a rewrite_rule with a url block. rewrite_rule with either request_header_configuration or response_header_configuration should be allowed.
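
A sketch of the check proposed above, as an added example; it is not the provider's code and not the change made in #28011. The types `RewriteRule` and `RewriteRuleSet` and the function `ValidateRewriteRuleSets` are hypothetical, and the rule that only `url` blocks are unsupported on the Basic tier is taken from the issue text.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified shapes of the Terraform blocks; not the provider's types.
type RewriteRule struct {
	Name           string
	RequestHeaders map[string]string // request_header_configuration entries
	HasURLBlock    bool              // true when the rule contains a url block
}

type RewriteRuleSet struct {
	Name  string
	Rules []RewriteRule
}

// ValidateRewriteRuleSets applies the rule proposed in the issue: on the Basic tier
// only rules with a url block are rejected, and every offending rule is reported.
func ValidateRewriteRuleSets(tier string, sets []RewriteRuleSet) error {
	if tier != "Basic" {
		return nil
	}
	var errs []error
	for _, set := range sets {
		for _, rule := range set.Rules {
			if rule.HasURLBlock {
				errs = append(errs, fmt.Errorf(
					"rewrite_rule %q in rewrite_rule_set %q: url blocks are not supported for SKU tier %q",
					rule.Name, set.Name, tier))
			}
		}
	}
	return errors.Join(errs...)
}

func main() {
	// Constructed input mirroring the rewrite_rule_set from the issue's configuration.
	sets := []RewriteRuleSet{{
		Name: "add_headers_for_signin",
		Rules: []RewriteRule{{
			Name:           "SetHeaders",
			RequestHeaders: map[string]string{"X-Forwarded-Prefix": "/adminportal"},
		}},
	}}
	fmt.Println("header-only rule set on Basic:", ValidateRewriteRuleSets("Basic", sets))
}
```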

@teowa
Contributor

teowa commented Nov 14, 2024

Hi @HenricFrobergSectra, thanks for reporting this!
I have submitted #28011 to resolve this.

@HenricFrobergSectra
Author

Thank you @teowa! It looks very promising.

@github-actions github-actions bot added this to the v4.11.0 milestone Nov 21, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 22, 2024