azurerm_static_web_app_custom_domain Does Not Mark As Tainted When "status": "Unhealthy"

by ADMIN 89 views

Introduction

In this article, we will discuss an issue with the AzureRM provider in Terraform, specifically with the azurerm_static_web_app_custom_domain resource. The problem arises when the custom domain status is marked as "Unhealthy" by Azure, but the resource is not marked as tainted, causing Terraform to not recreate the resource as expected.

Is There an Existing Issue for This?

After conducting a thorough search, we were unable to find an existing issue for this specific problem. If you have encountered this issue before, please let us know by adding a reaction to this issue to help the community and maintainers prioritize this request.

Community Note

  • Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version and AzureRM Provider Version

  • Terraform Version: 1.11.2
  • AzureRM Provider Version: 4.27.0

Affected Resource(s)/Data Source(s)

The azurerm_static_web_app_custom_domain resource is affected by this issue.

Terraform Configuration Files

# Existing static web app
data "azurerm_static_web_app" "myswa" {
  name                = "myswa"
  resource_group_name = local.myrg
}

# Note that this works fine normally - it's when Azure marks the custom domain as "Unhealthy" that we would expect the resource to be 'tainted' and recreated, but this doesn't happen
resource "azurerm_static_web_app_custom_domain" "myswa-txt" {
  static_web_app_id = data.azurerm_static_web_app.myswa.id
  domain_name       = "mydomain.com"
  validation_type   = "dns-txt-token"
}

Debug Output/Panic Output

If we run via az CLI `az staticwebapp hostname show --subscription "mysub" --resource-group "myrg" --name "myswa" --hostname "mydomain.com"` we can see that it returns the below result (with real values replaced):

{
  "createdOn": "2024-11-06T22:39:27.321505+00:00",
  "domainName": "mydomain.com",
  "errorMessage": "An unknown error has occurred while attempting to renew your custom domain. Please ensure your domain is directing traffic to the static web app, and check again later.",
  "id": "/subscriptions/mysubid/resourceGroups/myrg/providers/Microsoft.Web/staticSites/myswa/customDomains/mydomain.com",
  "kind": null,
  "location": "West US2",
  "name": "mydomain.com",
  "resourceGroup": "myrg",
  "status": "Unhealthy",
  "type": "Microsoft.Web/staticSites/customDomains",
  "validationToken": null
}

The equivalent API call can be seen with `az rest --method get --url "https://management.azure.com/subscriptions/mysubid/resourceGroups/myrg/providers/Microsoft.Web/staticSites/myswa/customDomains/mydomain.com?api-version=2022-03-01"`

Expected Behaviour

As we have "status": "Unhealthy" in the return, the static site domain resource should be marked as 'tainted' and replaced.

Actual Behaviour

Nothing happened, Terraform thinks everything is great.
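Since the unhealthy state shows up only in the Azure API response and not in the Terraform plan, a pipeline step can read that response directly and fail when a domain is not healthy. The script below is an added example, not code from the issue or the AzureRM provider; it consumes the JSON printed by the `az staticwebapp hostname show` command above, and the sample input (including the second hostname) is constructed.

```python
import json
import sys

# Status value taken from the response shown above; extend the set if other
# states should also fail the pipeline.
BAD_STATUSES = {"unhealthy"}

# Constructed sample: a trimmed copy of the response above plus one healthy
# entry with placeholder values.
SAMPLE = """[
  {"domainName": "mydomain.com", "status": "Unhealthy",
   "errorMessage": "An unknown error has occurred while attempting to renew your custom domain."},
  {"domainName": "www.mydomain.com", "status": "Ready", "errorMessage": null}
]"""


def unhealthy_domains(raw):
    """Return (domain, status, error) for every custom domain needing attention.

    Accepts the JSON of one hostname object or a list of such objects.
    """
    data = json.loads(raw)
    entries = data if isinstance(data, list) else [data]
    findings = []
    for entry in entries:
        name = entry.get("domainName") or entry.get("name") or "<unknown>"
        status = entry.get("status")
        error = entry.get("errorMessage")
        # A missing status is reported too, so an incomplete response
        # cannot pass as healthy.
        if status is None or str(status).lower() in BAD_STATUSES or error:
            findings.append((name, status or "<missing>", error or ""))
    return findings


def main():
    # Use piped az output when present, otherwise the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    findings = unhealthy_domains(piped.strip() or SAMPLE)
    for name, status, error in findings:
        print(f"{name}: status={status} {error}".rstrip())
    return 1 if findings else 0  # non-zero exit fails the pipeline step


if __name__ == "__main__":
    sys.exit(main())
```

Piping the az CLI output into the script makes the step exit non-zero for the response shown in the Debug Output section, while `terraform plan` for the same domain reports no changes.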

Steps to Reproduce

`terraform apply` while custom domain has expired (6 months+)

Important Factoids

No response

References

No response

Conclusion

Q: What is the issue with the AzureRM provider in Terraform?

A: The issue is that the azurerm_static_web_app_custom_domain resource does not mark the resource as tainted when the custom domain status is marked as "Unhealthy" by Azure. This causes Terraform to not recreate the resource as expected.

Q: What is the expected behavior of the azurerm_static_web_app_custom_domain resource?

A: The expected behavior is that when the custom domain status is marked as "Unhealthy", the resource should be marked as tainted and recreated.

Q: What is the actual behavior of the azurerm_static_web_app_custom_domain resource?

A: The actual behavior is that when the custom domain status is marked as "Unhealthy", the resource is not marked as tainted and is not recreated.

Q: How can I reproduce this issue?

A: You can reproduce this issue by running terraform apply while the custom domain has expired (6 months+).

Q: What Terraform version and AzureRM provider version are affected by this issue?

A: The affected Terraform version is 1.11.2 and the affected AzureRM provider version is 4.27.0.

Q: Is there an existing issue for this problem?

A: No, there is no existing issue for this problem. If you have encountered this issue before, please let us know by adding a reaction to this issue to help the community and maintainers prioritize this request.

Q: How can I help with this issue?

A: You can help by adding a reaction to this issue to help the community and maintainers prioritize this request. If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Q: What is the impact of this issue?

A: The impact of this issue is that Terraform will not recreate the resource as expected when the custom domain status is marked as "Unhealthy", which can lead to unexpected behavior and errors.

Q: Is there a workaround for this issue?

A: No, there is no known workaround for this issue. The best course of action is to wait for the issue to be addressed in future updates to the AzureRM provider.

Q: How can I stay up-to-date with the latest information on this issue?

A: You can stay up-to-date with the latest information on this issue by following the issue on GitHub and checking the AzureRM provider changelog for updates.