
My use-case is multiple AppService apps with different lifecycles sitting behind a single Application Gateway. I'd like to add a new listener, new multi-site routing rules, and a new backend pool whenever I add a new app without tearing down and re-creating the gateway.

Initially, my plan was to have a Terraform config for shared infra that creates a skeleton Application Gateway and then have separate application-specific Terraform configs to add listeners, backend address pools, and routing rules to this gateway for each app. It seems to be impossible to accomplish with TF though.

I can clearly add listeners, routing rules and backend pools to an existing gateway using Azure CLI or Portal. Is there a way to do it with Terraform?


2 Answers


It seems that this is not currently possible due to the fact that the Application Gateway must be initialised with at least one of each of these configuration blocks.

While it is possible to add further definitions using the Azure CLI, that behaviour isn't currently compatible with the way Terraform works. Consider what would happen if backend address pools were initially defined inline as part of the azurerm_application_gateway block and then further definitions of azurerm_application_gateway_backend_address_pool (hypothetical resource block) were also specified.

It would be nice if Terraform could deal with this situation with a union of those two definitions but unfortunately it doesn't play nicely with both inline and standalone resource blocks. Hence the warning on azurerm_subnet resources explaining that inline subnets on azurerm_virtual_network would conflict.

NOTE on Virtual Networks and Subnets: Terraform currently provides both a standalone Subnet resource, and allows for Subnets to be defined in-line within the Virtual Network resource. At this time you cannot use a Virtual Network with in-line Subnets in conjunction with any Subnet resources. Doing so will cause a conflict of Subnet configurations and will overwrite Subnets.

Logically it wouldn't be possible to have a similar warning for Application Gateway, since its inline resource blocks are mandatory (not so for Azure Virtual Networks).

For now, the options here would seem to be:

  1. Manage all application-specific aspects of the Application Gateway in the same place with native Terraform.
  2. Create the skeleton definition of the Application Gateway and run local-exec provisioner CLI commands for application-specific configuration

  resource "null_resource" "app_pool" {
    provisioner "local-exec" {
      # Run the CLI from PowerShell; the backtick is PowerShell's line continuation,
      # so the last line of the command must not end with one.
      command     = <<-EOT
        az network application-gateway address-pool create `
          --resource-group MyResourceGroup `
          --gateway-name MyAppGateway `
          --name MyAddressPool `
          --servers 10.0.0.4 10.0.0.5
      EOT
      interpreter = ["PowerShell", "-command"]
    }
  }
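Option 1 as an added worked example (editor's code, not from the answer above or from the Terraform docs): one shared config in which the per-application listener, backend pool, HTTP settings and multi-site routing rule are generated from a single map with `dynamic` blocks, so adding an app means adding one entry to the map rather than hand-writing four blocks. It assumes Terraform 0.12 or later and azurerm provider 3.x (for `fqdns` and `priority`); the resource group, location, subnet and public IP IDs, host names, App Service FQDNs and rule priorities are placeholders.

```hcl
# Added example (not from the answer above): one shared gateway whose
# per-application blocks are generated from a map. Every ID, name and
# hostname below is a placeholder.
locals {
  # Assumed application inventory; one entry per app. "priority" must be
  # unique per rule (Application Gateway v2 SKUs require rule priorities).
  apps = {
    shop = { host = "shop.example.com", fqdn = "shop-app.azurewebsites.net", priority = 100 }
    blog = { host = "blog.example.com", fqdn = "blog-app.azurewebsites.net", priority = 110 }
  }
}

resource "azurerm_application_gateway" "shared" {
  name                = "agw-shared"
  resource_group_name = "rg-shared"
  location            = "westeurope"

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "gw-ipcfg"
    subnet_id = "<agw-subnet-id>" # placeholder
  }

  frontend_port {
    name = "port-80"
    port = 80
  }

  frontend_ip_configuration {
    name                 = "feip-public"
    public_ip_address_id = "<public-ip-id>" # placeholder
  }

  # One listener per app, selected by the Host header (multi-site listener).
  # Plain HTTP keeps the example short; a production listener would be Https
  # with an ssl_certificate block.
  dynamic "http_listener" {
    for_each = local.apps
    content {
      name                           = "lsn-${http_listener.key}"
      frontend_ip_configuration_name = "feip-public"
      frontend_port_name             = "port-80"
      protocol                       = "Http"
      host_name                      = http_listener.value.host
    }
  }

  # One pool per app, pointing at the App Service hostname.
  dynamic "backend_address_pool" {
    for_each = local.apps
    content {
      name  = "pool-${backend_address_pool.key}"
      fqdns = [backend_address_pool.value.fqdn]
    }
  }

  # App Service only answers to its own hostname, so send the backend's
  # FQDN as the Host header instead of the client's.
  dynamic "backend_http_settings" {
    for_each = local.apps
    content {
      name                                = "bhs-${backend_http_settings.key}"
      cookie_based_affinity               = "Disabled"
      port                                = 443
      protocol                            = "Https"
      request_timeout                     = 30
      pick_host_name_from_backend_address = true
    }
  }

  # Ties each app's listener, pool and settings together.
  dynamic "request_routing_rule" {
    for_each = local.apps
    content {
      name                       = "rule-${request_routing_rule.key}"
      rule_type                  = "Basic"
      priority                   = request_routing_rule.value.priority
      http_listener_name         = "lsn-${request_routing_rule.key}"
      backend_address_pool_name  = "pool-${request_routing_rule.key}"
      backend_http_settings_name = "bhs-${request_routing_rule.key}"
    }
  }
}
```

With this layout the whole gateway lives in one state, so anything added out of band (CLI or Portal) shows up as a diff on the next plan and is removed on apply, which is the "overwrite" behaviour the answer describes for subnets. If out-of-band additions must survive, the only lever is a `lifecycle { ignore_changes = [...] }` list naming those block types on the gateway resource, at the price that Terraform then stops managing them entirely.

Option 2 as an added example (again editor's code, not the answer's own): a per-application config that knows only the shared gateway's name and resource group and adds its own listener, pool, HTTP settings and multi-site rule with the Azure CLI from a `null_resource`, then removes them on destroy. It assumes a current Azure CLI and a v2 SKU gateway (hence `--priority`); the gateway, frontend and host names are assumptions, and the commands are run from bash rather than the PowerShell used above.

```hcl
# Added example (not the answer's own code): a per-application config that
# knows only the shared gateway's name and resource group and adds its own
# listener, pool, HTTP settings and multi-site rule with the Azure CLI.
# Gateway, frontend and host names are assumptions.
variable "app" {
  type = object({
    name     = string # e.g. "shop"; used as the suffix of every object name
    host     = string # e.g. "shop.example.com"
    fqdn     = string # e.g. "shop-app.azurewebsites.net"
    priority = number # unique per rule on the gateway (v2 SKUs require it)
  })
}

resource "null_resource" "agw_app" {
  # Everything the create and destroy commands need lives in triggers:
  # destroy-time provisioners may only reference self, not var or local,
  # and changing any of these values recreates the resource.
  triggers = {
    rg       = "rg-shared"   # placeholder resource group of the gateway
    agw      = "agw-shared"  # placeholder gateway name
    feip     = "feip-public" # frontend IP configuration on the skeleton gateway
    port     = "port-80"     # frontend port on the skeleton gateway
    name     = var.app.name
    host     = var.app.host
    fqdn     = var.app.fqdn
    priority = tostring(var.app.priority)
  }

  provisioner "local-exec" {
    interpreter = ["bash", "-c"]
    command     = <<-EOT
      set -euo pipefail
      G="--resource-group ${self.triggers.rg} --gateway-name ${self.triggers.agw}"
      az network application-gateway address-pool create $G \
        --name pool-${self.triggers.name} --servers ${self.triggers.fqdn}
      az network application-gateway http-settings create $G \
        --name bhs-${self.triggers.name} --port 443 --protocol Https \
        --host-name-from-backend-pool true
      az network application-gateway http-listener create $G \
        --name lsn-${self.triggers.name} --frontend-ip ${self.triggers.feip} \
        --frontend-port ${self.triggers.port} --host-name ${self.triggers.host}
      az network application-gateway rule create $G \
        --name rule-${self.triggers.name} --rule-type Basic \
        --priority ${self.triggers.priority} \
        --http-listener lsn-${self.triggers.name} \
        --address-pool pool-${self.triggers.name} \
        --http-settings bhs-${self.triggers.name}
    EOT
  }

  # Tear the same objects down, rule first, when this config is destroyed
  # so nothing is orphaned on the shared gateway.
  provisioner "local-exec" {
    when        = destroy
    interpreter = ["bash", "-c"]
    command     = <<-EOT
      set -euo pipefail
      G="--resource-group ${self.triggers.rg} --gateway-name ${self.triggers.agw}"
      az network application-gateway rule delete $G --name rule-${self.triggers.name}
      az network application-gateway http-listener delete $G --name lsn-${self.triggers.name}
      az network application-gateway http-settings delete $G --name bhs-${self.triggers.name}
      az network application-gateway address-pool delete $G --name pool-${self.triggers.name}
    EOT
  }
}
```

Two caveats a practitioner should plan for. The objects this creates are invisible to the state that owns the skeleton gateway, so that config will plan to remove them on its next apply unless its `azurerm_application_gateway` resource carries an `ignore_changes` list for the listener, pool, settings and rule block types. And Azure rejects concurrent updates to the same gateway, so applies of different app configs against one gateway need to be serialised in the pipeline rather than run in parallel.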

Here is the reference doc from Terraform for managing Azure Application Gateway. You can refer to this sample code for adding new listeners, routing rules and backend pools to the existing application gateway. This template carries all the required arguments, like:

http_listener - (Required) One or more http_listener blocks.

  http_listener {
    name                           = "https-listener-1"
    frontend_ip_configuration_name = "feip"
    frontend_port_name             = "http-port"
    protocol                       = "Http"
  }

request_routing_rule - (Required) One or more request_routing_rule blocks.

  request_routing_rule {
    name                       = local.request_routing_rule_name
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }

backend_address_pool - (Required) One or more backend_address_pool blocks as defined below.

  backend_address_pool {
    name = local.backend_address_pool_name
  }
    This doesn't answer my question about adding these components to an existing gateway without tearing down and rebuilding it. Suppose you have a gateway. Now in a different Terraform config, I want to add a new listener. I don't want to know anything about this gateway other than its name/id/resource group. And I don't want to change anything about this gateway other than adding this new listener to it. So having to fully describe the gateway in this separate config just to add a listener is not really an option I am looking for.
    – D.Lee
    Dec 20, 2019 at 16:45
