fix: clean up portal-created cert/domain before TF apply instead of importing

rajbos · Copilot · rajbos · commit 43b8c0b9954d · 2026-04-28T10:59:18.000+02:00
The previous import approach caused a 400 'CertificateInUse' error because
Azure auto-generates cert names in the portal, which don't match the Terraform
resource name ('sharing-cert'). After import, TF detected the name drift and
planned a destroy+recreate, but Azure blocks cert deletion while a domain
binding exists.

New approach:
- Detect if TF state has a cert with a non-TF name (portal-created)
- If so: delete the domain binding first, then delete the cert, remove stale
  TF state entries — letting Terraform create both resources fresh with the
  correct names
- If cert is already TF-managed ('sharing-cert'): no-op

Also added lifecycle.create_before_destroy = true on the cert resource as a
safety net for future cert replacements.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/sharing-server-deploy.yml b/.github/workflows/sharing-server-deploy.yml
@@ -166,7 +166,7 @@ jobs:
             -backend-config="container_name=${{ vars.TF_STATE_CONTAINER }}" \
             -backend-config="key=${{ needs.setup.outputs.state_key }}"
 
-      - name: Import existing custom domain resources
+      - name: Reconcile custom domain Terraform state
         if: steps.prereqs.outputs.configured == 'true' && vars.SHARING_CUSTOM_DOMAIN != ''
         working-directory: sharing-server/infra
         env:
@@ -186,25 +186,45 @@ jobs:
           az account set --subscription "$ARM_SUBSCRIPTION_ID"
 
           ENV_NAME="${TF_VAR_app_name}-env"
+          EXPECTED_CERT_NAME="sharing-cert"
 
-          if ! terraform state show 'azurerm_container_app_environment_managed_certificate.this[0]' > /dev/null 2>&1; then
-            CERT_ID=$(az containerapp env certificate list \
+          # Detect if TF state has a cert with a name that doesn't match what Terraform
+          # would create (e.g. a portal-created cert was previously imported). If so, we
+          # must clean up Azure + state before apply, otherwise Terraform will try to
+          # destroy the old cert while the custom domain is still bound to it (400 error).
+          CURRENT_CERT_NAME=$(terraform state show 'azurerm_container_app_environment_managed_certificate.this[0]' 2>/dev/null \
+            | grep -E '^\s+name\s+=' | head -1 \
+            | sed 's/.*= "\(.*\)".*/\1/' || true)
+
+          if [[ "$CURRENT_CERT_NAME" != "$EXPECTED_CERT_NAME" ]]; then
+            echo "Cert not TF-managed (current: '${CURRENT_CERT_NAME:-none}'). Cleaning up Azure resources so Terraform can recreate them."
+
+            # Remove hostname binding first (cert cannot be deleted while a domain uses it)
+            az containerapp hostname delete \
+              --name "$TF_VAR_app_name" \
+              --resource-group "$TF_VAR_resource_group_name" \
+              --hostname "$TF_VAR_custom_domain" --yes 2>/dev/null || true
+
+            # Find the cert by subject name and delete it
+            AZURE_CERT_NAME=$(az containerapp env certificate list \
               --name "$ENV_NAME" \
               --resource-group "$TF_VAR_resource_group_name" \
-              --query "[?properties.subjectName=='$TF_VAR_custom_domain'].id | [0]" \
+              --query "[?properties.subjectName=='$TF_VAR_custom_domain'].name | [0]" \
               -o tsv 2>/dev/null || true)
-            if [[ -n "$CERT_ID" && "$CERT_ID" != "None" ]]; then
-              echo "Importing managed certificate: $CERT_ID"
-              terraform import -input=false 'azurerm_container_app_environment_managed_certificate.this[0]' "$CERT_ID"
+            if [[ -n "$AZURE_CERT_NAME" && "$AZURE_CERT_NAME" != "None" ]]; then
+              echo "Deleting Azure cert: $AZURE_CERT_NAME"
+              az containerapp env certificate delete \
+                --name "$ENV_NAME" \
+                --resource-group "$TF_VAR_resource_group_name" \
+                --certificate "$AZURE_CERT_NAME" --yes 2>/dev/null || true
             fi
-          fi
 
-          if ! terraform state show 'azurerm_container_app_custom_domain.this[0]' > /dev/null 2>&1; then
-            DOMAIN_ID="/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_resource_group_name/providers/Microsoft.App/containerApps/$TF_VAR_app_name/customDomainName/$TF_VAR_custom_domain"
-            if az rest --method get --url "https://management.azure.com${DOMAIN_ID}?api-version=2024-03-01" > /dev/null 2>&1; then
-              echo "Importing custom domain: $DOMAIN_ID"
-              terraform import -input=false 'azurerm_container_app_custom_domain.this[0]' "$DOMAIN_ID"
-            fi
+            # Remove stale TF state entries so Terraform creates fresh resources
+            terraform state rm 'azurerm_container_app_custom_domain.this[0]' 2>/dev/null || true
+            terraform state rm 'azurerm_container_app_environment_managed_certificate.this[0]' 2>/dev/null || true
+            echo "Cleanup done. Terraform will create cert and domain binding from scratch."
+          else
+            echo "Cert already TF-managed as '$EXPECTED_CERT_NAME'. No cleanup needed."
           fi
 
       - name: Terraform plan
diff --git a/sharing-server/infra/main.tf b/sharing-server/infra/main.tf
@@ -193,6 +193,10 @@ resource "azurerm_container_app_environment_managed_certificate" "this" {
   container_app_environment_id = azurerm_container_app_environment.this.id
   subject_name                 = var.custom_domain
   domain_control_validation    = "CNAME"
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "azurerm_container_app_custom_domain" "this" {
