fix: add null_resource to register hostname before managed cert creation

rajbos · Copilot · rajbos · commit 88380ab78eef · 2026-04-28T11:11:19.000+02:00
Azure API requires the hostname to be bound to a container app before a
managed certificate can be created for it (error: RequireCustomHostnameInEnvironment).
This creates a circular dependency in Terraform: the managed cert needs the
hostname registered, but azurerm_container_app_custom_domain with SniEnabled
needs the cert to exist.

Break the cycle with a null_resource that registers the hostname (Disabled
binding) via az CLI local-exec, giving the cert resource a hostname to
validate against. TF then creates the cert and upgrades the binding to
SniEnabled via azurerm_container_app_custom_domain.

Also adds the hashicorp/null provider (~&gt; 3.0) to providers.tf.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/sharing-server/infra/main.tf b/sharing-server/infra/main.tf
@@ -186,6 +186,26 @@ resource "azurerm_container_app" "this" {
 # DNS prerequisites (must exist before applying):
 #   CNAME  <subdomain>        → local.aca_fqdn
 #   TXT    asuid.<subdomain>  → azurerm_container_app_environment.this.custom_domain_verification_id
+#
+# Azure requires the hostname to be registered on the container app BEFORE a
+# managed certificate can be created for it. We use a null_resource to register
+# the hostname (binding type Disabled) via az CLI, which breaks the circular
+# dependency: cert needs hostname, SniEnabled binding needs cert.
+
+resource "null_resource" "hostname_registration" {
+  count = var.custom_domain != "" ? 1 : 0
+
+  triggers = {
+    hostname = var.custom_domain
+    app_id   = azurerm_container_app.this.id
+  }
+
+  provisioner "local-exec" {
+    command = "az containerapp hostname add --name '${azurerm_container_app.this.name}' --resource-group '${var.resource_group_name}' --hostname '${var.custom_domain}' 2>/dev/null || true"
+  }
+
+  depends_on = [azurerm_container_app.this]
+}
 
 resource "azurerm_container_app_environment_managed_certificate" "this" {
   count                        = var.custom_domain != "" ? 1 : 0
@@ -194,6 +214,8 @@ resource "azurerm_container_app_environment_managed_certificate" "this" {
   subject_name                 = var.custom_domain
   domain_control_validation    = "CNAME"
 
+  depends_on = [null_resource.hostname_registration]
+
   lifecycle {
     create_before_destroy = true
   }
diff --git a/sharing-server/infra/providers.tf b/sharing-server/infra/providers.tf
@@ -10,6 +10,10 @@ terraform {
       source  = "hashicorp/random"
       version = "~> 3.6"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.0"
+    }
   }
 
   # All backend values are supplied via -backend-config flags in CI.

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,10 @@ terraform {`
`10`	`10`	`source = "hashicorp/random"`
`11`	`11`	`version = "~> 3.6"`
`12`	`12`	`}`
	`13`	`+ null = {`
	`14`	`+ source = "hashicorp/null"`
	`15`	`+ version = "~> 3.0"`
	`16`	`+ }`
`13`	`17`	`}`
`14`	`18`
`15`	`19`	`# All backend values are supplied via -backend-config flags in CI.`