fix: prevent cert provisioning on per-branch testing deploys

rajbos · Copilot · rajbos · commit 9095c9c30996 · 2026-04-29T13:06:31.000+02:00
Custom domain managed certificates are only meaningful on stable,
long-lived environments (production). Each testing branch gets a unique
ACA FQDN (sharing-test-&lt;slug&gt;.azurecontainerapps.io) that already has
Azure TLS — no custom cert needed.

Setting SHARING_CUSTOM_DOMAIN on the testing GitHub environment caused
every new branch deploy to provision a fresh cert via CNAME validation,
which takes up to 60 minutes and fails if the CNAME points to a different
ACA environment (as it always does for per-branch deploys).

Changes:
- Gate the Reconcile custom domain workflow step on is_prod == 'true'
  so it is skipped for all non-main branch deploys even if
  SHARING_CUSTOM_DOMAIN is accidentally set on the testing environment
- Add a comment to main.tf explaining the custom_domain var is
  production-only

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/sharing-server-deploy.yml b/.github/workflows/sharing-server-deploy.yml
@@ -175,7 +175,11 @@ jobs:
             -backend-config="key=${{ needs.setup.outputs.state_key }}"
 
       - name: Reconcile custom domain Terraform state
-        if: steps.prereqs.outputs.configured == 'true' && vars.SHARING_CUSTOM_DOMAIN != ''
+        # Custom domains (and their managed certs) are only meaningful on stable, long-lived
+        # environments (production). Per-branch testing environments each get a unique ACA FQDN
+        # which already has Azure TLS — setting SHARING_CUSTOM_DOMAIN on the testing GitHub
+        # environment will be ignored here to prevent 60-minute cert provisioning on every PR.
+        if: steps.prereqs.outputs.configured == 'true' && vars.SHARING_CUSTOM_DOMAIN != '' && needs.setup.outputs.is_prod == 'true'
         working-directory: sharing-server/infra
         env:
           TF_VAR_resource_group_name:    ${{ vars.AZURE_RESOURCE_GROUP }}
diff --git a/sharing-server/infra/main.tf b/sharing-server/infra/main.tf
@@ -191,6 +191,10 @@ resource "azurerm_container_app" "this" {
 
 # ── Custom domain + managed TLS certificate ───────────────────────────────────
 # Only created when var.custom_domain is set.
+# Intended for stable, long-lived environments (production) only.
+# Per-branch testing environments should leave var.custom_domain empty — they use
+# the ACA-generated FQDN (*.azurecontainerapps.io) which already has Azure TLS.
+# Provisioning a managed cert requires CNAME validation and can take up to 60 min.
 # DNS prerequisites (must exist before applying):
 #   CNAME  <subdomain>        → local.aca_fqdn
 #   TXT    asuid.<subdomain>  → azurerm_container_app_environment.this.custom_domain_verification_id
