fix: import stranded cert instead of deleting and recreating

rajbos · Copilot · rajbos · commit fe76622a0a34 · 2026-04-28T19:55:52.000+02:00
When a Terraform apply times out waiting for managed cert provisioning,
Azure retains the cert in a Pending/Creating state but TF drops it from
state.  The reconcile step previously saw the mismatch and deleted the
Azure cert, forcing a fresh creation that also timed out -- an infinite
loop.

Fix: before deleting anything, look up whether the correctly-named cert
('sharing-cert') already exists in Azure.  If it does, import it into
TF state so the next apply skips the 60-minute creation wait and only
re-runs the fast cert-binding step.  The existing delete-and-recreate
path is retained as a fallback if the import fails.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/sharing-server-deploy.yml b/.github/workflows/sharing-server-deploy.yml
@@ -205,35 +205,71 @@ jobs:
             | grep -E '^\s+name\s+=' | head -1 \
             | sed 's/.*= "\(.*\)".*/\1/' || true)
 
-          if [[ "$CURRENT_CERT_NAME" != "$EXPECTED_CERT_NAME" ]]; then
-            echo "Cert not TF-managed (current: '${CURRENT_CERT_NAME:-none}'). Cleaning up Azure resources so Terraform can recreate them."
-
-            # Remove hostname binding first (cert cannot be deleted while a domain uses it)
-            az containerapp hostname delete \
-              --name "$TF_VAR_app_name" \
-              --resource-group "$TF_VAR_resource_group_name" \
-              --hostname "$TF_VAR_custom_domain" --yes 2>/dev/null || true
-
-            # Find the cert by subject name and delete it
-            AZURE_CERT_NAME=$(az containerapp env certificate list \
+          if [[ "$CURRENT_CERT_NAME" == "$EXPECTED_CERT_NAME" ]]; then
+            echo "Cert already TF-managed as '$EXPECTED_CERT_NAME'. No cleanup needed."
+          else
+            # Cert is absent from TF state or has a mismatched name.
+            # Before deleting anything, check whether the correctly-named cert already
+            # exists in Azure (e.g. a previous apply timed out while polling for the cert
+            # to become Succeeded, leaving it stranded in Azure but dropped from TF state).
+            AZURE_CERT_ID=$(az containerapp env certificate list \
               --name "$ENV_NAME" \
               --resource-group "$TF_VAR_resource_group_name" \
-              --query "[?properties.subjectName=='$TF_VAR_custom_domain'].name | [0]" \
+              --query "[?name=='$EXPECTED_CERT_NAME'].id | [0]" \
               -o tsv 2>/dev/null || true)
-            if [[ -n "$AZURE_CERT_NAME" && "$AZURE_CERT_NAME" != "None" ]]; then
-              echo "Deleting Azure cert: $AZURE_CERT_NAME"
-              az containerapp env certificate delete \
+
+            if [[ -n "$AZURE_CERT_ID" && "$AZURE_CERT_ID" != "None" ]]; then
+              # The correctly-named cert exists in Azure but TF lost track of it.
+              # Import it so apply doesn't delete-and-recreate (which resets provisioning
+              # and triggers another 60-minute wait).
+              echo "Cert '$EXPECTED_CERT_NAME' found in Azure but not in TF state. Importing..."
+              if terraform import 'azurerm_container_app_environment_managed_certificate.this[0]' "$AZURE_CERT_ID"; then
+                # Drop stale custom-domain state so cert_binding re-runs to re-bind.
+                terraform state rm 'azurerm_container_app_custom_domain.this[0]' 2>/dev/null || true
+                echo "Import done. Terraform will rebind the cert without recreating it."
+              else
+                # Import failed; delete the Azure cert so apply doesn't hit "already exists".
+                echo "Import failed. Deleting Azure cert so Terraform can create a fresh one."
+                az containerapp hostname delete \
+                  --name "$TF_VAR_app_name" \
+                  --resource-group "$TF_VAR_resource_group_name" \
+                  --hostname "$TF_VAR_custom_domain" --yes 2>/dev/null || true
+                az containerapp env certificate delete \
+                  --name "$ENV_NAME" \
+                  --resource-group "$TF_VAR_resource_group_name" \
+                  --certificate "$EXPECTED_CERT_NAME" --yes 2>/dev/null || true
+                terraform state rm 'azurerm_container_app_custom_domain.this[0]' 2>/dev/null || true
+                terraform state rm 'azurerm_container_app_environment_managed_certificate.this[0]' 2>/dev/null || true
+                echo "Cleanup done. Terraform will create cert and domain binding from scratch."
+              fi
+            else
+              echo "Cert not TF-managed (current: '${CURRENT_CERT_NAME:-none}'). Cleaning up Azure resources so Terraform can recreate them."
+
+              # Remove hostname binding first (cert cannot be deleted while a domain uses it)
+              az containerapp hostname delete \
+                --name "$TF_VAR_app_name" \
+                --resource-group "$TF_VAR_resource_group_name" \
+                --hostname "$TF_VAR_custom_domain" --yes 2>/dev/null || true
+
+              # Find the cert by subject name and delete it
+              AZURE_CERT_NAME=$(az containerapp env certificate list \
                 --name "$ENV_NAME" \
                 --resource-group "$TF_VAR_resource_group_name" \
-                --certificate "$AZURE_CERT_NAME" --yes 2>/dev/null || true
-            fi
+                --query "[?properties.subjectName=='$TF_VAR_custom_domain'].name | [0]" \
+                -o tsv 2>/dev/null || true)
+              if [[ -n "$AZURE_CERT_NAME" && "$AZURE_CERT_NAME" != "None" ]]; then
+                echo "Deleting Azure cert: $AZURE_CERT_NAME"
+                az containerapp env certificate delete \
+                  --name "$ENV_NAME" \
+                  --resource-group "$TF_VAR_resource_group_name" \
+                  --certificate "$AZURE_CERT_NAME" --yes 2>/dev/null || true
+              fi
 
-            # Remove stale TF state entries so Terraform creates fresh resources
-            terraform state rm 'azurerm_container_app_custom_domain.this[0]' 2>/dev/null || true
-            terraform state rm 'azurerm_container_app_environment_managed_certificate.this[0]' 2>/dev/null || true
-            echo "Cleanup done. Terraform will create cert and domain binding from scratch."
-          else
-            echo "Cert already TF-managed as '$EXPECTED_CERT_NAME'. No cleanup needed."
+              # Remove stale TF state entries so Terraform creates fresh resources
+              terraform state rm 'azurerm_container_app_custom_domain.this[0]' 2>/dev/null || true
+              terraform state rm 'azurerm_container_app_environment_managed_certificate.this[0]' 2>/dev/null || true
+              echo "Cleanup done. Terraform will create cert and domain binding from scratch."
+            fi
           fi
 
       - name: Terraform plan
