Application Gateway still not working with versionless key vault secretId #16816
Comments
OK I've resolved this, it's not the provider. It was actually a subtle issue with the certificate secret id returned from azurerm_key_vault_secret. The value that is needed is 'secret_id' not 'id'. Also found that data source for azurerm_key_vault_secret actually exports 'versionless_secret_id' directly so specifying the versionless secret id is even easier. id - The Key Vault Certificate ID.
It is not easy to spot as the keyvault certificate id value is almost identical to the secret_id:
Application gateway requires the secret_id value which is different to the keyvault certificate id. I'd suggest the azurerm_application_gateway documentation should be updated with a note about how to use the versionless secret id given that certificate rotation is an important issue.
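As an added example (not code from the issue thread or from the provider's documentation), this is how the point above looks in Terraform: the certificate's versionless *secret* id exported by the azurerm_key_vault_certificate data source is passed to key_vault_secret_id, and the gateway reads it through a user-assigned identity that is granted only secret Get. Vault, resource group, location and certificate names are assumptions, and the gateway's SKU, network and listener blocks are left out.

```hcl
# Added example: wiring a versionless Key Vault certificate secret into
# azurerm_application_gateway so that a rotated certificate is picked up
# without a Terraform change. All names below are assumed placeholders.

data "azurerm_key_vault" "kv" {
  name                = "example-kv"   # assumed
  resource_group_name = "example-rg"   # assumed
}

# The certificate already exists in the vault (issued or imported there).
data "azurerm_key_vault_certificate" "tls" {
  name         = "agw-tls"             # assumed certificate name
  key_vault_id = data.azurerm_key_vault.kv.id
}

# Application Gateway fetches the certificate with a user-assigned identity.
resource "azurerm_user_assigned_identity" "agw" {
  name                = "agw-identity"
  location            = "westeurope"   # assumed
  resource_group_name = "example-rg"
}

# Least privilege: the gateway only needs to read the secret form of the
# certificate; it needs no certificate-management or key permissions.
resource "azurerm_key_vault_access_policy" "agw" {
  key_vault_id       = data.azurerm_key_vault.kv.id
  tenant_id          = azurerm_user_assigned_identity.agw.tenant_id
  object_id          = azurerm_user_assigned_identity.agw.principal_id
  secret_permissions = ["Get"]
}

resource "azurerm_application_gateway" "agw" {
  # sku, gateway_ip_configuration, frontend/backend and listener blocks
  # are unchanged by this and not shown here.

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.agw.id]
  }

  ssl_certificate {
    name = "agw-tls"
    # versionless_secret_id is the certificate's secret URI (.../secrets/agw-tls)
    # with the version segment removed, not the certificate id
    # (.../certificates/agw-tls) exported as `id`. With no version pinned,
    # the gateway follows new certificate versions after rotation.
    key_vault_secret_id = data.azurerm_key_vault_certificate.tls.versionless_secret_id
  }

  # Make sure the access policy exists before the gateway tries to read the secret.
  depends_on = [azurerm_key_vault_access_policy.agw]
}
```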
@aristosvo @lotaezhao I would like to work on it
I've been struggling with this for over a week. Your post just solved my problem with broken certificate rotations. It should also be mentioned that versionless_secret_id != versionless_id. Instead of updating the documentation, I'd suggest that the ssl_certificate block in azurerm_application_gateway should be updated to replace key_vault_secret_id with versionless_secret_id.
Indeed, unless versionless_secret_id is allowed, you can't leverage the auto rotation feature:
https://docs.microsoft.com/en-us/azure/application-gateway/renew-certificates#certificates-on-azure-key-vault
It would be great if application gateway allowed the versionless_secret_id; we have to leverage the auto rotation feature, otherwise we need to write some automation script to update the latest certificate version.
@aravinthraja We have been using this feature for a few months now, so as far as I know it should also work for you to put the @kitarp29 Would you still like to work on this issue? It only requires an update of the docs.
Sure I would like to work on it during the weekend |
Is there an existing issue for this?
Community Note
Terraform Version
1.1.7
AzureRM Provider Version
3.5.0
Affected Resource(s)/Data Source(s)
azurerm_application_gateway
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
The versionless keyvault certificate should be added to the application gateway as support for this is supposed to have been added in: #7095.
If I add the ssl certificate with a versioned secret id it works but if I use the same config with the versionless id (by trimming the version suffix from the secret id) I receive a 'SecretIdSpecifiedIsInvalid' error as below.
I know the secret id is valid because if I add the ssl certificate using the same versionless id as terraform via Az CLI it works. I think this proves that the functionality is broken in the provider.
Actual Behaviour
'SecretIdSpecifiedIsInvalid' error is returned:
Steps to Reproduce
Deploy an application gateway configured with a versionless ssl certificate keyvault secret id.
Important Factoids
No response
References
This was supposedly fixed under the following issues but still appears to be broken:
#6188
#7095