azurerm_application_gateway - support for Key Vault SSL certificate ids

[AlexMabry]

This is my first time contributing, so I may have missed something.

Implements key vault certificates on HTTPS listener for application gateway. See Issue #3935

According to this Microsoft issue (MicrosoftDocs/azure-docs#34382), the key vault must be set for safe delete mode to work, so I also included that in this PR.

Proposed Terraform Configuration

azurerm_application_gateway

• add new key_vault_secret_id parameter

resource "azurerm_application_gateway" "test" {
  name                = var.app_gw_name
  resource_group_name =data.azurerm_resource_group.ResourceGroup.name
  location            = data.azurerm_resource_group.ResourceGroup.location

  ssl_certificate {
    name                = var.ssl_certificate_name
    key_vault_secret_id = azurerm_key_vault_certificate.test.secret_id
  }

 http_listener {
    name                           = var.https_listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Https"
    ssl_certificate_name           = var.ssl_certificate_name
  }
}

azurerm_application_gateway

• add new enable_soft_delete parameter

resource "azurerm_key_vault" "test" {
  name                = var.key_vault_name
  resource_group_name = data.azurerm_resource_group.ResourceGroup.name
  location            = data.azurerm_resource_group.ResourceGroup.location

  enable_soft_delete  = true
}

(fixes #3935)

[jeremysingh]

Any News on this?

[Ruankr]

Why is this moving further and further down the roadmap when it seems its ready to go? Been working with MS to drum up a solution outside of terraform to allow for this once resources has been created, and I can assure you it's ugly. This would be an easy win and very welcome change...

[katbyte]

@CyanMass45, the PR in its current state is not ready to go as it needs to be rebased on master and refactored into the new service package pattern as well as have the key vault bits removed as they were added separately in 2.0. The contributor hasn't yet and it's on our internal roadmap to revisit in the near future but unfortunately i cannot provide any firm dates.

[jackofallops]

One minor doc typo, but otherwise LGTM 👍

[ghost]

This has been released in version 2.2.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.2.0"
}
# ... other configuration ...

[francescopersico]

@katbyte i am quite sure this break the autorenew feature of the application gateway

After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for SSL termination. The instances also poll Key Vault at 24-hour intervals to retrieve a renewed version of the certificate, if it exists. If an updated certificate is found, the SSL certificate currently associated with the HTTPS listener is automatically rotated.

With your validator you need to specify an exact version of the secret so the renew will not work.
You just need to point to the secret without the version.

[Ruankr]

I agree. The current tf code wants 3 parts : vaulturl/certificate name/hash

This adds it but app gateway never sees new versions of the cert. In order to have this it's only needs 2 part: vaulturl/certificate name.

[tombuildsstuff]

@francescopersico since this PR's been merged, can you open a new issue to track that? Thanks!

[t3mi]

It's already exists #6188

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!