Support for versionless key vault secretId in azurerm_application_gateway #6188
Comments
|
@katbyte is there a Validator for a secret_id without the version? |
|
Looks to me like the Azure API for application gateway's doesn't allow you to select a key vault certificate any way other than the secret identifier. Have you tried using a key vault data source like this? (code may not be perfect, haven't tested it) # Get Key Vault ID
data "azurerm_key_vault" "keyVault" {
name = "{keyVaultName}"
resource_group_name = "{keyVaultResourceGroupName}"
}
# Get ID for latest certificate version in KV
data "azurerm_key_vault_secret" "certificate" {
name = "{keyVaultCertificateName}"
key_vault_id = data.azurerm_key_vault.keyVault.id
}
# SSL Certificate Profile Creation
ssl_certificate {
name = "{certificateName]"
key_vault_secret_id = data.azurerm_key_vault_secret.certificate.id
} |
|
@swes1110 It's indeed working code sample - we are using it for quite some time now. |
Versionless secret_id working with auto certificate refresh |
|
@francescopersico Just tried specifying key_vault_secret_id using trimsuffix() function and got error that guys mentioned above or in parent issue: |
This issue is exactly about that. The terraform module is requiring to specify exactly a version but is not required by Azure. |
|
This is related to #4408 that was just fixed. It just needs the validator changed here https://github.com/terraform-providers/terraform-provider-azurerm/blob/f3429d9df1c54c8ed966be48ae0e9a45fd893cbb/azurerm/internal/services/network/application_gateway_resource.go#L1016 to be |
|
I've not seen it mentioned yet, but the current enforcement completely breaks automatic certificate renewal. This is because the gateways end up tied to specific cert ID/versions, so when a renewal or import occurs the app gateway is not able to automatically pull the new cert as the ID/version has changed, and continues to use the old cert until TF is re-run and updates the ID. If at all possible please could this issue be prioritised due to the scale of potential catastrophes that can be caused by expired certs not being replaced when the keyvault is holding the correctly updated one? It's very easy to miss the significance of the ID being enforced when writing the TF configuration and then to end up wondering why certs that should have updated within 24 hours (as per Azure integration docs), have not.
|
|
This has been released in version 2.14.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.14.0"
}
# ... other configuration ... |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
ghost
locked and limited conversation to collaborators
Community Note
Description
The v2.2.0 version added support for key_vault_secret_id in azurerm_application_gateway (huge thanks for that!) but validate function requires the secret to be specified with a version. Is it possible to loose that requirement and make a secret version optional so that application gateway would fetch newer cerificate when its available? Powershell and az support such scenario with versionless secret id.
New or Affected Resource(s)
*azurerm_application_gateway
Potential Terraform Configuration
Actual Behavior
References
The text was updated successfully, but these errors were encountered: