I get the error message below:
Error: parsing "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/applicationGateways/<app_gateway_name>/sslCertificates/<cert_name>": KeyVault Nested Item should contain 2 or 3 segments, got 10 from "subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Network/applicationGateways/<app_gateway_name>/sslCertificates/<cert_name>"
I suppose the key error is "KeyVault Nested Item should contain 2 or 3 segments, got 10" but I have no idea what this means.
What I'm trying to do:
Via Terraform (azurerm), create an application gateway resource with an HTTPS (443) listener. I uploaded the certificate to the Azure Key Vault (with Vault access policy) and created a managed identity to access that cert. In the portal, I can set up the listener with HTTPS using the managed identity and cert - no issues. Everything works as expected.
However, when I try to do the same in Terraform, I'm getting the error above.
Here's what I have:
    # Key Vault holding the TLS certificate
    data "azurerm_key_vault" "cert_store" {
      name                = "certstore"
      resource_group_name = local.resource_group.name
    }

    # Certificate object in that vault
    data "azurerm_key_vault_certificate" "tls_cert" {
      name         = "tls_cert"
      key_vault_id = data.azurerm_key_vault.cert_store.id
    }

    resource "azurerm_application_gateway" "app_gateway" {
      name                = "app_gateway1"
      resource_group_name = local.resource_group.name
      location            = local.resource_group.location

      sku {
        name     = var.gateway_vars.sku.name
        tier     = var.gateway_vars.sku.tier
        capacity = 2
      }

      gateway_ip_configuration {
        name      = "${var.gateway_vars.name}-ip-configuration"
        subnet_id = data.azurerm_subnet.gateway_subnet.id
      }

      frontend_port {
        name = "port_80"
        port = 80
      }

      frontend_port {
        name = "port_443"
        port = 443
      }

      # User-assigned identity the gateway uses to read the cert from Key Vault
      identity {
        type = "UserAssigned"
        identity_ids = [
          azurerm_user_assigned_identity.app_gateway_managed_identity.id
        ]
      }

      ssl_certificate {
        # must reference the data source declared above ("tls_cert"), not the vault
        key_vault_secret_id = data.azurerm_key_vault_certificate.tls_cert.id
        name                = "tls_cert"
      }

      frontend_ip_configuration {
        name                 = "frontendIp"
        public_ip_address_id = azurerm_public_ip.app_gateway.id
      }

      backend_address_pool {
        name  = "frontend-pool"
        fqdns = ["fqdn.com"]
      }

      # https settings - used to connect to backend services via https
      backend_http_settings {
        name                                = "https"
        cookie_based_affinity               = "Disabled"
        port                                = 443
        protocol                            = "Https"
        request_timeout                     = 60
        path                                = "/"
        pick_host_name_from_backend_address = true
      }

      http_listener {
        name                           = "http80-listener"
        frontend_ip_configuration_name = "frontendIp"
        frontend_port_name             = "port_80"
        protocol                       = "Http"
      }

      http_listener {
        name                           = "https443-listener"
        frontend_ip_configuration_name = "frontendIp"
        frontend_port_name             = "port_443"
        protocol                       = "Https"
        ssl_certificate_name           = "tls_cert"
        require_sni                    = false
      }

      url_path_map {
        name                               = "path-map"
        default_backend_address_pool_name  = "frontend-pool"
        default_backend_http_settings_name = "https"

        path_rule {
          name                       = "xx"
          paths                      = ["/path"]
          backend_address_pool_name  = "frontend-pool"
          backend_http_settings_name = "https"
        }
      }

      request_routing_rule {
        name               = "tdr-routing-rule-443"
        rule_type          = "PathBasedRouting"
        http_listener_name = "https443-listener"
        url_path_map_name  = "path-map"
      }
    }
So as I was making this post and about to publish it, a coworker reached out and figured he had seen something similar a while back. Found it here:
https://github.com/hashicorp/terraform-provider-azurerm/issues/6188
The problem was the version of the cert being referenced. I think it didn't know which version of the cert to use, so I had to tell it which one. Within the app gateway resource block, in the ssl_certificate block, I used the trimsuffix function:
    ssl_certificate {
      name = "tls_cert"
      # strip the version so the gateway gets the versionless secret id
      key_vault_secret_id = trimsuffix(data.azurerm_key_vault_secret.certificate_secret.id, "${data.azurerm_key_vault_secret.certificate_secret.version}")
    }
Second, I had to use azurerm_key_vault_secret instead of azurerm_key_vault_certificate, like below:
    data "azurerm_key_vault_secret" "certificate_secret" {
      name         = "name_of_cert"
      key_vault_id = data.azurerm_key_vault.cert_store.id
    }
After that, it seems to be working. I still don't fully understand why using a Key Vault secret works over a Key Vault certificate when trying to get a certificate, but :shrug:.
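To make the "2 or 3 segments" error concrete, here is an added example (not from the question or the azurerm provider) that applies the same segment rule the error message describes to a Key Vault nested-item URL and derives the versionless secret ID the ssl_certificate block needs. The vault name, secret name and version below are constructed values; a versionless ID is also what lets the gateway pick up a renewed certificate without a config change.

```python
from urllib.parse import urlsplit

# A Key Vault nested item is addressed as
#   https://<vault>.vault.azure.net/<type>/<name>[/<version>]
# so its path has 2 or 3 segments. An ARM resource ID (the value in the
# question's error) has no scheme/host and its path has many more segments.


def parse_key_vault_nested_item(item_id: str) -> dict:
    """Split a nested-item URL into vault host, item type, name and version.

    Raises ValueError with a provider-style message when the path does not
    have exactly 2 or 3 non-empty segments (a trailing slash, as left behind
    by trimsuffix(), is tolerated).
    """
    parts = urlsplit(item_id)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3):
        raise ValueError(
            "KeyVault Nested Item should contain 2 or 3 segments, "
            f"got {len(segments)} from {item_id!r}"
        )
    item_type, name = segments[0], segments[1]
    version = segments[2] if len(segments) == 3 else None
    return {"vault_host": parts.netloc, "type": item_type,
            "name": name, "version": version}


def versionless_secret_id(secret_id: str) -> str:
    """Return https://<vault>/secrets/<name> with any version removed."""
    item = parse_key_vault_nested_item(secret_id)
    if item["type"] != "secrets":
        raise ValueError(f"expected a secrets item, got {item['type']!r}")
    return f"https://{item['vault_host']}/secrets/{item['name']}"


if __name__ == "__main__":
    # Constructed inputs: a versioned secret id, the trimsuffix() result with
    # its trailing slash, and an ARM-style id like the one in the error.
    samples = [
        "https://certstore.vault.azure.net/secrets/tls_cert/0123456789abcdef",
        "https://certstore.vault.azure.net/secrets/tls_cert/",
        "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network"
        "/applicationGateways/gw/sslCertificates/tls_cert",
    ]
    for sample in samples:
        try:
            print(sample, "->", versionless_secret_id(sample))
        except ValueError as err:
            print(sample, "->", err)
```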