-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_application_gateway - support for Key Vault SSL certificate ids #4366
Conversation
Any News on this? |
Why is this moving further and further down the roadmap when it seems its ready to go? Been working with MS to drum up a solution outside of terraform to allow for this once resources has been created, and I can assure you it's ugly. This would be an easy win and very welcome change... |
@CyanMass45, the PR in its current state is not ready to go as it needs to be rebased on master and refactored into the new service package pattern as well as have the key vault bits removed as they were added separately in 2.0. The contributor hasn't yet and it's on our internal roadmap to revisit in the near future but unfortunately i cannot provide any firm dates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor doc typo, but otherwise LGTM 👍
This has been released in version 2.2.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.2.0"
}
# ... other configuration ... |
Optional: true, | ||
Type: schema.TypeString, | ||
Optional: true, | ||
ValidateFunc: azure.ValidateKeyVaultChildId, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@katbyte i am quite sure this break the autorenew feature of the application gateway
After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for SSL termination. The instances also poll Key Vault at 24-hour intervals to retrieve a renewed version of the certificate, if it exists. If an updated certificate is found, the SSL certificate currently associated with the HTTPS listener is automatically rotated.
With your validator you need to specify an exact version of the secret so the renew will not work.
You just need to point to the secret without the version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree. The current tf code wants 3 parts : vaulturl/certificate name/hash
This adds it but app gateway never sees new versions of the cert. In order to have this it's only needs 2 part: vaulturl/certificate name.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@francescopersico since this PR's been merged, can you open a new issue to track that? Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's already exists #6188
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
This is my first time contributing, so I may have missed something.
Implements key vault certificates on HTTPS listener for application gateway. See Issue #3935
According to this Microsoft issue (MicrosoftDocs/azure-docs#34382), the key vault must be set for safe delete mode to work, so I also included that in this PR.
Proposed Terraform Configuration
azurerm_application_gateway
key_vault_secret_id
parameterazurerm_application_gateway
enable_soft_delete
parameter(fixes #3935)