
azurerm_application_gateway - support for Key Vault SSL certificate ids #4366

Merged
merged 16 commits into from
Mar 18, 2020

Conversation


@AlexMabry AlexMabry commented Sep 18, 2019

This is my first time contributing, so I may have missed something.

Implements key vault certificates on HTTPS listener for application gateway. See Issue #3935

According to this Microsoft issue (https://github.com/MicrosoftDocs/azure-docs/issues/34382), the key vault must be set for safe delete mode to work, so I also included that in this PR.

Proposed Terraform Configuration

azurerm_application_gateway

  • add new key_vault_secret_id parameter

resource "azurerm_application_gateway" "test" {
  name                = var.app_gw_name
  resource_group_name = data.azurerm_resource_group.ResourceGroup.name
  location            = data.azurerm_resource_group.ResourceGroup.location

  ssl_certificate {
    name                = var.ssl_certificate_name
    key_vault_secret_id = azurerm_key_vault_certificate.test.secret_id
  }

  http_listener {
    name                           = var.https_listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Https"
    ssl_certificate_name           = var.ssl_certificate_name
  }
}

azurerm_application_gateway

  • add new enable_soft_delete parameter

resource "azurerm_key_vault" "test" {
  name                = var.key_vault_name
  resource_group_name = data.azurerm_resource_group.ResourceGroup.name
  location            = data.azurerm_resource_group.ResourceGroup.location

  enable_soft_delete  = true
}

(fixes #3935)

@jeremysingh

Any news on this?

@Ruankr

Ruankr commented Mar 11, 2020

Why is this moving further and further down the roadmap when it seems it's ready to go? I've been working with MS to drum up a solution outside of Terraform to allow for this once resources have been created, and I can assure you it's ugly. This would be an easy win and a very welcome change...

@katbyte
Collaborator

katbyte commented Mar 11, 2020

@CyanMass45, the PR in its current state is not ready to go, as it needs to be rebased on master and refactored into the new service package pattern, as well as have the key vault bits removed, as they were added separately in 2.0. The contributor hasn't yet, and it's on our internal roadmap to revisit in the near future, but unfortunately I cannot provide any firm dates.

@jackofallops jackofallops (Member) left a comment

One minor doc typo, but otherwise LGTM 👍

website/docs/r/application_gateway.html.markdown (outdated, resolved)
@katbyte katbyte changed the title Application Gateway support for Key Vault SSL certificate ids azurerm_application_gateway - support for Key Vault SSL certificate ids Mar 18, 2020
@katbyte katbyte merged commit 03e78fe into hashicorp:master Mar 18, 2020
katbyte added a commit that referenced this pull request Mar 18, 2020
@ghost

ghost commented Mar 19, 2020

This has been released in version 2.2.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.2.0"
}
# ... other configuration ...

Optional: true,
Type: schema.TypeString,
Optional: true,
ValidateFunc: azure.ValidateKeyVaultChildId,

@katbyte I am quite sure this breaks the auto-renew feature of the application gateway:

After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for SSL termination. The instances also poll Key Vault at 24-hour intervals to retrieve a renewed version of the certificate, if it exists. If an updated certificate is found, the SSL certificate currently associated with the HTTPS listener is automatically rotated.

With your validator you need to specify an exact version of the secret, so the renewal will not work.
You just need to point to the secret without the version.


I agree. The current tf code wants 3 parts: vaulturl/certificate name/hash

This adds it, but app gateway never sees new versions of the cert. In order to have this it only needs 2 parts: vaulturl/certificate name.
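The two comments above both come down to the shape of the Key Vault secret id: a 3-part id pins one certificate version, a 2-part id lets Application Gateway pick up renewals. As an added example (not code from this PR or from the provider; the names KeyVaultSecretID and RotationWarning and the sample vault URLs are assumptions), the following Go snippet parses both forms and flags a pinned version:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// KeyVaultSecretID is the parsed form of https://<vault>.vault.azure.net/secrets/<name>[/<version>].
// Version is empty for the versionless (2-part) form. Constructed type, not the provider's.
type KeyVaultSecretID struct {
	VaultBaseURL string
	Name         string
	Version      string
}

// ParseKeyVaultSecretID accepts the versioned (3-part) and versionless (2-part) forms, nothing else.
func ParseKeyVaultSecretID(id string) (*KeyVaultSecretID, error) {
	u, err := url.Parse(id)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("%q: expected an https Key Vault URL", id)
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "secrets" || parts[1] == "" {
		return nil, fmt.Errorf("%q: expected https://<vault>/secrets/<name>[/<version>]", id)
	}
	out := &KeyVaultSecretID{VaultBaseURL: "https://" + u.Host + "/", Name: parts[1]}
	if len(parts) == 3 {
		out.Version = parts[2]
	}
	return out, nil
}

// IsAutoRotatable reports whether Application Gateway will pick up renewed certificate
// versions: only a versionless reference qualifies, a pinned version keeps serving the old cert.
func (k *KeyVaultSecretID) IsAutoRotatable() bool { return k.Version == "" }

// RotationWarning returns "" when id is safe for auto-renewal, or a warning naming the
// versionless id to use instead. A plan-time check, not the provider's azure.ValidateKeyVaultChildId.
func RotationWarning(id string) (string, error) {
	k, err := ParseKeyVaultSecretID(id)
	if err != nil || k.IsAutoRotatable() {
		return "", err
	}
	return fmt.Sprintf("%s pins version %s; use %ssecrets/%s so renewals are picked up",
		id, k.Version, k.VaultBaseURL, k.Name), nil
}
```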


@francescopersico since this PR's been merged, can you open a new issue to track that? Thanks!


It already exists: #6188

@ghost

ghost commented Apr 18, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 18, 2020
Successfully merging this pull request may close these issues.

Application Gateway support for Keyvault SSL certificate
8 participants