This repository has been archived by the owner on Mar 27, 2023. It is now read-only.

[#174649420] Update apim custom domain certificate #241

Merged on Sep 21, 2020 (4 commits)


pasqualedevita
Contributor

  • update custom domain certificate from io-italia-it to api-internal-io-italia-it
  • update module source to version v2.0.36 to avoid subnet address_prefixies deprecation
terragrunt plan

      ~ hostname_configuration {
          ~ proxy {
              ~ default_ssl_binding          = false -> true
              ~ host_name                    = "io-p-apim-api.azure-api.net" -> "api-internal.io.italia.it"
              + key_vault_id                 = "XXXXX"
                negotiate_client_certificate = false
            }
          - proxy {
              - default_ssl_binding          = true -> null
              - host_name                    = "api-internal.io.italia.it" -> null
              - key_vault_id                 = "XXXXX" -> null
              - negotiate_client_certificate = false -> null
            }
        }


  # azurerm_api_management_property.api_management_property["apigad-gad-client-certificate-verified-header"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-fn3-services-key"] will be created
  + resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-fn3-services-url"] will be created
  + resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-functions-admin-key"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-functions-admin-url"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-functions-bonusapi-key"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-functions-bonusapi-url"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-functions-public-key"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-functions-public-url"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-functions-test-key"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }

  # azurerm_api_management_property.api_management_property["io-functions-test-url"] will be updated in-place
  ~ resource "azurerm_api_management_property" "api_management_property" {
      ...
      + value               = "sensitive_value"
    }


Plan: 2 to add, 10 to change, 0 to destroy.

Warning: This resource has been superseded by `azurerm_api_management_named_value` to reflects changes in the API/SDK and will be removed in version 3.0 of the provider.

@pasqualedevita pasqualedevita marked this pull request as ready for review September 4, 2020 09:54
@pasqualedevita
Contributor Author

Thank you @uolter, we'll manually update the custom domain certificate to prevent unexpected surprises with named values.
In the next days we'll realign the terraform repository.

@francescopersico
Contributor

Certificate updated

@uolter
Collaborator

uolter commented Sep 8, 2020

Thank you @uolter, we'll manually update the custom domain certificate to prevent unexpected surprises with named values.
In the next days we'll realign the terraform repository.

@pasqualedevita @francescopersico

The issue we see with the named values has been fixed with this piece of code:

https://github.com/terraform-providers/terraform-provider-azurerm/blob/bdcf1f9257b73fae1a758876556e58eebfced4f8/azurerm/internal/services/apimanagement/api_management_property_resource.go#L170

which is included in the latest version of the provider v2.26.0. Even if we update the provider I think we need to update manually the value in the state file or run an apply.

Actually it's also in version 2.22.0 but it does not work. It works when I use the resource azurerm_api_management_named_value.

@uolter
Collaborator

uolter commented Sep 8, 2020

@pasqualedevita @francescopersico all empty named values in the status file have been fixed.

terragrunt plan
....
Plan: 0 to add, 1 to change, 0 to destroy.

      ~ hostname_configuration {

          ~ proxy {
              ~ default_ssl_binding          = false -> true
              ~ host_name                    = "io-p-apim-api.azure-api.net" -> "api-internal.io.italia.it"
              + key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it/769f9c195e574b73a732db2ffaaac941"
                negotiate_client_certificate = false
            }
          - proxy {
              - default_ssl_binding          = true -> null
              - host_name                    = "api-internal.io.italia.it" -> null
              - key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it" -> null
              - negotiate_client_certificate = false -> null
            }
        }
....

can I apply this change?

@uolter
Collaborator

uolter commented Sep 9, 2020

@pasqualedevita @francescopersico all empty named values in the status file have been fixed.

terragrunt plan
....
Plan: 0 to add, 1 to change, 0 to destroy.

      ~ hostname_configuration {

          ~ proxy {
              ~ default_ssl_binding          = false -> true
              ~ host_name                    = "io-p-apim-api.azure-api.net" -> "api-internal.io.italia.it"
              + key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it/769f9c195e574b73a732db2ffaaac941"
                negotiate_client_certificate = false
            }
          - proxy {
              - default_ssl_binding          = true -> null
              - host_name                    = "api-internal.io.italia.it" -> null
              - key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it" -> null
              - negotiate_client_certificate = false -> null
            }
        }
....

can I apply this change?

We need to remove the version id from the key_vault_id before applying this change (thanks @pasqualedevita)

@uolter
Collaborator

uolter commented Sep 9, 2020

@pasqualedevita @francescopersico all empty named values in the status file have been fixed.

terragrunt plan
....
Plan: 0 to add, 1 to change, 0 to destroy.

      ~ hostname_configuration {

          ~ proxy {
              ~ default_ssl_binding          = false -> true
              ~ host_name                    = "io-p-apim-api.azure-api.net" -> "api-internal.io.italia.it"
              + key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it/769f9c195e574b73a732db2ffaaac941"
                negotiate_client_certificate = false
            }
          - proxy {
              - default_ssl_binding          = true -> null
              - host_name                    = "api-internal.io.italia.it" -> null
              - key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it" -> null
              - negotiate_client_certificate = false -> null
            }
        }
....

can I apply this change?

We need to remove the version id from the key_vault_id before applying this change (thanks @pasqualedevita)

With this PR: pagopa-archive/io-infrastructure-modules-new#156 we can remove the certificate version.
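
The check discussed in this thread, as an added example (not code from this repository or its modules): it scans `terraform plan` text for `key_vault_id` values that would still carry a secret version after apply and returns the versionless form. The vault name, secret name and version in `SAMPLE_PLAN`, and both function names, are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the plan output quoted in this thread;
# the vault name, secret name and version are placeholders, not real values.
SAMPLE_PLAN = '''\
  ~ proxy {
      + key_vault_id = "https://example-kv.vault.azure.net/secrets/example-cert/0123456789abcdef0123456789abcdef"
    }
  - proxy {
      - key_vault_id = "https://example-kv.vault.azure.net/secrets/example-cert" -> null
    }
      + key_vault_id = "XXXXX"
'''

# Optional plan marker (+, ~ or -), then the attribute and its value(s).
_ATTR = re.compile(r'^\s*([+~-])?\s*key_vault_id\s*=\s*(.+)$')
_QUOTED = re.compile(r'"([^"]*)"')


def split_secret_id(secret_id):
    """Return (versionless_id, version or None) for a Key Vault secret ID."""
    url = urlsplit(secret_id)
    parts = [p for p in url.path.split("/") if p]
    if url.scheme != "https" or len(parts) not in (2, 3) or parts[0] != "secrets":
        raise ValueError(f"not a Key Vault secret ID: {secret_id!r}")
    base = f"https://{url.netloc}/secrets/{parts[1]}"
    return base, (parts[2] if len(parts) == 3 else None)


def pinned_key_vault_ids(plan_text):
    """List (line_no, versionless_id, version) for planned values pinning a version."""
    findings = []
    for line_no, line in enumerate(plan_text.splitlines(), start=1):
        m = _ATTR.match(line)
        if not m or m.group(1) == "-":
            continue  # attributes being removed do not survive the apply
        # With "old -> new", only the value after the arrow is applied.
        values = _QUOTED.findall(m.group(2).split("->")[-1])
        if not values:
            continue  # e.g. "-> null"
        try:
            base, version = split_secret_id(values[-1])
        except ValueError:
            continue  # masked or non-URL value such as "XXXXX"
        if version:
            findings.append((line_no, base, version))
    return findings
```

Calling `pinned_key_vault_ids(SAMPLE_PLAN)` reports only the added versioned value on line 2; the removed attribute and the masked `"XXXXX"` value are skipped.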

@pasqualedevita
Contributor Author

For me, it's ok to apply with the new module version which includes pagopa-archive/io-infrastructure-modules-new#156

@uolter
Collaborator

uolter commented Sep 9, 2020

the plan looks good now:

  ~ hostname_configuration {

          ~ proxy {
              ~ default_ssl_binding          = false -> true
              ~ host_name                    = "io-p-apim-api.azure-api.net" -> "api-internal.io.italia.it"
              + key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it"
                negotiate_client_certificate = false
            }
          - proxy {
              - default_ssl_binding          = true -> null
              - host_name                    = "api-internal.io.italia.it" -> null
              - key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it" -> null
              - negotiate_client_certificate = false -> null
            }
        }

@uolter
Collaborator

uolter commented Sep 9, 2020

For me, it's ok to apply with the new module version which includes pagopa/io-infrastructure-modules-new#156

@francescopersico can we apply this PR now?

@uolter
Collaborator

uolter commented Sep 21, 2020

the plan looks good now:

  ~ hostname_configuration {

          ~ proxy {
              ~ default_ssl_binding          = false -> true
              ~ host_name                    = "io-p-apim-api.azure-api.net" -> "api-internal.io.italia.it"
              + key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it"
                negotiate_client_certificate = false
            }
          - proxy {
              - default_ssl_binding          = true -> null
              - host_name                    = "api-internal.io.italia.it" -> null
              - key_vault_id                 = "https://io-p-kv-common.vault.azure.net/secrets/api-internal-io-italia-it" -> null
              - negotiate_client_certificate = false -> null
            }
        }

This seems a well known issue still open: hashicorp/terraform-provider-azurerm#7299

@uolter
Collaborator

uolter commented Sep 21, 2020

@pasqualedevita @francescopersico I am going to merge this branch.
There is a bug in the azure terraform provider (hashicorp/terraform-provider-azurerm#7299).
A fix is available, but not merged yet :(
I've built locally a custom provider which includes the fixes and run a plan:

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

It works !!!

@uolter uolter merged commit 4bee45c into master Sep 21, 2020
@uolter uolter deleted the 174649420-update-apim-custom-domain-certificate branch October 19, 2020 07:07