
I have a Terraform deployment that deploys an Application Gateway in Azure to control traffic to an Application Service Environment hosting an application. Currently, the deployment creates a listener that is using port 80/HTTP but now that I have everything working as I want, I want to modify the deployment to do SSL termination at the App Gateway. I have created a self-signed certificate for testing purposes and I have loaded the certificate into Azure Key Vault. I am now trying to figure out how to modify my deployment to use the certificate. The only thing I can find is the need to add the ssl_certificate_name property to the listener but I know there is more to it than that. How do I tell Terraform "where" the certificate is?

phydeauxman
  • you can pull the values from the kv at deployment time, not sure if crappyform can do that, arm templates can – 4c74356b41 Jan 21 '19 at 05:40

1 Answer


Unfortunately, an Application Gateway does not support getting references directly from a certificate stored in Key Vault; you could upvote the request to support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway.

From this document, an http_listener block only supports referencing a certificate via ssl_certificate_name, so you could reference the certificate by the name and data attributes in the ssl_certificate block. In this block, data requires the contents of the authentication certificate which should be used. Also, you could use the built-in function file to read the certificate's base64-encoded contents. For example, to read a file: ${file("path.txt")}.

  ssl_certificate {
    name     = "default"
    data     = "${base64encode(file("mycert.pfx"))}"
    password = "XXXXXXX"
  }

and

  http_listener {
    name                           = "https"
    frontend_ip_configuration_name = "default"
    frontend_port_name             = "https"
    protocol                       = "Https"
    ssl_certificate_name           = "default"
  }

You can find more scenarios in attaching SSL certificate to Azure application gateway in Terraform and Azure Application Gateway with end-to-end SSL.

Nancy
  • Thanks for the info, this was very helpful. Unless I am missing something, there is no documentation for the `ssl_certificate` block in the Terraform documentation for `Application Gateway`. – phydeauxman Jan 23 '19 at 01:45
  • I also noticed that, but I found people always use that block. You could read it in the example scenarios. I think this should be the same utility with `authentication_certificate` block in application gateway but add extra `password` parameter. – Nancy Jan 23 '19 at 01:55
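To show how the two blocks from the answer fit into the rest of the resource, here is an added example (not code from the answer or from the Terraform provider docs) of the blocks that move an existing azurerm_application_gateway listener from 80/HTTP to 443/HTTPS. It assumes Terraform 0.12+ syntax, that the resource already has its sku, gateway_ip_configuration, a frontend_ip_configuration named "default" and backend blocks named "ase-pool" and "http", and that the PFX password is supplied through a variable rather than a literal in the configuration.

```hcl
# Added example (not from the answer): the blocks inside an existing
# azurerm_application_gateway that move the listener from 80/HTTP to
# 443/HTTPS. Terraform 0.12+ syntax; the sku, gateway_ip_configuration,
# frontend_ip_configuration "default" and the backend blocks named below
# are assumed to already exist in the resource.

variable "pfx_password" {
  description = "Password of mycert.pfx; supply via TF_VAR_pfx_password, not in source"
  type        = string
}

resource "azurerm_application_gateway" "example" {
  # ... name, resource_group_name, location, sku, gateway_ip_configuration
  #     and frontend_ip_configuration { name = "default" } as before ...

  # The listener references the port by name, so 443 must be declared.
  frontend_port {
    name = "https"
    port = 443
  }

  # "Where" the certificate is: the PFX is uploaded inline, base64-encoded,
  # and the listener points at this block by name. Both data and password
  # end up in Terraform state, so keep the state backend access-controlled.
  ssl_certificate {
    name     = "default"
    data     = filebase64("mycert.pfx")
    password = var.pfx_password
  }

  http_listener {
    name                           = "https"
    frontend_ip_configuration_name = "default"
    frontend_port_name             = "https"
    protocol                       = "Https"
    ssl_certificate_name           = "default"
  }

  # A listener is inert until a routing rule sends its traffic to a backend;
  # the pool and settings names must match blocks already in the resource.
  request_routing_rule {
    name                       = "https-rule"
    rule_type                  = "Basic"
    http_listener_name         = "https"
    backend_address_pool_name  = "ase-pool"
    backend_http_settings_name = "http"
  }
}
```

Because the gateway terminates TLS here, the backend_http_settings can stay on port 80 toward the App Service Environment; switching them to 443 is what the "end-to-end SSL" scenario linked in the answer covers.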