
I'm trying to upload a .cer certificate to the backend settings of the Application Gateway using the code below:

# Key Vault secret that holds the backend's root .cer. Only its `name`
# is consumed below (by trusted_root_certificate_names); the vault it lives
# in is declared elsewhere in this configuration.
data "azurerm_key_vault_secret" "intdev-api-cer" {
  key_vault_id = data.azurerm_key_vault.nw-kv-ie1.id
  name         = "intdev-api-cer"
}

# Listener certificate, read from the same vault. The gateway's ssl_certificate
# block uses its `name` and `secret_id` (the certificate's backing secret).
data "azurerm_key_vault_certificate" "intdev-api" {
  key_vault_id = data.azurerm_key_vault.nw-kv-ie1.id
  name         = "intdev-api"
}

# Excerpt only: the author elided part of this resource (".......") and the
# closing brace is not shown, so the block is not a complete configuration.
# In particular no `identity` block is visible, which the ssl_certificate
# block's key_vault_secret_id reference would need in order to read the vault.
resource "azurerm_application_gateway" "appgw1" {
.......

  # Backend hosts, redacted. They are reached over HTTPS (see
  # backend_http_settings), so the gateway has to trust whatever issued the
  # certificate they present.
  backend_address_pool {
    name         = "Backendpool-intdev-api"
    ip_addresses = ["X.X.X.X", "X.X.X.X"]
  }

  backend_http_settings {
    name                           = "Backendsettings-intdev-api"
    cookie_based_affinity          = "Disabled"
    path                           = "/"
    port                           = 443
    protocol                       = "Https"
    request_timeout                = 60
    # Also used as the probe host, via pick_host_name_from_backend_http_settings.
    host_name                      = "intdev-api.xxx.com"
    probe_name                     = "Healthprobe-intdev-api"
    # BUG: this attribute lists the `name` of a trusted_root_certificate block
    # declared on this gateway, not a Key Vault secret name. No such block is
    # defined in this resource, which is what the InvalidResourceReference error
    # reports. A .cer root is public material and does not need to go through
    # Key Vault; declare it in a trusted_root_certificate block and reference
    # that block's name here.
    trusted_root_certificate_names = [data.azurerm_key_vault_secret.intdev-api-cer.name]
  }

  # Listener certificate pulled from Key Vault by reference (the .pfx side).
  ssl_certificate {
    name                = data.azurerm_key_vault_certificate.intdev-api.name
    key_vault_secret_id = data.azurerm_key_vault_certificate.intdev-api.secret_id
  }

  http_listener {
    name                           = "Listener-intdev-api"
    frontend_ip_configuration_name = "xyz"
    frontend_port_name             = "abc"
    protocol                       = "Https"
    host_name                      = "intdev-api.xxx.com"
    ssl_certificate_name           = data.azurerm_key_vault_certificate.intdev-api.name
  }

  request_routing_rule {
    name                       = "Rule-intdev-api"
    rule_type                  = "Basic"
    http_listener_name         = "Listener-intdev-api"
    backend_address_pool_name  = "Backendpool-intdev-api"
    # BUG: "Backendsetting-intdev-api" does not match the backend_http_settings
    # name above ("Backendsettings-intdev-api", plural). This would be the next
    # unresolved reference once the trusted root problem is fixed.
    backend_http_settings_name = "Backendsetting-intdev-api"
    priority                   = 3
  }

  # HTTPS probe against the backend; the host name comes from the backend
  # settings, so the probe exercises the same TLS trust path as real traffic.
  probe {
    name                                      = "Healthprobe-intdev-api"
    protocol                                  = "Https"
    pick_host_name_from_backend_http_settings = true
    path                                      = "/"
    interval                                  = 30
    timeout                                   = 30
    unhealthy_threshold                       = 3
  }

Error: updating Application Gateway: (Name "appgw1" / Resource Group "xyzabc"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidResourceReference" Message="Resource data.azurerm_key_vault_secret.intdev-api-cer.name referenced by resource backendHttpSettingsCollection/Backendsettings-intdev-api was not found . Please make sure that the referenced resource exists, and that both resources are in the same region." Details=[]

What am I doing wrong here?



I tried to reproduce the same setup in my environment, and the result is below.

I created a Key Vault, generated a new certificate, and uploaded it to the Application Gateway's SSL listener using the Terraform code below.

# Provider configuration; the features block is left empty, so every provider
# feature flag takes its default.
provider "azurerm" {
    features{}
}
# Identity running Terraform. Its tenant_id and object_id feed the vault's first
# access_policy, so the deployer can create the certificate resource below.
data "azurerm_client_config" "current" {}

# Pre-existing resource group; every resource below takes its name and
# location from here.
data "azurerm_resource_group" "example"{
    name = "theja-rg"
}

# Identity the gateway runs as for Key Vault access. The vault grants it
# secret Get only, and the gateway attaches it through its identity block,
# which is what lets ssl_certificate.key_vault_secret_id resolve.
resource "azurerm_user_assigned_identity" "venkat" {
  name                = "venkat-keyvault"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
}

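# Key Vault holding the listener certificate. Two access policies: one for the
# identity running Terraform (so it can create the certificate resource) and a
# read-only one for the gateway's user-assigned identity.
resource "azurerm_key_vault" "venkattest" {
  name                = "thejademo12345"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Deployer identity. These permission sets are broad for a demo (they include
  # Purge and issuer management); trim them to what the pipeline actually needs
  # outside a throwaway environment.
  access_policy {
    object_id = data.azurerm_client_config.current.object_id
    tenant_id = data.azurerm_client_config.current.tenant_id

    certificate_permissions = [
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "SetIssuers",
      "Update"
    ]

    key_permissions = [
      "Backup",
      "Create",
      "Decrypt",
      "Delete",
      "Encrypt",
      "Get",
      "Import",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Sign",
      "UnwrapKey",
      "Update",
      "Verify",
      "WrapKey"
    ]

    # "Restore" was listed twice in the original; the duplicate is removed.
    secret_permissions = [
      "Backup",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Restore",
      "Set"
    ]
  }

  # Gateway identity: needs only to read the certificate's backing secret, which
  # is what the gateway's ssl_certificate.key_vault_secret_id fetches.
  access_policy {
    object_id = azurerm_user_assigned_identity.venkat.principal_id
    tenant_id = data.azurerm_client_config.current.tenant_id

    secret_permissions = [
      "Get"
    ]
  }
}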

# Exposes the certificate's secret identifier (a vault URI, not the key
# material itself); the same value is passed to the gateway's ssl_certificate.
output "secret_identifier" {
  value = azurerm_key_vault_certificate.example.secret_id
}

# Self-signed listener certificate generated inside the vault. It is exportable
# and stored as PKCS#12, which is the form the gateway pulls via
# key_vault_secret_id.
resource "azurerm_key_vault_certificate" "example" {
  key_vault_id = azurerm_key_vault.venkattest.id
  name         = "venkatvault"

  certificate_policy {
    # Self-issued; there is no CA chain for clients to validate.
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      key_type   = "RSA"
      key_size   = 2048
      exportable = true
      reuse_key  = true
    }

    # The vault renews 30 days before expiry. NOTE(review): the gateway pins the
    # versioned secret_id, so a renewal presumably only reaches the gateway on a
    # subsequent apply — confirm.
    lifetime_action {
      trigger {
        days_before_expiry = 30
      }

      action {
        action_type = "AutoRenew"
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      subject            = "CN=hello-world"
      validity_in_months = 12

      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      # Broad for a leaf TLS certificate (cRLSign / keyCertSign are CA-style
      # usages); harmless for a demo, but worth narrowing for real use.
      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      # Placeholder names; neither matches a listener host in this listing.
      subject_alternative_names {
        dns_names = ["internal.contoso.com", "domain.hello.world"]
      }
    }
  }
}

# Network the gateway subnet is carved from; its name also seeds every local
# used to name the gateway's sub-resources.
resource "azurerm_virtual_network" "example" {
  name                = "venkat-network"
  address_space       = ["10.254.0.0/16"]
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
}

# Subnet the gateway is deployed into (gateway_ip_configuration).
resource "azurerm_subnet" "frontend" {
  name                 = "Afrontend"
  address_prefixes     = ["10.254.0.0/24"]
  virtual_network_name = azurerm_virtual_network.example.name
  resource_group_name  = data.azurerm_resource_group.example.name
}

# Backend subnet. Nothing in this listing references it; the gateway's backend
# pool is left empty.
resource "azurerm_subnet" "backend" {
  name                 = "Abackend"
  address_prefixes     = ["10.254.2.0/24"]
  virtual_network_name = azurerm_virtual_network.example.name
  resource_group_name  = data.azurerm_resource_group.example.name
}

# Static Standard-SKU public IP for the gateway's frontend.
resource "azurerm_public_ip" "example" {
  name                = "venkat-pip"
  sku                 = "Standard"
  allocation_method   = "Static"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
}
# Names for the gateway's sub-resources, all derived from the VNet name.
# redirect_configuration_name is declared but not used anywhere in this listing.
locals {
  backend_address_pool_name      = "${azurerm_virtual_network.example.name}-beap"
  frontend_ip_configuration_name = "${azurerm_virtual_network.example.name}-feip"
  frontend_port_name             = "${azurerm_virtual_network.example.name}-feport"
  http_setting_name              = "${azurerm_virtual_network.example.name}-be-htst"
  listener_name                  = "${azurerm_virtual_network.example.name}-httplstn"
  redirect_configuration_name    = "${azurerm_virtual_network.example.name}-rdrcfg"
  request_routing_rule_name      = "${azurerm_virtual_network.example.name}-rqrt"
}

# Not referenced by any other resource in this listing; appears to be leftover.
resource "null_resource" "previous" {}

# Pauses 240s after the vault exists; the gateway depends on this timer.
# NOTE(review): presumably to let the vault access policy / identity assignment
# propagate before the gateway tries to read the secret — confirm.
resource "time_sleep" "wait_240_seconds" {
  create_duration = "240s"

  depends_on = [azurerm_key_vault.venkattest]
}

# Standard_v2 gateway with one HTTPS listener whose certificate is read from
# Key Vault through the user-assigned identity. Note this reproduces only the
# listener (.pfx) side; it does not declare any trusted root certificate for
# the backend, which was the asker's actual problem.
resource "azurerm_application_gateway" "network" {
  name                = "venkat-appgateway"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  # The identity the vault's second access_policy grants secret Get to.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.venkat.id]
  }

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "venkat-gateway"
    subnet_id = azurerm_subnet.frontend.id
  }

  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.example.id
  }

  frontend_port {
    name = local.frontend_port_name
    port = 443
  }

  # Certificate by reference: the versioned secret URI from the vault.
  ssl_certificate {
    name                = "app_listener"
    key_vault_secret_id = azurerm_key_vault_certificate.example.secret_id
  }

  http_listener {
    name                           = local.listener_name
    protocol                       = "Https"
    frontend_port_name             = local.frontend_port_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    ssl_certificate_name           = "app_listener"
  }

  # No members; nothing is actually forwarded in this demo.
  backend_address_pool {
    name = local.backend_address_pool_name
  }

  # HTTPS to the backend with no trusted_root_certificate_names and no
  # host_name override. NOTE(review): whether a real backend's certificate is
  # accepted then depends on its issuer — confirm against the target.
  backend_http_settings {
    name                  = local.http_setting_name
    protocol              = "Https"
    port                  = 443
    path                  = "/path1/"
    cookie_based_affinity = "Disabled"
    request_timeout       = 60
  }

  request_routing_rule {
    name                       = local.request_routing_rule_name
    rule_type                  = "Basic"
    priority                   = 3
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }

  depends_on = [time_sleep.wait_240_seconds]
}

Terraform plan:


Terraform apply:


After running the above code, the resources were created successfully and the certificate was uploaded to the Application Gateway.


Reference: Stack link by Ansuman Bal.


The problem was that I was trying to attach a trusted root certificate to the backend settings by referencing it through Key Vault. I had to define a `trusted_root_certificate` block and reference that block in the backend settings.

The code above is about uploading a .pfx certificate to the listener.