
azurerm_app_service_certificate issue when creating multiple App Service certificates backed by the same Key Vault Cert #4991

Closed
andydkelly-ig opened this issue Nov 26, 2019 · 3 comments
Labels
bug service/app-service service/key-vault Key Vault upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc)

Comments

@andydkelly-ig

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Affected Resource(s)

  • azurerm_app_service_certificate

Terraform Configuration Files

resource "azurerm_app_service_certificate" "india-test" {
  name                = "india"
  resource_group_name = "ui-test"
  location            = "Central India"
  key_vault_secret_id = "${data.azurerm_key_vault_secret.certTest.id}"
}

resource "azurerm_app_service_certificate" "star-dev-au-east" {
  name                = "australia"
  resource_group_name = "ui-test"
  location            = "Australia East"
  key_vault_secret_id = "${data.azurerm_key_vault_secret.certTest.id}"
}

Expected Behavior

I expect this to create 2 App Service Certificates in the ui-test resource group that can be bound to a hostname.

Actual Behavior

I am not sure if this is a Terraform issue or a bug with the Azure SDK under the covers. What happens is that both resources are created, and can be accessed using the path:

/subscriptions/ab4c26b1-1234-488b-1234-894d862f9816/resourceGroups/ui-test/providers/Microsoft.Web/certificates/india

and

/subscriptions/ab4c26b1-1234-488b-1234-894d862f9816/resourceGroups/ui-test/providers/Microsoft.Web/certificates/india

The problem is that only the first one created becomes available in the App Service for that region. The second one we created with a different name but backed by the same Azure Key Vault Certificate exists but can't be viewed inside the App Service so it cannot be used.

I have noticed that if you try to do this process through the GUI you cannot name the cert; it auto-names it for you in the format keyvaultName-certName, so in our example it would be called test-kv-certTest, which would prevent me from adding a second cert backed by the same Key Vault ID, as it would create a duplicate name in the resource group (albeit in different regions).

Steps to Reproduce

1 - Upload a PFX cert to Key Vault.
2 - Use the azurerm_app_service_certificate resource to add a cert to a resource group (let's call it test) in a location (let's use india), using the ID of the cert you added to Key Vault.
3 - Create another azurerm_app_service_certificate resource using the same Key Vault ID and the same resource group, but use a different location (let's use australia).
4 - Navigate through the UI to the India Azure App Service, look under TLS/SSL settings and Private Key Certificates, and see the cert available to use.
5 - Navigate through the UI to the Australia Azure App Service, look under TLS/SSL settings and Private Key Certificates, and see that the cert isn't there.

@tombuildsstuff tombuildsstuff added the upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) label Dec 16, 2020
@tombuildsstuff
Contributor

hi @andydkelly-ig

Thanks for opening this issue.

Taking a look through here this appears to be an issue with the Terraform Configuration being used, where multiple resources are being provisioned with the same name. Whilst the Azure Provider checks for the presence of an existing resource (so that we don't unintentionally "adopt" it during Create), at this point in time Terraform doesn't have a mechanism to detect these conflicts at plan time.

Support for this is being tracked in this upstream issue: hashicorp/terraform-plugin-sdk#224 - once the Plugin SDK exposes a mechanism for supporting this behaviour we can take a look into adopting this. However since this isn't something we can fix at this point in time, I'm going to close this in favour of the upstream issue for the moment: hashicorp/terraform-plugin-sdk#224 - would you mind subscribing to that issue for updates?

Thanks!
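One way to close the plan-time gap described above yourself, as an added example that is not part of this issue or of the AzureRM provider: a small pre-apply check that parses `terraform show -json tfplan` output and flags azurerm_app_service_certificate resources that would be created in one resource group with a duplicate name or backed by the same Key Vault secret ID. The plan JSON below is constructed to mirror the two resources in the report; the Key Vault URL in it is a made-up sample value.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `terraform show -json tfplan` output,
# mirroring the two resources from the issue (not real plan output).
PLAN_JSON = json.dumps({
    "resource_changes": [
        {"address": "azurerm_app_service_certificate.india-test",
         "type": "azurerm_app_service_certificate", "name": "india-test",
         "change": {"actions": ["create"], "after": {
             "name": "india", "resource_group_name": "ui-test",
             "location": "Central India",
             "key_vault_secret_id": "https://test-kv.vault.azure.net/secrets/certTest/0123"}}},
        {"address": "azurerm_app_service_certificate.star-dev-au-east",
         "type": "azurerm_app_service_certificate", "name": "star-dev-au-east",
         "change": {"actions": ["create"], "after": {
             "name": "australia", "resource_group_name": "ui-test",
             "location": "Australia East",
             "key_vault_secret_id": "https://test-kv.vault.azure.net/secrets/certTest/0123"}}},
    ]
})


def find_conflicts(plan_json):
    """Return warning strings for App Service certificates that a plan would
    create in the same resource group with a duplicate name or with the same
    Key Vault secret ID (the situation this issue describes)."""
    plan = json.loads(plan_json)
    by_name = defaultdict(list)    # (resource group, cert name) -> addresses
    by_secret = defaultdict(list)  # (resource group, secret id) -> addresses
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_app_service_certificate":
            continue
        if "create" not in rc["change"]["actions"]:
            continue  # only new resources can collide with each other
        after = rc["change"].get("after") or {}
        rg = after.get("resource_group_name")
        by_name[(rg, after.get("name"))].append(rc["address"])
        by_secret[(rg, after.get("key_vault_secret_id"))].append(rc["address"])
    warnings = []
    for (rg, name), addrs in by_name.items():
        if len(addrs) > 1:
            warnings.append(f"duplicate certificate name '{name}' in {rg}: {', '.join(addrs)}")
    for (rg, secret), addrs in by_secret.items():
        if len(addrs) > 1:
            warnings.append(f"same Key Vault secret used by {len(addrs)} certificates in {rg}: {', '.join(addrs)}")
    return warnings


if __name__ == "__main__":
    for w in find_conflicts(PLAN_JSON):
        print("WARNING:", w)
```

Run it against real output with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and feed the file contents to `find_conflicts`; a non-empty result is the conflict the provider cannot surface at plan time.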

@andydkelly-ig
Author

Thanks Tom. Subscribed to #224

@ghost

ghost commented Jan 15, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 15, 2021