mahi

Reputation: 1

Terraform - Azure application gateway issue with keyvault certificate integration

I am trying to deploy an application gateway with an SSL certificate from Key Vault. It prompts the error SecretIdSpecifiedIsInvalid when I run terraform apply, even though the error shows the correct certificate id and name, which I can validate manually in the portal.

I am also able to deploy app gateway manually using the same certificate from keyvault.

│ Error: creating Application Gateway: (Name "poc-appgw-iaps" / Resource Group "poc-rg-appgw"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="SecretIdSpecifiedIsInvalid" Message="SecretId 'https://pockv-iaps.vault.azure.net/certificates/poc-cert-admin/xxxxxxxxxx' specified in '/subscriptions/xxxxxxxxxxxxxxx/resourceGroups/poc-rg-appgw/providers/Microsoft.Network/applicationGateways/poc-appgw-iaps/sslCertificates/poc-cert-admin' is invalid." Details=[]

Upvotes: 0

Views: 2455

Answers (1)

kavya Saraboju

Reputation: 10871

  • Initially, please try to solve this problem by upgrading to the latest azurerm Terraform provider. The latest should contain fixes for the situation if the provisioning is all correct.
  • The ssl_certificate block must contain your PFX certificate. data must be used if the key vault secret_id is not already set.
  • The key vault secret id of the base64-encoded, unencrypted PFX certificate/secret must be stored in Azure Key Vault.

Please note that to enable the above feature, Azure Key Vault soft delete must be enabled.

Please make sure to have the required access policies to get secrets.

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# User-assigned identity that the application gateway will use to read the certificate from Key Vault
resource "azurerm_user_assigned_identity" "base" {
  resource_group_name = "resourcegroup"
  location            = "resgrouplocation"
  name                = "appgwkeyvault"
}

data "azurerm_key_vault" "example" {
  name                = "keyvault-name"
  resource_group_name = "resourcegroup"
}

# Grant the identity read access; "Get" on secrets is what the gateway needs to fetch the PFX
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = data.azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.base.principal_id

  key_permissions = [
    "Get",
  ]

  certificate_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}

# Secret identifier (https://<vault>.vault.azure.net/secrets/<name>/<version>) of the imported certificate
output "secret_identifier" {
  value = azurerm_key_vault_certificate.example.secret_id
}

# TODO: soft delete is required on the key vault
# The block below goes inside the azurerm_application_gateway resource, which must also
# carry an identity block referencing azurerm_user_assigned_identity.base.id
ssl_certificate {
  name                = "app_listener"
  key_vault_secret_id = azurerm_key_vault_certificate.example.secret_id
}

Please make sure the certificate properties are properly given; secrets must be in .pfx format.

resource "azurerm_key_vault_certificate" "example" {
  name         = "imported-cert"
  key_vault_id = data.azurerm_key_vault.example.id

  # make sure the certificate is a base64-encoded PFX certificate
  certificate {
    contents = filebase64("C:/appgwlistener.pfx")
    password = "password" # prefer a sensitive variable over a literal kept in source control
  }

  certificate_policy {
    # ... (remaining certificate_policy settings omitted in the original answer)

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }
}

The references below can guide you:

  1. Terraform - How to attach SSL certificate stored in Azure KeyVault to an Application Gateway - Stack Overflow
  2. key_vault_secret_id in azurerm_application_gateway | Terraform Registry

Upvotes: 1
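The answer's steps (user-assigned identity, access policy, PFX stored as a Key Vault secret, ssl_certificate referencing the secret id) pulled together into one complete azurerm_application_gateway resource. This is an added example, not code from the answer or from the azurerm provider documentation. The variables resource_group_name, location, identity_id, subnet_id, public_ip_id and key_vault_secret_id are assumptions standing in for the answer's resources, and the validation block is an added check that rejects a certificate identifier path (the ".../certificates/<name>/<version>" form that appears in the question's error message) at plan time, before the API returns SecretIdSpecifiedIsInvalid.

```hcl
provider "azurerm" {
  features {}
}

# Inputs mapped to the answer's resources (assumed names, constructed for this example):
#   identity_id         -> azurerm_user_assigned_identity.base.id
#   key_vault_secret_id -> azurerm_key_vault_certificate.example.secret_id
variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "identity_id"         { type = string }
variable "subnet_id"           { type = string }
variable "public_ip_id"        { type = string }

variable "key_vault_secret_id" {
  type = string
  # Application Gateway accepts only a Key Vault *secret* identifier. A certificate
  # identifier (".../certificates/<name>/<version>") is rejected by the API with
  # SecretIdSpecifiedIsInvalid, so catch it during plan instead of during apply.
  validation {
    condition     = can(regex("^https://[^/]+/secrets/[^/]+(/[^/]+)?$", var.key_vault_secret_id))
    error_message = "key_vault_secret_id must be a Key Vault secret identifier: https://<vault>.vault.azure.net/secrets/<name>[/<version>]."
  }
}

resource "azurerm_application_gateway" "example" {
  name                = "appgw-kv-example"
  resource_group_name = var.resource_group_name
  location            = var.location

  # Key Vault integration requires a v2 SKU
  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }

  # Without this block the gateway has no principal to read the secret with;
  # the Key Vault access policy alone is not enough.
  identity {
    type         = "UserAssigned"
    identity_ids = [var.identity_id]
  }

  gateway_ip_configuration {
    name      = "gw-ip-config"
    subnet_id = var.subnet_id
  }

  frontend_port {
    name = "https-port"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "public-frontend"
    public_ip_address_id = var.public_ip_id
  }

  backend_address_pool {
    name = "backend-pool"
  }

  backend_http_settings {
    name                  = "https-settings"
    cookie_based_affinity = "Disabled"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 20
  }

  # The certificate is referenced by secret id rather than embedded with data/password,
  # so the PFX and its password stay in Key Vault and out of this resource's state.
  ssl_certificate {
    name                = "app_listener"
    key_vault_secret_id = var.key_vault_secret_id
  }

  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "public-frontend"
    frontend_port_name             = "https-port"
    protocol                       = "Https"
    ssl_certificate_name           = "app_listener"
  }

  request_routing_rule {
    name                       = "https-rule"
    rule_type                  = "Basic"
    priority                   = 100
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "backend-pool"
    backend_http_settings_name = "https-settings"
  }
}
```

With this layout the gateway's identity is the only principal that needs "Get" on secrets, so the access policy in the answer stays at least privilege, and a wrong identifier is surfaced by terraform validate/plan with the variable's error message rather than by a 400 from the Network resource provider.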
