Closed graememeyer closed 11 months ago
Note: I granted every certificate permission available here both to myself and the Azure App Service, just to rule out permissions issues (since that's what it's intermittently complaining about).
I've just realised TF may be failing to actually create the App Service Certificate in the first place - it's not showing up in the Azure Portal, so unless it's being created with permissions that mean I can't see it (I'm a global admin), then I think it's actually the create operation that must be failing.
Edit: disregard this comment. The azurerm_app_service_certificate does show up in the Azure Portal, it's just a hidden type called microsoft.web/certificates. I was misunderstanding the resource mapping of the API to the portal. For anyone else in future that gets confused:
| Azure Portal (GUI) Name | Azure API Resource | Terraform Resource |
|---|---|---|
| "Azure App Service Certificate" | Microsoft.CertificateRegistration/certificateOrders | azurerm_app_service_certificate_order |
| Hidden Type: Microsoft.Web/certificates | Microsoft.Web/certificates | azurerm_app_service_certificate |
My bug report about the alternating success/failure to create azurerm_app_service_certificate_order still stands.
Thanks @graememeyer for raising this issue.
I noticed that you are using the access_policy block in azurerm_key_vault and using azurerm_key_vault_access_policy at the same time. There will be conflicts using these two resources at the same time as mentioned in our official guidance here.
Can you try using one of them and see if the issue can be resolved? It works fine by using only one of these two resources from my side.
Thanks, feel free to let me know if there is anything needed.
@catriona-m This is not a bug for both app_service and key_vault. :)
Good catch @xiaxyi, I've reconfigured it with only azurerm_key_vault_access_policy resource blocks and that does indeed seem to have fixed it:
I ran the replace operation 5 times with no errors.
I did however have to add a depends_on resource dependency on the terraform_user_access block - would you say that is to be expected? I'm not sure if Terraform should be expected to be able to determine the access permission dependency of its own context or not, perhaps that's unreasonable. Without the depends_on block, I was intermittently getting errors like:
Thanks @graememeyer for the update, the depends_on is used when there is no explicit dependency. If you need the dependency relation between two access policies, you'll need to use the depends_on as there is no explicit dependency. May I know why you are configuring dependency between two policies?
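The fix agreed in this thread, written out as an added example (not the reporter's configuration or provider code): the Key Vault carries no inline access_policy block, both policies are standalone azurerm_key_vault_access_policy resources, and the App Service policy depends_on the terraform_user_access policy because nothing else orders them. The resource group, the azurerm_key_vault_certificate, the vault/certificate names and the variable holding the App Service service principal's object ID are assumed to be defined elsewhere in the configuration.

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                = "example-kv" # assumed name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Anti-pattern from the thread (leave this out): an inline block here plus
  # the standalone resources below both claim ownership of the policy list,
  # so every other apply can strip the App Service's read access again.
  # access_policy {
  #   tenant_id               = data.azurerm_client_config.current.tenant_id
  #   object_id               = var.app_service_principal_object_id
  #   certificate_permissions = ["Get"]
  # }
}

# Policy for the identity running Terraform (resource name taken from the thread).
resource "azurerm_key_vault_access_policy" "terraform_user_access" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  certificate_permissions = ["Get", "List", "Create", "Import", "Delete", "Purge"]
  secret_permissions      = ["Get", "List", "Set", "Delete", "Purge"]
}

# Read-only policy for the App Service service principal so it can fetch the
# certificate secret. var.app_service_principal_object_id is an assumed variable.
resource "azurerm_key_vault_access_policy" "app_service_access" { # assumed name
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.app_service_principal_object_id

  certificate_permissions = ["Get"]
  secret_permissions      = ["Get"]

  # No attribute reference links the two policies, so order them explicitly,
  # as the reporter had to do to stop the intermittent access errors.
  depends_on = [azurerm_key_vault_access_policy.terraform_user_access]
}

resource "azurerm_app_service_certificate" "app_service_certificate" {
  name                = "example-cert" # assumed name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  key_vault_secret_id = azurerm_key_vault_certificate.cert.secret_id # assumed resource

  # Make sure the App Service's vault access exists before the certificate import runs.
  depends_on = [azurerm_key_vault_access_policy.app_service_access]
}
```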
Thanks for taking the time to submit this issue. It looks like this has been resolved with the insight from @xiaxyi. As such, I am going to mark this issue as closed.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
1.3.2
AzureRM Provider Version
3.30.0
Affected Resource(s)/Data Source(s)
azurerm_app_service_certificate
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
This Terraform configuration should create an Azure App Service Certificate, using a certificate created and stored by an Azure Key Vault.
Actual Behaviour
Terraform successfully creates the certificate the first time, but when asked to replace the certificate, it fails with an access error. If asked a third time, Terraform then successfully creates the certificate. It alternates between success and failure thereafter.
I use terraform apply -auto-approve to create the infrastructure originally. Then I use terraform apply -auto-approve -replace="azurerm_app_service_certificate.app_service_certificate" to test iterations of create/destroy.
Steps to Reproduce
This should succeed.
This should fail with the error I provided.
This should then succeed.
Important Factoids
No response
References
Note the requirement to grant the Azure App Service access to your Key Vault so that it can read the Certificate data.
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_certificate#:~:text=If%20using%20key_vault_secret_id,every%20AAD%20Tenant%3A
https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html