hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_nginx_certificate Updating to Support Azure Key Vault Certificates #21302

Open hsteckylf opened 1 year ago

hsteckylf commented 1 year ago

Description

The azurerm_nginx_certificate resource requires a key_vault_secret_id. Azure has deprecated the support for storing TLS certificates as a Key Vault Secret as there is now a dedicated Key Vault Certificate object.

The Azure NGINXaaS implementation has been updated to require Azure Key Vault Certificates but this provider's azurerm_nginx_certificate module has not. This breaks the ability to deploy NGINXaaS with a certificate using this provider.

New or Affected Resource(s)/Data Source(s)

azurerm_nginx_certificate

Potential Terraform Configuration

resource "azurerm_nginx_certificate" "test" {
  name                     = "examplecert"
  nginx_deployment_id      = azurerm_nginx_deployment.test.id
  key_virtual_path         = "/src/cert/soservermekey.key"
  certificate_virtual_path = "/src/cert/server.cert"
  key_vault_certificate_id = azurerm_key_vault_certificate.test.id
}

References

No response

puneetsarna commented 8 months ago

Hi @hsteckylf

Thanks for raising this issue. I see that there is a slight confusion in how a certificate gets used in NGINXaaS for Azure. We allow users to reference a certificate object in the argument key_vault_secret_id. Can you please try the following example:

resource "azurerm_nginx_certificate" "example" {
  name                     = var.name
  nginx_deployment_id      = azurerm_nginx_deployment.example.id
  key_virtual_path         = "/etc/nginx/ssl/test.key"
  certificate_virtual_path = "/etc/nginx/ssl/test.crt"
  key_vault_secret_id      = azurerm_key_vault_certificate.example.secret_id
}

The example shows you that a deployment is referencing the secret ID of the corresponding certificate object. Please reach out if you see any issues in running the above example.

Here's an elaborate Terraform code example for reference.
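
Added example, not part of this thread or of the provider's own code: a Key Vault Certificate object wired into azurerm_nginx_certificate through its secret_id, as the reply above describes, together with the read access the deployment's identity needs on the vault. The resources azurerm_key_vault.example, azurerm_user_assigned_identity.example and azurerm_nginx_deployment.example are hypothetical and assumed to be defined elsewhere; the vault is assumed to use Azure RBAC authorization, and the certificate name, subject and self-signed issuer are constructed for illustration.

```hcl
# Added example. Assumed to exist elsewhere in the configuration (hypothetical names):
#   azurerm_key_vault.example              - vault using Azure RBAC authorization
#   azurerm_user_assigned_identity.example - identity attached to the NGINX deployment
#   azurerm_nginx_deployment.example

resource "azurerm_key_vault_certificate" "example" {
  name         = "nginx-tls" # constructed name
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self" # self-signed, for illustration only
    }
    key_properties {
      exportable = true # the backing secret carries the private key only if exportable
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }
    secret_properties {
      content_type = "application/x-pem-file"
    }
    x509_certificate_properties {
      subject            = "CN=example.com"
      validity_in_months = 12
      key_usage          = ["digitalSignature", "keyEncipherment"]
      subject_alternative_names {
        dns_names = ["example.com"]
      }
    }
  }
}

# Read-only access to secrets for the deployment's identity; nothing broader.
resource "azurerm_role_assignment" "nginx_reads_cert" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.example.principal_id
}

resource "azurerm_nginx_certificate" "example" {
  name                     = "examplecert"
  nginx_deployment_id      = azurerm_nginx_deployment.example.id
  key_virtual_path         = "/etc/nginx/ssl/test.key"
  certificate_virtual_path = "/etc/nginx/ssl/test.crt"
  # Certificate object referenced through its backing secret, as in the reply above.
  key_vault_secret_id = azurerm_key_vault_certificate.example.secret_id
  depends_on          = [azurerm_role_assignment.nginx_reads_cert]
}
```

The secret_id attribute is version-specific, so a renewed certificate produces a new ID and the azurerm_nginx_certificate resource is updated on the next apply.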