hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_key_vault_certificate output id is key id not certificate id #22353

Open Poil opened 1 year ago

Poil commented 1 year ago

Terraform Version

1.4.6

AzureRM Provider Version

3.63.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault_certificate

Terraform Configuration Files

resource "azurerm_key_vault_certificate" "cert" {
  key_vault_id = module.key_vault.key_vault_id

  name = "blabla"
  certificate {
    contents = filebase64(var.mycert)
    password = var.password
  }
}

Debug Output/Panic Output

{
  "certificate" = tolist([
    {
      "contents" = "xxxxxxxxxxx"
      "password" = "xxxxxxxxxxxxx"
    },
  ])
  "certificate_attribute" = tolist([
    {
      "created" = "2023-06-30T19:16:44Z"
      "enabled" = true
      "expires" = "2024-02-06T23:59:59Z"
      "not_before" = "2023-01-06T00:00:00Z"
      "recovery_level" = "CustomizedRecoverable"
      "updated" = "2023-06-30T19:16:44Z"
    },
  ])
  "certificate_data" = "xxxxxxxxxxxxxxxx"
  "certificate_data_base64" = "xxxxxxxxxxxxxxxxx"
  "certificate_policy" = tolist([
    {
      "issuer_parameters" = tolist([
        {
          "name" = "Unknown"
        },
      ])
      "key_properties" = tolist([
        {
          "curve" = ""
          "exportable" = true
          "key_size" = 2048
          "key_type" = "RSA"
          "reuse_key" = false
        },
      ])
      "lifetime_action" = tolist([
        {
          "action" = tolist([
            {
              "action_type" = "EmailContacts"
            },
          ])
          "trigger" = tolist([
            {
              "days_before_expiry" = 0
              "lifetime_percentage" = 80
            },
          ])
        },
      ])
      "secret_properties" = tolist([
        {
          "content_type" = "application/x-pkcs12"
        },
      ])
      "x509_certificate_properties" = tolist([
        {
          "extended_key_usage" = tolist([
            "1.3.6.1.5.5.7.3.1",
            "1.3.6.1.5.5.7.3.2",
          ])
          "key_usage" = toset([
            "digitalSignature",
            "keyEncipherment",
          ])
          "subject" = "CN=*.xxxx.com, O=xxxx-xxxxx, L=OBERNAI, S=Grand-Est, C=FR"
          "subject_alternative_names" = tolist([
            {
              "dns_names" = toset([
                "*.xxxx.com",
                "xxxx.com",
              ])
              "emails" = toset([])
              "upns" = toset([])
            },
          ])
          "validity_in_months" = 14
        },
      ])
    },
  ])
  "id" = "https://zh-kv-xxxx-sc-r-euw.vault.azure.net/keys/wildcard-xxxx-com/xxxxxxxxxxxxx"
  "key_vault_id" = "/subscriptions/xxxxxxxxxxxxx/resourceGroups/zh-rg-xxxx-afd-r/providers/Microsoft.KeyVault/vaults/zh-kv-xxxx-sc-r-euw"
  "name" = "wildcard-xxxx-com"
  "resource_manager_id" = "/subscriptions/xxxxxxxxxxxxx/resourceGroups/zh-rg-xxxx-afd-r/providers/Microsoft.KeyVault/vaults/zh-kv-xxxx-sc-r-euw/certificates/wildcard-xxxx-com/versions/4a877d876ba749239a2cf71f2939c070"
  "resource_manager_versionless_id" = "/subscriptions/df66e078-797c-4679-8a2f-b6b53646beba/resourceGroups/zh-rg-xxxx-afd-r/providers/Microsoft.KeyVault/vaults/zh-kv-xxxx-sc-r-euw/certificates/wildcard-xxxx-com"
  "secret_id" = "https://zh-kv-xxxx-sc-r-euw.vault.azure.net/secrets/wildcard-xxxx-com/64584177709d4c3ebc45a743b787b864"
  "tags" = tomap({})
  "thumbprint" = "E2DE4562029775F5A383C7FA15A805E7C47BF13D"
  "timeouts" = null /* object */
  "version" = "4a877d876ba749239a2cf71f2939c070"
  "versionless_id" = "https://zh-kv-xxxx-sc-r-euw.vault.azure.net/keys/wildcard-xxxx-com"
  "versionless_secret_id" = "https://zh-kv-xxxx-sc-r-euw.vault.azure.net/secrets/wildcard-xxxx-com"
}

Expected Behaviour

id should be https://zh-kv-xxxx-sc-r-euw.vault.azure.net/certificates/wildcard-xxxx-com/4a877d876ba749239a2cf71f2939c070 like the resource_manager_id

Actual Behaviour

id is the key id, not the certificate id

Azure CDN-Frontdoor absolutely needs the certificate id or we have a perpetual diff (trying to replace /certificates/ with /keys/)

Steps to Reproduce

Upload a pfx to Key Vault and output it

Important Factoids

No response

References

No response
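The perpetual diff described above comes from handing Front Door a `/keys/` URL where a `/certificates/` URL is required. The following is an added example, not part of this issue or of the provider's code: it parses a Key Vault object URL, reports which object type it refers to, and rebuilds the certificate id from the key id plus the resource's `version` output (the page shows the certificate version in `resource_manager_id` and `version`, while the secret version differs, so the version must be supplied rather than copied from the key id). The vault host and names are the redacted values from this issue.

```python
from urllib.parse import urlsplit

# Key Vault data-plane object identifiers have the shape
#   https://<vault>.vault.azure.net/<keys|secrets|certificates>/<name>[/<version>]
KV_OBJECT_TYPES = ("keys", "secrets", "certificates")


def parse_kv_object_id(object_id: str) -> dict:
    """Split a Key Vault object URL into vault host, object type, name and version.

    Raises ValueError for anything that is not a well-formed Key Vault object id,
    so a malformed or non-HTTPS value is rejected instead of silently passed on.
    """
    parts = urlsplit(object_id)
    if parts.scheme != "https" or not parts.netloc.endswith(".vault.azure.net"):
        raise ValueError(f"not a Key Vault data-plane URL: {object_id}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0] not in KV_OBJECT_TYPES:
        raise ValueError(f"unexpected object path: {parts.path}")
    return {
        "vault_host": parts.netloc,
        "object_type": segments[0],
        "name": segments[1],
        "version": segments[2] if len(segments) == 3 else None,
    }


def is_certificate_id(object_id: str) -> bool:
    """True only when the id points at the certificate object, not its key or secret."""
    try:
        return parse_kv_object_id(object_id)["object_type"] == "certificates"
    except ValueError:
        return False


def certificate_id_from_key_id(key_id: str, version: str) -> str:
    """Rebuild the versioned certificate id for the key id the resource returned.

    Assumption (matches the output on this page): the certificate shares the vault
    host and name with its key; `version` is the resource's own `version` output.
    """
    parsed = parse_kv_object_id(key_id)
    if parsed["object_type"] == "certificates" and parsed["version"] == version:
        return key_id  # already a correct certificate id
    return f"https://{parsed['vault_host']}/certificates/{parsed['name']}/{version}"
```

Running `is_certificate_id` on the value before it is passed to a Front Door secret makes the wrong object type fail at plan time instead of surfacing as a diff on every apply.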

jackofallops commented 1 year ago

Hi @Poil - Can you provide some more information that might help us track this down? I've just created a few certs in different regions on v3.63.0 and they've all had the correct ID segment certificates. Which region are you using, and can you try without the use of each.key to keep the configuration as simple as possible?

Thanks!

Poil commented 1 year ago

Hi,

I'm on eu-west. In the portal it looks OK.


Regards,