azurerm_cdn_endpoint_custom_domain resource does not supports key-vault-secret in user_managed_https block #17058

Closed
1 task done
ccsandhanshive opened this issue Jun 1, 2022 · 4 comments · Fixed by #17114

Comments

@ccsandhanshive

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.0.0

AzureRM Provider Version

3.2.0, 3.6.0

Affected Resource(s)/Data Source(s)

azurerm_cdn_endpoint_custom_domain

Terraform Configuration Files

resource "azurerm_cdn_endpoint_custom_domain" "this" {
  name            = "cdne-cd-test-05"
  cdn_endpoint_id = "/subscriptions/*************/resourceGroups/*********/providers/Microsoft.Cdn/profiles/cdnp-test02/endpoints/cdne-test02"
  host_name       = "www.**********.tk"

  user_managed_https {
    key_vault_certificate_id = "https://kv-******-test01.vault.azure.net/secrets/******/0b48e0ef60344ad6b07657f2f2838d08"
    tls_version              = "TLS12"
  }
}

Debug Output/Panic Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"] will be created
  + resource "azurerm_cdn_endpoint_custom_domain" "this" {
      + cdn_endpoint_id = "/subscriptions/*********/resourceGroups/**********/providers/Microsoft.Cdn/profiles/cdnp-test02/endpoints/cdne-test02"
      + host_name       = "www.*******.tk"
      + id              = (known after apply)
      + name            = "cdne-cd-test05"

      + user_managed_https {
          + key_vault_certificate_id = "https://kv-*******-test01.vault.azure.net/secrets/********/0b48e0ef60344ad6b07657f2f2838d08"
          + tls_version              = "TLS12"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "JapanEast"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Creating...
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [10s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [20s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [30s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [40s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [50s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [1m0s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [1m10s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [1m20s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [1m30s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [1m40s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [1m50s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [2m0s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [2m10s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [2m20s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [2m30s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [2m40s elapsed]
module.CDNE_CD.azurerm_cdn_endpoint_custom_domain.this["cdne-cd-test05"]: Still creating... [2m50s elapsed]
╷
│ Error: keyvault.BaseClient#GetCertificate: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="CertificateNotFound" Message="A certificate with (name/id) ****/versions/0b48e0ef60344ad6b07657f2f2838d08 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"

Expected Behaviour

Azure portal and Azure CLI support a key-vault secret in user-managed certificates. If this resource does not support a key-vault secret, then a resource with a key-vault secret should not be created; if this resource does support a key-vault secret, then it should not throw any error after terraform apply.

Actual Behaviour

The resource gets created successfully with the key-vault secret, but Terraform throws an error saying:
A certificate with (name/id) ****/versions/0b48e0ef60344ad6b07657f2f2838d08 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

@ccsandhanshive
Author

  • The pull request mentions that a new key_vault_secret_id property will replace the existing key_vault_certificate_id and it plans on deprecating the key_vault_certificate_id parameter in favor of key_vault_secret_id

  • However, as per the following reference documents, both Azure portal and Azure CLI currently support key vault secret as well as key vault certificate

References:

Azure document: https://docs.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate

Azure CLI document: https://docs.microsoft.com/en-us/cli/azure/cdn/custom-domain?view=azure-cli-latest#az-cdn-custom-domain-create

@ccsandhanshive ccsandhanshive changed the title azurerm_cdn_endpoint_custom_domain resource does not supports key-value-secret in user_managed_https block azurerm_cdn_endpoint_custom_domain resource does not supports key-vault-secret in user_managed_https block Jun 8, 2022
@magodo
Collaborator

magodo commented Jun 8, 2022

@github-actions github-actions bot added this to the v3.19.0 milestone Aug 18, 2022
@github-actions

This functionality has been released in v3.19.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2022
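
An added example, not part of the original thread or the provider's own code: the configuration from the report rewritten for the `key_vault_secret_id` argument named in the comments and the v3.19.0 release, with a plan-time check that rejects an ID whose path is not `/secrets/`. Variable names, the resource name and the host name are placeholders, and the pattern assumes a versioned ID with a 32-character hex version, as in the ID shown in the report.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.19.0" # release named in this thread
    }
  }
}

# Hypothetical variable: versioned Key Vault *secret* ID that holds the TLS certificate.
variable "cdn_tls_secret_id" {
  type        = string
  description = "Key Vault secret ID holding the TLS certificate for the CDN custom domain."

  validation {
    # Fail at plan time if a /certificates/ or /keys/ ID (or an unversioned ID) is passed,
    # instead of finding the mismatch after the custom domain has already been created.
    condition     = can(regex("^https://[^/]+/secrets/[^/]+/[0-9a-f]{32}$", var.cdn_tls_secret_id))
    error_message = "Expected a versioned Key Vault secret ID of the form https://<vault>.vault.azure.net/secrets/<name>/<version>."
  }
}

# Hypothetical variable: full resource ID of the existing CDN endpoint.
variable "cdn_endpoint_id" {
  type = string
}

resource "azurerm_cdn_endpoint_custom_domain" "this" {
  name            = "cdne-cd-example" # placeholder
  cdn_endpoint_id = var.cdn_endpoint_id
  host_name       = "www.example.com" # placeholder

  user_managed_https {
    # Secret ID goes in key_vault_secret_id; key_vault_certificate_id is looked up
    # through the certificate API, which is what produced the 404 in the report.
    key_vault_secret_id = var.cdn_tls_secret_id
    tls_version         = "TLS12"
  }
}
```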