azurerm_cdn_endpoint_custom_domain is not properly choosing Latest certificate #20772

Closed
1 task done
Kapsztajn opened this issue Mar 3, 2023 · 2 comments · Fixed by #22683
Labels
service/cdn upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR v/3.x

@Kapsztajn

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.7

AzureRM Provider Version

3.45.0

Affected Resource(s)/Data Source(s)

azurerm_cdn_endpoint_custom_domain

Terraform Configuration Files

resource "azurerm_cdn_endpoint_custom_domain" "custom_domain" {
  for_each        = toset(var.static_domains)
  name            = join("-", [replace("${each.key}", ".", "-"), "cdn-profile"])
  cdn_endpoint_id = azurerm_cdn_endpoint.cdn_endpoint.id
  host_name       = "${each.key}"
  user_managed_https {
    key_vault_secret_id      = join("", [var.key_vault_certificate_url, "/secrets/", replace(each.key, ".", "-")])
    tls_version              = "TLS12"
  }
}

Debug Output/Panic Output

# module.hidden.azurerm_cdn_endpoint_custom_domain.custom_domain["hidden"] will be updated in-place
  ~ resource "azurerm_cdn_endpoint_custom_domain" "custom_domain" ***
        id              = "/subscriptions/***/resourceGroups/hidden/providers/Microsoft.Cdn/profiles/nonprod-cdn-profile/endpoints/nonprod-cdn-endpoint/customDomains/hidden"
        name            = "hidden"
        # (2 unchanged attributes hidden)

      + user_managed_https ***
          + key_vault_secret_id = "***/secrets/hidden"
          + tls_version         = "TLS12"
        ***
    ***

Expected Behaviour

Terraform should explicitly choose Latest certificate when no version is provided.

        "secretVersion": null,


Actual Behaviour

Terraform is not choosing Latest version. On portal Certificate/Secret version is empty, even if it is required.

After checking from az cli I could see a difference in secretVersion. When I manually set secretVersion to Latest it looks like this:

  {
    "customHttpsParameters": {
      "certificateSource": "AzureKeyVault",
      "certificateSourceParameters": {
        "deleteRule": "NoAction",
        "resourceGroupName": "hidden",
        "secretName": "hidden",
        "secretVersion": null,
        "subscriptionId": "hidden",
        "updateRule": "NoAction",
        "vaultName": "hidden"
}

secretVersion is null, whereas after Terraform sets the certificate the version is:

  {
    "customHttpsParameters": {
      "certificateSource": "AzureKeyVault",
      "certificateSourceParameters": {
        "deleteRule": "NoAction",
        "resourceGroupName": "hidden",
        "secretName": "hidden",
        "secretVersion": "",
        "subscriptionId": "hidden",
        "updateRule": "NoAction",
        "vaultName": "hidden"
      }

"secretVersion": ""

Steps to Reproduce

Run Terraform with azurerm_cdn_endpoint_custom_domain connected to KeyVault secret.

Important Factoids

No response

References

Documentation could note how to provide specific version.

@Kapsztajn Kapsztajn added the bug label Mar 3, 2023
@github-actions github-actions bot removed the bug label Mar 3, 2023
@WodansSon WodansSon self-assigned this Mar 8, 2023
@WodansSon WodansSon added upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR service/cdn labels Mar 8, 2023
@WodansSon
Collaborator

WodansSon commented Jul 26, 2023

@Kapsztajn Thank you for reporting this issue. According to the Azure Key Vault REST API reference documentation, ...This URI fragment is optional. If not specified, the latest version of the key is returned. The Microsoft.Azure.KeyVault library passes String.Empty as the version to the ARM call when there isn't a specific version requested. In the .NET documentation String.Empty is defined as a ...zero-length string, "". TBH, this feels more like a Portal UI/CLI bug rather than a Terraform issue. That said, I will see what I can do to work around the Portal UI bug so it will display correctly. However, internally within Terraform, we will continue to define it as an empty string (e.g., "").
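
Added example (not part of the issue thread and not the provider's code): a small audit over custom-domain JSON shaped like the az cli output quoted above, separating the two "no version" representations discussed here (null and "") from a pinned version. The "name" field, the status labels and the sample entries are assumptions constructed for illustration.

```python
import json

# Constructed sample, shaped like the az cli excerpts quoted in the issue.
# The "name" values and "EXAMPLE-VERSION-ID" are made-up placeholders.
SAMPLE = json.loads("""
[
  {"name": "set-in-portal", "customHttpsParameters": {
     "certificateSource": "AzureKeyVault",
     "certificateSourceParameters": {"secretName": "hidden", "secretVersion": null}}},
  {"name": "set-by-terraform", "customHttpsParameters": {
     "certificateSource": "AzureKeyVault",
     "certificateSourceParameters": {"secretName": "hidden", "secretVersion": ""}}},
  {"name": "pinned-example", "customHttpsParameters": {
     "certificateSource": "AzureKeyVault",
     "certificateSourceParameters": {"secretName": "hidden",
                                     "secretVersion": "EXAMPLE-VERSION-ID"}}},
  {"name": "http-only", "customHttpsParameters": null}
]
""")


def classify_secret_version(domain):
    """Return (status, detail) describing how the certificate version is set."""
    https = domain.get("customHttpsParameters")
    if not https:
        return ("no-custom-https", None)
    if https.get("certificateSource") != "AzureKeyVault":
        return ("not-key-vault", https.get("certificateSource"))
    params = https.get("certificateSourceParameters") or {}
    if "secretVersion" not in params:
        return ("missing-field", None)
    version = params["secretVersion"]
    if version is None:
        # What the reporter saw after choosing Latest manually.
        return ("latest-null", None)
    if version == "":
        # What the reporter saw after Terraform set the certificate.
        return ("latest-empty-string", None)
    return ("pinned", version)


def audit(domains):
    """Map each custom domain name to its classification."""
    return {d.get("name", "<unnamed>"): classify_secret_version(d) for d in domains}


if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE).items():
        print(f"{name}: {status}" + (f" ({detail})" if detail else ""))
```
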


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 15, 2024