API management CA certificate out of sync #6985

Closed
Laudenlaruto opened this issue May 18, 2020 · 4 comments

@Laudenlaruto
Contributor

I am trying to manage certificates with Terraform for API Management; unfortunately, Terraform is unable to import one or realize that a certificate is missing.

Terraform (and AzureRM Provider) Version

Terraform v0.12.24

  • provider.azuread v0.7.0
  • provider.azurerm v2.7.0

Affected Resource(s)

azurerm_api_management

Terraform Configuration Files

```hcl
# Certificate material read back from Key Vault as a secret
data "azurerm_key_vault_secret" "certificate" {
  name         = azurerm_key_vault_certificate.certificate.name
  key_vault_id = var.vault_id
}

resource "azurerm_api_management" "apim-back" {
  name                 = "example"
  location             = var.location # bare `location` in the original post; variable name is a placeholder
  resource_group_name  = var.rg       # bare `rg` in the original post; variable name is a placeholder
  publisher_name       = "exmaple"
  publisher_email      = "[email protected]"
  sku_name             = "Developer_1"
  virtual_network_type = "Internal"

  virtual_network_configuration {
    subnet_id = data.terraform_remote_state.network.outputs.subnet_id
  }

  # CA certificate for the "Root" store, passed with an empty password
  certificate {
    encoded_certificate  = data.azurerm_key_vault_secret.certificate.value
    certificate_password = ""
    store_name           = "Root"
  }
}
```

Debug Output

Error: creating/updating API Management Service "EXAMPLE" (Resource Group "RG"): apimanagement.ServiceClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="NotSupported" Message="Certificate management for the default domain 'examplet.azure-api.net' is not allowed."

Terraform state is then updated, believing it was added, and when I re-apply it doesn't add it.

Expected Behavior

Terraform should have added my certificate to API management CA certificate

Actual Behavior

It crashes

Steps to Reproduce

  1. terraform apply

@yupwei68
Contributor

Hi @Laudenlaruto, thanks for opening this issue. There is a related PR #6850 merged and released in azurerm 2.10.0.

If you update azurerm to 2.10.0, you'll get the error message below:
Error: creating/updating API Management Service "api-yup" (Resource Group "apim-yup"): apimanagement.ServiceClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidParameters" Message="Invalid parameter: Specified password for the certificate associated with Intermediates is incorrect."

It suggests that certificate_password must not be empty. After I changed the certificate_password to a non-empty string, I created this resource successfully.

@DimaPachynin

Hi, CA certificates can be public certificates (.cer) and do not require a password. I don't know why terraform requires it.
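
A pre-flight check for the point raised in this comment and the one before it, as an added example that is not part of the thread or of the provider's code: it reports whether a base64 value destined for `encoded_certificate` holds a PKCS#12 bundle (the container that carries a password) or a bare X.509 certificate (.cer). The function names and the sample byte strings are assumptions constructed for illustration, and the check is a structural heuristic on the first DER elements, not a full parse.

```python
import base64
import binascii

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds data")
    return tag, pos, pos + length

def classify_encoded_certificate(value):
    """Classify a certificate string as 'pem', 'pkcs12', 'x509-der' or 'unknown'."""
    text = value.strip()
    if text.startswith("-----BEGIN "):
        return "pem"
    try:
        der = base64.b64decode("".join(text.split()), validate=True)
        tag, start, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):    # must be exactly one outer SEQUENCE
            return "unknown"
        inner_tag, istart, iend = _read_tlv(der, start)
    except (binascii.Error, ValueError):
        return "unknown"
    # PFX ::= SEQUENCE { version INTEGER (3), ... }
    if inner_tag == 0x02 and der[istart:iend] == b"\x03":
        return "pkcs12"
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    if inner_tag == 0x30:
        return "x509-der"
    return "unknown"

# Constructed DER skeletons (not real certificates), used only as sample input.
SAMPLE_PFX = base64.b64encode(bytes.fromhex("3005" "020103" "3000")).decode()
SAMPLE_CER = base64.b64encode(bytes.fromhex("3004" "3002" "0500")).decode()

if __name__ == "__main__":
    for name, blob in (("pfx-like", SAMPLE_PFX), ("cer-like", SAMPLE_CER)):
        print(name, "->", classify_encoded_certificate(blob))
```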

@magodo
Collaborator

magodo commented May 30, 2020

Hi @Laudenlaruto, as @yupwei68 has mentioned, the v2.10.0 provider has fixed this issue, so I hope you don't mind that I close this issue for now.
If there is any other issue, please feel free to open another issue to track.

@magodo magodo closed this as completed May 30, 2020
@ghost

ghost commented Jun 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jun 29, 2020