13

It's been somewhat long I'm trying to automate the deployment of an application gateway using Terraform but it simply fails with an error message. I have made sure all protocol settings to HTTPS. However, I doubt there is something fishy with the PFX certificate.

Is it that I'm not supplying the authentication certificate due to which it's failing? Tried a lot over the web to get a solution but there are no mentions of this.

Terraform Code:

# Create a resource group
resource "azurerm_resource_group" "rg" {
  name     = "my-rg-application-gateway-12345"
  location = "West US"
}

# Create a application gateway in the web_servers resource group
resource "azurerm_virtual_network" "vnet" {
  name                = "my-vnet-12345"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  address_space       = ["10.254.0.0/16"]
  location            = "${azurerm_resource_group.rg.location}"
}

resource "azurerm_subnet" "sub1" {
  name                 = "my-subnet-1"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.254.0.0/24"
}

resource "azurerm_subnet" "sub2" {
  name                 = "my-subnet-2"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.254.2.0/24"
}

resource "azurerm_public_ip" "pip" {
  name                         = "my-pip-12345"
  location                     = "${azurerm_resource_group.rg.location}"
  resource_group_name          = "${azurerm_resource_group.rg.name}"
  public_ip_address_allocation = "dynamic"
}

# Create an application gateway
resource "azurerm_application_gateway" "network" {
  name                = "my-application-gateway-12345"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  location            = "West US"

  sku {
    name           = "Standard_Small"
    tier           = "Standard"
    capacity       = 2
  }

  gateway_ip_configuration {
      name         = "my-gateway-ip-configuration"
      subnet_id    = "${azurerm_virtual_network.vnet.id}/subnets/${azurerm_subnet.sub1.name}"
  }

  ssl_certificate {
    name     = "certificate"
    data     = "${base64encode(file("mycert.pfx"))}"
    password = "XXXXXXX"
  }

  frontend_port {
      name         = "${azurerm_virtual_network.vnet.name}-feport"
      port         = 80
  }

  frontend_ip_configuration {
      name         = "${azurerm_virtual_network.vnet.name}-feip"
      public_ip_address_id = "${azurerm_public_ip.pip.id}"
  }

  backend_address_pool {
      name = "${azurerm_virtual_network.vnet.name}-beap"
  }

  backend_http_settings {
      name                  = "${azurerm_virtual_network.vnet.name}-be-htst"
      cookie_based_affinity = "Disabled"
      port                  = 443
      protocol              = "Https"
     request_timeout        = 1
  }

  http_listener {
        name                                  = "${azurerm_virtual_network.vnet.name}-httpslstn"
        frontend_ip_configuration_name        = "${azurerm_virtual_network.vnet.name}-feip"
        frontend_port_name                    = "${azurerm_virtual_network.vnet.name}-feport"
        protocol                              = "https"
  }

  request_routing_rule {
          name                       = "${azurerm_virtual_network.vnet.name}-rqrt"
          rule_type                  = "Basic"
          http_listener_name         = "${azurerm_virtual_network.vnet.name}-httpslstn"
          backend_address_pool_name  = "${azurerm_virtual_network.vnet.name}-beap"
          backend_http_settings_name = "${azurerm_virtual_network.vnet.name}-be-htst"
  }
}

Error: 

Error: Error applying plan:

1 error(s) occurred:

* azurerm_application_gateway.network: 1 error(s) occurred:

* azurerm_application_gateway.network: Error Creating/Updating ApplicationGateway "my-application-gateway-12345" (Resource Group "my-rg-application-gateway-12345"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ApplicationGatewayHttpsListenerMustReferenceSslCert" Message="Http Listener /subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/my-rg-application-gateway-12345/providers/Microsoft.Network/applicationGateways/my-application-gateway-12345/httpListeners/my-vnet-12345-httpslstn uses protocol Https. Ssl Certificate must be specified." Details=[]

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
Improve this question
3
  • 1
    Your http_listener block also needs the ssl_certificate_name
    – ydaetskcoR
    Feb 16, 2018 at 11:23
  • Works fine now ! Thanks for pointing out the miss. :)
    – jagatjyoti
    Feb 16, 2018 at 11:43
  • I have tried this but my ingress is still using default pool with port 80, I was wondering if you can tell me how your ingress setup looks like?
    – Matrix
    Sep 2, 2021 at 9:20

1 Answer 1

Reset to default
8

As mentioned in the azurerm_application_gateway docs you need to add the ssl_certificate_name to your http_listener block when using https.

Improve this answer
3
  • Hi, do you know how to include a pfx file in the Ansible script? ssl_certificates: - data: "{{ lookup('file', './certificate.pfx') | b64encode }}"
    – Techiescorner
    Apr 30, 2021 at 7:08
  • Updated link: registry.terraform.io/providers/hashicorp/azurerm/latest/docs/…
    – JohnLBevan
    Sep 2, 2022 at 11:26
  • Can we import in k-vault and then point the cert in appplication gateyway terraform . Which are required fields. I try to search but cant find any.
    – Harry
    Sep 2, 2022 at 18:41

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.