How does the new SSL support in app service custom host bindings work?

On October 2, a community PR added support for SSL certificate provisioning and assigning for app services in the Azure provider (and thanks to Joakim for that!)

I’m having trouble figuring out how to get it to work, though.

To begin with, I have to work with wildcard ssl certificates that already exist and have been created with the Azure Portal under App Service Certificates. It looks like that obviates the need for creating the azurerm_app_service_certificate resource and the relevant sections of the azurerm_key_vault resource - the cert already exists, right?

So that leaves me with:

resource "azurerm_app_service_custom_hostname_binding" "appsvc" {
  hostname            = "${azurerm_dns_cname_record.appsvc.name}.${local.dns_zone_name}"
  app_service_name    = azurerm_app_service.appsvc.name
  resource_group_name = azurerm_app_service.appsvc.resource_group_name
  ssl_state           = "SniEnabled"
  thumbprint          = local.ssl_thumbprint
}

…where local.ssl_thumbprint is the 40-char text string representing the thumbprint of the existing wildcard SSL certificate.

When I terraform apply, however, I get the following error:

Error: web.AppsClient#CreateOrUpdateHostNameBinding: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="NotFound" Message="Certificate 284....E7 was not found." Details=[{"Message":"Certificate 284....E7 was not found."},{"Code":"NotFound"},{"ErrorEntity":{"Code":"NotFound","ExtendedCode":"04031","Message":"Certificate 284....E7 was not found.","MessageTemplate":"Certificate {0} was not found.","Parameters":["284....E7"]}}]

(Thumbprint partially redacted for posting purposes)

The secret for the certificate is contained within a keyvault in the same subscription, and I have added the Terraform Service Principal I’m using to a Secret (Get, List) access policy for that keyvault, in case that was necessary. My understanding is that it shouldn’t be as it’s the generic app service service principal that reads the keyvault, and that access policy appears to have been properly created by the Azure Portal.

I tried digging around in the API reference for the Azure Go SDK and AFAICT there’s no other parameters expected, just the thumbprint.

I’ve tried creating an azurerm_app_service_certificate resource, and then referring to that resource for the thumbprint:

# Import the app service certificate
resource "azurerm_app_service_certificate" "foo" {
  name                = "foo-net"
  resource_group_name = var.appsvc_resource_group_name
  location            = var.location
  key_vault_secret_id = "https://foo-ca-dvlp-kv.vault.azure.net/secrets/wc-test-foo-net[guid]/[more guid]"
}

# Hostname binding
resource "azurerm_app_service_custom_hostname_binding" "appsvc" {
  hostname            = "${azurerm_dns_cname_record.appsvc.name}.${local.dns_zone_name}"
  app_service_name    = azurerm_app_service.appsvc.name
  resource_group_name = azurerm_app_service.appsvc.resource_group_name
  ssl_state           = "SniEnabled"
  thumbprint          = azurerm_app_service_certificate.foo.thumbprint
}

…but I get a similar error:

Error: Error creating/updating App Service Certificate "foo-net" (Resource Group "foo-services-ca-bar-dvlp-rg"): web.CertificatesClient#CreateOrUpdate: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. 
Status=404 Code="NotFound" Message="Certificate 284...E7 was not found." Details=[{"Message":"Certificate 284...E7 was not found."},{"Code":"NotFound"},{"ErrorEntity":{"Code":"NotFound","ExtendedCode":"04031","Message":"Certificate 284...E7 was not found.","MessageTemplate":"Certificate {0} was not found.","Parameters":["284...E7"]}}]

Interestingly, if I run terraform apply until the SSL host binding fails, and then go into the Azure portal and manually add the SSL host binding to any one of the app services hosted on the same app service plan, and then run terraform apply again, terraform will create the SSL host bindings for all the other app services on the same app service plan successfully. So something is getting set or configured by that action in the Portal that’s missing in azurerm.

Does anyone know how to get this to work?
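The 404 above is the App Service API failing to resolve the thumbprint to a certificate resource it can see. The following is an added checker, not part of the original post or the azurerm provider: it takes the JSON that `az webapp config ssl list -g <resource-group> -o json` prints (the `name`, `resourceGroup`, `thumbprint` and `expirationDate` field names are assumed from the Microsoft.Web/certificates resource; the sample below is constructed) and reports whether the thumbprint Terraform will send matches one of them, after normalising case and separators so a copy-paste difference is not mistaken for a missing certificate.

```python
"""Check whether a thumbprint destined for azurerm_app_service_custom_hostname_binding
matches a certificate the App Service API lists in the resource group."""
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like `az webapp config ssl list -g <rg> -o json`
# output; only the fields used below are included (field names assumed).
SAMPLE_CERT_LIST = json.dumps([
    {
        "name": "wc-example-net",
        "resourceGroup": "example-rg",
        "location": "canadacentral",
        "thumbprint": "0123456789ABCDEF0123456789ABCDEF01234567",
        "hostNames": ["*.example.net", "example.net"],
        "expirationDate": "2030-01-01T00:00:00+00:00",
    }
])


def normalize_thumbprint(value: str) -> str:
    """Canonical form: 40 upper-case hex digits, separators and stray bytes removed."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", value).upper()
    if len(cleaned) != 40:
        raise ValueError(f"expected 40 hex chars (SHA-1 thumbprint), got {len(cleaned)}: {value!r}")
    return cleaned


def find_certificate(cert_list_json: str, thumbprint: str, now: datetime = None) -> dict:
    """Return {found, name, resource_group, expired} for the certificate whose
    thumbprint matches; found=False means the binding call would 404 as in the post."""
    wanted = normalize_thumbprint(thumbprint)
    now = now or datetime.now(timezone.utc)
    for cert in json.loads(cert_list_json):
        if normalize_thumbprint(cert["thumbprint"]) == wanted:
            expires = datetime.fromisoformat(cert["expirationDate"])
            return {
                "found": True,
                "name": cert["name"],
                "resource_group": cert["resourceGroup"],
                "expired": expires < now,
            }
    return {"found": False, "name": None, "resource_group": None, "expired": None}


if __name__ == "__main__":
    # Same thumbprint as the sample, but in the colon-separated form the portal shows.
    print(find_certificate(SAMPLE_CERT_LIST, "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"))
```

If the report says found=False for the resource group the app service lives in, the certificate has not been imported as a Microsoft.Web/certificates resource there, which is the precondition the hostname binding needs regardless of what is stored in Key Vault.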