I am struggling with the renewal process for a certificate stored in Key Vault for an Azure App Service. Here is what I have:
1 - azurerm_app_service_certificate resource using a cert stored in Azure Key Vault
2 - App Service using this certificate for a custom hostname binding
This works fine.
Now the certificate is up for renewal, so i have created a new version of the certificate in Azure Key Vault. When i run Terraform Plan, it wants to create the new azurerm_app_service_certificate resource because it detects a new version of the certificate in the KeyVault. This is where it goes wrong - it cannot delete the existing resource because it is used by the App Service, and i can’t remove the version of the certificate from the key vault because Azure don’t support removing versions.
To get around this, i ended up hardcoding the Cert ID into my Hostname binding rather than using a data source to look it up. I then created a new Key Vault Certificate for the new cert so now i have in KeyVault something like:
testcert.company.com
tertcert.company.com-2020
This seems like a very clunky way of working and i wondered if i am missing something here or whether they way I am doing it is the only way to renew a certificate at expiry time. For reference here is how i reference the 2 resources:
resource “azurerm_app_service_certificate” “engineering-2020-21” {
name = “star-eng-company-com”
resource_group_name = azurerm_resource_group.ui.name
location = var.resourceGroupLocation
key_vault_secret_id = data.azurerm_key_vault_secret.starengcert.id
}
resource “azurerm_app_service_custom_hostname_binding” “integration-forms” {
hostname = “integration-forms.eng.company.com”
app_service_name = module.int-uiapp.appServiceName
resource_group_name = data.terraform_remote_state.internal-common.outputs.internal-rg-ui
ssl_state = “SniEnabled”
thumbprint = data.terraform_remote_state.internal-common.outputs.starengcertthumbprint
}
For the above the 2 resources are managed by different state files and the thumbprint is outputted from the azurerm_app_service_certificate resource.
Thanks