Terraform Upgrade to 0.14.0/azurerm to 2.65.0 Causing an Issue regarding SSL Cert in Application Gateway Configuration

After upgrading terraform to 0.14.0 and azurerm to 2.65.0 I got three errors regarding ssl certificate configuration in the application gateway section.


Error: expected “ssl_certificate.0.key_vault_secret_id” to not be an empty string, got

on ~/modules/someservice/gateways.tf line 120, in resource "azurerm_application_gateway" "network":
102:   ssl_certificate {

Error: Computed attributes cannot be set

on ~/modules/someservice/gateways.tf line 120, in resource "azurerm_application_gateway" "network":
120:   ssl_certificate {

Computed attributes cannot be set, but a value was set for
“ssl_certificate.0.id”.

Error: Computed attributes cannot be set

on ~/modules/someservice/gateways.tf line 120, in resource "azurerm_application_gateway" "network":
120:   ssl_certificate {

Computed attributes cannot be set, but a value was set for
“ssl_certificate.0.public_cert_data”.


But the key_vault_secret_id configuration does not exist in my code:

ssl_certificate {
    name     = local.certificate_name
    data     = filebase64("./ssl-cert/appgwcert.pfx")
    password = "SecretPwd"
  }

Snippet of the application gateway:

terraform {
  required_version = "= 0.14.0"
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "2.65.0"
    }
  }
}

provider "azurerm" {
  features {}
}


# #################################################################
 
resource "azurerm_public_ip" "pub-ip" {
  name                = "appgw-pubIP"
  resource_group_name = local.resour_group_name
  location            = local.resour_group_location
  allocation_method   = "Dynamic"
}


resource "azurerm_subnet" "subnet-01" {
  name                 = "seubnet-app-gateway"
  resource_group_name  = local.resour_group_name
  virtual_network_name = "vnet-app-gateway"
  address_prefixes     = ["10.21.0.0/24"]
}

# since these variables are re-used - a locals block makes this more maintainable
locals {
  resour_group_name              = "app-gateway-test-01"
  resour_group_location          = "westus2"
  backend_address_pool_name      = "backend-pool-test-01"
  frontend_port_name             = "port_443"
  frontend_ip_configuration_name = "appGwPublicFrontendIp"
  http_setting_name              = "http-settings-test-01"
  listener_name                  = "https-listener-01"
  request_routing_rule_name      = "routrul-test-01"
  certificate_name               = "appgw-cert-test-01"
}

resource "azurerm_application_gateway" "network" {
  name                = "app-gateway-test-01"
  resource_group_name = local.resour_group_name
  location            = local.resour_group_location

  sku {
    name     = "Standard_V2"
    tier     = "Standard"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "appGatewayIpConfig"
    subnet_id = azurerm_subnet.subnet-01.id
  }

  frontend_port {
    name = local.frontend_port_name
    port = 443
  }

  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.pub-ip.id
  }

  backend_address_pool {
    name = local.backend_address_pool_name
  }

  backend_http_settings {
    name                  = local.http_setting_name
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
  }

  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Https"
    ssl_certificate_name           = local.certificate_name
  }

  ssl_certificate {
    name     = local.certificate_name
    # reference the dummy certificate
    data     = filebase64("./ssl-cert/appgwcert.pfx")
    # this is only a dummy and not the actual certificate to be used thus no harm in storing the password
    password = "SecretPwd"
  }

  request_routing_rule {
    name                       = local.request_routing_rule_name
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }

  lifecycle {
    ignore_changes = [ssl_certificate, http_listener]
  }
}

I have no idea how to fix it?

Hi @yazid.alayoubi! I don’t know what your previous azurerm_application_gateway configuration is, but it might be your state which is interfering.

It might help to terraform state rm and terraform import the resource, but that can have some drawbacks as well, as I’m unaware of your complete situation.
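A read-only way to see what the state records for the gateway's ssl_certificate block before trying terraform state rm and terraform import, as an added example that is not part of the thread. It assumes the version 4 state file layout; the function name, the module name module.someservice and all sample values are constructed placeholders.

```python
import json

# Attributes named in the three errors quoted in the question.
ERROR_ATTRS = ("key_vault_secret_id", "id", "public_cert_data")
# Sensitive inputs; whatever the state records for them is stored in plaintext.
SECRET_ATTRS = ("data", "password")

# Constructed sample in the version 4 state layout (not taken from the thread).
SAMPLE_STATE = json.loads("""
{
  "version": 4,
  "resources": [{
    "module": "module.someservice",
    "mode": "managed",
    "type": "azurerm_application_gateway",
    "name": "network",
    "instances": [{"attributes": {"ssl_certificate": [{
      "name": "appgw-cert-test-01",
      "id": "<gateway-resource-id>/sslCertificates/appgw-cert-test-01",
      "data": "<base64-pfx>",
      "password": "SecretPwd",
      "key_vault_secret_id": "",
      "public_cert_data": "<base64-cer>"
    }]}}]
  }]
}
""")

def audit_ssl_certificates(state):
    """Return one finding per ssl_certificate block recorded in the state."""
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "azurerm_application_gateway":
            continue
        address = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for cert in attrs.get("ssl_certificate") or []:
                findings.append({
                    "address": address,
                    "certificate": cert.get("name"),
                    "empty": [a for a in ERROR_ATTRS if a in cert and cert[a] in ("", None)],
                    "populated": [a for a in ERROR_ATTRS if cert.get(a)],
                    "secrets_in_state": [a for a in SECRET_ATTRS if cert.get(a)],
                })
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_ssl_certificates(SAMPLE_STATE), indent=2))
```

To check a real workspace, load the output of terraform state pull with json.load and pass it to the function. That output contains the certificate data and password in plaintext, so handle it like the state file itself.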

@aristosvo as far as I know, there was an attempt to configure Key Vault (key_vault_secret_id) in the ssl_certificate config code, but it didn’t work. After that, a dummy file-based certificate was configured in Terraform:

ssl_certificate {
    name     = local.certificate_name
    data     = filebase64("./ssl-cert/appgwcert.pfx")
    password = "SecretPwd"
  }

This dummy certificate will be replaced manually with a real one.
What drawbacks do terraform state rm and terraform import of the resource have?

Thank you in advance!

Hi @yazid.alayoubi,

You should not be using v0.14.0 for the upgrade process. The final v0.14 release was v0.14.9, which should contain fixes for the situation shown.

@jbardin Many thanks. That solved my issue. Therefore 1000.000 thanks and more.