Using Trusted Root Certificate for Application Gateway V2


I have been trying to automate creation of Application Gateway V2 (with WAF_v2) by following the documentation

Surely there are few references to V2, so I am assuming that the documentation has been updated after the new App Gateway V2 release.

My problem is with regards to the “backend_http_settings” block, which I am trying to configure to use the “trusted root certificate” using the syntax below:

    backend_http_settings {
      name                  = "${local.http_setting_name}"
      cookie_based_affinity = "Disabled"
      port                  = 443
      protocol              = "Https"
      request_timeout       = 30
      host_name             = ""
      # links this backend setting to a certificate in the same gateway by name
      authentication_certificate {
        name = "${local.trusted_root_certificate_name}"
      }
    }

In the above code block I have defined the authentication_certificate sub section so that I can link the backend_http_settings with a trusted_root_certificate that is being created in the same application gateway resource code block. This successfully passes the “terraform plan”; however, when I try to “apply” the change, it fails with the error below:

Error: Code=“InvalidResourceReference” Message=“Resource XXXX/providers/Microsoft.Network/applicationGateways/XXXX/authenticationCertificates/XXXX-test-vnet-trc referenced by resource XXXX/providers/Microsoft.Network/applicationGateways/XXXX-test-agwv1/backendHttpSettingsCollection/XXXX-test-vnet-be-htst was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.” Details=

If I remove the “authentication_certificate” sub section from the above code, it works fine; however, it creates the Http Listener but with the “Use Well Known CA Certificate” option selected.


Is there any configuration that I am missing or need to set correctly so that I can link the certificate for the trusted root?


What does the trusted_root_certificate block look like?

The API is complaining that no certificate exists with the name held in the local.trusted_root_certificate_name variable.

As per the documentation, it holds Name (string name) and Data (certificate base64encoded).

local.trusted_root_certificate_name is a local variable through which I am defining the “name” attribute for the trusted_root_certificate block. I am using the same variable in the above code block to access and assign it for the HTTP settings block.
My assumption (based on what I have observed without the “authentication_certificate” attribute) is that the certificate is successfully getting created in the trusted_root_certificate block, as I can see it when I try to manually assign it instead of using the “default” option “Use Well Known CA Certificate”.

I am not sure if there is anything else I can do to track down whether the certificate is created before it is being assigned?

Looks like this bugfix in today’s release (1.40.0) could be relevant:
azurerm_application_gateway - support for the trusted_root_certificate_names property (#5204)

Thanks for the feedback. Tried to use the latest provider but it still fails with the same error. Not really sure if it's something to do with any specific order in which I should be creating resources. Didn't manage to find any good example that can show AppGateway creation with Certs installed.
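An added example (not code from this thread or from the azurerm provider's own docs) of the name-based linkage that the 1.40.0 changelog entry above refers to: a trusted_root_certificate block referenced from backend_http_settings via trusted_root_certificate_names instead of the authentication_certificate block. It assumes azurerm provider 1.40.0 or later, and the local names, certificate file path and backend host name are placeholders.

```hcl
# Added example, not from the thread. Assumes azurerm provider >= 1.40.0
# (which added trusted_root_certificate_names) and that the resource already
# carries the poster's other blocks (sku WAF_v2, gateway_ip_configuration,
# frontend_*, backend_address_pool, http_listener, request_routing_rule).
locals {
  trusted_root_certificate_name = "internal-root-ca"       # assumed name
  http_setting_name             = "backend-https-settings" # assumed name
}

resource "azurerm_application_gateway" "example" {
  # ... the remaining required arguments and blocks are unchanged ...

  # The private root CA that issued the backend servers' certificates.
  # `data` is the base64 of the certificate file itself (a public trust
  # anchor, so no PFX and no password).
  trusted_root_certificate {
    name = local.trusted_root_certificate_name
    data = filebase64("${path.module}/certs/internal-root-ca.cer") # placeholder path
  }

  backend_http_settings {
    name                  = local.http_setting_name
    cookie_based_affinity = "Disabled"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 30

    # Must match the CN/SAN of the backend certificate; a mismatch shows up
    # in backend health as a hostname error even when chain validation
    # against the trusted root succeeds.
    host_name = "app.backend.internal" # placeholder

    # V2 SKU: reference the trusted root by name. The v1-style
    # authentication_certificate { name = ... } block instead makes the
    # API look for an authenticationCertificates child resource, which a
    # trusted_root_certificate block does not create (the
    # InvalidResourceReference error quoted in the thread). With this set,
    # the gateway validates backend TLS against the uploaded root rather
    # than the "Use Well Known CA Certificate" default.
    trusted_root_certificate_names = [local.trusted_root_certificate_name]
  }
}
```

Whether a V2 gateway accepts both an authentication_certificate and a trusted root on the same backend setting is not covered by the thread; the block above uses only the trusted root so that the apply does not reference a certificate resource that was never created.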