Application Gateway v2 with https non-functional, but deployment succeeds

[kautsig]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.11.7

• provider.azurerm v1.17.0

Affected Resource(s)

• azurerm_application_gateway

Expected Behavior

When creating an application gateway with a v2 sku and an https listener the application gateway is in a non-working state after deployment.

Actual Behavior

While provisioning succeeds the app gateway is non-functional. There is an empty ssl policy set, which prevents the gateway from starting correctly.

~ az network application-gateway ssl-policy show -g group --gateway-name gateway 
{                                                                                                                              
  "cipherSuites": null,                                                                                                        
  "disabledSslProtocols": [],                                                                                                  
  "minProtocolVersion": null,                                                                                                  
  "policyName": null,                                                                                                          
  "policyType": null                                                                                                           
}                                                                                                                              

Together with microsoft support we found out that removing the ssl policy fixes the issue.

This can be done through powershell:

$AppGW = Get-AzureRmApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
$AppGW = Remove-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $AppGW

Also setting a default policy through azure cli works.

az network application-gateway ssl-policy set \
   -g $RESOURCE_GROUP \
   --gateway-name $APPGW \
   -n AppGwSslPolicy20170401 \
   --policy-type Predefined

Steps to Reproduce

1. Create a sku v2 app gateway
2. Add an ssl listener

References

• Bug Fixes/Enhancements to Application Gateway #1576 - refactoring of related code
• Feature Request: Full sslPolicy support for azurerm_application_gateway #1536 - new related feature of fully supporting the ssl policy

[tombuildsstuff]

hi @kautsig

Thanks for opening this issue :)

As you've found there's an issue tracking support for the full SSL Policy block within the Application Gateway resource in #1536 (which will also deprecate the separate disabled_ssl_protocols field) - as such I believe once that's supported it should be possible to work around this (by not specifying this block). Since that's a breaking change that's currently scheduled for 2.0 - but as this will be solved by #1536 I'm going to close this issue in favour of that one - please subscribe to that one for updates.

Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!