azurerm_application_gateway ssl certificate recreated every apply regardless of cert file contents. #583

Closed
jbgi opened this issue Nov 23, 2017 · 8 comments
Labels: bug, service/application-gateway, upstream/microsoft (indicates that there's an upstream issue blocking this issue/PR)

Comments

@jbgi

jbgi commented Nov 23, 2017

Terraform Version

Terraform v0.11.0
+ provider.azurerm v0.3.3

Affected Resource(s)

Please list the resources as a list, for example:

  • azurerm_application_gateway

Terraform Configuration Files

resource "azurerm_application_gateway" "app-gw" {
  [...] 
  ssl_certificate = {
    name     = "certificate"
    data     = "${file("certificate.pfx")}"
    password = "${var.certificate_password}"
  }
}

Expected Behavior

SSL certificate should not be recreated when there are no changes to the certificate file.

Actual Behavior

terraform plan outputs:

Terraform will perform the following actions:

  ~ azurerm_application_gateway.app-gw
      ssl_certificate.0.data: <sensitive> => <sensitive> (attribute changed)

Plan: 0 to add, 1 to change, 0 to destroy.

even though the certificate file did not change.

Important Factoids

PFX certificate was created from a jks keystore via:

openssl pkcs12 -in certificate.jks -export -out certificate.pfx

Apart from the core issue, the fact that the no-op operation takes up to 7 min adds to the pain...

References

@rahulkp220

I am also facing the same issue! Hope it gets resolved soon.

@achandmsft achandmsft added the bug label Mar 10, 2018
@achandmsft achandmsft added this to the 1.4.0 milestone Mar 10, 2018
@achandmsft achandmsft added the M2 label Mar 10, 2018
@mykola42

mykola42 commented Mar 12, 2018

This might work as a workaround:

lifecycle {
    ignore_changes = ["ssl_certificate"]
}

@jbgi
Author

jbgi commented Apr 13, 2018

@mykola42 the workaround does not work as soon as you want to push some other changes:

* azurerm_application_gateway.services-gw: Error Creating/Updating ApplicationGateway "services_gateway" (Resource Group "Application-Gateway"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ApplicationGatewaySslCertificateInvalidData" Message="Data or Password for certificate /subscriptions/xxxxxxxxxxx/resourceGroups/Application-Gateway/providers/Microsoft.Network/applicationGateways/services_gateway/sslCertificates/xxxxx is invalid." Details=[]

@tombuildsstuff tombuildsstuff added the upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR label Apr 13, 2018
@tombuildsstuff
Contributor

👋

To give an update here: we're still waiting for the Application Gateway API to be fixed before proceeding with any enhancements or bug fixes for this resource; once the API is fixed (I've just requested an update). As such I've de-prioritised this issue for the moment, but we'll circle around and take another look once the API's in a usable state - sorry for the inconvenience here!

Thanks!

@tombuildsstuff
Contributor

hi @jbgi @rahulkp220 @mykola42

Given this issue is blocked on an upstream issue in the Azure API rather than keeping multiple issues open and trying to ensure they all remain up to date - I'm going to close this in favour of #1576 which is the Meta-Issue tracking the Bugs and Enhancements for the Application Gateway Resource. Once the bug in the API is fixed we should be able to take a look into this, but we'll keep track of the status of this issue there for the moment.

Thanks!

@hdost

hdost commented Oct 1, 2018

Hoping to re-open now that upstream has been fixed.

@tombuildsstuff
Contributor

This is fixed in #2054

@ghost

ghost commented Mar 6, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 6, 2019
7 participants