Develop Reference

Getting error only while executing terraform apply as resource cannot be found in application gateway

I have created a application gateway, WAF policy, public IP via terraform.
From Azure GUI I have created a Key vault in which I have uploaded the pfx certificate also I have created managed identity and granted full access to azure key vault.
I am trying to create a additional https listener and calling the certificate stored in the keyvault via data block but somehow landing in this error .
Note: Kayvault , managed identity , appgw, waf policy are all in same region.
Error :
│ Error: updating Application Gateway: (Name "abc-xyz-Nonprod-test-us6-Extappgw0001" / Resource Group "xyz-network-vnet-devtest"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidResourceReference" Message="Resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xyz-network-vnet-devtest/providers/Microsoft.Network/applicationGateways/abc-xyz-Nonprod-test-us6-Extappgw0001/sslCertificates/firepfx referenced by resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xyz-network-vnet-devtest/providers/Microsoft.Network/applicationGateways/abc-xyz-Nonprod-test-us6-Extappgw0001/httpListeners/External_app_gtw_nonprod_backend_listener_https was not found. Please make sure that the referenced resource exists, and that both resources are in the same region." Details=[]
│
│ with azurerm_application_gateway.abc-xyz-Nonprod-test-us6-Extappgw0001,
│ on abc-xyz-Nonprod-test-us6-Extappgw0001.tf line 102, in resource "azurerm_application_gateway" "abc-xyz-Nonprod-test-us6-Extappgw0001":
│ 102: resource "azurerm_application_gateway" "abc-xyz-Nonprod-test-us6-Extappgw0001"
code
terraform {
backend "azurerm" {
storage_account_name = "abccloudlbstorage"
resource_group_name = "xyz-NETENG-AppResources-Prod"
container_name = "testlb"
tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
key = "abc-xyz-Nonprod-test-us6-Extappgw0001.tfstate"
}
}
provider "azurerm" {
features {}
}
data "azurerm_client_config" "current" {}
data "azurerm_subnet" "abc-xyz-devtest-us6-vnet00002-sub00001-AppGW" {
name = "abc-xyz-devtest-us6-vnet00002-sub00001-AppGW"
resource_group_name = "xyz-network-vnet-devtest"
virtual_network_name = "abc-xyz-devtest-us6-vnet00002"
}
data "azurerm_user_assigned_identity" "test-appgw-identity-us6"{
name = "test-appgw-identity-us6"
resource_group_name = "xyz-network-vnet-devtest"
}
data "azurerm_key_vault" "xyz-network-kv" {
name = "xyz-network-kv"
resource_group_name = "xyz-network-vnet-devtest"
}
data "azurerm_key_vault_certificate" "firepfx" {
name = "firepfx"
key_vault_id = data.azurerm_key_vault.xyz-network-kv.id
}
resource "azurerm_public_ip" "abc-test-us6-nonprod-FE0001" {
name = "abc-test-us6-nonprod-FE0001"
resource_group_name = "xyz-network-vnet-devtest"
location = "eastus2"
allocation_method = "Static"
sku = "Standard"
zones = ["1", "2", "3"]
tags = {
BusinessUnit = "enterprise-management"
LineOfBusiness = "xyz"
}
}
resource "azurerm_web_application_firewall_policy" "abc-test-us6-nonprod-WFW0001" {
name = "abc-test-us6-nonprod-WFW0001"
resource_group_name = "xyz-network-vnet-devtest"
location = "eastus2"
tags = {
BusinessUnit = "enterprise-management"
LineOfBusiness = "xyz"
}
custom_rules {
name = "Rule1"
priority = 1
rule_type = "MatchRule"
match_conditions {
match_variables {
variable_name = "RemoteAddr"
}
operator = "IPMatch"
negation_condition = false
match_values = ["8.8.8.8"]
}
action = "Block"
}
policy_settings {
enabled = true
mode = "Prevention"
request_body_check = true
file_upload_limit_in_mb = 100
max_request_body_size_in_kb = 128
}
managed_rules {
exclusion {
match_variable = "RequestHeaderNames"
selector = "x-company-secret-header"
selector_match_operator = "Equals"
}
managed_rule_set {
type = "OWASP"
version = "3.2"
}
}
}
resource "azurerm_application_gateway" "abc-xyz-Nonprod-test-us6-Extappgw0001" {
name = "abc-xyz-Nonprod-test-us6-Extappgw0001"
resource_group_name = "xyz-network-vnet-devtest"
location = "eastus2"
zones = ["1", "2", "3"]
firewall_policy_id = azurerm_web_application_firewall_policy.abc-test-us6-nonprod-WFW0001.id
tags = {
BusinessUnit = "enterprise-management"
LineOfBusiness = "xyz"
}
sku {
name = "WAF_v2"
tier = "WAF_v2"
}
autoscale_configuration {
min_capacity = 2
max_capacity = 10
}
gateway_ip_configuration {
name = "abc-test-us6-nonprod-GIP0001"
subnet_id = data.azurerm_subnet.abc-xyz-devtest-us6-vnet00002-sub00001-AppGW.id
}
frontend_port {
name = "abc-us6-gpt-nonprod-PRT-FE0001"
port = 80
}
frontend_ip_configuration {
name = "abc-test-us6-nonprod-CFG-FE0001"
public_ip_address_id = azurerm_public_ip.abc-test-us6-nonprod-FE0001.id
}
frontend_ip_configuration {
name = "abc-test-us6-nonprod-CFG-FE0002"
subnet_id = data.azurerm_subnet.abc-xyz-devtest-us6-vnet00002-sub00001-AppGW.id
private_ip_address = "10.46.72.200"
private_ip_address_allocation = "Static"
}
backend_address_pool {
name = "External_app_gtw_nonprod_backend"
}
backend_http_settings {
name = "External_app_gtw_nonprod_http_setting"
cookie_based_affinity = "Disabled"
path = "/"
port = 80
protocol = "Http"
request_timeout = 60
}
http_listener {
name = "External_app_gtw_nonprod_backend_listener"
frontend_ip_configuration_name = "abc-test-us6-nonprod-CFG-FE0001"
frontend_port_name = "abc-us6-gpt-nonprod-PRT-FE0001"
protocol = "Http"
}
request_routing_rule {
name = "External_app_gtw_nonprod_RR"
rule_type = "Basic"
http_listener_name = "External_app_gtw_nonprod_backend_listener"
backend_address_pool_name = "External_app_gtw_nonprod_backend"
backend_http_settings_name = "External_app_gtw_nonprod_http_setting"
priority = 1
}
frontend_port {
name = "abc-us6-gpt-nonprod-PRT-FE00011"
port = 443
}
backend_http_settings {
name = "External_app_gtw_nonprod_https_setting"
cookie_based_affinity = "Disabled"
path = "/"
port = 443
protocol = "Https"
request_timeout = 60
host_name = "irms.abc.com"
}
http_listener {
name = "External_app_gtw_nonprod_backend_listener_https"
frontend_ip_configuration_name = "abc-test-us6-nonprod-CFG-FE0001"
frontend_port_name = "abc-us6-gpt-nonprod-PRT-FE00011"
protocol = "Https"
ssl_certificate_name = data.azurerm_key_vault_certificate.firepfx.name
}
identity {
type = "UserAssigned"
identity_ids = [data.azurerm_user_assigned_identity.test-appgw-identity-us6.id]
}
request_routing_rule {
name = "External_app_gtw_nonprod_https"
rule_type = "Basic"
http_listener_name = "External_app_gtw_nonprod_backend_listener_https"
backend_address_pool_name = "External_app_gtw_nonprod_backend"
backend_http_settings_name = "External_app_gtw_nonprod_https_setting"
priority = 3
}
}

For Application Gateway, you have to create an ssl_certificate block that references the Key Vault secret ID under the key_vault_secret_id property. Then your listener will reference the name of this ssl_certificate resource instead of the locals variable you declared.
ssl_certificate {
name = "cert2023"
key_vault_secret_id "https://mykv.vault.azure.net/secrets/cert2023"
}

Terraform plan output shows recreating existing configuration / resources

I'm currently getting a strange issue. I have a Application Gateway deployed via terraform. If I try to add port 443 in both front end and backend end, the terraform plan shows it will delete the frontend and backend for port 80 and then recreate port 80 again along with the addition of 443.
~ resource "azurerm_application_gateway" "xyz" {
id = "xyz"
name = "xyz"
tags = {
"BusinessUnit" = "ehs"
"LineOfBusiness" = "corp"
}
# (8 unchanged attributes hidden)
- backend_http_settings {
- cookie_based_affinity = "Disabled" -> null
- id = "xyz" -> null
- name = "xyz" -> null
- path = "/path1/" -> null
- pick_host_name_from_backend_address = false -> null
- port = 80 -> null
- protocol = "Http" -> null
- request_timeout = 60 -> null
- trusted_root_certificate_names = [] -> null
}
+ backend_http_settings {
+ cookie_based_affinity = "Disabled"
+ host_name = "xyz"
+ id = (known after apply)
+ name = "xyz"
+ path = "/path1/"
+ pick_host_name_from_backend_address = false
+ port = 443
+ probe_id = (known after apply)
+ protocol = "Https"
+ request_timeout = 60
+ trusted_root_certificate_names = [
+ "irmscer",
]
}
+ backend_http_settings {
+ cookie_based_affinity = "Disabled"
+ id = "xyz"
+ name = "xyz"
+ path = "/path1/"
+ pick_host_name_from_backend_address = false
+ port = 80
+ protocol = "Http"
+ request_timeout = 60
+ trusted_root_certificate_names = []
}
+ frontend_port {
+ id = (known after apply)
+ name = "xyz"
+ port = 443
}
How to get around this issue? I'm not pointing the terraform to use an specific version
This is the terraform backend
terraform {
backend "azurerm" {
storage_account_name = "xyz"
resource_group_name = "xyz"
container_name = "appgw"
tenant_id = "xyz"
subscription_id = "xyz"
key = "xyz"
}
}
provider "azurerm" {
features {}
}

It is not re-creating entire application gateway. It is re-creating the settings with port 80 and 443 which is normal. This is normal behavior and not an issue. May be, the Terraform addresses these kind of issues in future versions.

backend_http_settings protocol will not listen on port 443 and port doesn't support for backend pools.
As a result, you cannot change the port for the backend, and the only supported one is 80.
And for front end configuration, if you want to add any existing listener port to the previous port 80, you must add one more frontend port block so that it will consider two ports and listen to the specific port that we provide.
Add frontend_port as shown:
frontend_port{
name = local.frontend_port_name_new
port = 443
}
Firstly, Deployed application_gateway with listener Port 80:
I've written below script by following terraform registry template and made a few changes as per your requirement and was able to update the port changes successfully.
provider "azurerm"{
features{}
}
resource "azurerm_resource_group" "example" {
name = "xxxresources"
location = "West Europe"
}
resource "azurerm_virtual_network" "example" {
name = "xxxnetwork"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
address_space = xxxx
}
resource "azurerm_subnet" "frontend" {
name = "frontend"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = xxxx
}
resource "azurerm_subnet" "backend" {
name = "backend"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = xxx
}
resource "azurerm_public_ip" "example" {
name = "xxxx"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
allocation_method = "Dynamic"
}
# since these variables are re-used - a locals block makes this more maintainable
locals {
backend_address_pool_name = "${azurerm_virtual_network.example.name}-beapname"
frontend_port_name = "${azurerm_virtual_network.example.name}-fendport"
frontend_port_name_new = "${azurerm_virtual_network.example.name}-feportnew"
frontend_ip_configuration_name = "${azurerm_virtual_network.example.name}-fconfig"
http_setting_name = "${azurerm_virtual_network.example.name}-htstname"
listener_name = "${azurerm_virtual_network.example.name}-httplisten"
request_routing_rule_name = "${azurerm_virtual_network.example.name}-rt"
redirect_configuration_name = "${azurerm_virtual_network.example.name}-rcfg"
}
resource "azurerm_application_gateway" "network" {
name = "xxxxappgateway"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
sku {
name = "Standard_Small"
tier = "Standard"
capacity = 2
}
gateway_ip_configuration {
name = "my-gateway-ip-configuration"
subnet_id = azurerm_subnet.frontend.id
}
frontend_port {
name = local.frontend_port_name
port = 80
}
frontend_port{
name = local.frontend_port_name_new
port = 443
}
frontend_ip_configuration {
name = local.frontend_ip_configuration_name
public_ip_address_id = azurerm_public_ip.example.id
}
backend_address_pool {
name = local.backend_address_pool_name
}
backend_http_settings {
name = local.http_setting_name
cookie_based_affinity = "Disabled"
path = "/path1/"
port = 80
protocol = "Http"
request_timeout = 60
}
http_listener {
name = local.listener_name
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.frontend_port_name
protocol = "Http"
}
request_routing_rule {
name = local.request_routing_rule_name
rule_type = "Basic"
http_listener_name = local.listener_name
backend_address_pool_name = local.backend_address_pool_name
backend_http_settings_name = local.http_setting_name
}
}
terraform init:
After updating the port terraform plan showed output as below:
terraform apply:
Changes deployed successfully and you can track the change analysisby going to the Activity Log under deployed application_gateway resource:

Terraform Upgrade to 0.14.0/azurerm to 2.65.0 Causing an Issue regarding SSL Cert in Application Gateway Configuration

After upgrading terraform to 0.14.0 and azurerm to 2.65.0 I got three errors regarding ssl certificate configuration in the application gateway section.
Error: expected "ssl_certificate.0.key_vault_secret_id" to not be an empty string, got
on ~/modules/someservice/gateways.tf line 120, in resource "azurerm_application_gateway" "network":
102: ssl_certificate {
Error: Computed attributes cannot be set
on ~/modules/someservice/gateways.tf line 120, in resource "azurerm_application_gateway" "network":
120: ssl_certificate {
Computed attributes cannot be set, but a value was set for
"ssl_certificate.0.id".
Error: Computed attributes cannot be set
on ~/modules/someservice/gateways.tf line 120, in resource "azurerm_application_gateway" "network":
120: ssl_certificate {
Computed attributes cannot be set, but a value was set for
"ssl_certificate.0.public_cert_data".
But key_vault_secret_id configuratiom is not existing in my code:
ssl_certificate {
name = local.certificate_name
data = filebase64("./ssl-cert/appgwcert.pfx")
password = "SecretPwd"
}
Snippet of the application gateway:
terraform {
required_version = "= 0.14.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "2.65.0"
}
}
}
provider "azurerm" {
features {}
}
# #################################################################
resource "azurerm_public_ip" "pub-ip" {
name = "appgw-pubIP"
resource_group_name = local.resour_group_name
location = local.resour_group_location
allocation_method = "Dynamic"
}
resource "azurerm_subnet" "subnet-01" {
name = "seubnet-app-gateway"
resource_group_name = local.resour_group_name
virtual_network_name = "vnet-app-gateway"
address_prefixes = ["10.21.0.0/24"]
}
# since these variables are re-used - a locals block makes this more maintainable
locals {
resour_group_name = "app-gateway-test-01"
resour_group_location = "westus2"
backend_address_pool_name = "backend-pool-test-01"
frontend_port_name = "port_443"
frontend_ip_configuration_name = "appGwPublicFrontendIp"
http_setting_name = "http-settings-test-01"
listener_name = "https-listener-01"
request_routing_rule_name = "routrul-test-01"
certificate_name = "appgw-cert-test-01"
}
resource "azurerm_application_gateway" "network" {
name = "app-gateway-test-01"
resource_group_name = local.resour_group_name
location = local.resour_group_location
sku {
name = "Standard_V2"
tier = "Standard"
capacity = 2
}
gateway_ip_configuration {
name = "appGatewayIpConfig"
subnet_id = azurerm_subnet.subnet-01.id
}
frontend_port {
name = local.frontend_port_name
port = 443
}
frontend_ip_configuration {
name = local.frontend_ip_configuration_name
public_ip_address_id = azurerm_public_ip.pub-ip.id
}
backend_address_pool {
name = local.backend_address_pool_name
}
backend_http_settings {
name = local.http_setting_name
cookie_based_affinity = "Disabled"
port = 80
protocol = "Http"
request_timeout = 20
}
http_listener {
name = local.listener_name
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.frontend_port_name
protocol = "Https"
ssl_certificate_name = local.certificate_name
}
ssl_certificate {
name = local.certificate_name
# reference the dummy certificate
data = filebase64("./ssl-cert/appgwcert.pfx")
# this is only a dummy and not the actual certificate to be used thus no harm in storing the password
password = "SecretPwd"
}
request_routing_rule {
name = local.request_routing_rule_name
rule_type = "Basic"
http_listener_name = local.listener_name
backend_address_pool_name = local.backend_address_pool_name
backend_http_settings_name = local.http_setting_name
}
lifecycle {
ignore_changes = [ssl_certificate, http_listener]
}
}
I have no idea how to fix it?

There are few problems in your code, I have fixed those and tested on my environment.
The Public IP should have Sku = Standard and allocation_method = static.
The Sku name in application Gateway is standard_v2 but the
tier is Standard , it should be the same i.e. standard_v2 .
I have used terraform version 1.0.5 instead of using terraform
version 0.14.0.
So, after the changes the code is as below:
terraform {
required_version = "1.0.5"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "2.65.0"
}
}
}
provider "azurerm" {
features {}
}
# #################################################################
resource "azurerm_public_ip" "pub-ip" {
name = "appgw-pubIP"
resource_group_name = local.resour_group_name
location = local.resour_group_location
allocation_method = "Static"
sku = "standard"
}
resource "azurerm_subnet" "subnet-01" {
name = "seubnet-app-gateway"
resource_group_name = local.resour_group_name
virtual_network_name = "ansuman-vnet"
address_prefixes = ["172.31.10.0/24"]
}
# since these variables are re-used - a locals block makes this more maintainable
locals {
resour_group_name = "myresourcegroup"
resour_group_location = "westus2"
backend_address_pool_name = "backend-pool-test-01"
frontend_port_name = "port_443"
frontend_ip_configuration_name = "appGwPublicFrontendIp"
http_setting_name = "http-settings-test-01"
listener_name = "https-listener-01"
request_routing_rule_name = "routrul-test-01"
certificate_name = "appgw-cert-test-01"
}
resource "azurerm_application_gateway" "network" {
name = "app-gateway-test-01"
resource_group_name = local.resour_group_name
location = local.resour_group_location
sku {
name = "Standard_v2"
tier = "Standard_v2"
capacity = 2
}
gateway_ip_configuration {
name = "appGatewayIpConfig"
subnet_id = azurerm_subnet.subnet-01.id
}
frontend_port {
name = local.frontend_port_name
port = 443
}
frontend_ip_configuration {
name = local.frontend_ip_configuration_name
public_ip_address_id = azurerm_public_ip.pub-ip.id
}
backend_address_pool {
name = local.backend_address_pool_name
}
backend_http_settings {
name = local.http_setting_name
cookie_based_affinity = "Disabled"
port = 80
protocol = "Http"
request_timeout = 20
}
http_listener {
name = local.listener_name
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.frontend_port_name
protocol = "Https"
ssl_certificate_name = local.certificate_name
}
ssl_certificate {
name = local.certificate_name
# reference the dummy certificate
data = filebase64("C:/powershellpfx.pfx")
# this is only a dummy and not the actual certificate to be used thus no harm in storing the password
password = "password#1234"
}
request_routing_rule {
name = local.request_routing_rule_name
rule_type = "Basic"
http_listener_name = local.listener_name
backend_address_pool_name = local.backend_address_pool_name
backend_http_settings_name = local.http_setting_name
}
lifecycle {
ignore_changes = [ssl_certificate, http_listener]
}
}
Outputs:

two frontend ports of application gateway are using the same port 443 - Azure application gateway in terraform

I am configuring azure application gateway using terraform.
Following is the module that i wrote:
locals {
backend_address_pool_name = format("appgwbeap-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
frontend_port_name = format("appgwfeport-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
frontend_ip_configuration_name = format("appgwfeip-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
http_setting_name = format("appgwhtst-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
listener_name = format("appgwhttplstnr-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
request_routing_rule_name = format("appgwrqrt-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
redirect_configuration_name = format("appgwrdrcfg-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
}
resource "azurerm_application_gateway" "appgw" {
name = format("appgw-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
resource_group_name = var.rg_name
location = var.location
sku {
name = var.sku_name
tier = var.sku_tier
capacity = var.sku_capacity
}
gateway_ip_configuration {
name = format("appgwipcfg-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
subnet_id = var.subnet_id
}
frontend_port {
name = "appgwfeport-app1-uatizweb-gw"
port = "443"
}
frontend_port {
name = "appgwfeport-app2-uatizweb-gw"
port = "443"
}
ssl_certificate {
name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
data = filebase64("./certificates/web.app1.sso.gwwu.xxx.com.de-12Jan2021.pfx")
password = "${var.app1_pfx_password}"
}
authentication_certificate {
name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
data = file("./certificates/web_app1_sso_gwwu_xxx_com_de-12Jan21.cer")
}
ssl_certificate {
name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
data = filebase64("./certificates/selfsigned-app2-uat-01Mar21.pfx")
password = "${var.app1_pfx_password}"
}
authentication_certificate {
name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
data = file("./certificates/selfsigned-app2-uat-01Mar21.cer")
}
frontend_ip_configuration {
name = "${local.frontend_ip_configuration_name}"
subnet_id = var.subnet_id
private_ip_address = var.frontend_private_ip
private_ip_address_allocation = "Static"
}
backend_address_pool {
name = "beap-path-app1-app"
#fqdns = var.fqdn_list
ip_addresses = ["10.xxx.xxx.36"]
}
backend_address_pool {
name = "beap-path-app2-app"
#fqdns = var.fqdn_list
ip_addresses = ["10.xxx.xxx.37"]
}
backend_http_settings {
name = "behs-path-app1-app"
cookie_based_affinity = var.backend_cookie_based_affinity
affinity_cookie_name = "ApplicationGatewayAffinity"
path = var.backend_path
port = "443"
#probe_name = "probe-app1"
protocol = "Https"
request_timeout = var.backend_request_timeout
authentication_certificate {
name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
}
}
backend_http_settings {
name = "behs-path-app2-app"
cookie_based_affinity = var.backend_cookie_based_affinity
affinity_cookie_name = "ApplicationGatewayAffinity"
path = var.backend_path
port = "443"
#probe_name = "probe-app2"
protocol = "Https"
request_timeout = var.backend_request_timeout
authentication_certificate {
name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
}
}
http_listener {
name = "appgwhttplsnr-app1-uatizweb-gw"
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
frontend_port_name = "appgwfeport-app1-uatizweb-gw"
protocol = "Https"
ssl_certificate_name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
require_sni = true
host_name = "web.app1.sso.gwwu.xxx.com.de"
}
http_listener {
name = "appgwhttplsnr-app2-uatizweb-gw"
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
frontend_port_name = "appgwfeport-app2-uatizweb-gw"
ssl_certificate_name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
require_sni = true
protocol = "Https"
host_name = "web.app2.sso.gwwu.xxx.com.de"
}
request_routing_rule {
name = "appgwrqrt-app2-uatizweb-gw"
rule_type = var.backend_rule_type
http_listener_name = "appgwhttplsnr-app2-uatizweb-gw"
backend_address_pool_name = "beap-path-app2-app"
backend_http_settings_name = "behs-path-app2-app"
}
request_routing_rule {
name = "appgwrqrt-app1-uatizweb-gw"
rule_type = var.backend_rule_type
http_listener_name = "appgwhttplsnr-app1-uatizweb-gw"
backend_address_pool_name = "beap-path-app1-app"
backend_http_settings_name = "behs-path-app1-app"
}
}
Below is the main.tf that calls the module:
module "app_gateway" {
source = "../../../modules/appgateway"
rg_name = var.rg_name
agency = local.agency
project_code = local.project_code
env = var.env
zone = var.zone
tier = "appgw"
location = local.location
vnet_name = var.vnet_name
subnet_id = module.agw_subnet.subnet_id
sku_name = var.appgw_sku_name
sku_capacity = var.appgw_sku_capacity
frontend_private_ip = var.appgw_frontend_ip
frontend_port = var.frontend_port
frontend_protocol = var.frontend_protocol
app1_pfx_password = "${var.app1_pfx_password}"
backend_protocol = var.backend_protocol
backend_port = var.backend_port
backend_path = "/"
providers = {
azurerm = azurerm.corpapps
}
}
I have used Multi-site, However when i deploy -i get the following error:
two frontend ports of application gateway are using the same port number 443.
When i change one of my port to 5443 - it does get deployed and works from terraform.
Also, i can create two frontend port with 443 (multi-site) from portal.Can't do this from terraform.
What am i missing from terraform.
Any light on this will help!

We ran into the same error when updating an App Gateway via a PowerShell script.
Scenario:
There was an existing multi-site listener using the FrontendPort for 80. When the script tried to add a second multi-site listener on that same port, we got the same error message.
It turned out that the original listener was on the public Frontend IP while the the second one being added was using the Private Frontend IP. I didn't realize this, but you can NOT use the same Frontend Port for both a public listener and a private listener even if they are both multi-site.
The original listener shouldn't have been public IP, anyway, so once I tweaked the original listener to use the private IP, the script executed without error.
I found the explanation about Private and Public IP's not being able to share the same port here:
https://github.com/MicrosoftDocs/azure-docs/issues/23652
Maybe this will help someone else.

We could use the same frontend configuration(frontend IP, protocol, port or name) for multi-sites listener instead of creating two frontend_port names.
For example, change the related codes:
resource "azurerm_application_gateway" "appgw" {
#..
frontend_port {
name = "appgwfeport-app1-uatizweb-gw"
port = "443"
}
# frontend_port {
# name = "appgwfeport-app2-uatizweb-gw"
# port = "443"
# }
#..
http_listener {
name = "appgwhttplsnr-app1-uatizweb-gw"
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
frontend_port_name = "appgwfeport-app1-uatizweb-gw"
protocol = "Https"
ssl_certificate_name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
require_sni = true
host_name = "web.app1.sso.gwwu.xxx.com.de"
}
http_listener {
name = "appgwhttplsnr-app2-uatizweb-gw"
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
frontend_port_name = "appgwfeport-app1-uatizweb-gw" #change here
ssl_certificate_name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
require_sni = true
protocol = "Https"
host_name = "web.app2.sso.gwwu.xxx.com.de"
}
}
For more information, read https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-multiple-sites-powershell and https://learn.microsoft.com/en-us/azure/application-gateway/create-multiple-sites-portal#configuration-tab

Maybe this link will be helpful: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#can-i-use-the-same-port-for-both-public-facing-and-private-facing-listeners
The short answer is - it is not possible to use the same port private and public listeners.
As a workaround I used another port like 10443 for https private listener configuration. In my case it worked fine because users did not use private listener

azure-cli was outdated in our case. After upgrade it all started to work like a charm.
We had an Application Gateway set up by Terraform with two multi-site public listeners, both using the same 443 port. The mentioned error Two Http Listeners of Application Gateway <..> and <..> are using the same Frontend Port <..> and FrontendIpConfiguration <..> was happening when outdated az cli was trying to az network application-gateway ssl-cert update --key-vault-secret-id <..>. azure-cli initial: 2.2.0, final: 2.39.0. After upgrade az network application-gateway ssl-cert update started to update GW's cert as expected.

Trying to attach SSL certificate on application gateway using azure terraform

I am trying to pass PFX certificate from local machine to code azure terraform but when i am applying this method in terraform its showing one error certificate or password invalid. i have tested certificate and password both but its working fine. i have attache code and error details below
Thanks-Onkar
resource "azurerm_application_gateway" "network" {
name = "my-application-gateway-12345"
resource_group_name = azurerm_resource_group.rg.name
location = "West US"
sku {
name = "Standard_Small"
tier = "Standard"
capacity = 2
}
gateway_ip_configuration {
name = "my-gateway-ip-configuration"
subnet_id = "${azurerm_virtual_network.vnet.id}/subnets/${azurerm_subnet.sub1.name}"
}
ssl_certificate {
name = "certificate"
data = "${base64encode(filemd5("test.pfx"))}"
password = "*****"
}
frontend_port {
name = "feport"
port = 80
}
frontend_ip_configuration {
name = "feip"
public_ip_address_id = "${azurerm_public_ip.pip.id}"
}
backend_address_pool {
name = "beap"
}
backend_http_settings {
name = "be-htst"
cookie_based_affinity = "Disabled"
port = 443
protocol = "Https"
request_timeout = 1
}
http_listener {
name = "httplstn"
frontend_ip_configuration_name = "feip"
frontend_port_name = "feport"
protocol = "https"
ssl_certificate_name = "certificate"
}
request_routing_rule {
name = "rqrt"
rule_type = "Basic"
http_listener_name = "httplstn"
backend_address_pool_name = "beap"
backend_http_settings_name = "be-htst"
}
}
Update
after changes as per your instruction following error is occurred

For the error message, you could use ssl_certificate block like this
ssl_certificate {
name = "certificate"
data = "${base64encode(file("test.pfx"))}"
password = "*****"
}
Here is an example in that question.
Update
For the error message, you could use the filebase64 function to obtain the Base64 encoded contents.
change it to
ssl_certificate {
name = "certificate"
data = "${filebase64("test.pfx")}"
password = "xxxx"
}

Below is the module for application gateway:
locals {
backend_address_pool_name = format("appgwbeap-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
frontend_port_name = format("appgwfeport-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
frontend_ip_configuration_name = format("appgwfeip-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
http_setting_name = format("appgwhtst-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
listener_name = format("appgwhttplstnr-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
request_routing_rule_name = format("appgwrqrt-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
redirect_configuration_name = format("appgwrdrcfg-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
}
resource "azurerm_application_gateway" "appgw" {
name = format("appgw-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
resource_group_name = var.rg_name
location = var.location
sku {
name = var.sku_name
tier = var.sku_tier
capacity = var.sku_capacity
}
gateway_ip_configuration {
name = format("appgwipcfg-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
subnet_id = var.subnet_id
}
frontend_port {
name = "appgwfeport-app1-uatizweb-gw"
port = "443"
}
frontend_port {
name = "appgwfeport-app2-uatizweb-gw"
port = "443"
}
ssl_certificate {
name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
data = filebase64("./certificates/web.app1.sso.gwwu.xxx.com.de-12Jan2021.pfx")
password = "${var.app1_pfx_password}"
}
authentication_certificate {
name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
data = file("./certificates/web_app1_sso_gwwu_xxx_com_de-12Jan21.cer")
}
ssl_certificate {
name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
data = filebase64("./certificates/selfsigned-app2-uat-01Mar21.pfx")
password = "${var.app1_pfx_password}"
}
authentication_certificate {
name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
data = file("./certificates/selfsigned-app2-uat-01Mar21.cer")
}
frontend_ip_configuration {
name = "${local.frontend_ip_configuration_name}"
subnet_id = var.subnet_id
private_ip_address = var.frontend_private_ip
private_ip_address_allocation = "Static"
}
backend_address_pool {
name = "beap-path-app1-app"
#fqdns = var.fqdn_list
ip_addresses = ["10.xxx.xxx.36"]
}
backend_address_pool {
name = "beap-path-app2-app"
#fqdns = var.fqdn_list
ip_addresses = ["10.xxx.xxx.37"]
}
backend_http_settings {
name = "behs-path-app1-app"
cookie_based_affinity = var.backend_cookie_based_affinity
affinity_cookie_name = "ApplicationGatewayAffinity"
path = var.backend_path
port = "443"
#probe_name = "probe-app1"
protocol = "Https"
request_timeout = var.backend_request_timeout
authentication_certificate {
name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
}
}
backend_http_settings {
name = "behs-path-app2-app"
cookie_based_affinity = var.backend_cookie_based_affinity
affinity_cookie_name = "ApplicationGatewayAffinity"
path = var.backend_path
port = "443"
#probe_name = "probe-app2"
protocol = "Https"
request_timeout = var.backend_request_timeout
authentication_certificate {
name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
}
}
http_listener {
name = "appgwhttplsnr-app1-uatizweb-gw"
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
frontend_port_name = "appgwfeport-app1-uatizweb-gw"
protocol = "Https"
ssl_certificate_name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
require_sni = true
host_name = "web.app1.sso.gwwu.xxx.com.de"
}
http_listener {
name = "appgwhttplsnr-app2-uatizweb-gw"
frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
frontend_port_name = "appgwfeport-app2-uatizweb-gw"
ssl_certificate_name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
require_sni = true
protocol = "Https"
host_name = "web.app2.sso.gwwu.xxx.com.de"
}
request_routing_rule {
name = "appgwrqrt-app2-uatizweb-gw"
rule_type = var.backend_rule_type
http_listener_name = "appgwhttplsnr-app2-uatizweb-gw"
backend_address_pool_name = "beap-path-app2-app"
backend_http_settings_name = "behs-path-app2-app"
}
request_routing_rule {
name = "appgwrqrt-app1-uatizweb-gw"
rule_type = var.backend_rule_type
http_listener_name = "appgwhttplsnr-app1-uatizweb-gw"
backend_address_pool_name = "beap-path-app1-app"
backend_http_settings_name = "behs-path-app1-app"
}
}
Below is the main.tf that calls the module:
module "app_gateway" {
source = "../../../modules/appgateway"
rg_name = var.rg_name
agency = local.agency
project_code = local.project_code
env = var.env
zone = var.zone
tier = "appgw"
location = local.location
vnet_name = var.vnet_name
subnet_id = module.agw_subnet.subnet_id
sku_name = var.appgw_sku_name
sku_capacity = var.appgw_sku_capacity
frontend_private_ip = var.appgw_frontend_ip
frontend_port = var.frontend_port
frontend_protocol = var.frontend_protocol
app1_pfx_password = "${var.app1_pfx_password}"
backend_protocol = var.backend_protocol
backend_port = var.backend_port
backend_path = "/"
providers = {
azurerm = azurerm.corpapps
}
}