API Management custom domain key vault address incorrectly validates

[simongh]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

1.30.0

Affected Resource(s)

• azurerm_api_management

Terraform Configuration Files

data "azurerm_key_vault_secret" "certs" {
  name         = "ssl-cert"
  key_vault_id = data.azurerm_key_vault.certs.id
}

locals {
  cert_url = replace(data.azurerm_key_vault_secret.certs.id,"/${data.azurerm_key_vault_secret.cert.version}","")
}

resource "azurerm_api_management" "api" {
...
  hostname_configuration {
    proxy {
      host_name    = "api.hostname.com"
      key_vault_id = local.cert_url
    }

    portal {
      host_name    = "developers.hostname.com"
      key_vault_id = local.cert_url
    }
  }
...

Debug Output

Error: Error parsing Key Vault Child ID: Azure KeyVault Child Id should have 3 segments, got 2: 'secrets/ssl-cert'

Panic Output

Expected Behavior

The key vault url should not require the version. By requiring a version, it defeats the purpose of using key vault, which allows new certs to be uploaded without requiring a new deployment of api management

It's also not possible to obtain a versionless url from the secret datasource without using the above function.

Actual Behavior

Using the Azure portal sets the versionless url, which Terraform will then undo.

The provider uses the Keyvault validation function for a secret that requires 3 parts. In this instance, on 2 parts are required & are preferred. This validation was appears to have been added in #2189

Steps to Reproduce

1. Define an api management resource with a custom domain.
2. Upload a certificate for the custom domain to a key vault store
3. Link the key vault cert to the custom domain

Important Factoids

References

• #0000

[piotrgwiazda]

The same happens for "azurerm_app_service_certificate" when using "key_vault_secret_id".

[ghost]

This has been released in version 2.10.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.10.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!