Attaching SSL certificate to Azure application gateway in Terraform
I have been trying for a while to deploy an application gateway automatically with Terraform, but it just fails with an error message. I have made sure that all protocols are set to HTTPS. However, I suspect something fishy with the PFX certificate.
Is it failing because I did not provide an authentication certificate? I have searched a lot online for a solution, but nothing mentions this.
Terraform code:
# Create a resource group
resource "azurerm_resource_group" "rg" {
  name     = "my-rg-application-gateway-12345"
  location = "West US"
}

# Create the virtual network and the two subnets used by the gateway
resource "azurerm_virtual_network" "vnet" {
  name                = "my-vnet-12345"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  address_space       = ["10.254.0.0/16"]
  location            = "${azurerm_resource_group.rg.location}"
}

resource "azurerm_subnet" "sub1" {
  name                 = "my-subnet-1"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.254.0.0/24"
}

resource "azurerm_subnet" "sub2" {
  name                 = "my-subnet-2"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.254.2.0/24"
}

resource "azurerm_public_ip" "pip" {
  name                         = "my-pip-12345"
  location                     = "${azurerm_resource_group.rg.location}"
  resource_group_name          = "${azurerm_resource_group.rg.name}"
  public_ip_address_allocation = "dynamic"
}

# Create an application gateway
resource "azurerm_application_gateway" "network" {
  name                = "my-application-gateway-12345"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  location            = "West US"

  sku {
    name     = "Standard_Small"
    tier     = "Standard"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = "${azurerm_virtual_network.vnet.id}/subnets/${azurerm_subnet.sub1.name}"
  }

  ssl_certificate {
    name     = "certificate"
    data     = "${base64encode(file("mycert.pfx"))}"
    password = "XXXXXXX"
  }

  frontend_port {
    name = "${azurerm_virtual_network.vnet.name}-feport"
    port = 80
  }

  frontend_ip_configuration {
    name                 = "${azurerm_virtual_network.vnet.name}-feip"
    public_ip_address_id = "${azurerm_public_ip.pip.id}"
  }

  backend_address_pool {
    name = "${azurerm_virtual_network.vnet.name}-beap"
  }

  backend_http_settings {
    name                  = "${azurerm_virtual_network.vnet.name}-be-htst"
    cookie_based_affinity = "Disabled"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 1
  }

  # Note: this listener declares protocol https but does not reference the certificate above
  http_listener {
    name                           = "${azurerm_virtual_network.vnet.name}-httpslstn"
    frontend_ip_configuration_name = "${azurerm_virtual_network.vnet.name}-feip"
    frontend_port_name             = "${azurerm_virtual_network.vnet.name}-feport"
    protocol                       = "https"
  }

  request_routing_rule {
    name                       = "${azurerm_virtual_network.vnet.name}-rqrt"
    rule_type                  = "Basic"
    http_listener_name         = "${azurerm_virtual_network.vnet.name}-httpslstn"
    backend_address_pool_name  = "${azurerm_virtual_network.vnet.name}-beap"
    backend_http_settings_name = "${azurerm_virtual_network.vnet.name}-be-htst"
  }
}
Error:
Error: Error applying plan:
1 error(s) occurred:
* azurerm_application_gateway.network: 1 error(s) occurred:
* azurerm_application_gateway.network: Error Creating/Updating ApplicationGateway "my-application-gateway-12345" (Resource Group "my-rg-application-gateway-12345"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ApplicationGatewayHttpsListenerMustReferenceSslCert" Message="Http Listener /subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/my-rg-application-gateway-12345/providers/Microsoft.Network/applicationGateways/my-application-gateway-12345/httpListeners/my-vnet-12345-httpslstn uses protocol Https. Ssl Certificate must be specified." Details=[]
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
As stated in the azurerm_application_gateway docs, you need to add ssl_certificate_name to the http_listener block when using https.
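The listener fix the answer describes, written out as an added example (this is not the answerer's or the asker's code). It shows only the blocks of the question's azurerm_application_gateway resource that change; it assumes the other blocks stay as posted, moves the PFX password into a Terraform variable named ssl_cert_password (a name chosen here) instead of a literal in source control, and puts the HTTPS listener on frontend port 443 rather than the question's port 80.

```hcl
# Added example, not the answerer's code. Only the blocks that change are shown;
# sku, gateway_ip_configuration, frontend_ip_configuration, backend_address_pool,
# backend_http_settings and request_routing_rule stay as in the question.

# Hypothetical variable: set it with TF_VAR_ssl_cert_password (or a .tfvars file
# kept out of version control) so the PFX password is not committed with the code.
variable "ssl_cert_password" {}

resource "azurerm_application_gateway" "network" {
  # ... unchanged attributes and blocks from the question ...

  ssl_certificate {
    name     = "certificate"
    data     = "${base64encode(file("mycert.pfx"))}"
    password = "${var.ssl_cert_password}"
  }

  # The question opened port 80 in front of an HTTPS listener; 443 is the
  # port clients will actually connect to for TLS.
  frontend_port {
    name = "${azurerm_virtual_network.vnet.name}-feport"
    port = 443
  }

  http_listener {
    name                           = "${azurerm_virtual_network.vnet.name}-httpslstn"
    frontend_ip_configuration_name = "${azurerm_virtual_network.vnet.name}-feip"
    frontend_port_name             = "${azurerm_virtual_network.vnet.name}-feport"
    protocol                       = "Https"
    # The missing piece behind ApplicationGatewayHttpsListenerMustReferenceSslCert:
    # this value must equal the name of the ssl_certificate block above.
    ssl_certificate_name           = "certificate"
  }
}
```

Before applying, confirm the PFX opens with the same password outside Terraform, for example with `openssl pkcs12 -info -noout -in mycert.pfx`; a bad password or corrupt bundle fails with a different error than the one in the question, so the listener reference is the only thing the message above is complaining about.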