Terraform-provider-azurerm: Application Gateway v2 changes authentication certificate to trusted root certificate

This query does not have solution mentioned in #1576, can someone please help in resolving this issue.

If you are visiting this page because you want to implement E2E encryption, you might be able to get it to work before the trusted root certificate upload is implemented in Terraform.

Since the HttpSettings ”Use Well Known CA Certificate” is enabled by default on V2, and if you are using a certificate from a "Well known CA Authority", then HttpSettings just works out of the box when provisioning App Gateway using Terraform. (Tested with AzureRM Provider v1.27.1)
In this case, you don't need to upload a root cert.
Ref.: https://docs.microsoft.com/en-us/azure/application-gateway/ssl-overview#end-to-end-ssl-with-the-v2-sku

Still an issue in

provider "azurerm" {
  version         = "1.31"

There is no resource argument to add root certificate on App gateway v2 using Terraform, kindly help.

FWIW, LetsEncrypt certs are not considered a "Well Known CA Certificate", but if you manually upload the ISRG Root X1 certificate as a "Trusted Root certificate" in the Azure Portal, you _can_ use LetsEncrypt certs for E2E.

Interestingly enough, the documentation at https://docs.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal says:

Application Gateway v2 SKU requires trusted root certificates for enabling end-to-end configuration. Portal support for adding trusted root certificates is not available yet. Therefore, in case of v2 SKU see configure end-to-end SSL using PowerShell.

This is no longer accurate, as I absolutely just did upload the ISRG Root X1 certificate as a Trusted Root certificate using the Azure Portal.

Also, the online docs don't mention Azure CLI instructions, but you can install the Trusted Root certificate using the Azure CLI this way:

$ az network application-gateway root-cert create \
    --resource-group RESOURCE-GROUP-NAME \
    --gateway-name APP-GATEWAY-NAME \
    --name isrgrootx1 --cert-file isrgrootx1.pem

$ az network application-gateway http-settings update \
    --resource-group RG-BASE-MASX-BUTCHERBOX-CENTRALUS \
    --gateway-name app-gw-centralus-production \
    --name https \
    --set hostName=backend-hostname.example.com \
    --add trustedRootCertificates \
        id=/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Network/applicationGateways/APP-GATEWAY_NAME/trustedRootCertificates/isrgrootx1

Not sure what it would take to make this do-able through Terraform's AzureRM provider, but maybe this will help others work around this deficiency in the meantime.

This has been released in version 1.34.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.34.0"
}
# ... other configuration ...

I've just tried this change. The question I have is how to associate this trusted_root_certificate block with backend_http_settings? I see authentication_certificate block only

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!