
azurerm cdn endpoint custom domain - secret and certificate is required for import but getting error #23503

Closed
1 task done
veldpworld opened this issue Oct 10, 2023 · 9 comments


@veldpworld

### Terraform Version

3.5.8

### AzureRM Provider Version

3

### Affected Resource(s)/Data Source(s)

azurerm_cdn_endpoint_custom_domain

### Terraform Configuration Files

```hcl
resource "azurerm_cdn_endpoint_custom_domain" "current" {
  count           = var.custom_domain_enabled == true ? 1 : 0
  name            = var.custom_domain_name
  cdn_endpoint_id = coalesce(var.custom_cdn_endpoint_id, azurerm_cdn_endpoint.current.id)
  host_name       = var.custom_hostname
  user_managed_https {
    key_vault_secret_id      = var.user_managed_https.key_vault_secret_id
    key_vault_certificate_id = var.user_managed_https.key_vault_certificate_id
    tls_version              = var.user_managed_https.tls_version
  }
}
```


### Debug Output/Panic Output

When I tried to import the CDN custom endpoint:

```shell
     ~ user_managed_https {
          ~ key_vault_certificate_id = "https://example.vault.azure.net/certificates/wildcard.xxx" -> (known after apply)
          ~ key_vault_secret_id      = "https://example.azure.net/secrets/wildcard-xxx" -> "https://example.vault.azure.net/certificates/wildcard.xxx"
            # (1 unchanged attribute hidden)
        }
    }
```

It asks for both; if I provide both values, it gives the error below. I have the TLS cert in the KV cert, not the KV secret.

```shell
Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Invalid combination of arguments
│
│   with azurerm_cdn_endpoint_custom_domain.current[0],
│   on main.tf line 17, in resource "azurerm_cdn_endpoint_custom_domain" "current":
│   17:     key_vault_secret_id       = var.user_managed_https.key_vault_secret_id
│
│ "user_managed_https.0.key_vault_secret_id": only one of
│ `user_managed_https.0.key_vault_certificate_id,user_managed_https.0.key_vault_secret_id` can be specified, but
│ `user_managed_https.0.key_vault_certificate_id,user_managed_https.0.key_vault_secret_id` were specified.
╵
╷
│ Error: Invalid combination of arguments
│
│   with azurerm_cdn_endpoint_custom_domain.current[0],
│   on main.tf line 18, in resource "azurerm_cdn_endpoint_custom_domain" "current":
│   18:     key_vault_certificate_id  = var.user_managed_https.key_vault_certificate_id
│
│ "user_managed_https.0.key_vault_certificate_id": only one of
│ `user_managed_https.0.key_vault_certificate_id,user_managed_https.0.key_vault_secret_id` can be specified, but
│ `user_managed_https.0.key_vault_certificate_id,user_managed_https.0.key_vault_secret_id` were specified.
```

### Expected Behaviour

It should import successfully without any difference.

### Actual Behaviour

```shell
  ~ user_managed_https {
      ~ key_vault_secret_id      = "https://example.vault.azure.net/secrets/wildcard-xxxx" -> (known after apply)
        # (2 unchanged attributes hidden)
    }
}

Plan: 1 to add, 0 to change, 1 to destroy.

│ Warning: Argument is deprecated

│ with azurerm_cdn_endpoint_custom_domain.current[0],
│ on main.tf line 18, in resource "azurerm_cdn_endpoint_custom_domain" "current":
│ 18: key_vault_certificate_id = var.user_managed_https.key_vault_certificate_id
```

It is not giving this cert change / secret change either.

### Steps to Reproduce

_No response_

### Important Factoids

_No response_

### References

_No response_
@magodo
Collaborator

magodo commented Oct 11, 2023

If I understand correctly, you are trying to import an existing azurerm_cdn_endpoint_custom_domain. To do that, you can simply ignore the user_managed_https before you import, and complement the remaining config based on terraform plan output. The plan output will guide you about which part is missing in the config.

Regarding the following error:

```shell
Error: Invalid combination of arguments
```

As it already indicates, you shall only specify user_managed_https.0.key_vault_certificate_id if you don't have a secret at all.

@veldpworld
Author

veldpworld commented Oct 11, 2023

@magodo
I have tried importing without adding the user_managed_https block.

After importing, I ran the plan and it gives this change. It expects both values. We have only the KV cert configured and there is no KV secret for this custom domain.

```shell
     ~ user_managed_https {
          ~ key_vault_certificate_id = "https://example.vault.azure.net/certificates/wildcard.xxx" -> (known after apply)
          ~ key_vault_secret_id      = "https://example.azure.net/secrets/wildcard-xxx" -> "https://example.vault.azure.net/certificates/wildcard.xxx"
            # (1 unchanged attribute hidden)
        }
    }
```

Also, I have added only the KV cert attribute, but again it gives the below.

```shell
  ~ user_managed_https {
      ~ key_vault_secret_id      = "https://example.vault.azure.net/secrets/wildcard-xxxx" -> (known after apply)
        # (2 unchanged attributes hidden)
    }
}


Plan: 1 to add, 0 to change, 1 to destroy.
╷
│ Warning: Argument is deprecated
│
│   with azurerm_cdn_endpoint_custom_domain.current[0],
│   on main.tf line 18, in resource "azurerm_cdn_endpoint_custom_domain" "current":
│   18:     key_vault_certificate_id  = var.user_managed_https.key_vault_certificate_id
│
│ This is deprecated in favor of `key_vault_secret_id` as the service is actually looking for a secret, not a certificate
╵
```

@magodo
Collaborator

magodo commented Oct 11, 2023

@veldpworld In v3.0, both key_vault_certificate_id and key_vault_secret_id are the same, which indicates the key vault secret resource id that the API actually requires. In v4.0, key_vault_certificate_id will be removed. See #17058 (comment).

@veldpworld
Author

Currently we use 3.75.0. I don't want to make any changes to the running resource. Which version should I use to import? Can you please point me to that version? Thanks for your quick response!

@magodo
Collaborator

magodo commented Oct 11, 2023

In this case, you can continue using the key_vault_certificate_id and just ignore the key_vault_secret_id (even if it is imported, you can just keep it absent in the config).

Regarding the following plan output:

```shell
  ~ user_managed_https {
      ~ key_vault_secret_id      = "https://example.vault.azure.net/secrets/wildcard-xxxx" -> (known after apply)
        # (2 unchanged attributes hidden)
    }
}
```

Did you specify key_vault_secret_id in the config, or keep it absent?
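The workflow magodo describes in the two replies above (import with the `user_managed_https` block left out, then complete the config from the plan diff, setting exactly one of the two Key Vault ids) as an added example. This is not code from the issue or from the provider; the variable names, the placeholder vault URL, the `<...>` segments of the resource id and the `azurerm_cdn_endpoint.current` resource (referenced in the issue's own config and assumed to exist elsewhere in the module) are assumptions.

```hcl
# Added example, not the issue author's or the provider's code.
#
# Step 1: import with the user_managed_https block left out of the config.
# The resource id below is a placeholder path, not a real subscription:
#   terraform import 'azurerm_cdn_endpoint_custom_domain.current[0]' \
#     "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Cdn/profiles/<profile>/endpoints/<endpoint>/customDomains/<domain>"
#
# Step 2: run `terraform plan`. The diff shows which user_managed_https
# attributes are held in state; then add the block with exactly one id.

variable "custom_domain_enabled" {
  type    = bool
  default = true
}

variable "custom_domain_name" {
  type = string
}

variable "custom_hostname" {
  type = string
}

variable "custom_cdn_endpoint_id" {
  type    = string
  default = null
}

# Only the secret id is kept. In azurerm v3.x both attributes map to the same
# Key Vault secret id the CDN API requires, and key_vault_certificate_id is
# deprecated (removed in v4.0), so new config should use key_vault_secret_id.
variable "key_vault_secret_id" {
  type = string
  # Placeholder vault and secret name, constructed for this example.
  default = "https://example.vault.azure.net/secrets/wildcard-xxx"
}

resource "azurerm_cdn_endpoint_custom_domain" "current" {
  count           = var.custom_domain_enabled ? 1 : 0
  name            = var.custom_domain_name
  cdn_endpoint_id = coalesce(var.custom_cdn_endpoint_id, azurerm_cdn_endpoint.current.id)
  host_name       = var.custom_hostname

  user_managed_https {
    key_vault_secret_id = var.key_vault_secret_id
    tls_version         = "TLS12"
    # key_vault_certificate_id is intentionally absent: setting both ids in
    # the same block is what produces "Invalid combination of arguments".
  }
}
```

If you are staying on 3.75.0 and want to keep `key_vault_certificate_id` as magodo suggests, swap that attribute name in for `key_vault_secret_id` in the block above; the constraint is the same either way, exactly one of the two ids, and the deprecation warning is the only difference.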

@veldpworld
Author

I kept it absent since we don't have a KV secret; I only kept the KV cert.

@magodo
Collaborator

magodo commented Oct 12, 2023

Then what triggers the above plan diff (the plan diff should tell which property introduces a replacement of the resource)?

@rcskosir
Contributor

Thank you for taking the time to raise this! I am going to close this with @magodo's response as an answer. If you have future questions, I suggest using the Community Resources, such as the Azure Provider forum.

@github-actions bot

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 19, 2024