在 Terraform 中将 SSL 证书附加到 Azure 应用程序网关

Posted

技术标签:

【中文标题】在 Terraform 中将 SSL 证书附加到 Azure 应用程序网关【英文标题】:Attaching SSL certificate to Azure application gateway in Terraform 【发布时间】:2018-07-27 06:31:51 【问题描述】:

我尝试使用 Terraform 自动部署应用程序网关已经有一段时间了,但它只是失败并显示错误消息。我已确保所有协议设置为 HTTPS。但是,我怀疑 PFX 证书有问题。

是不是因为我没有提供身份验证证书而导致它失败?在网上尝试了很多以获得解决方案,但没有提及这一点。

地形代码:

# Create a resource group
resource "azurerm_resource_group" "rg" 
  name     = "my-rg-application-gateway-12345"
  location = "West US"


# Create a application gateway in the web_servers resource group
resource "azurerm_virtual_network" "vnet" 
  name                = "my-vnet-12345"
  resource_group_name = "$azurerm_resource_group.rg.name"
  address_space       = ["10.254.0.0/16"]
  location            = "$azurerm_resource_group.rg.location"


resource "azurerm_subnet" "sub1" 
  name                 = "my-subnet-1"
  resource_group_name  = "$azurerm_resource_group.rg.name"
  virtual_network_name = "$azurerm_virtual_network.vnet.name"
  address_prefix       = "10.254.0.0/24"


resource "azurerm_subnet" "sub2" 
  name                 = "my-subnet-2"
  resource_group_name  = "$azurerm_resource_group.rg.name"
  virtual_network_name = "$azurerm_virtual_network.vnet.name"
  address_prefix       = "10.254.2.0/24"


resource "azurerm_public_ip" "pip" 
  name                         = "my-pip-12345"
  location                     = "$azurerm_resource_group.rg.location"
  resource_group_name          = "$azurerm_resource_group.rg.name"
  public_ip_address_allocation = "dynamic"


# Create an application gateway
resource "azurerm_application_gateway" "network" 
  name                = "my-application-gateway-12345"
  resource_group_name = "$azurerm_resource_group.rg.name"
  location            = "West US"

  sku 
    name           = "Standard_Small"
    tier           = "Standard"
    capacity       = 2
  

  gateway_ip_configuration 
      name         = "my-gateway-ip-configuration"
      subnet_id    = "$azurerm_virtual_network.vnet.id/subnets/$azurerm_subnet.sub1.name"
  

  ssl_certificate 
    name     = "certificate"
    data     = "$base64encode(file("mycert.pfx"))"
    password = "XXXXXXX"
  

  frontend_port 
      name         = "$azurerm_virtual_network.vnet.name-feport"
      port         = 80
  

  frontend_ip_configuration 
      name         = "$azurerm_virtual_network.vnet.name-feip"
      public_ip_address_id = "$azurerm_public_ip.pip.id"
  

  backend_address_pool 
      name = "$azurerm_virtual_network.vnet.name-beap"
  

  backend_http_settings 
      name                  = "$azurerm_virtual_network.vnet.name-be-htst"
      cookie_based_affinity = "Disabled"
      port                  = 443
      protocol              = "Https"
     request_timeout        = 1
  

  http_listener 
        name                                  = "$azurerm_virtual_network.vnet.name-httpslstn"
        frontend_ip_configuration_name        = "$azurerm_virtual_network.vnet.name-feip"
        frontend_port_name                    = "$azurerm_virtual_network.vnet.name-feport"
        protocol                              = "https"
  

  request_routing_rule 
          name                       = "$azurerm_virtual_network.vnet.name-rqrt"
          rule_type                  = "Basic"
          http_listener_name         = "$azurerm_virtual_network.vnet.name-httpslstn"
          backend_address_pool_name  = "$azurerm_virtual_network.vnet.name-beap"
          backend_http_settings_name = "$azurerm_virtual_network.vnet.name-be-htst"
  

错误:

Error: Error applying plan:

1 error(s) occurred:

* azurerm_application_gateway.network: 1 error(s) occurred:

* azurerm_application_gateway.network: Error Creating/Updating ApplicationGateway "my-application-gateway-12345" (Resource Group "my-rg-application-gateway-12345"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ApplicationGatewayHttpsListenerMustReferenceSslCert" Message="Http Listener /subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/my-rg-application-gateway-12345/providers/Microsoft.Network/applicationGateways/my-application-gateway-12345/httpListeners/my-vnet-12345-httpslstn uses protocol Https. Ssl Certificate must be specified." Details=[]

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

【问题讨论】:

您的http_listener 块也需要ssl_certificate_name 现在工作正常!感谢您指出小姐。 :) 我已经尝试过了,但是我的 ingress 仍然使用端口 80 的默认池,我想知道您能否告诉我您的 ingress 设置是什么样的? 【参考方案1】:

如the azurerm_application_gateway docs 中所述,您需要在使用https 时将ssl_certificate_name 添加到您的http_listener 块中。

【讨论】:

您好,您知道如何在 Ansible 脚本中包含 pfx 文件吗? ssl_certificates:-数据:“lookup('file', './certificate.pfx') | b64encode ”

以上是关于在 Terraform 中将 SSL 证书附加到 Azure 应用程序网关的主要内容,如果未能解决你的问题,请参考以下文章

在wordpress网站中将http更改为https,激活ssl证书

用于 eu-west-1 中资源的 us-east-1 中的 Terraform AWS ACM 证书

Terraform 与 A​​PI-Gateway、Route53 和 SSL 认证相互依赖问题

如何在 nginx 中将 ssl 密码添加到 ssl_ciphers

如何在aws中为cname设置ssl证书?

Socket.io + SSL + 自签名 CA 证书在连接时出错