Terraform: Added managed certificate creation example, does not work …

…on destroy. Waiting for PR that solves the issue (hashicorp/terraform-provider-azurerm#25972)
RiccardoBarbieri · Jun 6, 2024 · 498769e · 498769e
1 parent 485413a
commit 498769e
Show file tree

Hide file tree

Showing 6 changed files with 188 additions and 67 deletions.
diff --git a/deployment/.terraform.lock.hcl b/deployment/.terraform.lock.hcl
diff --git a/deployment/certificate.tf b/deployment/certificate.tf
@@ -0,0 +1,75 @@
+resource "time_sleep" "dns_propagation" {
+  create_duration = "60s"
+
+  depends_on = [azurerm_dns_txt_record.txt_autoboost, azurerm_dns_cname_record.cname_helloworld]
+
+  triggers = {
+    url = "${azurerm_dns_cname_record.cname_helloworld.name}.${data.azurerm_dns_zone.autoboost.name}",
+  }
+}
+
+
+//see https://gist.github.com/fdelu/25f4eee056633abc03dc87b4a7e7704b
+resource "azapi_update_resource" "custom_domain" {
+  type        = "Microsoft.App/containerApps@2023-05-01"
+  resource_id = azurerm_container_app.container.id
+
+  body = jsonencode({
+    properties = {
+      configuration = {
+        ingress = {
+          customDomains = [
+            {
+              bindingType = "Disabled",
+              name        = time_sleep.dns_propagation.triggers["url"],
+            }
+          ]
+        }
+      }
+    }
+  })
+
+  response_export_values = ["*"]
+}
+
+resource "azapi_resource" "managed_certificate" {
+  type = "Microsoft.App/ManagedEnvironments/managedCertificates@2024-03-01"
+
+  name       = "hello-world-cert"
+  parent_id  = azurerm_container_app_environment.app_env.id
+  location   = data.azurerm_resource_group.main_group.location
+  depends_on = [time_sleep.dns_propagation, azurerm_container_app_environment.app_env]
+
+  body = jsonencode(
+    {
+      properties = {
+        subjectName             = time_sleep.dns_propagation.triggers.url
+        domainControlValidation = "CNAME"
+      }
+    }
+  )
+
+  response_export_values = ["*"]
+}
+
+resource "azapi_update_resource" "custom_domain_binding" {
+  type        = "Microsoft.App/containerApps@2023-05-01"
+  resource_id = azurerm_container_app.container.id
+
+  body = jsonencode({
+    properties = {
+      configuration = {
+        ingress = {
+          customDomains = [
+            {
+              bindingType   = "SniEnabled",
+              name          = time_sleep.dns_propagation.triggers["url"],
+              certificateId = jsondecode(azapi_resource.managed_certificate.output).id
+            }
+          ]
+        }
+      }
+    }
+  })
+  response_export_values = ["*"]
+}
diff --git a/deployment/container_app.tf b/deployment/container_app.tf
@@ -1,28 +1,35 @@
+# variable "cert_pass" {
+#   type        = string
+#   description = "Password for the certificate"
+# }
+
 # App environment
 resource "azurerm_container_app_environment" "app_env" {
   name                = "HelloWorld-Environment"
   location            = data.azurerm_resource_group.main_group.location
   resource_group_name = data.azurerm_resource_group.main_group.name
 }
 
-resource "azurerm_container_app_environment_certificate" "env_cert" {
-  certificate_blob_base64      = base64encode(data.azurerm_key_vault_secret.autoboost_cert.value)
-#   certificate_blob_base64      = base64encode(format("%s%s", data.azurerm_key_vault_certificate_data.autoboost_cert.pem, data.azurerm_key_vault_certificate_data.autoboost_cert.key))
-  certificate_password         = ""
-  container_app_environment_id = azurerm_container_app_environment.app_env.id
-  name                         = "env-cert"
-
-  depends_on = [
-    data.azurerm_key_vault_secret.autoboost_cert
-  ]
-}
+# resource "azurerm_container_app_environment_certificate" "env_cert" {
+# #   certificate_blob_base64      = filebase64("certificates/cert.pfx")
+# #   certificate_blob_base64      = base64encode(data.azurerm_key_vault_secret.autoboost_cert.value)
+# #   certificate_blob_base64      = base64encode(format("%s%s", data.azurerm_key_vault_certificate_data.autoboost_cert.pem, data.azurerm_key_vault_certificate_data.autoboost_cert.key))
+#   certificate_blob_base64      = base64encode(format("%s%s", file("./certificates/fullchain.pem"), file("./certificates/privkey.pem")))
+#   certificate_password         = ""
+#   container_app_environment_id = azurerm_container_app_environment.app_env.id
+#   name                         = "env-cert"
+# }
 
 resource "azurerm_container_app_custom_domain" "custom_domain" {
-  name                                     = trimprefix(azurerm_dns_txt_record.txt_autoboost.fqdn, "asuid.")
-  container_app_id                         = azurerm_container_app.container.id
-  container_app_environment_certificate_id = azurerm_container_app_environment_certificate.env_cert.id
-  certificate_binding_type                 = "SniEnabled"
+  name             = "helloworld.autoboost.it"
+  container_app_id = azurerm_container_app.container.id
 
+  lifecycle {
+    ignore_changes = [
+      certificate_binding_type,
+      container_app_environment_certificate_id
+    ]
+  }
 
   depends_on = [
     azurerm_dns_cname_record.cname_helloworld,
@@ -57,9 +64,4 @@ resource "azurerm_container_app" "container" {
       latest_revision = true
     }
   }
-
-#   depends_on = [
-#     azurerm_dns_cname_record.cname_autoboost,
-#     azurerm_dns_txt_record.txt_autoboost
-#   ]
 }
diff --git a/deployment/dns.tf b/deployment/dns.tf
@@ -1,45 +1,41 @@
+
+
+# locals {
+#   input_string = "hello-world--1k7gmlj.kindgrass-b69cf8c6.westeurope.azurecontainerapps.io"
+# #   input_string = azurerm_container_app.container.latest_revision_fqdn
+#   before_rev = split("--", local.input_string)[0]
+#   after_rev = index(local.input_string, ".")
+# #   after_rev = slice(split(".", local.input_string), 1, length(split(".", local.input_string)) - 1)
+#
+#   fqdn = join(".", [local.before_rev, local.after_rev])
+#
+# }
+
+# output "fqdn" {
+#   value = local.fqdn
+# }
+
 data "azurerm_dns_zone" "autoboost" {
   name                = "autoboost.it"
   resource_group_name = data.azurerm_resource_group.main_group.name
 }
 
 resource "azurerm_dns_cname_record" "cname_helloworld" {
-  name = "helloworld"
-  #   name                = "helloworld.autoboost.it"
+  name                = "helloworld"
   zone_name           = data.azurerm_dns_zone.autoboost.name
   resource_group_name = data.azurerm_dns_zone.autoboost.resource_group_name
-  ttl                 = 300
-  record              = azurerm_container_app.container.latest_revision_fqdn
-
-  #   target_resource_id =
-}
+  ttl                 = 60
+  record              = azurerm_container_app.container.ingress[0].fqdn
 
-resource "azurerm_dns_a_record" "example" {
-  name                = "test"
-  zone_name           = data.azurerm_dns_zone.autoboost.name
-  resource_group_name = data.azurerm_dns_zone.autoboost.resource_group_name
-  ttl                 = 300
-  records             = [azurerm_container_app.container.outbound_ip_addresses[0]]
 }
 
-
-
 resource "azurerm_dns_txt_record" "txt_autoboost" {
   name                = "asuid.helloworld"
   zone_name           = data.azurerm_dns_zone.autoboost.name
   resource_group_name = data.azurerm_dns_zone.autoboost.resource_group_name
-  ttl                 = 300
+  ttl                 = 60
 
   record {
-    #     value = .properties.customDomainConfiguration.customDomainVerificationId
     value = azurerm_container_app_environment.app_env.custom_domain_verification_id
   }
-}
-
-# resource "azurerm_dns_cname_record" "hello-world" {
-#   name                = "hello-world"
-#   zone_name           = azurerm_dns_zone.riccardob.name
-#   resource_group_name = data.azurerm_resource_group.main_group.name
-#   ttl                 = 300
-#   record              = "riccardob.dev"
-# }
+}
diff --git a/deployment/main.tf b/deployment/main.tf
@@ -5,9 +5,16 @@ terraform {
       source  = "hashicorp/azurerm"
       version = "=3.104.0"
     }
+    azapi = {
+      source  = "azure/azapi"
+      version = "=1.13.1"
+    }
   }
 }
 
+provider "azapi" {
+}
+
 provider "azurerm" {
   skip_provider_registration = true
   features {
@@ -29,30 +36,37 @@ data "azurerm_client_config" "current" {}
 
 # _____________________________________________________________
 # OUTPUTS
-output "latest_revision_fqdn" {
-  value = azurerm_container_app.container.latest_revision_fqdn
-}
 
-output "outbound_ip_addresses" {
-  value = azurerm_container_app.container.outbound_ip_addresses
+output "env_default_domain" {
+  value = azurerm_container_app_environment.app_env.default_domain
 }
 
 output "fqdn" {
   value = azurerm_container_app.container.ingress[0].fqdn
 }
 
-output "env_default_domain" {
-  value = azurerm_container_app_environment.app_env.default_domain
+output "outbound_ip_addresses" {
+  value = azurerm_container_app.container.outbound_ip_addresses
 }
 
 output "env_static_ip" {
   value = azurerm_container_app_environment.app_env.static_ip_address
 }
 
-output "txt_record_fqdn" {
-  value = azurerm_dns_txt_record.txt_autoboost.fqdn
+output "container_custom_domain_name" {
+  value = azurerm_container_app_custom_domain.custom_domain.name
 }
 
-output "container_custom_domain_name" {
-    value = azurerm_container_app_custom_domain.custom_domain.name
-}
+output "managed_certificate_response" {
+    value = azapi_resource.managed_certificate.output
+}
+
+output "custom_domain_binding_state_update_to_Disabled" {
+    value = azapi_update_resource.custom_domain.output
+}
+
+output "custom_domain_binding_state_update_to_Enabled" {
+    value = azapi_update_resource.custom_domain_binding.output
+}
+
+
diff --git a/deployment/vault.tf b/deployment/vault.tf
@@ -1,12 +1,7 @@
-variable "cloudflare_cert_path" {
-  type        = string
-  description = "Path to the Cloudflare certificate"
-}
-
-variable "cert_pass" {
-  type        = string
-  description = "Password for the certificate"
-}
+# variable "cloudflare_cert_path" {
+#   type        = string
+#   description = "Path to the Cloudflare certificate"
+# }
 
 # Key Vault for secrets
 data "azurerm_key_vault" "main_vault" {