SSL Certificate support for app service #1136
Comments
|
We are looking forward to having this. So close, with the initial addition of
|
|
@kevinneufeld: do you know how to add it to the |
|
I cannot recall how most likely from one of the following:
|
|
@tombuildsstuff when do you estimate this enhancement making it on a release? |
|
Is there any indication when this will get to a release or if there is a pre-release we can have a play with? Cheers |
|
@kevinneufeld @andydkelly-ig unfortunately this isn't on our short-term roadmap to implement support for - whilst we'd happily accept a community PR for this - when we looked into this previously we had questions around how we'd test this (from memory, I believe it requires a real SSL certificate to test against, rather than a generated one?) Thanks! |
|
Hio there, just adding my two cents, is there anyway for us to officially upvote this feature? We still have to do this by hand here... |
|
I had experimented with extending the provider to allow for this a while back. While I was successful in implementing it, I had never gotten around to writing tests for it. I may have to revisit this in the near future since it is coming up in some new work. If I get something working, I will definitely get a PR in place to share. |
|
Hey @DarkestOfNights , did you have any chance to make it work ? |
|
I have to wonder, how is it that this is not priority on the roadmap? Is there guidance/recommendation around automating this with an alternative method to Terraform, but when Terraform is otherwise used for managing the resources for a deployment in essentially every other way? This seems like it'd be a super common need among enterprise customers of app services. |
i cannot imagine a case where app service is useful without ssl |
|
This project is open source, so contributing it rather than commenting to say you want it which emails everyone else who is interested might be more constructive. |
|
Whats is the status of ssl binding using terraform. I was successful using power shell command 'New-AzureRmWebAppSSLBinding' but like to use terraform if its available. |
|
Hi, we started working on this in our organization some days ago, and we're mostly finished. This includes:
Here is example Terraform configuration: Upload private key certificate (.pfx)resource "azurerm_app_service_certificate" "test" {
name = "test"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
pfx_blob = filebase64("mycert.pfx")
password = "Password123"
}Import Key Vault certificatedata "azurerm_client_config" "test" {}
data "azuread_service_principal" "test" {
display_name = "Microsoft Azure App Service"
}
resource "azurerm_key_vault" "test" {
name = "test-${random_id.test.hex}"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
tenant_id = data.azurerm_client_config.test.tenant_id
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.test.tenant_id
object_id = data.azuread_service_principal.test.object_id
secret_permissions = ["get"]
certificate_permissions = ["get"]
}
}
resource "azurerm_key_vault_certificate" "test" {
name = "test"
key_vault_id = azurerm_key_vault.test.id
certificate {
contents = filebase64("mycert.pfx")
password = "Password123"
}
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = false
}
secret_properties {
content_type = "application/x-pkcs12"
}
}
}
resource "azurerm_app_service_certificate" "test" {
name = "test"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
key_vault_id = azurerm_key_vault.test.id
key_vault_secret_name = azurerm_key_vault_certificate.test.name
}We'll make PR for this during weekend unless this is already being worked on. |
|
@joakimhellum-in awesome - this looks great 👍 Taking a look at the schema my only suggestion would be changing |
|
Fixed via #4192 - thanks @joakimhellum-in :) |
|
This has been released in version 1.34.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 1.34.0"
}
# ... other configuration ... |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
Terraform Version
Terraform v0.11.7
provider.azurerm v1.3.3.
Affected Resource(s)
Please list the resources as a list, for example:
Feature Suggestion
It would be good to support custom SSL certificates on app service. This would probably need to built upon the hostname binding resource.
I'm attaching an ARM template that we currently use to acheive this, it also include a forced HTTPs redirect via an extension, which might be a cool thing to include as well.
{ "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "name": { "type": "string" }, "hostname": { "type": "string" }, "service": { "type": "string" }, "environment": { "type": "string" }, "keyVaultId": { "type": "string" }, "keyVaultCertName": { "type": "string" } }, "variables": { "tagvalues": { "Service": "[parameters('service')]", "Environment": "[parameters('environment')]" } }, "resources": [ { "type": "Microsoft.Web/certificates", "name": "[parameters('keyVaultCertName')]", "apiVersion": "2016-03-01", "location": "[resourceGroup().location]", "tags": "[variables('tagvalues')]", "properties":{ "keyVaultId": "[parameters('keyVaultId')]", "keyVaultSecretName": "[parameters('keyVaultCertName')]", "serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', parameters('name'))]" } }, { "name": "[concat(parameters('name'), '/RedirectHttpToHttps')]", "type": "Microsoft.Web/sites/siteextensions", "apiVersion": "2015-08-01", "properties": { } }, { "type":"Microsoft.Web/sites/hostnameBindings", "name":"[concat(parameters('name'), '/', parameters('hostname'))]", "apiVersion":"2016-03-01", "location":"[resourceGroup().location]", "properties":{ "sslState": "SniEnabled", "thumbprint":"[reference(resourceId('Microsoft.Web/certificates', parameters('keyVaultCertName'))).Thumbprint]" }, "dependsOn": [ "[concat('Microsoft.Web/certificates/', parameters('keyVaultCertName'))]" ] } ] }The text was updated successfully, but these errors were encountered: