Azure Managed Certificate and Custom Domain for Container App #27362

Open
1 task
ferraroluc opened this issue Sep 11, 2024 · 6 comments

ferraroluc commented Sep 11, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Terraform Version

1.9.5

AzureRM Provider Version

4.0.1

Affected Resource(s)/Data Source(s)

azurerm_container_app_custom_domain

Terraform Configuration Files

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_dns_zone" "example" {
  name                = "contoso.com"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_dns_txt_record" "example" {
  name                = "asuid.example"
  resource_group_name = azurerm_dns_zone.example.resource_group_name
  zone_name           = azurerm_dns_zone.example.name
  ttl                 = 300

  record {
    value = azurerm_container_app.example.custom_domain_verification_id
  }
}

resource "azurerm_dns_cname_record" "example" {
  name                = "example"
  zone_name           = azurerm_dns_zone.example.name
  resource_group_name = azurerm_resource_group.example.name
  ttl                 = 300
  record              = azurerm_container_app.example.ingress[0].fqdn
}

resource "azurerm_container_app_environment" "example" {
  name                = "Example-Environment"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_container_app" "example" {
  name                         = "example-app"
  container_app_environment_id = azurerm_container_app_environment.example.id
  resource_group_name          = azurerm_resource_group.example.name
  revision_mode                = "Single"

  template {
    container {
      name   = "examplecontainerapp"
      image  = "mcr.microsoft.com/k8se/quickstart:latest"
      cpu    = 0.25
      memory = "0.5Gi"
    }
  }
  ingress {
    allow_insecure_connections = false
    external_enabled           = true
    target_port                = 5000
    transport                  = "http"
    traffic_weight {
      latest_revision = true
      percentage      = 100
    }
  }
}

resource "azurerm_container_app_custom_domain" "example" {
  name             = "example.contoso.com"
  container_app_id = azurerm_container_app.example.id

  lifecycle {
    ignore_changes = [certificate_binding_type, container_app_environment_certificate_id]
  }
}

Debug Output/Panic Output

Not needed.

Expected Behaviour

Creation of a Container App with Custom Domain and Azure Managed Certificates

Actual Behaviour

Creation of a Container App with Custom Domain without Azure Managed Certificates

Steps to Reproduce

  1. terraform apply

To make it work, once the resources have been created, the following must be configured manually:
Container App --> Settings --> Custom domains --> Add binding --> Validate --> Add

Important Factoids

No response

References

Documentation at https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_app_custom_domain seems to indicate that it is possible to create a Container App with Azure Managed Certificates, but it doesn't seem to automatically bind the certificate to the custom domain, even with the correct DNS records already set.

@jiaweitao001
Contributor

Hi @ferraroluc, thank you for opening the issue. This seems to be a service-side issue with this resource. I'll investigate further and keep you posted here. Thanks.

@webstean

https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-managed-certificates?pivots=azure-portal
This feature is now GA

@ferraroluc
Author

Hi @webstean, thanks for the link. I can confirm functionality from Azure Portal works correctly. But, using Terraform azurerm_container_app_custom_domain resource, I’m unable to get it to work. I’m confident that my project meets all the requirements, but Terraform is not automatically creating certificates or binding them to the custom domain.

We can say that, according to the tutorial, Terraform completes steps 1 to 8, but steps 9 and onwards must be completed manually.

Thanks.

twoellert-bipro commented Oct 11, 2024

I can confirm this issue. I wanted to use the free managed certificates for container apps as well and ran into the same problem.

I took some workaround advice from another issue posting - a dirty hack utilizing the Azure CLI.

If you are using a version of the azurerm provider prior to v4.3.0 you need to omit creating the resource azurerm_container_app_custom_domain completely and use local az cli calls. If you do not omit creating the resource you will run into #25972 which has been fixed in v4.3.0.

resource "null_resource" "custom_domain_and_managed_certificate" {
    provisioner "local-exec" {
        command = "az containerapp hostname add -g ${var.resource_group_name} -n ${var.name} --hostname ${var.dns_name}.${var.dns_zone_name}"
    }
    provisioner "local-exec" {
        command = "az containerapp hostname bind --hostname ${var.dns_name}.${var.dns_zone_name} -g ${var.resource_group_name} -n ${var.name} --environment ${var.container_app_environment_name} --validation-method CNAME"
    }
    triggers = {
        settings = module.composite_container_app_dns_records[0].dns_cname_record_id
    }
    depends_on = [ module.composite_container_app_dns_records ]
}

If you are using v4.3.0 or later, you can create the azurerm_container_app_custom_domain resource in Terraform. But you still need to call at least "az containerapp hostname bind":

resource "null_resource" "custom_domain_and_managed_certificate" {
    provisioner "local-exec" {
        command = "az containerapp hostname bind --hostname ${var.dns_name}.${var.dns_zone_name} -g ${var.resource_group_name} -n ${var.name} --environment ${var.container_app_environment_name} --validation-method CNAME"
    }
    triggers = {
        settings = module.composite_container_app_dns_records[0].dns_cname_record_id
    }
    depends_on = [ module.composite_container_app_dns_records ]
}

In both cases destroying the environment works just fine since Azure destroys the certificate binding as soon as you destroy the container app. And later Azure also destroys the managed certificate when you destroy the container app environment.

And prior to executing the deploy, you need to log in to the az CLI and set the proper subscription.
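
A post-apply check for the gap reported in this issue, as an added example that is not part of the thread or the provider's code: it reads `terraform show -json` output and lists every azurerm_container_app_custom_domain whose state records no bound certificate. The sample state is constructed, and treating `SniEnabled` together with a non-empty certificate ID as the only bound state is an assumption.

```python
import json
import sys

RESOURCE_TYPE = "azurerm_container_app_custom_domain"

# Constructed sample in the shape of `terraform show -json` output; not real state.
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [{
        "address": "azurerm_container_app_custom_domain.example",
        "mode": "managed", "type": RESOURCE_TYPE,
        "values": {"name": "example.contoso.com",
                   "certificate_binding_type": "Disabled",
                   "container_app_environment_certificate_id": ""}}],
    "child_modules": [{"resources": [{
        "address": "module.api.azurerm_container_app_custom_domain.this",
        "mode": "managed", "type": RESOURCE_TYPE,
        "values": {"name": "api.contoso.com",
                   "certificate_binding_type": "SniEnabled",
                   "container_app_environment_certificate_id": "constructed-cert-id"}}]}],
}}}

def iter_resources(module):
    """Yield resources from a module and, recursively, from its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unbound_custom_domains(state):
    """Return (address, hostname, binding) for custom domains with no certificate bound."""
    root = (state.get("values") or {}).get("root_module") or {}
    findings = []
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE or res.get("mode") != "managed":
            continue
        values = res.get("values") or {}
        binding = values.get("certificate_binding_type") or ""
        cert_id = values.get("container_app_environment_certificate_id") or ""
        # Assumption: a bound domain has SniEnabled AND a certificate ID in state.
        if binding != "SniEnabled" or not cert_id:
            findings.append((res.get("address"), values.get("name"), binding or "(unset)"))
    return findings

if __name__ == "__main__":
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    findings = unbound_custom_domains(state)
    for address, hostname, binding in findings:
        print(f"UNBOUND {hostname} ({address}): certificate_binding_type={binding}")
    sys.exit(1 if findings else 0)
```

Save real state with `terraform show -json > state.json` after a refresh and pass the file path as the first argument; a non-zero exit means at least one hostname has no certificate binding recorded in state.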

@tylergohl

Any updates on prioritization of fixes for the binding?

@FilippTrigub

Can confirm the issue
