Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources

CDN (Front door Premium): Custom Domain validation during Bicep deployment #3568

Open hb66772-home opened 3 years ago

hb66772-home commented 3 years ago

Bicep version: Bicep CLI version 0.4.63 (7ebed03284)

Describe the bug: Lack of ability to validate a custom domain for a Front Door custom domain using a managed certificate. While deploying Bicep to create Front Door CDN (Premium) from scratch, we create a custom domain to hook up the endpoint. However, the custom domain is in pending state until I click on "Update" to update the DNS record, THEN I would need to 'Add' for the custom domain to become 'validated'.

  1. Is there a way or how can we automate this process using Bicep?

To Reproduce: Create Front Door Premium with a custom domain. The custom domain is stuck in 'pending' until a separate event (manual using portal or az cli) to validate the domain.

Additional context: see attached image for context


johndowns commented 3 years ago

@hb66772-home I am currently working on this feature in conjunction with the Front Door team. We hope to have something to test in a few weeks - I'll update this issue when there's news.

ttq-ak commented 3 years ago

Glad to hear you're working on this. We're currently holding off from switching to CDN (Front Door Standard) because of the awkwardness of validating the domain.

johndowns commented 2 years ago

We just published some Bicep/ARM template quickstarts for various Front Door Standard/Premium custom domain scenarios:

These use the new custom domain onboarding process for Front Door, where the deployment completes even before domain validation occurs.

Hope this helps!

@alex-frankel I think this issue can be closed now.

larsmaes-sogeti commented 2 years ago

This issue is also applicable to Azure Static Web Apps. An issue has been created on the static-web-apps repo: https://github.com/Azure/static-web-apps/issues/608. Is there anything you can do from this team?

johndowns commented 2 years ago

It looks like the Static Web Apps issue is separate - it's got similar symptoms, but these are two different resources and so they behave differently.

gsuttie commented 9 months ago

> We just published some Bicep/ARM template quickstarts for various Front Door Standard/Premium custom domain scenarios:
>
> These use the new custom domain onboarding process for Front Door, where the deployment completes even before domain validation occurs.
>
> Hope this helps!
>
> @alex-frankel I think this issue can be closed now.

Is there a way to update an existing route to add custom domains?

johndowns commented 9 months ago

@gsuttie As per our separate chat (recording here for everyone else's benefit), it's important to note that Bicep requires that you specify a complete resource. There's no concept of incrementally updating a resource - you need to replace the whole resource.

With that in mind, there are two parts to this operation.

First, you need to add the custom domains to the AFD profile. You can do this easily in Bicep. Here's an example that shows how to do this, assuming you're using a Front Door-managed TLS cert.

Second, you need to associate each of those custom domains with the route. It's up to you whether you do this at AFD creation or if you update the route afterwards (bearing in mind the note above). Here's an example that shows how a route references custom domains.

Also, if you're adding a large number of custom domain resources, you can do that with a loop - a resource loop for creating each of the custom domain resources, and a property loop to refer to those domains within the route. However, note that there's a chance you'll run into a rate limit. (It might be fine - I'm not sure.) If you do, you can control the batch size in Bicep so it only deploys, say, 4 at a time.
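
The loop approach described in the comment above, sketched as an added example (not code from this thread or from the Front Door quickstarts). It assumes the profile, endpoint and origin group already exist; all parameter names, the route name and the route settings are assumptions. The output lists the TXT record each domain needs before Front Door marks it validated.

```bicep
param profileName string // added example: every parameter and resource name here is an assumption
param endpointName string
param originGroupName string
param hostNames array // e.g. [ 'www.example.com', 'app.example.com' ] (constructed sample values)

resource profile 'Microsoft.Cdn/profiles@2021-06-01' existing = {
  name: profileName
  resource endpoint 'afdEndpoints' existing = {
    name: endpointName
  }
  resource originGroup 'originGroups' existing = {
    name: originGroupName
  }
}

// Resource loop: one custom domain per host name, at most 4 deployed at a time.
@batchSize(4)
resource customDomains 'Microsoft.Cdn/profiles/customDomains@2021-06-01' = [for hostName in hostNames: {
  parent: profile
  name: replace(hostName, '.', '-')
  properties: {
    hostName: hostName
    tlsSettings: {
      certificateType: 'ManagedCertificate' // Front Door-managed TLS certificate
    }
  }
}]

// The route is declared in full; repeat every setting the live route already has.
resource route 'Microsoft.Cdn/profiles/afdEndpoints/routes@2021-06-01' = {
  parent: profile::endpoint
  name: 'default-route'
  properties: {
    customDomains: [for i in range(0, length(hostNames)): {
      id: customDomains[i].id // property loop over the domains created above
    }]
    originGroup: {
      id: profile::originGroup.id
    }
    patternsToMatch: [
      '/*'
    ]
  }
}

output dnsTxtRecords array = [for i in range(0, length(hostNames)): {
  name: '_dnsauth.${hostNames[i]}'
  value: customDomains[i].properties.validationProperties.validationToken
}]
```

The deployment finishes while the domains are still pending; each one is validated only after the corresponding TXT record is published in DNS.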