Open kashw2 opened 2 years ago
I've just come across this same limitation, it would be great to have managed certificates supported.
Looking forward to this feature too
Any update on this Feature ?
Any update on this Feature ?
I am also desperate about this feature. Any updates on this or some known workaround so I can achieve at least by terraform instead of manual changes and by ignoring Terraform?
@kirankbs We are doing this as a workaround:
```hcl
# TODO: Refactor, when TF-Provider available (see https://github.com/hashicorp/terraform-provider-azurerm/issues/15256)
data "azurerm_client_config" "current" {}

resource "null_resource" "apim_customdomain" {
  # Destroy-time provisioners can only reference self, so every value the
  # destroy command needs, the password included, is copied into triggers.
  triggers = {
    apim_name                  = azurerm_api_management.api_mgmt.name
    rg                         = data.terraform_remote_state.essentials.outputs.apimanagement_resource_group_name
    api_url                    = "api.${local.base_url}"
    service_principal_user     = data.azurerm_client_config.current.client_id
    service_principal_password = var.az_service_principal_password
    tenant                     = data.azurerm_client_config.current.tenant_id
  }

  # On create: log in as the service principal and set the proxy hostname to use a managed certificate.
  provisioner "local-exec" {
    command = "az login -u ${self.triggers.service_principal_user} -p ${self.triggers.service_principal_password} -t ${self.triggers.tenant} --service-principal && az apim update --name ${self.triggers.apim_name} --resource-group ${self.triggers.rg} --set hostnameConfigurations='[{\"hostName\":\"${self.triggers.api_url}\",\"type\":\"Proxy\",\"certificateSource\":\"Managed\"}]'"
  }

  # On destroy: log in again and remove the hostname configuration.
  provisioner "local-exec" {
    when    = destroy
    command = "az login -u ${self.triggers.service_principal_user} -p ${self.triggers.service_principal_password} -t ${self.triggers.tenant} --service-principal && az apim update --name ${self.triggers.apim_name} --resource-group ${self.triggers.rg} --remove hostnameConfigurations='[{\"hostName\":\"${self.triggers.api_url}\",\"type\":\"Proxy\",\"certificateSource\":\"Managed\"}]'"
  }
}
```
Maybe that helps!
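An added check, not part of the comment above or of the provider: values placed in a `null_resource`'s `triggers` are written to Terraform state in plain text, so this script scans `terraform show -json` output for trigger keys that look like credentials. The key-name pattern and the sample state are constructed for illustration.

```python
import json
import re

# Key names that suggest a credential (assumed pattern; extend for your naming scheme).
SECRET_KEY = re.compile(r"password|secret|token|_key$", re.IGNORECASE)

# Constructed sample shaped like `terraform show -json` output for the workaround above.
SAMPLE_STATE = json.dumps({"values": {"root_module": {
    "resources": [{
        "address": "null_resource.apim_customdomain",
        "type": "null_resource",
        "values": {"triggers": {
            "api_url": "api.example.com",
            "service_principal_password": "constructed-not-a-real-secret",
        }},
    }],
    "child_modules": [{"resources": [{
        "address": "module.net.null_resource.noop",
        "type": "null_resource",
        "values": {"triggers": {"rg": "example-rg"}},
    }]}],
}}})


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_secret_triggers(state_json):
    """Return sorted (address, trigger_key) pairs whose key name looks like a credential."""
    root = json.loads(state_json).get("values", {}).get("root_module", {})
    hits = []
    for res in iter_resources(root):
        if res.get("type") != "null_resource":
            continue
        triggers = (res.get("values") or {}).get("triggers") or {}
        hits += [(res["address"], k) for k in triggers if SECRET_KEY.search(k)]
    return sorted(hits)


if __name__ == "__main__":
    for address, key in find_secret_triggers(SAMPLE_STATE):
        print(f"{address}: trigger '{key}' is stored in state in plain text")
```

The check reports key names only and never prints the trigger values, so its output is safe to keep in CI logs.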
@do0ominik Thanks a lot for sharing the information. I will try this!
Shameless bump after more than one year since this issue was opened. Waiting for this feature as well (a warning can be thrown because it's still in Preview, but we're using it actively). Right now updating the APIM resource is a pain because it requires having a valid certificate somewhere, and then a manual change back to managed certificates. Impact is huge if someone forgets to do this.
It's likely this feature won't be implemented in the provider until it becomes GA on Azure. In the meantime, keep smashing that "👍"!
Happy belated birthday to this now 2-year-old issue
Take a look at this issue #25788 and the pull request; they are working on a workaround that makes use of azapi to work around the absence of a specific resource. I had the same problem and followed this gist, but it is broken (see linked issue and related PR for details).
Description
I've been searching for and haven't been able to find a way to create custom domains that use a managed certificate with the provider. This feature only recently entered preview but would be an absolute treat to be able to use and manage in terraform.
A resource to manage this very similar to `azurerm_app_service_managed_certificate` would be extremely helpful as it'd give users both a method for creating custom domains on API Management instances that by nature would require less thought and upkeep, coupled with this, it's also a free alternative to having to use Key Vault or another custom certificate provision.

There already exists `azurerm_api_management_certificate` however this only seems to support the previously mentioned methodologies for API Management certificate application.

Currently to achieve a custom hostname with a managed certificate and still have the underlying `azurerm_api_management` instance tracked in terraform changes to `identity` and `hostname_configuration` must be ignored and the change must be made through the Azure Portal.

New or Affected Resource(s)
Affected:
New?:
Potential Terraform Configuration
Alternatively with modification to `azurerm_api_management_certificate`
References
discussion post
announcement
documentation for applying a managed certificate in the portal