hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

API Management custom domain managed certificates #15256

Open kashw2 opened 2 years ago

kashw2 commented 2 years ago


Description

I've been searching for and haven't been able to find a way to create custom domains that use a managed certificate with the provider. This feature only recently entered preview but would be an absolute treat to be able to use and manage in terraform.

A resource to manage this, very similar to azurerm_app_service_managed_certificate, would be extremely helpful, as it'd give users a method for creating custom domains on API Management instances that by nature would require less thought and upkeep; coupled with this, it's also a free alternative to having to use Key Vault or another custom certificate provision.

There already exists azurerm_api_management_certificate; however, this only seems to support the previously mentioned methodologies for API Management certificate application.

Currently, to achieve a custom hostname with a managed certificate and still have the underlying azurerm_api_management instance tracked in Terraform, changes to identity and hostname_configuration must be ignored and the change must be made through the Azure Portal.

New or Affected Resource(s)

Affected:

New?:

Potential Terraform Configuration

resource "azurerm_resource_group" "example" {
  location = "Central US"
  name     = "resource-group"
}

resource "azurerm_api_management" "example" {
  name                = "example-apim"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name      = "My Company"
  publisher_email     = "company@terraform.io"

  sku_name = "Developer_1"
}

resource "azurerm_api_management_managed_certificate" "example" {
  api_management_id = azurerm_api_management.example.id
}

resource "azurerm_api_management_custom_domain" "example" {
  api_management_id = azurerm_api_management.example.id
  certificate_id    = azurerm_api_management_managed_certificate.example.id
}

Alternatively with modification to azurerm_api_management_certificate

resource "azurerm_resource_group" "example" {
  location = "Central US"
  name     = "resource-group"
}

resource "azurerm_api_management" "example" {
  name                = "example-apim"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name      = "My Company"
  publisher_email     = "company@terraform.io"

  sku_name = "Developer_1"
}

resource "azurerm_api_management_certificate" "example" {
  name                = "example-cert"
  api_management_name = azurerm_api_management.example.name
  resource_group_name = azurerm_resource_group.example.name
  type                = "Managed"
}

resource "azurerm_api_management_custom_domain" "example" {
  api_management_id = azurerm_api_management.example.id
  certificate_id    = azurerm_api_management_certificate.example.id
}

References

discussion post

announcement

documentation for applying a managed certificate in the portal

stuhol commented 2 years ago

I've just come across this same limitation, it would be great to have managed certificates supported.

AliakseiKrylou commented 1 year ago

Looking forward to this feature too

mukeshinit commented 1 year ago

Any update on this feature?

do0ominik commented 1 year ago

Any update on this feature?

kirankbs commented 1 year ago

I am also desperate for this feature. Any updates on this, or some known workaround so I can achieve it at least through Terraform instead of manual changes and ignoring it in Terraform?

do0ominik commented 1 year ago

@kirankbs We are doing this as a workaround:

# TODO: Refactor, when TF-Provider available (see https://github.com/hashicorp/terraform-provider-azurerm/issues/15256)

data "azurerm_client_config" "current" {}

resource "null_resource" "apim_customdomain" {

  triggers = {
    apim_name                  = azurerm_api_management.api_mgmt.name
    rg                         = data.terraform_remote_state.essentials.outputs.apimanagement_resource_group_name
    api_url                    = "api.${local.base_url}"
    service_principal_user     = data.azurerm_client_config.current.client_id
    service_principal_password = var.az_service_principal_password
    tenant                     = data.azurerm_client_config.current.tenant_id
  }

  provisioner "local-exec" {
    command = "az login -u ${self.triggers.service_principal_user} -p ${self.triggers.service_principal_password} -t ${self.triggers.tenant} --service-principal && az apim update --name ${self.triggers.apim_name} --resource-group ${self.triggers.rg} --set hostnameConfigurations='[{\"hostName\":\"${self.triggers.api_url}\",\"type\":\"Proxy\",\"certificateSource\":\"Managed\"}]'"
  }

  provisioner "local-exec" {
    when    = destroy
    command = "az login -u ${self.triggers.service_principal_user} -p ${self.triggers.service_principal_password} -t ${self.triggers.tenant} --service-principal && az apim update --name ${self.triggers.apim_name} --resource-group ${self.triggers.rg} --remove hostnameConfigurations='[{\"hostName\":\"${self.triggers.api_url}\",\"type\":\"Proxy\",\"certificateSource\":\"Managed\"}]'"
  }
}

Maybe that helps!

kirankbs commented 1 year ago

@do0ominik Thanks a lot for sharing the information. I will try this!

daanmohlmann commented 1 year ago

Shameless bump after more than one year since this issue was opened. Waiting for this feature as well (a warning can be thrown because it's still in Preview, but we're using it actively). Right now updating the APIM resource is a pain because it requires having a valid certificate somewhere, and then a manual change back to managed certificates. Impact is huge if someone forgets to do this.

FlorentATo commented 10 months ago

It's likely this feature won't be implemented in the provider until it becomes GA on Azure. In the meantime, keep smashing that "👍"!

garrettsutula commented 7 months ago

Happy belated birthday to this now 2-year-old issue 🎉

RiccardoBarbieri commented 3 months ago

Take a look at this issue #25788 and the pull request; they are working on a workaround that uses azapi to work around the absence of a specific resource. I had the same problem and followed this gist, but it is broken (see the linked issue and related PR for details).
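The azapi route mentioned in the last comment, written out as an added example (not code from this thread, the gist, or the provider): it makes the same hostnameConfigurations change as the az cli null_resource workaround earlier in the thread, but through the provider's own Azure credentials, so no service principal password is passed on a command line or kept in null_resource triggers (and therefore in Terraform state). The API version and the azapi 1.x body syntax are assumptions to check against your environment; the resource names and hostname are constructed.

```hcl
# Added example: bind a Proxy hostname with an Azure-managed certificate
# via azapi instead of "az login -u ... -p ..." in a local-exec provisioner.
# Assumptions: azapi provider 1.x (body as JSON string) and API version
# 2022-08-01; the hostname "api.example.com" is constructed.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azapi   = { source = "Azure/azapi" }
  }
}

resource "azurerm_resource_group" "example" {
  name     = "resource-group"
  location = "Central US"
}

resource "azurerm_api_management" "example" {
  name                = "example-apim"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_name      = "My Company"
  publisher_email     = "company@terraform.io"
  sku_name            = "Developer_1"

  # The hostname binding is owned by the azapi resource below; without this,
  # every plan would try to remove it again (the drift the issue describes).
  lifecycle {
    ignore_changes = [hostname_configuration]
  }
}

resource "azapi_update_resource" "apim_managed_hostname" {
  type        = "Microsoft.ApiManagement/service@2022-08-01"
  resource_id = azurerm_api_management.example.id

  body = jsonencode({
    properties = {
      hostnameConfigurations = [{
        # A CNAME for this name must already point at the gateway,
        # otherwise Azure cannot issue the managed certificate.
        hostName          = "api.example.com"
        type              = "Proxy"
        certificateSource = "Managed"
      }]
    }
  })
}
```

Note that azapi_update_resource performs no API call on destroy, so removing it from the configuration leaves the hostname binding in place; to remove the binding, manage hostname_configuration on the APIM resource again (dropping the ignore_changes) or remove it manually.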