Open SophCarp opened 1 year ago
The certificate name for custom domains is generated automatically in the format $domain_name-$resource_group_name[:8]-$datetime, and it's with resource_group_name[:8] that problems arise.
If the slice of 8 characters from the resource group name ends in -, the code doesn't check this and as a result generates a double dash in the name, so the resource name looks like this: test.example-prod-ds--231211091022
Even according to the Microsoft guidelines, the resource name should be in the format my-super-resource-name:
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
Also, many TF providers have checks for the correctness of the name, for example azurerm
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/batch/validate/certificate_name.go#L13
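A small reproduction of the naming scheme from the report, as an added example (this is not code from the issue, from Azure Container Apps or from the azurerm provider): it builds the name exactly as described, shows the double dash that appears when the 8-character slice of the resource group name ends in a hyphen, and a trimmed variant that avoids it. The validity rule in is_valid_resource_name is an assumption modelled on the azurerm-style "letters, digits and single hyphens, no leading or trailing hyphen" check (dots allowed because the domain part contains them), not the real Container Apps validation.

```shell
#!/bin/sh
# Added example, not from the issue or Azure: reproduces the reported naming
# scheme $domain_name-$resource_group_name[:8]-$datetime and a trimmed variant.

# Naive: mirrors the behaviour described in the report
cert_name_naive() {
  domain="$1"; rg="$2"; stamp="$3"
  slice=$(printf '%.8s' "$rg")   # first 8 characters of the resource group name
  printf '%s-%s-%s\n' "$domain" "$slice" "$stamp"
}

# Fixed: strip leading/trailing hyphens from the slice; drop it if nothing is left
cert_name_fixed() {
  domain="$1"; rg="$2"; stamp="$3"
  slice=$(printf '%.8s' "$rg")
  while [ "${slice%-}" != "$slice" ]; do slice="${slice%-}"; done
  while [ "${slice#-}" != "$slice" ]; do slice="${slice#-}"; done
  if [ -n "$slice" ]; then
    printf '%s-%s-%s\n' "$domain" "$slice" "$stamp"
  else
    printf '%s-%s\n' "$domain" "$stamp"
  fi
}

# Assumed validity rule (modelled on the azurerm-style check, not the real ACA one):
# letters, digits, dots and hyphens only; no leading/trailing hyphen; no "--"
is_valid_resource_name() {
  case "$1" in
    ''|-*|*-|*--*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Demo on the values from the report (constructed input): "prod-ds-" is an
# 8-character slice that ends in a hyphen
for fn in cert_name_naive cert_name_fixed; do
  name=$("$fn" test.example prod-ds- 231211091022)
  if is_valid_resource_name "$name"; then
    echo "$fn: $name (valid)"
  else
    echo "$fn: $name (INVALID: double or trailing dash)"
  fi
done
```

The naive variant yields test.example-prod-ds--231211091022, which the check rejects; the trimmed variant yields test.example-prod-ds-231211091022. Trimming also handles a slice that is entirely hyphens by omitting that segment instead of emitting an empty one.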
With Pulumi, I've provisioned AFD domains and used a managed certificate; it works great. ACA needs that :)
@linxcat - there is a resolution here which is that the functionality is provided by an extension:
I think the baffling documentation is still an issue though.
Since there is no way to easily set up a managedCertificate using Bicep, has anyone found a way of preventing the deletion of a manually added custom domain when redeploying the container app with a new image version? This would also help when your hosted zone is not managed in Azure.
@kobeyy did you find the solution for this ?
@hoxton-webmaster I managed to find a workaround by using the Azure CLI to first look up the ID of the managed certificate and fill it in using a shell script. Since it was this difficult and hacky to get it working, I decided not to use this Azure service, as it is premature in my opinion. We halted our rollout to production because of this.
I've added the complete script below as a text file.
...
#!/usr/bin/env bash
# Workaround to prevent deletion of the custom domain binding by Bicep on a redeploy
set -euo pipefail

# These are defined earlier in the full script (omitted above); fail fast if missing
: "${RESOURCE_GROUP:?RESOURCE_GROUP must be set}"
: "${SCRIPT_DIR:?SCRIPT_DIR must be set}"
: "${PARAMETER_FILE:?PARAMETER_FILE must be set}"

# Resource ID of the first Container Apps environment in the resource group
first_container_app_env() {
  local subscription_id
  subscription_id=$(az account show --query 'id' -o tsv)
  local managedEnvironments="/subscriptions/$subscription_id/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/managedEnvironments/"
  az resource show --ids "$managedEnvironments" --query 'value[0].id' -o tsv
}

# Resource ID of the first managed certificate in that environment (empty if none exists)
get_custom_domain_id() {
  local firstContainerAppEnv
  firstContainerAppEnv=$(first_container_app_env)
  az resource show --ids "$firstContainerAppEnv/managedCertificates/" --query 'value[0].id' -o tsv 2>/dev/null || true
}

# Subject name (the custom domain) of that managed certificate (empty if none exists)
get_custom_domain_name() {
  local firstContainerAppEnv
  firstContainerAppEnv=$(first_container_app_env)
  az resource show --ids "$firstContainerAppEnv/managedCertificates/" --query 'value[0].properties.subjectName' -o tsv 2>/dev/null || true
}

# Function to deploy template
deploy_template() {
  local TEMPLATE_FILE="$SCRIPT_DIR/$1"
  echo "Deploying template: $TEMPLATE_FILE"
  # Build the command as an argument array rather than a string handed to eval, so
  # parameter values containing quotes, spaces or shell metacharacters cannot break
  # or inject into the command line
  local -a AZURE_COMMAND=(az deployment group create
    --template-file "$TEMPLATE_FILE"
    --resource-group "$RESOURCE_GROUP"
    --parameters "@$PARAMETER_FILE")

  # Workaround to prevent deletion of the custom domain binding by Bicep on a redeploy
  # Inject the manually created custom domain binding into the deployment
  local customDomainCertId
  customDomainCertId=$(get_custom_domain_id)
  if [ -n "$customDomainCertId" ]; then
    AZURE_COMMAND+=("customDomainCertificateId=$customDomainCertId")
  fi
  local customDomainCertName
  customDomainCertName=$(get_custom_domain_name)
  if [ -n "$customDomainCertName" ]; then
    AZURE_COMMAND+=("customDomainName=$customDomainCertName")
  fi

  # Conditionally add parameters
  if [ -n "${CONTAINER_REGISTRY_PASSWORD:-}" ]; then
    AZURE_COMMAND+=("containerRegistryPassword=$CONTAINER_REGISTRY_PASSWORD")
  fi
  if [ -n "${CONTAINER_REGISTRY_USER:-}" ]; then
    AZURE_COMMAND+=("containerRegistryUsername=$CONTAINER_REGISTRY_USER")
  fi
  if [ -n "${PHP_CONTAINER_IMAGE:-}" ]; then
    AZURE_COMMAND+=("phpContainerImage=$PHP_CONTAINER_IMAGE")
  fi
  if [ -n "${NGINX_CONTAINER_IMAGE:-}" ]; then
    AZURE_COMMAND+=("nginxContainerImage=$NGINX_CONTAINER_IMAGE")
  fi
  if [ -n "${IMAGE_TAG:-}" ]; then
    AZURE_COMMAND+=("imageTag=$IMAGE_TAG")
  fi

  # Log the command without parameter values, otherwise the registry password
  # ends up in the pipeline log
  echo "Executing command: az deployment group create --template-file $TEMPLATE_FILE --resource-group $RESOURCE_GROUP (parameters not shown)"
  "${AZURE_COMMAND[@]}"
}

deploy_template "deploy.bicep"
Is it possible to create a wildcard subdomain certificate using Container Apps? I couldn't get it to work. I'm using the Azure portal to create certificates.
ETA: Public Preview by end of March 2023