pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0

Enabling SSL on a CDN endpoint #1443

Open markodjukic opened 2 years ago

markodjukic commented 2 years ago

Hello!

Issue details

I've successfully deployed a CDN endpoint with a custom domain using Azure native code. However, I cannot find any support for enabling SSL on this custom domain, ideally the CDN managed certs.

Through the Azure portal I can enable it manually after the Pulumi deployment and there is a REST API call for it in the Azure docs: https://docs.microsoft.com/en-us/rest/api/cdn/custom-domains/enable-custom-https

Unless I'm missing it, the Pulumi interface does not seem to expose it: https://www.pulumi.com/registry/packages/azure-native/api-docs/cdn/endpoint/

If I manually kick off the SSL enablement, I can successfully query the deployment of this SSL through Pulumi.

If the enabling of SSL isn't exposed, any reason why it isn't? Or did I miss some other call that should be used instead?

Steps to reproduce

Set up a CDN custom domain:

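from pulumi_azure_native import cdn

# endpoint_frontend, record_set_frontend_cname, cdn_profile and resource_group
# are resources defined earlier in the same Pulumi program.
cdn_custom_domain = cdn.CustomDomain(
    "cdncustomdomain",
    endpoint_name=endpoint_frontend.name,
    # Drop the trailing dot from the DNS record's FQDN.
    host_name=record_set_frontend_cname.fqdn.apply(lambda url: url.strip(".")),
    profile_name=cdn_profile.name,
    resource_group_name=resource_group.name,
)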

Expected:

Actual:

danielrbradley commented 2 years ago

As far as I'm aware, enabling the SSL for a custom domain is a limitation of the upstream Azure API. This problem also exists for ARM templates. Here is a similar question on Stack Overflow about ARM templates.

Until Azure manage to resolve this in their underlying API, I would suggest using either the CLI or REST API to enable custom HTTPS after creating the resource.

markodjukic commented 2 years ago

Interesting, thanks for the link. Yes, I've worked around it by having a "sweep up" CLI script at the end of the Pulumi run which does all these types of calls which don't work natively.

What I'm failing to understand is what is the limitation stopping the same REST API call being implemented within the Azure native Pulumi?

danielrbradley commented 2 years ago

With a little more digging into the specification, the issue is that the enabling and disabling of the SSL support is not modelled as an enabled property on the resource, but rather a separate POST action. Therefore, because Pulumi is modelled around the idea of a desired state for each resource, we only interact with the parts of the API which are GET, PUT or DELETE.

There is a customHttpsProvisioningState property which is read-only and is therefore returned, but the metadata doesn't give us a way of tying together a way of changing this property via the POST methods. For this behaviour to be made available through Pulumi, we'd either need the customHttpsProvisioningState property to be writable via the PUT method, or have additional metadata on how to automatically use the POST requests indirectly to modify this property.

secustor commented 2 years ago

I have run into this today too. Reference: https://github.com/Azure/azure-rest-api-specs/issues/17498
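An added example, not part of the thread or of the provider's code: a sketch of the post-deployment "sweep up" step discussed above, which reads the read-only customHttpsProvisioningState and issues the enableCustomHttps POST only when needed, so it is safe to re-run after every Pulumi deployment. The api-version, the request body field names, the state values handled, and the injected `get_state`/`post` callables are assumptions to check against the linked REST reference.

```python
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2021-06-01"  # assumption: take the value from the linked REST reference

def build_enable_request(sub, rg, profile, endpoint, domain):
    """Return (url, body) for the enableCustomHttps POST action on a custom domain."""
    segs = ["subscriptions", sub, "resourceGroups", rg, "providers", "Microsoft.Cdn",
            "profiles", profile, "endpoints", endpoint, "customDomains", domain]
    path = "/".join(quote(s, safe="") for s in segs)
    url = f"{ARM}/{path}/enableCustomHttps?api-version={API_VERSION}"
    body = {  # CDN-managed certificate; field names assumed for this api-version
        "certificateSource": "Cdn",
        "protocolType": "ServerNameIndication",
        "minimumTlsVersion": "TLS12",
        "certificateSourceParameters": {
            "typeName": "CdnCertificateSourceParameters",
            "certificateType": "Dedicated",
        },
    }
    return url, body

def next_action(state):
    """Map the read-only customHttpsProvisioningState to what the sweep-up step does."""
    if state == "Enabled":
        return "none"
    if state in ("Enabling", "Disabling"):
        return "wait"  # a transition is in flight; re-check later
    if state in ("Disabled", "Failed"):
        return "post"
    raise ValueError(f"unexpected customHttpsProvisioningState: {state!r}")

def reconcile(get_state, post, target):
    """Idempotent step: POST only when the observed state calls for it.
    get_state() and post(url, body) are injected callables (hypothetical names)."""
    action = next_action(get_state())
    if action == "post":
        post(*build_enable_request(*target))
    return action

if __name__ == "__main__":
    # Constructed values, not from the thread.
    target = ("00000000-0000-0000-0000-000000000000", "rg-demo", "cdn-profile",
              "frontend", "www-example-com")
    sent = []
    print(reconcile(lambda: "Disabled", lambda u, b: sent.append((u, b)), target))
    print(sent[0][0])
```

In a real run, `get_state` would read the property from a GET on the custom domain and `post` would send the request with an Azure AD bearer token.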