pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0
125 stars 33 forks

Add support for Managed Certificates in Azure Container Apps #2496

Open gwicks opened 1 year ago

gwicks commented 1 year ago

Hello!

Issue details

I'm trying to migrate my small organization's web app to Azure Container Apps, and wanted to use Pulumi for it. However, I'm noticing its support in azure_native.app.ContainerApp is a little lacking in terms of supporting the new Managed Certificates feature exposed in the environments. For cost reasons, these are the only practical option for managed SSL certs for our app, since they are free and sufficient for our purposes. My main desire is to have Pulumi push image updates to the container app and do the deployment.

I did try this approach as a workaround.

```typescript
// `configuration` block of an azure_native.app.ContainerApp: the managed
// certificate that already exists in the managed environment is referenced
// by its ARM resource ID, since there is no Pulumi resource for it
configuration: {
  activeRevisionsMode: 'Single',
  ingress: {
    customDomains: [
      {
        bindingType: app.BindingType.SniEnabled,
        certificateId: '/subscriptions/<subID>/resourceGroups/<resourceGroupName>/providers/Microsoft.App/managedEnvironments/<manageEnvID>/managedCertificates/mydomain-managede-230605061818',
        name: 'mydomain'
      }
    ],

...
```

This may be sufficient to stop Pulumi from deleting my custom domain config on update, but it is far from optimal. The abstraction may need to be a separate one for managed certs, as there is an automated DNS validation process à la AWS ACM. I understand this API mapping is all auto-generated to some degree, but regardless, I'd like to see support added for this.

Affected area/feature

Azure Container Apps + Managed Environments
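The workaround above hands the provider a raw certificate resource ID with nothing checking it before deployment. The following is an added example (not code from the issue or from the pulumi-azure-native project) of a pre-flight validator for the `customDomains` block: it parses the certificate ARM ID, confirms the certificate lives under the same managed environment the app is deployed into, and rejects bindings whose `bindingType` and `certificateId` disagree, so a bad binding fails in a unit test instead of at `pulumi up`. The types mirror the three fields used in the issue; the helper names, the hostname rule and the sample IDs are assumptions and contain no real subscription.

```typescript
// Added example, not part of the issue or the provider. Plain TypeScript with
// no Pulumi dependency, so it runs offline; the object returned by ingressFor()
// has the shape passed as `configuration.ingress` to app.ContainerApp.

// Binding types used for Container Apps custom domains (API enum values).
export type BindingType = "Disabled" | "SniEnabled";

export interface CustomDomain {
  name: string;            // hostname, e.g. "www.example.com"
  bindingType: BindingType;
  certificateId?: string;  // ARM ID of a certificate in the managed environment
}

export interface ParsedCertificateId {
  environmentId: string;   // lower-cased; ARM resource IDs are case-insensitive
  kind: "managedCertificates" | "certificates";
  certificateName: string;
}

// Certificate resources are children of Microsoft.App/managedEnvironments.
const CERT_ID_RE =
  /^(\/subscriptions\/[^/]+\/resourceGroups\/[^/]+\/providers\/Microsoft\.App\/managedEnvironments\/[^/]+)\/(managedCertificates|certificates)\/([^/]+)$/i;

export function parseCertificateId(id: string): ParsedCertificateId | undefined {
  const m = CERT_ID_RE.exec(id.trim());
  if (!m) return undefined;
  const kind = m[2].toLowerCase() === "managedcertificates" ? "managedCertificates" : "certificates";
  return { environmentId: m[1].toLowerCase(), kind, certificateName: m[3] };
}

// RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
const LABEL = "[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?";
const HOSTNAME_RE = new RegExp(`^(?=.{1,253}$)${LABEL}(\\.${LABEL})*$`, "i");

// Returns a list of problems; an empty list means the block is consistent.
export function validateCustomDomains(managedEnvironmentId: string, domains: CustomDomain[]): string[] {
  const errors: string[] = [];
  const seen = new Set<string>();
  const envId = managedEnvironmentId.trim().toLowerCase();
  for (const d of domains) {
    const host = d.name.toLowerCase();
    if (!HOSTNAME_RE.test(d.name)) errors.push(`${d.name}: not a valid hostname`);
    if (seen.has(host)) errors.push(`${d.name}: duplicate custom domain`);
    seen.add(host);
    if (d.bindingType === "Disabled") {
      // A Disabled binding serves no TLS for the domain; a certificate here is a mistake.
      if (d.certificateId) errors.push(`${d.name}: certificateId set but bindingType is Disabled`);
      continue;
    }
    if (!d.certificateId) {
      errors.push(`${d.name}: bindingType ${d.bindingType} requires a certificateId`);
      continue;
    }
    const parsed = parseCertificateId(d.certificateId);
    if (!parsed) {
      errors.push(`${d.name}: certificateId is not a Microsoft.App certificate resource ID`);
      continue;
    }
    // Binding a certificate from another environment is rejected by Azure anyway;
    // catching it here names the domain instead of failing the whole update.
    if (parsed.environmentId !== envId) {
      errors.push(`${d.name}: certificate belongs to a different managed environment`);
    }
  }
  return errors;
}

// Builds the ingress object for app.ContainerApp, throwing if validation fails.
export function ingressFor(managedEnvironmentId: string, targetPort: number, domains: CustomDomain[]) {
  const errors = validateCustomDomains(managedEnvironmentId, domains);
  if (errors.length > 0) throw new Error("invalid customDomains:\n" + errors.join("\n"));
  return { external: true, targetPort, customDomains: domains };
}

// Constructed sample input (hypothetical subscription, group and environment).
export const SAMPLE_ENV_ID =
  "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.App/managedEnvironments/env-web";
export const SAMPLE_CERT_ID = SAMPLE_ENV_ID + "/managedCertificates/mydomain-managed-230605061818";

export const sampleIngress = ingressFor(SAMPLE_ENV_ID, 8080, [
  { name: "www.example.com", bindingType: "SniEnabled", certificateId: SAMPLE_CERT_ID },
]);
```

In a real program `sampleIngress` would be spread into `configuration.ingress` of the `app.ContainerApp` resource and the environment ID would come from the `app.ManagedEnvironment` output; the check is deliberately synchronous so it can run in a unit test against stack config before anything touches Azure.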

thomas11 commented 1 year ago

Hi @gwicks, thank you for reporting this. Unfortunately, we are in this case limited by an insufficient Azure API spec. Others have noted this, too, and reported to Microsoft. I added a comment there, pinging their PM. Hopefully, they'll release an updated version of the Container Apps spec soon.

gwicks commented 1 year ago

Thanks for the response, the workaround is fine for now for my purposes, hopefully once they add API support this will get auto-incorporated.