Reputation: 2491
I have an existing certificate that in Key Vault that I would like to reference from my bicep template.
resource prodCertificate 'Microsoft.Web/certificates@2020-12-01' existing = {
name: 'my-custom-certificate-name/123809dsfj2jf09j32123123'
scope: resourceGroup('certificateResourceGroup')
}
The current bicep template will run in a different resource group, appServiceResourceGroup
and the key vault is under the certificateResourceGroup
The above doesn't work because bicep complains that there should not be a slash in the name.
If I just use my-custom-certificate-name
, I get an error that states
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/certificates/my-custom-certificate-name' under resource group 'certificateResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
}
]
}
Upvotes: 3
Views: 5143
Reputation: 11421
I tested same scenario which you are trying i.e. import certificate from keyvault in a resource group to an App service present in another resource group.
I used the below code to do it :
param name string
param location string = resourceGroup().location
param keyvaultid string
param certificatesecretname string
@secure()
param pass string
param exisitingappplanresourceid string
resource prodCertificate 'Microsoft.Web/certificates@2021-02-01' = {
name: name
location: location
properties: {
keyVaultId: keyvaultid
keyVaultSecretName: certificatesecretname
password: pass
serverFarmId: exisitingappplanresourceid
}
}
Output:
Existing Certificate in Keyvault:
Deployments and parameters:
Azure portal App service:
Note: Please make sure to have Microsoft.Web Resource Provider
to have access to the keyvault. You can do it from portal by going to Keyvault>>access policies>>add a accesspolicy
and enter abfa0a7c-a6b6-4736-8310-5855508787cd
in service principal search dialog box , so that it will add the the below resource provider to the access policy .
If you want to add the certificate from keyvault and then create a ssl binding as well then you can use something like below:
@description('Existing App Service Plan resource id that contains the App Service being updated')
param existingServerFarmId string
@description('User friendly certificate resource name')
param certificateName string
@description('Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout README.md for more information)')
param existingKeyVaultId string
@description('Key Vault Secret that contains a PFX certificate')
param existingKeyVaultSecretName string
@description('Existing App name to use for creating SSL binding. This App should have the hostname assigned as a custom domain')
param existingWebAppName string
@description('Custom hostname for creating SSL binding. This hostname should already be assigned to the Web App')
param hostname string
@description('Location for all resources.')
param location string = resourceGroup().location
resource certificateName_resource 'Microsoft.Web/certificates@2019-08-01' = {
name: certificateName
location: location
properties: {
keyVaultId: existingKeyVaultId
keyVaultSecretName: existingKeyVaultSecretName
serverFarmId: existingServerFarmId
}
}
resource existingWebAppName_resource 'Microsoft.Web/sites@2019-08-01' = {
name: existingWebAppName
location: location
properties: {
name: existingWebAppName
hostNameSslStates: [
{
name: hostname
sslState: 'SniEnabled'
thumbprint: certificateName_resource.properties.thumbprint
toUpdate: true
}
]
}
}
Reference:
Microsoft.Web/certificates - Bicep & ARM template reference | Microsoft Docs
Upvotes: 4