Using Bicep to deploy removes manually configured domain

[quality-leftovers]

This issue is a: (mark with an x)

• bug report -> please search issues before submitting
• documentation issue or request
• regression (a behavior that used to work and stopped in a new release)

Issue description

When deploying Microsoft.App/containerApps@2023-05-01 using bicep and New-AzResourceGroupDeployment a previously manually set custom domain is removed.

Steps to reproduce

1. Deploy container app
2. Manually configure managed certificate
3. Deploy container app again

Expected behavior [What you expected to happen.]

• If the ingress definition has not set customDomains do not remove the assigned domain
• If the ingress definitions has set customDomains to an empty array remove the assigned domain

Actual behavior [What actually happened.]
If the ingress definition has not set customDomains assigned domain is removed

Screenshots
n.a.

Additional context

Other Azure Resources like Static Websites do not remove custom domain when re-deploying.

The proposed behavior would make it easy for people with small deployments to use managed certificates without setting up a complicated automated verification process (#796, #607). This issue is only about enabling the simple case of manually configuing the custom domain in the portal on top of an otherwise automated deployment.

[starskyreverie]

+1 on this

[kobeyy]

Struggled with the same issue.
Bicep support for managedCertificates is a real pain.

Unfortunately setting customDomains: null did not prevent the deletion of the manually added resources. An option to ignore_changes similar to Terraform would be great.

shell script workaround:

# Workaround to prevent deletion of the custom domain binding by Bicep on a redeploy
get_custom_domain_id() {
    local subscription_id=$(az account show --query 'id' -o tsv)
    local managedEnvironments="/subscriptions/$subscription_id/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/managedEnvironments/"
    local firstContainerAppEnv=$(az resource show --ids "$managedEnvironments" --query 'value[0].id' -o tsv)
    local customDomainCertificateId=$(az resource show --ids "$firstContainerAppEnv/managedCertificates/" --query 'value[0].id' -o tsv)
    echo $customDomainCertificateId
}
get_custom_domain_name() {
    local subscription_id=$(az account show --query 'id' -o tsv)
    local managedEnvironments="/subscriptions/$subscription_id/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/managedEnvironments/"
    local firstContainerAppEnv=$(az resource show --ids "$managedEnvironments" --query 'value[0].id' -o tsv)
    local customDomainCertificateName=$(az resource show --ids "$firstContainerAppEnv/managedCertificates/" --query 'value[0].properties.subjectName' -o tsv)
    echo $customDomainCertificateName
}



# Function to deploy template
deploy_template() {
    TEMPLATE_FILE="$SCRIPT_DIR/$1"
    echo "Deploying template: $TEMPLATE_FILE"

    AZURE_COMMAND="az deployment group create --template-file \"$TEMPLATE_FILE\" \
                               --resource-group \"$RESOURCE_GROUP\" \
                               --parameters \"$PARAMETER_FILE\""


    # Workaround to prevent deletion of the custom domain binding by Bicep on a redeploy
    # Inject the manually created custom domain binding into the deployment
    local customDomainCertId=$(get_custom_domain_id)
    if [ -n "$customDomainCertId" ]; then
        AZURE_COMMAND+=" customDomainCertificateId='$customDomainCertId'"
    fi

    local customDomainCertName=$(get_custom_domain_name)
    if [ -n "$customDomainCertName" ]; then
        AZURE_COMMAND+=" customDomainName='$customDomainCertName'"
    fi
}

[vinisoto]

Hi - we are working on simplifying the Managed Certificate creation process so that certificates and apps can be created in a single bicep template: https://stackoverflow.com/questions/76919608/azure-container-app-managed-certificates-deployed-using-bicep

We haven't made as much progress as we would have liked, but we are picking this up now. We should have a good ETA for this improvement in the coming weeks.

[starskyreverie]

thank you! really looking forward to this

[groogiam]

Any update on this?

[mboker]

Just want to bump this. I've spent the past 3 days templatizing my azure resources in bicep, and cannot deploy changes to my resources because my custom domain mapping (which I had to add by hand to get around the managed cert shortcoming), gets wiped away. So, now if i run my bicep deployment, I break my prod environment. I've looked all around for some workarounds to this, and haven't found anything for a managed cert, so I'm left w the decision to either bring (and subsequently manage) my own certs, or let all my work on this bicep template be for nothing. That is not a fun decision to have to make.

[AdnanSoftic]

I am also experiencing the same problem. I did try "two" step deployment following guide suggested above. However it does not work as creation of managed certificate on the container environment gets stuck in "Pending" State. The only difference is that i am doing domain validation on "TXT". However looking at the deployment status it is accepted but as mentioned above gets stick in Pending state.

resource managedEnvironmentManagedCertificate 'Microsoft.App/managedEnvironments/managedCertificates@2023-11-02-preview' = {
  parent: containerEnvironment
  name: '${applicationName}-${environment}-certificate'
  location: location
  dependsOn: [
    serviceWebApi
  ]
  properties: {
    subjectName: customDomainName
    domainControlValidation: 'TXT'
  }
  tags: tagValues
}

[hernandoz]

Any updates please , this is very frustrating that we have to reconfigure the custom domain after a deployment

[groogiam]

I was able to get this working by having a 2 step setup process where I can disable the certifications logic via a flag as well as pass in the manually created certificate details via an array.

@description('Array of custom domains e.g. subdomain.domain.com which will be configured for the app.')
param appCustomDomainsNames array = []
param createManagedCerts bool

All of the container app logic is in a module and the caller essentially runs it twice. Once with the flag and once without. The first time it runs, the second invocation fails because no certificates have been created. However, container app will still be created. From here I manually create the certificate / custom domains and verify. This gives me a certificate name that I can then update the calling param with. I check this into our source control and from here on out the deployments all go smoothly. Kind of a pain in the butt to the first deployment working but it works just fine after that.

param appCustomDomainsNames = [
  {
    domain: 'myapp.my-domain.com'
    certificateName: 'generated certificate name from manual creation'
  }
]

[JimGeersinga]

@vinisoto Any update on this?

[msaqlain]

Hi - we are working on simplifying the Managed Certificate creation process so that certificates and apps can be created in a single bicep template: https://stackoverflow.com/questions/76919608/azure-container-app-managed-certificates-deployed-using-bicep

We haven't made as much progress as we would have liked, but we are picking this up now. We should have a good ETA for this improvement in the coming weeks.

Still not completed? Any ETA

[quality-leftovers]

Can you share any information on progress?