SSL Certificate support for app service #1136

Closed
glenjamin opened this issue Apr 18, 2018 · 18 comments · Fixed by #4204

@glenjamin
Contributor

Terraform Version

Terraform v0.11.7
provider.azurerm v1.3.3.

Affected Resource(s)

Please list the resources as a list, for example:

  • azurerm_custom_hostname_bindings (possibly)

Feature Suggestion

It would be good to support custom SSL certificates on app service. This would probably need to be built upon the hostname binding resource.

I'm attaching an ARM template that we currently use to achieve this, it also includes a forced HTTPS redirect via an extension, which might be a cool thing to include as well.

{
    "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "type": "string"
        },
        "hostname": {
            "type": "string"
        },
        "service": {
            "type": "string"
        },
        "environment": {
            "type": "string"
        },
        "keyVaultId": {
            "type": "string"
        },
        "keyVaultCertName": {
            "type": "string"
        }
    },
    "variables": {
        "tagvalues": {
            "Service": "[parameters('service')]",
            "Environment": "[parameters('environment')]"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Web/certificates",
            "name": "[parameters('keyVaultCertName')]",
            "apiVersion": "2016-03-01",
            "location": "[resourceGroup().location]",
            "tags": "[variables('tagvalues')]",
            "properties":{
                "keyVaultId": "[parameters('keyVaultId')]",
                "keyVaultSecretName": "[parameters('keyVaultCertName')]",
                "serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', parameters('name'))]"
            }
        },
        {
            "name": "[concat(parameters('name'), '/RedirectHttpToHttps')]",
            "type": "Microsoft.Web/sites/siteextensions",
            "apiVersion": "2015-08-01",
            "properties": { }
        },
        {
            "type":"Microsoft.Web/sites/hostnameBindings",
            "name":"[concat(parameters('name'), '/', parameters('hostname'))]",
            "apiVersion":"2016-03-01",
            "location":"[resourceGroup().location]",
            "properties":{
                "sslState": "SniEnabled",
                "thumbprint":"[reference(resourceId('Microsoft.Web/certificates', parameters('keyVaultCertName'))).Thumbprint]"
            },
            "dependsOn": [
                "[concat('Microsoft.Web/certificates/', parameters('keyVaultCertName'))]"
            ]
        }
    ]
}

@katbyte katbyte added this to the Future milestone Apr 18, 2018
@katbyte katbyte removed this from the Future milestone Apr 18, 2018
@kevinneufeld

We are looking forward to having this. So close, with the initial addition of azurerm_app_service_custom_hostname_binding; just a few more steps:

  • add a certificate to the azurerm_app_service_plan via Key Vault
  • add thumbprint and enable sslState on the azurerm_app_service_custom_hostname_binding

@iakko
Contributor

iakko commented Aug 24, 2018

@kevinneufeld: do you know how to add it to the azurerm_app_service_plan ? I'm not able to find a way with Terraform.

@kevinneufeld

kevinneufeld commented Aug 27, 2018

@iakko

I cannot recall how; most likely from one of the following:

@kevinneufeld

@tombuildsstuff when do you estimate this enhancement making it on a release?

@andydkelly-ig

Is there any indication when this will get to a release or if there is a pre-release we can have a play with? Cheers

@tombuildsstuff
Contributor

@kevinneufeld @andydkelly-ig unfortunately this isn't on our short-term roadmap to implement support for - whilst we'd happily accept a community PR for this - when we looked into this previously we had questions around how we'd test this (from memory, I believe it requires a real SSL certificate to test against, rather than a generated one?)

Thanks!

@Djiit
Contributor

Djiit commented Feb 11, 2019

Hi there, just adding my two cents, is there any way for us to officially upvote this feature? We still have to do this by hand here...

@DarkestOfNights

I had experimented with extending the provider to allow for this a while back. While I was successful in implementing it, I had never gotten around to writing tests for it. I may have to revisit this in the near future since it is coming up in some new work. If I get something working, I will definitely get a PR in place to share.

@Djiit
Contributor

Djiit commented Apr 16, 2019

Hey @DarkestOfNights , did you have any chance to make it work ?

@bojingo

bojingo commented Jul 3, 2019

I have to wonder, how is it that this is not priority on the roadmap? Is there guidance/recommendation around automating this with an alternative method to Terraform, but when Terraform is otherwise used for managing the resources for a deployment in essentially every other way? This seems like it'd be a super common need among enterprise customers of app services.

@mattthias
Contributor

mattthias commented Jul 17, 2019

> This seems like it'd be a super common need among enterprise customers of app services.

I cannot imagine a case where app service is useful without SSL

@glenjamin
Contributor Author

This project is open source, so contributing it rather than commenting to say you want it which emails everyone else who is interested might be more constructive.

@ravulachetan

What is the status of SSL binding using Terraform?

I was successful using the PowerShell command 'New-AzureRmWebAppSSLBinding' but would like to use Terraform if it's available.

@joakimhellum

Hi, we started working on this in our organization some days ago, and we're mostly finished. This includes:

  • New resource: azurerm_app_service_certificate.
  • app_service_custom_hostname_binding: support for ssl_state and thumbprint.

Here is an example Terraform configuration:

Upload private key certificate (.pfx):

resource "azurerm_app_service_certificate" "test" {
  name = "test"

  resource_group_name = azurerm_resource_group.test.name

  location = azurerm_resource_group.test.location

  pfx_blob = filebase64("mycert.pfx")
  password = "Password123"
}

Import Key Vault certificate:

data "azurerm_client_config" "test" {}

data "azuread_service_principal" "test" {
  display_name = "Microsoft Azure App Service"
}

resource "azurerm_key_vault" "test" {
  name                = "test-${random_id.test.hex}"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  tenant_id = data.azurerm_client_config.test.tenant_id

  sku_name = "standard"

  access_policy {
    tenant_id               = data.azurerm_client_config.test.tenant_id
    object_id               = data.azuread_service_principal.test.object_id
    secret_permissions      = ["get"]
    certificate_permissions = ["get"]
  }
}

resource "azurerm_key_vault_certificate" "test" {
  name         = "test"
  key_vault_id = azurerm_key_vault.test.id

  certificate {
    contents = filebase64("mycert.pfx")
    password = "Password123"
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }
}

resource "azurerm_app_service_certificate" "test" {
  name = "test"

  resource_group_name = azurerm_resource_group.test.name

  location = azurerm_resource_group.test.location

  key_vault_id = azurerm_key_vault.test.id

  key_vault_secret_name = azurerm_key_vault_certificate.test.name
}

We'll make a PR for this during the weekend unless this is already being worked on.
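
Added example, not part of the comment above or of the provider's own code: the comment lists ssl_state and thumbprint on the hostname binding but only shows the certificate resource, so this configuration wires the two together. It assumes azurerm_resource_group.test and azurerm_app_service.test are defined elsewhere; www.example.com and var.pfx_password are placeholders introduced here.

```hcl
# Added example (not from the thread). Assumes azurerm_resource_group.test and
# azurerm_app_service.test already exist in the same configuration.

# Hypothetical variable: supply it via TF_VAR_pfx_password or a secrets store
# instead of committing the PFX password to version control.
variable "pfx_password" {
  type        = string
  description = "Password protecting mycert.pfx"
}

# Upload the PFX to the resource group so App Service can serve it.
resource "azurerm_app_service_certificate" "test" {
  name                = "test"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location

  pfx_blob = filebase64("mycert.pfx")
  password = var.pfx_password
}

# Bind the custom hostname and attach the uploaded certificate through SNI.
# Referencing the certificate's thumbprint attribute also gives Terraform the
# ordering that the ARM template expressed with dependsOn.
resource "azurerm_app_service_custom_hostname_binding" "test" {
  hostname            = "www.example.com" # placeholder hostname
  app_service_name    = azurerm_app_service.test.name
  resource_group_name = azurerm_resource_group.test.name

  ssl_state  = "SniEnabled"
  thumbprint = azurerm_app_service_certificate.test.thumbprint
}
```

Both pfx_blob and password are written to Terraform state in plain text, so the state backend needs the same access controls as the certificate itself.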

@tombuildsstuff
Contributor

@joakimhellum-in awesome - this looks great 👍

Taking a look at the schema my only suggestion would be changing key_vault_secret_name to key_vault_secret_id due to a bug in Terraform Core when recreating dependencies based on fields other than ID (to ensure this is correctly recreated in a single run if the parent App Service / App Service Plan gets recreated) - but this otherwise looks awesome, nice work!

@tombuildsstuff
Contributor

Fixed via #4192 - thanks @joakimhellum-in :)

@tombuildsstuff tombuildsstuff added this to the v1.34.0 milestone Sep 1, 2019
@ghost

ghost commented Sep 18, 2019

This has been released in version 1.34.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.34.0"
}
# ... other configuration ...

@ghost

ghost commented Oct 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Oct 2, 2019