Azure · ahmadabdalla · Feb 18, 2023 · Jan 30, 2023 · Jan 30, 2023 · Jan 31, 2023
@@ -11,25 +11,31 @@ Mandatory. The name of the Key Vault to add a new certificate to, or fetch the s
 .PARAMETER CertName
 Mandatory. The name of the certificate to generate or fetch the secret reference from
 
+.PARAMETER CertSubjectName
+Optional. The subject distinguished name is the name of the user of the certificate. The distinguished name for the certificate is a textual representation of the subject or issuer of the certificate. Default name is "CN=fabrikam.com"
+
 .EXAMPLE
-./Set-CertificateInKeyVault.ps1 -KeyVaultName 'myVault' -CertName 'myCert'
+./Set-CertificateInKeyVault.ps1 -KeyVaultName 'myVault' -CertName 'myCert' -CertSubjectName 'CN=fabrikam.com'
 
-Generate a new Key Vault Certificate or fetch its secret reference if already existing as 'myCert' in Key Vault 'myVault'
+Generate a new Key Vault Certificate with the default or provided subject name, or fetch its secret reference if already existing as 'myCert' in Key Vault 'myVault'
 #>
 param(
     [Parameter(Mandatory = $true)]
     [string] $KeyVaultName,
 
     [Parameter(Mandatory = $true)]
-    [string] $CertName
+    [string] $CertName,
+
+    [Parameter(Mandatory = $false)]
+    [string] $CertSubjectName = 'CN=fabrikam.com'
 )
 
 $certificate = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertName -ErrorAction 'SilentlyContinue'
 
 if (-not $certificate) {
     $policyInputObject = @{
         SecretContentType = 'application/x-pkcs12'
-        SubjectName       = 'CN=fabrikam.com'
+        SubjectName       = $CertSubjectName
         IssuerName        = 'Self'
         ValidityInMonths  = 12
         ReuseKeyOnRenewal = $true

@@ -13,25 +13,25 @@ param managedIdentityName string
 var addressPrefix = '10.0.0.0/16'
 
 resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
-  name: networkSecurityGroupName
-  location: location
-  properties: {
-    securityRules: [
-      {
-        name: 'AllowPortsForASE2'
-        properties: {
-          access: 'Allow'
-          destinationAddressPrefix: addressPrefix
-          destinationPortRange: '454-455'
-          direction: 'Inbound'
-          priority: 1020
-          protocol: '*'
-          sourceAddressPrefix: 'AppServiceManagement'
-          sourcePortRange: '*'
-        }
-      }
-    ]
-  }
+    name: networkSecurityGroupName
+    location: location
+    properties: {
+        securityRules: [
+            {
+                name: 'AllowPortsForASE2'
+                properties: {
+                    access: 'Allow'
+                    destinationAddressPrefix: addressPrefix
+                    destinationPortRange: '454-455'
+                    direction: 'Inbound'
+                    priority: 1020
+                    protocol: '*'
+                    sourceAddressPrefix: 'AppServiceManagement'
+                    sourcePortRange: '*'
+                }
+            }
+        ]
+    }
 }
 
 resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
@@ -55,7 +55,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
                         {
                             name: 'ase'
                             properties: {
-                            serviceName: 'Microsoft.Web/hostingEnvironments'
+                                serviceName: 'Microsoft.Web/hostingEnvironments'
                             }
                         }
                     ]
@@ -76,3 +76,5 @@ output subnetResourceId string = virtualNetwork.properties.subnets[0].id
 @description('The principal ID of the created Managed Identity.')
 output managedIdentityPrincipalId string = managedIdentity.properties.principalId
 
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
@@ -62,6 +62,21 @@ module testDeployment '../../deploy.bicep' = {
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '<<namePrefix>>${serviceShort}001'
+    location: resourceGroup.location
+    lock: 'CanNotDelete'
+    roleAssignments: [
+      {
+        roleDefinitionIdOrName: 'Reader'
+        principalIds: [
+          nestedDependencies.outputs.managedIdentityPrincipalId
+        ]
+        principalType: 'ServicePrincipal'
+      }
+    ]
+    tags: {
+      resourceType: 'App Service Environment'
+      hostingEnvironmentName: '<<namePrefix>>${serviceShort}001'
+    }
     subnetResourceId: nestedDependencies.outputs.subnetResourceId
     clusterSettings: [
       {
@@ -74,17 +89,12 @@ module testDeployment '../../deploy.bicep' = {
     diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
     diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
     diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+    systemAssignedIdentity: true
+    userAssignedIdentities: {
+      '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+    }
     ipsslAddressCount: 2
     kind: 'ASEv2'
     multiSize: 'Standard_D1_V2'
-    roleAssignments: [
-      {
-        roleDefinitionIdOrName: 'Reader'
-        principalIds: [
-          nestedDependencies.outputs.managedIdentityPrincipalId
-        ]
-        principalType: 'ServicePrincipal'
-      }
-    ]
   }
 }
@@ -10,28 +10,34 @@ param virtualNetworkName string
 @description('Required. The name of the Managed Identity to create.')
 param managedIdentityName string
 
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+@description('Required. The name of the Deployment Script to create for the Certificate generation.')
+param certDeploymentScriptName string
+
 var addressPrefix = '10.0.0.0/16'
 
 resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
-  name: networkSecurityGroupName
-  location: location
-  properties: {
-    securityRules: [
-      {
-        name: 'AllowPortsForASE'
-        properties: {
-          access: 'Allow'
-          destinationAddressPrefix: '10.0.7.0/24'
-          destinationPortRange: '454-455'
-          direction: 'Inbound'
-          priority: 1010
-          protocol: '*'
-          sourceAddressPrefix: 'AppServiceManagement'
-          sourcePortRange: '*'
-        }
-      }
-    ]
-  }
+    name: networkSecurityGroupName
+    location: location
+    properties: {
+        securityRules: [
+            {
+                name: 'AllowPortsForASE'
+                properties: {
+                    access: 'Allow'
+                    destinationAddressPrefix: '10.0.7.0/24'
+                    destinationPortRange: '454-455'
+                    direction: 'Inbound'
+                    priority: 1010
+                    protocol: '*'
+                    sourceAddressPrefix: 'AppServiceManagement'
+                    sourcePortRange: '*'
+                }
+            }
+        ]
+    }
 }
 
 resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
@@ -55,7 +61,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
                         {
                             name: 'ase'
                             properties: {
-                            serviceName: 'Microsoft.Web/hostingEnvironments'
+                                serviceName: 'Microsoft.Web/hostingEnvironments'
                             }
                         }
                     ]
@@ -70,9 +76,60 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-
     location: location
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+    name: keyVaultName
+    location: location
+    properties: {
+        sku: {
+            family: 'A'
+            name: 'standard'
+        }
+        tenantId: tenant().tenantId
+        enablePurgeProtection: null
+        enabledForTemplateDeployment: true
+        enabledForDiskEncryption: true
+        enabledForDeployment: true
+        enableRbacAuthorization: true
+        accessPolicies: []
+    }
+}
+
+resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+    name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment')
+    scope: keyVault
+    properties: {
+        principalId: managedIdentity.properties.principalId
+        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator
+        principalType: 'ServicePrincipal'
+    }
+}
+
+resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+    name: certDeploymentScriptName
+    location: location
+    kind: 'AzurePowerShell'
+    identity: {
+        type: 'UserAssigned'
+        userAssignedIdentities: {
+            '${managedIdentity.id}': {}
+        }
+    }
+    properties: {
+        azPowerShellVersion: '8.0'
+        retentionInterval: 'P1D'
+        arguments: '-KeyVaultName "${keyVault.name}" -CertName "asev3certificate" -CertSubjectName "CN=*.internal.contoso.com"'
+        scriptContent: loadTextContent('../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1')
+    }
+}
+
 @description('The resource ID of the created Virtual Network Subnet.')
 output subnetResourceId string = virtualNetwork.properties.subnets[0].id
 
 @description('The principal ID of the created Managed Identity.')
 output managedIdentityPrincipalId string = managedIdentity.properties.principalId
 
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The URL of the created certificate.')
+output certificateSecretUrl string = certDeploymentScript.properties.outputs.secretUrl
@@ -35,6 +35,8 @@ module nestedDependencies 'dependencies.bicep' = {
     networkSecurityGroupName: 'dep-<<namePrefix>>-nsg-${serviceShort}'
     virtualNetworkName: 'dep-<<namePrefix>>-vnet-${serviceShort}'
     managedIdentityName: 'dep-<<namePrefix>>-msi-${serviceShort}'
+    keyVaultName: 'dep-<<namePrefix>>-kv-${serviceShort}'
+    certDeploymentScriptName: 'dep-<<namePrefix>>-ds-${serviceShort}'
   }
 }
 
@@ -62,27 +64,45 @@ module testDeployment '../../deploy.bicep' = {
   params: {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '<<namePrefix>>${serviceShort}001'
+    location: resourceGroup.location
+    lock: 'CanNotDelete'
+    roleAssignments: [
+      {
+        roleDefinitionIdOrName: 'Reader'
+        principalIds: [
+          nestedDependencies.outputs.managedIdentityPrincipalId
+        ]
+        principalType: 'ServicePrincipal'
+      }
+    ]
+    tags: {
+      resourceType: 'App Service Environment'
+      hostingEnvironmentName: '<<namePrefix>>${serviceShort}001'
+    }
     subnetResourceId: nestedDependencies.outputs.subnetResourceId
+    internalLoadBalancingMode: 'Web, Publishing'
     clusterSettings: [
       {
         name: 'DisableTls1.0'
         value: '1'
       }
     ]
+    allowNewPrivateEndpointConnections: true
+    ftpEnabled: true
+    inboundIpAddressOverride: '10.0.0.10'
+    remoteDebugEnabled: true
+    upgradePreference: 'Late'
     diagnosticLogsRetentionInDays: 7
     diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
     diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
     diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
     diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
-    lock: 'CanNotDelete'
-    roleAssignments: [
-      {
-        roleDefinitionIdOrName: 'Reader'
-        principalIds: [
-          nestedDependencies.outputs.managedIdentityPrincipalId
-        ]
-        principalType: 'ServicePrincipal'
-      }
-    ]
+    systemAssignedIdentity: true
+    userAssignedIdentities: {
+      '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+    }
+    customDnsSuffix: 'internal.contoso.com'
+    customDnsSuffixCertificateUrl: nestedDependencies.outputs.certificateSecretUrl
+    customDnsSuffixKeyVaultReferenceIdentity: nestedDependencies.outputs.managedIdentityResourceId
   }
 }
@@ -0,0 +1,49 @@
+@description('Conditional. The name of the parent Hosting Environment. Required if the template is used in a standalone deployment.')
+param hostingEnvironmentName string
+
+@description('Required. Enable the default custom domain suffix to use for all sites deployed on the ASE.')
+param dnsSuffix string
+
+@description('Required. The URL referencing the Azure Key Vault certificate secret that should be used as the default SSL/TLS certificate for sites with the custom domain suffix.')
+param certificateUrl string
+
+@description('Required. The user-assigned identity to use for resolving the key vault certificate reference. If not specified, the system-assigned ASE identity will be used if available.')
+param keyVaultReferenceIdentity string
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' existing = {
+  name: hostingEnvironmentName
+}
+
+resource configuration 'Microsoft.Web/hostingEnvironments/configurations@2022-03-01' = {
+  name: 'customdnssuffix'
+  parent: appServiceEnvironment
+  properties: {
+    certificateUrl: certificateUrl
+    keyVaultReferenceIdentity: keyVaultReferenceIdentity
+    dnsSuffix: dnsSuffix
+  }
+}
+
+@description('The name of the configuration.')
+output name string = configuration.name
+
+@description('The resource ID of the deployed configuration.')
+output resourceId string = configuration.id
+
+@description('The resource group of the deployed configuration.')
+output resourceGroupName string = resourceGroup().name