Deployment script module - AKV certificates #84
Conversation
Closing this down for the moment as I've still got an optimisation to do in the AGW script. Oops.
Re-opening as the script looks fixed. I'm anticipating feedback on "what if the AKV is in a different RG to the AGW" - but am interested in other thoughts/feedback before I add parameters for this use case. I'm also tempted to add in a BatchSize(1) for the script loop due to the Application Gateway occasionally not loving concurrent updates.
Looks good, but paging @bmoore-msft to check if you know there is no way to accomplish this in bicep.
Also, can you confirm this script is idempotent, meaning if this script executes a second time, the end state (including the outputs) will be the same?
Review threads on modules/deployment-scripts/create-agw-kv-certificate/main.bicep (outdated, resolved)
Some great feedback from @bmoore-msft. I think this module will be best down-scoped to just KeyVault. I'm not sure if we'll need another module in the registry for the AGW use case. I think it might be better suited to going into the Azure Quickstart templates repo as a sample that creates an AGW, and uses this module to create the certificate which is referenced by AGW. I'll work on the suggested changes, then respond to the PR discussions individually. I think all but 2 I'm happy to implement without further discussion.
Getting another strange CI failure @shenglol - any insight? It works fine locally.
Thanks for all the feedback @bmoore-msft and iteration @Gordonby. In general, I am aligned with Brian's thinking, though I had one thought that may split the difference: Should we have a
That's an error in cleaning up the resource group. It seems that deleting a key vault is an async operation inside the backend and we should wait some time before purging the key vault. I'm working on a fix now.
Closing and reopening the PR to run the latest Deployment Test - CI.
Review thread on modules/deployment-scripts/create-kv-certificate/test/main.test.bicep (outdated, resolved)
Do we have a
We don't but we can make one, or @Gordonby or @MrMCake can have right of first refusal :)
There is a module for this resource in CARML. If it's suitable, then @MrMCake should probably PR.
Why would we need to purge the vault?
I'll need to update the MCR manifest before merging the PR since the module name is changed.
Thanks for adding the module!
Description
Adds a new module which leverages Key Vault's ability to create self-signed certificates.
It is also able to use these generated certificates in Azure Application Gateway as either frontend or backend certificates. The script is derived from what is used in this sample.
Closes #69
Adding a new module
- I have run `brm validate` locally to verify the module files.
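As an added illustration of the idempotency question raised in review (example code, not the module's script from this PR): a deployment-script body that looks the certificate up before creating it, so a second run ends in the same state and emits the same outputs. The parameter names, the sample subject name and the polling interval are assumptions of the example; it assumes the Az.KeyVault module is loaded and the script identity holds certificate get/create permissions on the vault.

```powershell
# Added example, not the PR's module script. Idempotent creation of a
# self-signed certificate in Key Vault from an Azure deployment script.
# $VaultName, $CertName, $SubjectName are assumed parameter names.
param(
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $CertName,
    [string] $SubjectName = 'CN=contoso.example',   # constructed sample value
    [int] $ValidityInMonths = 12
)

$ErrorActionPreference = 'Stop'

# Reuse an existing certificate so re-running the script changes nothing.
$cert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -ErrorAction SilentlyContinue

if (-not $cert) {
    $policy = New-AzKeyVaultCertificatePolicy `
        -SecretContentType 'application/x-pkcs12' `
        -SubjectName $SubjectName `
        -IssuerName 'Self' `
        -ValidityInMonths $ValidityInMonths `
        -ReuseKeyOnRenewal

    Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $policy | Out-Null

    # Issuance is asynchronous: poll the certificate operation until it finishes
    # rather than reading the certificate straight away.
    do {
        Start-Sleep -Seconds 5
        $op = Get-AzKeyVaultCertificateOperation -VaultName $VaultName -Name $CertName
    } while ($op.Status -eq 'inProgress')

    if ($op.Status -ne 'completed') {
        throw "Certificate operation for '$CertName' ended with status '$($op.Status)': $($op.ErrorMessage)"
    }

    $cert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
}

# Outputs are the same on every run. The secret id is what an Application
# Gateway SSL certificate references through keyVaultSecretId.
$DeploymentScriptOutputs = @{
    certificateId = $cert.Id
    secretId      = $cert.SecretId
    thumbprint    = $cert.Thumbprint
}
```

Because the existing-certificate branch never calls Add-AzKeyVaultCertificate, a re-run cannot roll the certificate version out from under an Application Gateway that already references it.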