Resource Type to get existing certificates from Microsoft.KeyVault is missing #7354
Comments
@yks0000 are you defining

In the above I am using ManagedCertificates, however if I replace the secret id with a keyvault secret reference as part of the CustomDomain, I believe that should work? CDN will create the secret resource for you, so you never have to define it in your template?

```bicep
// secret: {
//   id:
// }
```

Here is the doc reference: https://docs.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/customdomains?tabs=bicep#afddomainhttpsparameters

Update: I will have to test this scenario some more.
@yks0000 okay I completed testing with the whatif etc.

```bicep
// What the resource has for the definition.
resource TestABC 'Microsoft.Cdn/profiles/secrets@2021-06-01' = {
  name: 'acu1brwaoat5cdnshared01/TestABC'
  properties: {
    parameters: {
      type: 'CustomerCertificate'
      secretSource: {
        id: '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourcegroups/ACU1-BRW-AOA-RG-P0/providers/Microsoft.KeyVault/vaults/acu1-brw-aoa-p0-kvvlt01/secrets/TestABC'
      }
      secretVersion: 'f1defaaba183415b993f969a3dfb4da1'
      useLatestVersion: true
      subjectAlternativeNames: [
        'TestABC.contoso.com'
        'TestABC2.contoso.com'
        'TestABC3.contoso.com'
      ]
    }
  }
}
```

```bicep
// The minimum that you actually want to deploy and define in your template.
resource TestABC 'Microsoft.Cdn/profiles/secrets@2021-06-01' = {
  name: 'acu1brwaoat5cdnshared01/TestABC'
  properties: {
    parameters: {
      type: 'CustomerCertificate'
      useLatestVersion: true
      secretSource: {
        id: '/subscriptions/b8f402aa-20f7-4888-b45c-3cf086dad9c3/resourcegroups/ACU1-BRW-AOA-RG-P0/providers/Microsoft.KeyVault/vaults/acu1-brw-aoa-p0-kvvlt01/secrets/TestABC'
      }
    }
  }
}
```

The difference that whatif gives you, which should not be listed.

Will add triage back on this to review. This appears to fit more as a provider bug... which is reflected in the usage of
@brwilkinson Thank you for checking this. Agreed that

Do you want me to open another issue for KeyVault Certificate resource provider not being available?

My view on question raised on

If

True, providing a list of SANs is not useful as resource

I tested this, we cannot provide
@yks0000 I think we have enough to go on here, thank you. These 2 types of changes will take some time, since it's up to each of the 2 teams to implement or update the API specifications etc. In this case the:

Thanks again for bringing these gaps to our attention.
Adding another related

Minimum input for using a platform Managed Certificate.

```bicep
resource customDomain 'Microsoft.Cdn/profiles/customDomains@2021-06-01' = {
  name: 'acu1brwaoat5cdnshared01/acu1brwaoat5sadata1-psthing-com'
  properties: {
    hostName: 'acu1brwaoat5sadata1.psthing.com'
    tlsSettings: {
      certificateType: 'ManagedCertificate'
      minimumTlsVersion: 'TLS12'
    }
  }
}
```

whatif difference - secret id shows as a change, however it is an optional property.
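As an added example (not the issue author's or the Bicep project's code) that ties together the CustomDomain secret reference discussed earlier and the minimal secret definition above, the following template looks up the existing Key Vault with the `existing` keyword so the secret id is derived from the vault's resource id instead of being hard-coded, declares the minimal CustomerCertificate secret without secretVersion or subjectAlternativeNames, and points the custom domain's tlsSettings.secret.id at it. The parameter names and the Microsoft.KeyVault/vaults@2021-10-01 API version are assumptions.

```bicep
// Added example, not from the issue. Parameter names are assumptions; the
// vault lookup uses `existing` so no subscription or vault id is hard-coded.
param cdnProfileName string
param keyVaultName string
param keyVaultResourceGroup string = resourceGroup().name
param certificateSecretName string
param customDomainHostName string

// Existing Key Vault; cross-resource-group lookup via scope.
resource kv 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultResourceGroup)
}

resource profile 'Microsoft.Cdn/profiles@2021-06-01' existing = {
  name: cdnProfileName
}

// Minimal secret definition: no secretVersion / subjectAlternativeNames, so
// what-if has nothing to report when the vault rotates to a newer version.
resource cdnSecret 'Microsoft.Cdn/profiles/secrets@2021-06-01' = {
  parent: profile
  name: certificateSecretName
  properties: {
    parameters: {
      type: 'CustomerCertificate'
      useLatestVersion: true
      secretSource: {
        // Versionless secret id built from the existing vault's resource id.
        id: '${kv.id}/secrets/${certificateSecretName}'
      }
    }
  }
}

// Custom domain bound to the customer certificate declared above.
resource customDomain 'Microsoft.Cdn/profiles/customDomains@2021-06-01' = {
  parent: profile
  name: replace(customDomainHostName, '.', '-')
  properties: {
    hostName: customDomainHostName
    tlsSettings: {
      certificateType: 'CustomerCertificate'
      minimumTlsVersion: 'TLS12'
      secret: {
        id: cdnSecret.id
      }
    }
  }
}
```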
Action items:
@alex-frankel, is there any progress on this?

Has there been any progress on this? Is any work for it planned?
Bicep version
Bicep CLI version 0.7.4 (5afc312)

Describe the bug
There is no resource type available to query an existing certificate from Microsoft.KeyVault/vaults. Seeing some old issues (#5630), it seems Microsoft.KeyVault/vaults/certificates@2019-09-01 was present. Is it replaced by something else? May not be related, but I do not see any alias here in PSRule.Rules.Azure to get Certificate information such as SAN etc., so most likely it never existed or was removed.

Basically, we are using an existing Custom Certificate in Azure FD CDN from KeyVault. We want to get secretVersion and subjectAlternativeNames from it and pass them to Microsoft.Cdn/profiles/secrets@2021-06-01, or otherwise we need to hard code these values to avoid deployment drifts. Updating these two properties manually would be an additional step to update Azure CDN Bicep templates whenever a newer version of the Certificate is available. As we set useLatestVersion: true, not getting this value at runtime or not updating bicep with these values will result in drift between Bicep and the deployed config whenever we try to run a deployment. Though this drift, which says one resource to modify, does not do anything, it looks confusing and is not desirable.

Example:

OR

if useLatestVersion is set to true, deployment should not show changes available for modify wrt secretVersion and subjectAlternativeNames

To Reproduce
Create a file cdn.bicep:

If we run this, it will always show Resource changes: 1 to modify, which is a change in properties.parameters.secretVersion and properties.parameters.subjectAlternativeNames