Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
p
powerful-football-81694
03/15/2020, 11:10 PMHi everyone,
I’m sure this must have come up numerous times before, but I must not be coming up with the correct search keywords, so apologies if this has been asked and answered already:
I’m struggling with a “bidirectional dependency” situation while setting up an Azure Web App with a custom hostname binding, using an App Service Managed Certificate, which is a relatively new type of certificate resource that MS provisions and manages for your web app, for any hostname you can prove ownership of (using a CNAME record).
To begin with, managed certificates are not yet a supported resource type in the Azure provider, so I’m creating that using a
TemplateDeploymentCustomHostnameBindingCustomHostnameBindingCustomHostnameBindingHere’s some code, to illustrate the issue further:
t
tall-librarian-49374
03/16/2020, 8:02 AMThere’s no way to update the properties of a resource later in the program. This doesn’t quite make sense because resources are created at a later stage than the program execution, not line-by-line so to speak.
Usually, circular dependencies are a sign of sub-optimal resource model. In your case, ideally, there would be a certificate resource to gen the thumbprint, a custom hostname binding resource, and a managed certificate resource. Aren’t you able to do so? I.e., can you set the thumbprint for the
TemplateDeploymentp
powerful-football-81694
03/16/2020, 11:12 AM@tall-librarian-49374 no, because the managed certificate is newly created by MS at the time of deployment. The thumbprint is not known until after it’s been deployed.
Even in the portal, it’s necessary to do this in 2 separate operations, presumably for the same reason.
I get what you’re saying, it’s just a declarative program. What’s the workaround? Two pulimi programs and two separate stacks?
Where the second one just updates the resource?
t
tall-librarian-49374
03/16/2020, 12:00 PMYeah, this sucks. Do you know if it’s possible to achieve with pure ARM templates?
For Pulumi, I’m thinking maybe a dynamic provider that updates the binding.
p
powerful-football-81694
03/16/2020, 1:01 PMIt’s possible with ARM, but you have to use a nested template (which is pretty cumbersome).
A dynamic provider you say? Sounds intriguing! What is it?
t
tall-librarian-49374
03/16/2020, 1:02 PMHow do nested templates work around the chicken-and-egg problem? Do they update the same resource twice?
p
powerful-football-81694
03/16/2020, 1:24 PMI’m not sure, let me find the blog post I saw..
It’s very short, I think it’s basically just a memory note from a guy working on App Service.
t
tall-librarian-49374
03/16/2020, 1:27 PMYeah, it has two hostname bindings: one in the main without the cert, one in the linked with thumbprint
They then rely on them implicitly merging
p
powerful-football-81694
03/16/2020, 1:27 PMYep
t
tall-librarian-49374
03/16/2020, 1:28 PMI wonder if the same would work in Pulumi? Or will it detect the existing binding and fail?
p
powerful-football-81694
03/16/2020, 1:28 PMHm… that’s interesting. You mean, Pulumi might detect the duplicate, before it even gets to Azure?
So basically, create two resources with the same Azure name, where one depends on the other?
t
tall-librarian-49374
03/16/2020, 1:29 PMYes. But the second one depends on the managed certificate.
p
powerful-football-81694
03/16/2020, 1:30 PMYes
I can certainly try
t
tall-librarian-49374
03/16/2020, 1:30 PMAre you on 1.x or 2.x of Azure provider?
p
powerful-football-81694
03/16/2020, 1:30 PM2.1.0
t
tall-librarian-49374
03/16/2020, 1:31 PM2.x become more strict with checking existing resources (there will be a blog post mentioning this, probably later today).
p
powerful-football-81694
03/16/2020, 1:31 PMbah, ok
Otherwise, looks like this would be a good use case for a dynamic provider, indeed. Is there a public repository of these somewhere? And, do they need to be written in the same runtime as the main program (.NET in our case)?
t
tall-librarian-49374
03/16/2020, 1:33 PMAh, you are on .NET, I didn’t ask. Dynamic providers aren’t supported there yet 😞
And yes, they have to be in the language of the stack.
p
powerful-football-81694
03/16/2020, 1:34 PM🤯
@tall-librarian-49374 It didn’t work.
error: A resource with the ID "/subscriptions/1788357e-d506-4118-9f88-092c1dcddc16/resourceGroups/orgflow-licensing-dev-rg/providers/Microsoft.Web/sites/orgflow-licensing-dev-app/hostNameBindings/dev.licensing.orgflow.app" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_app_service_custom_hostname_binding" for more information.Given that dynamic providers are not supported for .NET, I don’t know what else to try.
t
tall-librarian-49374
03/16/2020, 7:52 PMOkay, so it worked as it should but then you don’t have a hack for your scenario
@white-balloon-205 @gentle-diamond-70147 We have a case of a circular dependency here. Any experience of working around those in the past? (should work in .NET)
p
powerful-football-81694
03/16/2020, 9:13 PM@tall-librarian-49374 I think I figured out a way.
First, create hostname binding (without cert)
Second, create template deployment (depends on hostname) which contains:
• The certificate
• The hostname binding again, but this time in template (depends on certificate, in ARM terms)
t
tall-librarian-49374
03/16/2020, 9:13 PMMakes sense
m
millions-journalist-34868
05/12/2020, 2:18 PM@powerful-football-81694 I need to add a custom domain on my AppService as well with a Managed Certificate. Whould it be possible for you to share some code on how you succeed to do that ?
p
powerful-football-81694
05/12/2020, 5:37 PM@millions-journalist-34868 Yeah sure. It’s C# code, will that work for you?
m
millions-journalist-34868
05/12/2020, 5:38 PMYes I am using C# as well
@powerful-football-81694 if you can send the link to a github repo or just copy paste a C# sample here it would be great !
p
powerful-football-81694
05/13/2020, 4:30 PMOK, let’s see
@millions-journalist-34868 here’s the relevant (redacted) parts of the Pulumi program itself.
And here’s the implementation of the ManagedCertificate resource.
It loads the ARM template in from an embedded resource file:
Hope that helps!
m
millions-journalist-34868
05/13/2020, 5:11 PMThat is great, thanks for sharing.