# azure
p
I’m migrating from terraform to pulumi using `pulumi/azure-nextgen`. Now I need to add a custom domain (and a managed certificate) to a `web.WebApp`, but I can’t find any hint on how to do so. Does anyone know more?
t
p
thanks @tall-librarian-49374 I’ll look into these
@tall-librarian-49374 I had a closer look at these types, and yes they do what I was hoping for, but… There is a problem in the way they have to be used. Please see this example:
```typescript
// TXT record that proves ownership of the subdomain to Azure App Service
const verificationRecord = new cloudflare.Record("TXT verification record", {
  zoneId: cloudflareZoneId,
  name: `asuid.${subdomain}`,
  type: "TXT",
  value: `${azureAppVerificationToken}`,
});

const jobToolConfigServerApp = new web.WebApp(
  "Docker App",
  {
    name: `pulumi-config`,
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    serverFarmId: plan.id,
    siteConfig: {
      alwaysOn: true,
      linuxFxVersion: `DOCKER|${dockerImage}`,
    },
  },
  { dependsOn: verificationRecord }
);

// CNAME pointing the custom subdomain at the app's default hostname
const dnsRecord = new cloudflare.Record("CNAME record", {
  name: subdomain,
  zoneId: cloudflareZoneId,
  type: "CNAME",
  value: jobToolConfigServerApp.defaultHostName,
  ttl: 300,
  proxied: false,
});

// App Service managed certificate for the custom hostname
const cert = new web.Certificate("Certificate", {
  name: "mycert",
  password: "xxxx",
  location: resourceGroup.location,
  resourceGroupName: resourceGroup.name,
  serverFarmId: plan.id,
  canonicalName: `${subdomain}.mydomain.com`,
});

// Bind the custom hostname to the app; `name` is the app name, not a free-form label
const hostNameBinding = new web.WebAppHostNameBinding("custom domain binding", {
  name: jobToolConfigServerApp.name,
  resourceGroupName: resourceGroup.name,
  hostName: `${subdomain}.mydomain.com`,
  thumbprint: cert.thumbprint,
  sslState: "SniEnabled",
});
```
This would do exactly what I want, if I omit/comment the creation of the `cert` and the `thumbprint` in the `hostNameBinding` on the first run. If I don’t do that, I get this:
```
azure-nextgen:web/latest:Certificate (mycert):
    error: Code="BadRequest" Message="Properties.CanonicalName is invalid.  Certificate creation requires hostname pulumi-config.job-tool.net added to an app in the serverFarmId /subscriptions/55f6bc5c-cb2d-4352-b37e-6b3c0854adcf/resourceGroups/pulumi-rg/providers/Microsoft.Web/serverfarms/linux-asp" Details=[{"Message":"Properties.CanonicalName is invalid.  Certificate creation requires hostname pulumi-config.job-tool.net added to an app in the serverFarmId /subscriptions/55f6bc5c-cb2d-4352-b37e-6b3c0854adcf/resourceGroups/pulumi-rg/providers/Microsoft.Web/serverfarms/linux-asp"},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51021","Message":"Properties.CanonicalName is invalid.  Certificate creation requires hostname pulumi-config.job-tool.net added to an app in the serverFarmId /subscriptions/55f6bc5c-cb2d-4352-b37e-6b3c0854adcf/resourceGroups/pulumi-rg/providers/Microsoft.Web/serverfarms/linux-asp","MessageTemplate":"{0} is invalid.  {1}","Parameters":["Properties.CanonicalName","Certificate creation requires hostname pulumi-config.job-tool.net added to an app in the serverFarmId /subscriptions/55f6bc5c-cb2d-4352-b37e-6b3c0854adcf/resourceGroups/pulumi-rg/providers/Microsoft.Web/serverfarms/linux-asp"]}}]
```
The error message explains the issue quite clearly: the `WebAppHostNameBinding` has to exist before we are able to create a certificate for the given custom domain. It’s easy to create a `WebAppHostNameBinding` without the `thumbprint`, but once the cert was created, I have to go back and set the `thumbprint` of the certificate back on the `WebAppHostNameBinding`. Is this somehow possible without running the stack twice with different resources?
t
Hmm, that’s a nasty API design…
I can’t think of a workaround, TBH. Do you want to file an issue on github to track?
p
@tall-librarian-49374 I created an issue for it: https://github.com/pulumi/pulumi-azure-nextgen/issues/129 TBO, so far, my experience with `azure-nextgen` is not the best. I have identified two issues with it and both are related to bad API design on the Azure/MS side: this one here and the one where ApplicationGateway needs references to resources within itself (https://pulumi-community.slack.com/archives/CRVK66N5U/p1605110647220000). This kind of gives me the feeling that exposing the azure types directly is not the best thing to do.
t
Do you know if those issues exist in the TF-based Azure provider?
p
@tall-librarian-49374 yes, the same problem currently exists in terraform (and this is one of the reasons why I’m looking at pulumi): https://github.com/terraform-providers/terraform-provider-azurerm/issues/4824 (the issue also has quite some +1s, so there is definitely a need for this in terraform and I guess in pulumi too). There are some workarounds available (one I documented in that issue myself), but the plan is to split `azurerm_app_service_custom_hostname_binding` to break the circular dependency: https://github.com/terraform-providers/terraform-provider-azurerm/issues/8069
t
Thank you!
p
…I’ll add this info to the pulumi issue I created