https://pulumi.com logo
Powered by
Title
p

prehistoric-nail-50687

11/09/2020, 3:00 PM
I’m migrating from terraform to pulumi using 
pulumi/azure-nextgen
now I need to add a custom domain (and a managed certificate) to a 
web.WebApp
but I can’t find any hint on how to do so. Anyone knows more?
t

tall-librarian-49374

11/09/2020, 6:52 PM
Have you tried https://www.pulumi.com/docs/reference/pkg/azure-nextgen/web/webapphostnamebinding/ and https://www.pulumi.com/docs/reference/pkg/azure-nextgen/web/certificate/ ? (I haven’t myself, but they sound related?)
p

prehistoric-nail-50687

11/10/2020, 7:39 AM
thanks @tall-librarian-49374 I’ll look into these
@tall-librarian-49374 I had a closer look at these types, and yes they do what I was hoping for, but… There is a problem in the way they have to be used. Please see this example: 
const verificationRecord = new cloudflare.Record("TXT verification record", {
  zoneId: cloudflareZoneId,
  name: `asuid.${subdomain}`,
  type: "TXT",
  value: `${azureAppVerificationToken}`,
});

const jobToolConfigServerApp = new web.WebApp(
  "Docker App",
  {
    name: `pulumi-config`,
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    serverFarmId: plan.id,
    siteConfig: {
      alwaysOn: true,
      linuxFxVersion: `DOCKER|${dockerImage}`,
    },
  },
  { dependsOn: verificationRecord }
);

const dnsRecord = new cloudflare.Record("CNAME record", {
  name: subdomain,
  zoneId: cloudflareZoneId,
  type: "CNAME",
  value: jobToolConfigServerApp.defaultHostName,
  ttl: 300,
  proxied: false,
});

const cert = new web.Certificate("Certificate", {
  name: "mycert",
  password: "xxxx",
  location: resourceGroup.location,
  resourceGroupName: resourceGroup.name,
  serverFarmId: plan.id,
  canonicalName: `${subdomain}.<http://mydomain.com|mydomain.com>`,
});

const hostNameBinding = new web.WebAppHostNameBinding("custom domain binding", {
  name: "custom-domain-binding",
  resourceGroupName: resourceGroup.name,
  hostName: `${subdomain}.<http://mydomain.com|mydomain.com>`,
  thumbprint: cert.thumbprint,
  sslState: "SniEnabled",
});
This would do exactly what i want, if I omit/comment the creation of the 
cert
and the 
thumbprint
in the 
hostNameBinding
on the first run. If I don’t do that, I get this: 
azure-nextgen:web/latest:Certificate (mycert):
    error: Code="BadRequest" Message="Properties.CanonicalName is invalid.  Certificate creation requires hostname <http://pulumi-config.job-tool.net|pulumi-config.job-tool.net> added to an app in the serverFarmId /subscriptions/55f6bc5c-cb2d-4352-b37e-6b3c0854adcf/resourceGroups/pulumi-rg/providers/Microsoft.Web/serverfarms/linux-asp" Details=[{"Message":"Properties.CanonicalName is invalid.  Certificate creation requires hostname <http://pulumi-config.job-tool.net|pulumi-config.job-tool.net> added to an app in the serverFarmId /subscriptions/55f6bc5c-cb2d-4352-b37e-6b3c0854adcf/resourceGroups/pulumi-rg/providers/Microsoft.Web/serverfarms/linux-asp"},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51021","Message":"Properties.CanonicalName is invalid.  Certificate creation requires hostname <http://pulumi-config.job-tool.net|pulumi-config.job-tool.net> added to an app in the serverFarmId /subscriptions/55f6bc5c-cb2d-4352-b37e-6b3c0854adcf/resourceGroups/pulumi-rg/providers/Microsoft.Web/serverfarms/linux-asp","MessageTemplate":"{0} is invalid.  {1}","Parameters":["Properties.CanonicalName","Certificate creation requires hostname <http://pulumi-config.job-tool.net|pulumi-config.job-tool.net> added to an app in the serverFarmId /subscriptions/55f6bc5c-cb2d-4352-b37e-6b3c0854adcf/resourceGroups/pulumi-rg/providers/Microsoft.Web/serverfarms/linux-asp"]}}]
The error message explains the issue quite clear: the 
WebAppHostNameBinding
has to exist before we are able to create a certificate for the given custom domain. Its easy to create a 
WebAppHostNameBinding
without the 
thumbprint
, but once cert was created, i have to go back and set the 
thumbprint
of the certificate back on the 
WebAppHostNameBinding
- is this somehow possible without running the stack twice with different resources?
t

tall-librarian-49374

11/13/2020, 12:57 PM
Hmm, that’s a nasty API design…
I can’t think of a workaround, TBH. Do you want to file an issue on github to track?
p

prehistoric-nail-50687

11/13/2020, 2:10 PM
@tall-librarian-49374 I created an issue for it: https://github.com/pulumi/pulumi-azure-nextgen/issues/129 TBO, so far, my experiance with 
azure-nextgen
is not the best, I have identified two issues with it and both are related to bad API design on Azure/MS site. This one here and the one where ApplicationGateway needs references to resources within itself ( https://pulumi-community.slack.com/archives/CRVK66N5U/p1605110647220000). This kind of gives me the feeling that exposing the azure types directly is not the best thing to do.
t

tall-librarian-49374

11/13/2020, 3:01 PM
Do you know if those issues exist in the TF-baseв Azure provider?
p

prehistoric-nail-50687

11/13/2020, 3:15 PM
@tall-librarian-49374 yes the same problem currently exists in terraform (and this is one of the reasons why I’m looking at pulumi: https://github.com/terraform-providers/terraform-provider-azurerm/issues/4824 (the issue also has quite some +1s, so there is definitely need of this in terraform and i guess in pulumi too) There are some workarounds available (one I documented in that issue myself), but the plan is to split 
azurerm_app_service_custom_hostname_binding
to break the circular dependency: https://github.com/terraform-providers/terraform-provider-azurerm/issues/8069
t

tall-librarian-49374

11/13/2020, 3:16 PM
Thank you!
p

prehistoric-nail-50687

11/13/2020, 3:17 PM
…I’ll add this info to the pulumi issue i created
3 Views
#azureJoin Slack
Powered by