# general
c
Hello 🙂. I'm considering storing SSL certs as Pulumi secrets. Is this a very stupid idea?
l
Not stupid, but not generally used. Generally certs get stored in your cloud providers' vault or keystore.
b
@careful-vase-44898 we have the TLS provider which will allow you to generate certs if needed as well. Pulumi's secrets management makes it fairly trivial, the private keys are encrypted in state
c
@little-cartoon-10569 thanks, that does make more sense. I'll have to keep looking at the Azure and AzureNative docs then to see how that might be done.
@billowy-army-68599 interesting - so I can use that to create self-signed certs for testing purposes then?
Thanks, I'll give this a shot!
b
c
Got the self-signed certs working! Thanks @billowy-army-68599! Would have been real tough w/o that example. Still need to get the Azure KeyVault-based certs working, but that's for another day 😉
@little-cartoon-10569 hi there. A few weeks ago you mentioned using my providers vault to manage ssl certs. I've got a cert in Azure KeyVault now, but I'm having trouble referring to it via Pulumi.
My code looks like this:
var customDomainSslCert = new AzureNative.Web.Certificate("sslCertKv", new CertificateArgs
{
    ResourceGroupName = resourceGroup.Name,
    Location = resourceGroup.Location,
    CanonicalName = customDomain,
    HostNames = new InputList<string>() { customDomain },
    ServerFarmId = appServicePlan.Id,
    KeyVaultSecretName = "theNameOfTheCertificate",
    KeyVaultId = keyVault.Id
});

var certBinding = new AzureClassic.AppService.CertificateBinding("sslCertBindingKv", new AzureClassic.AppService.CertificateBindingArgs
{
    CertificateId = customDomainSslCert.Id,
    HostnameBindingId = customHostnameBinding.Id,
    SslState = "IpBasedEnabled"
});
and I'm getting an error like this:
Diagnostics:
  azure-native:web:Certificate (sslCertKv):
    error: autorest/azure: Service returned an error. Status=<nil> <nil>
l
I'm afraid I don't know the specifics of Azure vaults. That error message is singularly unhelpful... might as well tell you that your printer port is on fire.
c
And that's w/ verbose logging 🙂
l
Did you add the cert via Pulumi? Has it been successfully added to the vault? Can you use the Azure cli tools to list it?
And does the app service handle retrieving certs from vaults? I can't imagine that it doesn't, but it would be worth checking in the Azure docs, I guess...
c
No, I didn't add the cert via Pulumi. I didn't think that'd be the best way to manage the cert long-term - it'll be easiest to allow one of our admins to just log into Azure and swap the cert out. It's definitely been added to Azure though, and I can manually attach it to the App Service.
Yes, Azure AppService allows you to use a certificate from KeyVault
l
If the certificate is being added externally, shouldn't there be an import opt in the Certificate? Otherwise, Pulumi will be trying to create a new certificate.
Pulumi can create and cycle certificates fine, at least in AWS. That's what the certificate manager is for. I presume Azure has something similar.
c
I think you're right. I must be misunderstanding what the "KeyVaultSecretName" and "KeyVaultId" options are for then when I'm creating my AzureNative.Web.Certificate
Well, this isn't great. Can't figure it out. Gonna have to manage the SSL cert setup manually for now. Thanks for the help, though!
l
This post suggests it's possible and not well documented... https://nexxai.dev/using-a-certificate-stored-in-key-vault-in-an-azure-app-service/
c
Oh wow, that's... miserable. A magic service principal id... great find! Thanks, I'll give that a shot this afternoon.