Problem
I have a certificate in Key Vault that I’d like to use as a reference in my bicep template.
resource prodCertificate 'Microsoft.Web/certificates@2020-12-01' existing = {
name: 'my-custom-certificate-name/123809dsfj2jf09j32123123'
scope: resourceGroup('certificateResourceGroup')
}
The current bicep template will run in the appServiceResourceGroup resource group, while the key vault will run in the certificateResourceGroup resource group.
Bicep complains because there should not be a slash in the name, therefore the above doesn’t function.
I receive an error if I only type in my-custom-certificate-name.
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.Web/certificates/my-custom-certificate-name' under resource group 'certificateResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
}
]
}
Asked by SamIAm
Solution #1
I tested the same scenario as you, namely, importing a certificate from a resource group’s keyvault to an App service in another resource group.
I did it with the following code:
param name string
param location string = resourceGroup().location
param keyvaultid string
param certificatesecretname string
@secure()
param pass string
param exisitingappplanresourceid string
resource prodCertificate 'Microsoft.Web/certificates@2021-02-01' = {
name: name
location: location
properties: {
keyVaultId: keyvaultid
keyVaultSecretName: certificatesecretname
password: pass
serverFarmId: exisitingappplanresourceid
}
}
Output:
Existing Keyvault Certificate:
Deployments and parameters:
App service for Azure portal:
To access the keyvault, ensure sure you have Microsoft.Web Resource Provider installed. You may add the below resource provider to the access policy by navigating to Keyvault>>access policies>>add an accesspolicy and entering abfa0a7c-a6b6-4736-8310-5855508787cd in the service principal search dialog box.
You may do something like this to add the certificate from keyvault and then build a ssl binding as well:
@description('Existing App Service Plan resource id that contains the App Service being updated')
param existingServerFarmId string
@description('User friendly certificate resource name')
param certificateName string
@description('Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout README.md for more information)')
param existingKeyVaultId string
@description('Key Vault Secret that contains a PFX certificate')
param existingKeyVaultSecretName string
@description('Existing App name to use for creating SSL binding. This App should have the hostname assigned as a custom domain')
param existingWebAppName string
@description('Custom hostname for creating SSL binding. This hostname should already be assigned to the Web App')
param hostname string
@description('Location for all resources.')
param location string = resourceGroup().location
resource certificateName_resource 'Microsoft.Web/certificates@2019-08-01' = {
name: certificateName
location: location
properties: {
keyVaultId: existingKeyVaultId
keyVaultSecretName: existingKeyVaultSecretName
serverFarmId: existingServerFarmId
}
}
resource existingWebAppName_resource 'Microsoft.Web/sites@2019-08-01' = {
name: existingWebAppName
location: location
properties: {
name: existingWebAppName
hostNameSslStates: [
{
name: hostname
sslState: 'SniEnabled'
thumbprint: certificateName_resource.properties.thumbprint
toUpdate: true
}
]
}
}
Reference:
Bicep & ARM template reference | Microsoft Docs | Microsoft.Web/certificates
Answered by AnsumanBal-MT
Post is based on https://stackoverflow.com/questions/69565948/how-can-i-reference-an-existing-certificate-resource-in-bicep