I have been trying to use the following to bind a custom domain to an existing Azure web app. The problem is that I need to use only the asuid TXT record, as the CNAME for the custom domain is pointing to the application gateway VIP...
// Editable parameters
param customDomainName string
param appName string
param appServicePlanName string
param location string = resourceGroup().location

// Reference to the existing web app
resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appName
}

resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' existing = {
  name: appServicePlanName
}

// Step 1: Add the custom domain (hostname binding) to the web app
resource customDomainBinding 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  parent: webApp
  name: customDomainName
  properties: {
    hostNameType: 'Verified'
  }
}

// Step 2: Create a managed certificate for the custom domain
resource certificates 'Microsoft.Web/certificates@2022-03-01' = {
  name: '${customDomainName}-managed-cert'
  location: location
  properties: {
    canonicalName: customDomainName
    serverFarmId: appServicePlan.id
  }
}

// Step 3: Update the SSL state for the custom domain (SSL binding)
// Only bind SSL once, do not create a separate binding
resource customDomainSsl 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  parent: webApp
  name: customDomainName // This should be the same as above
  properties: {
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    thumbprint: certificates.properties.thumbprint
    customHostNameDnsRecordType: 'CName'
  }
}
I then get this because, as I mentioned, the CNAME is pointed to the app gateway VIP:
Hostname not eligible for App Service Managed Certificates creation. Ensure that your domain has an active CNAME record which is set to .azurewebsites.net etc
Another route I've tried is referencing a cert in a key vault, but I have not been successful with the below:
// Editable parameters
param subIdOfCertKeyVault string
param certKeyVaultResourceGroup string
param customDomainName string
param appName string
param certKeyVaultName string
param certificateSecretName string

// Reference to the existing web app
resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appName
}

// Reference Key Vault
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: certKeyVaultName
  scope: resourceGroup(subIdOfCertKeyVault, certKeyVaultResourceGroup)
}

// Reference the secret in Key Vault
resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' existing = {
  parent: keyVault
  name: certificateSecretName
}

// Directly bind the certificate to the hostname
resource customDomainSsl 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  parent: webApp
  name: customDomainName
  properties: {
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    thumbprint: keyVaultSecret.properties.secretUri
  }
}
This Azure CLI below works with only using a TXT record and a managed cert...
### Set the variables ###
$SubscriptionIDofWebApp = '' # Subscription ID of where the lms web app will be created
$Company = ''
$Environment = '' # lower or prod
$SubEnvironment = '' # dev, uat, qa, etc. Note: if prod, enter prod
$Location = '' # Region where the subscription is
$Record = ''
# Set Subscription for Web App
Write-Host 'Setting the subscription of the web app...'
az account set --subscription $SubscriptionIDofWebApp
# Set Thumbprint Variable
Write-Host 'Creating the variable for the thumbprint...'
$Thumbprint = az webapp config ssl list --resource-group "rg-$Company-$Environment-app-$Location-001" --query "[].thumbprint" --output tsv
# Bind the SSL Cert
Write-Host 'Binding the SSL Cert...'
az webapp config ssl bind --resource-group "rg-$Company-$Environment-app-$Location-001" --name "app-$Company-$SubEnvironment-lms-$Location-001" --certificate-thumbprint "$Thumbprint" --ssl-type SNI
Please let me know if you know the proper, best way to do this with Bicep when only a TXT record can be used for validation, not CNAME.
asked Nov 22, 2024 at 15:26, edited Nov 22, 2024 at 15:49, by jobatthemall
1 Answer
This ended up being the solution:
// Editable parameters
param customDomainName string
param appName string
param appServicePlanName string
param location string
param subIdOfCertKeyVault string
param certKeyVaultResourceGroup string
param certKeyVaultName string
param certificateSecretName string

// Reference to the existing web app
resource webApp 'Microsoft.Web/sites@2024-04-01' existing = {
  name: appName
}

resource appServicePlan 'Microsoft.Web/serverfarms@2024-04-01' existing = {
  name: appServicePlanName
}

resource certKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: certKeyVaultName
  scope: resourceGroup(subIdOfCertKeyVault, certKeyVaultResourceGroup)
}

// Import the certificate from Key Vault for the custom domain
// (a Key Vault certificate, not an App Service managed certificate)
resource certificate 'Microsoft.Web/certificates@2023-12-01' = {
  name: customDomainName
  location: location
  properties: {
    keyVaultId: certKeyVault.id
    keyVaultSecretName: certificateSecretName
    serverFarmId: appServicePlan.id
  }
}

// Update the SSL state for the custom domain (SSL binding)
// Only bind SSL once, do not create a separate binding
resource customDomainSsl 'Microsoft.Web/sites/hostNameBindings@2023-12-01' = {
  parent: webApp
  name: customDomainName // This should be the same as above
  properties: {
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    thumbprint: certificate.properties.thumbprint
  }
}
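The answer relies on the asuid TXT record already being in DNS when the hostname binding is created. The following is an added example, not part of the original question or answer, showing that ownership record provisioned in the same deployment and ordered before the binding. It assumes the parent zone is hosted in Azure DNS in the same resource group; `dnsZoneName`, `hostLabel`, `asuidTxt` and `hostBinding` are hypothetical names.

```bicep
// Added example, not from the original post.
// Assumption: the parent DNS zone is an Azure DNS zone in this resource group.
param appName string
param dnsZoneName string // hypothetical parameter, e.g. 'example.com' (constructed value)
param hostLabel string   // hypothetical parameter, e.g. 'lms' for lms.example.com

resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appName
}

resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
  name: dnsZoneName
}

// Ownership proof: asuid.<host> TXT record carrying the app's verification ID.
// The CNAME/A record for the host itself is left pointing at the gateway.
resource asuidTxt 'Microsoft.Network/dnsZones/TXT@2018-05-01' = {
  parent: dnsZone
  name: 'asuid.${hostLabel}'
  properties: {
    TTL: 3600
    TXTRecords: [
      {
        value: [
          webApp.properties.customDomainVerificationId
        ]
      }
    ]
  }
}

// The hostname binding is created only after the TXT record exists.
resource hostBinding 'Microsoft.Web/sites/hostNameBindings@2023-12-01' = {
  parent: webApp
  name: '${hostLabel}.${dnsZoneName}'
  dependsOn: [
    asuidTxt
  ]
  properties: {
    hostNameType: 'Verified'
  }
}

output asuidRecordName string = 'asuid.${hostLabel}.${dnsZoneName}'
```

A template can declare a given hostname binding only once, so when merging this with the answer's template, put the `dependsOn` on its `customDomainSsl` resource instead of adding `hostBinding`.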
Tags: How to bind a custom domain to an Azure Web App with Bicep using only ASUID TXT record, Stack Overflow