
I am trying to create an ARM template that creates an Application Gateway and uploads a dynamic number of SSL certs with passwords. Creating the App Gateway is not a big problem, but I am stuck at passing a dynamic number of SSL certificates with passwords from PowerShell to the ARM template.

The PowerShell is set up to send in an array of [0..n] certificates paired with passwords in securestring to the ARM template and parameter file. The resource definition for App Gateway requires the password for each SSL certificate to be a securestring, but there doesn't seem to be a way to define a parameter as either an array or object and define elements/attributes to be of type securestring.

There was an example for a VM password passed via Key Vault where you upload the password/certs to Key Vault via PowerShell, then use "reference" for the password value at the resource definition. However, this does not seem to work for SSL certs at Application Gateway and I run into the error "After parsing a value an unexpected character was encountered: {" right after "password:"

Does anyone know a way to pass a dynamic number of securestrings to an ARM template, or upload a dynamic number of SSL certs & passwords to Application Gateway via an ARM template?

Koss

1 Answer


Well, one way of doing that would be passing in an array of Key Vault secret names you need to use to grab certificate data and iterating over them one by one when invoking nested templates (since you can only resolve a KV secret to a value when you initiate\start a new template, not inside the template). That would not require secure strings, since nothing secret is being passed to the template.

There is no clean way of doing this. Either way it would require iterators or, for example, using PowerShell to launch the same template x number of times (1 for each application gateway) and feed the values to the template.

I was storing certificates as base64-encoded strings in Key Vault to pass them to the Application Gateway definition.

But I don't understand the whole premise of the question. Application Gateway doesn't care if you put securestring or just string into the SSL certificate properties.

4c74356b41
  • App Gateway has a property "sslCertificates" that takes certificate "data" and "password" attributes. The password attribute requires type securestring. – Koss Dec 10 '19 at 20:15
  • I don't think there's any issue with passing certificate data. I had no problem passing it as an array of encoded strings. But the password requires it to be of type securestring at the resource definition. I cannot use a nested template because I need to upload all SSL certificates to App Gateway as an array, then create backend pools and listeners referencing those certs. The SSL certs and references have to be in the same definition. – Koss Dec 10 '19 at 20:25
  • No, that's not true, it just expects a string. https://learn.microsoft.com/en-us/rest/api/application-gateway/applicationgateways/createorupdate#applicationgatewaysslcertificate. And about the nested net, it would also work; there would be a bunch of ways of achieving that, depending on the approach you take. – 4c74356b41 Dec 11 '19 at 04:02