
Here is my demo sandbox code showing how I deploy with Bicep. I'm using a custom certificate for this.

// Deployment parameters for the CDN profile and endpoint declared in this template.

// Name given to the Microsoft.Cdn/profiles resource.
param profileName string = 'testresearchcdn'

// Pricing tier assigned to the profile (sku.name).
// NOTE(review): the template also declares a Microsoft.Cdn/profiles/secrets child resource;
// that resource type appears to be accepted only on the Front Door tiers
// (Standard_AzureFrontDoor / Premium_AzureFrontDoor), while the default here is a classic
// CDN tier. Confirm against the resource provider documentation.
@allowed([
  'Standard_Verizon'
  'Premium_Verizon'
  'Custom_Verizon'
  'Standard_Akamai'
  'Standard_ChinaCdn'
  'Standard_Microsoft'
  'Premium_ChinaCdn'
  'Standard_AzureFrontDoor'
  'Premium_AzureFrontDoor'
  'Standard_955BandWidth_ChinaCdn'
  'Standard_AvgBandWidth_ChinaCdn'
  'StandardPlus_ChinaCdn'
  'StandardPlus_955BandWidth_ChinaCdn'
  'StandardPlus_AvgBandWidth_ChinaCdn'
])
param sku string = 'Standard_Microsoft'


// Name given to the endpoint created under the profile.
param endpointName string = 'testresearchcdn'

// NOTE(review): defaults to true, so the endpoint accepts cleartext HTTP unless the caller
// overrides it. For a deployment that exists to serve a custom certificate, consider passing
// false or adding an HTTP-to-HTTPS redirect; no redirect rule is declared in this template.
@description('Whether the HTTP traffic is allowed.')
param isHttpAllowed bool = true

@description('Whether the HTTPS traffic is allowed.')
param isHttpsAllowed bool = true

// Passed straight through to the endpoint's queryStringCachingBehavior property.
@description('Query string caching behavior.')
@allowed([
  'IgnoreQueryString'
  'BypassCaching'
  'UseQueryString'
])
param queryStringCachingBehavior string = 'IgnoreQueryString'

// MIME types handed to the endpoint's contentTypesToCompress property.
@description('Content type that is compressed.')
param contentTypesToCompress array = [
  'text/plain'
  'text/html'
  'text/css'
  'application/x-javascript'
  'text/javascript'
]

@description('Whether the compression is enabled')
param isCompressionEnabled bool = true



// Used as the location of both the profile and the endpoint.
@description('Location for all resources.')
param location string = 'global'

// CDN profile: the top-level resource that the endpoint and the secret in this template
// attach to through their `parent` property. The pricing tier comes from the `sku` parameter.
resource testresearchcdn 'Microsoft.Cdn/profiles@2020-09-01' = {
  name: profileName
  location: location
  sku: {
    name: sku
  }
  properties: {}
}

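// Blob storage host used both as the origin address and as the Host header sent to it.
// Held in one variable so the two values cannot drift apart.
var originHostName = 'testresearchcdn.blob.core.windows.net'

// CDN endpoint under the profile, fronting a single blob-storage origin.
resource Microsoft_Cdn_profiles_endpoints_testresearchcdn 'Microsoft.Cdn/profiles/endpoints@2020-09-01' = {
  name: endpointName
  parent: testresearchcdn
  location: location
  properties: {
    // Host header presented to the origin; must match what the storage account expects.
    originHostHeader: originHostName
    // Client-facing protocols, both taken from parameters.
    // NOTE(review): when isHttpAllowed is true the endpoint serves cleartext HTTP as well;
    // nothing in this resource redirects HTTP to HTTPS.
    isHttpAllowed: isHttpAllowed
    isHttpsAllowed: isHttpsAllowed
    queryStringCachingBehavior: queryStringCachingBehavior
    contentTypesToCompress: contentTypesToCompress
    isCompressionEnabled: isCompressionEnabled
    origins: [
      {
        name: 'testresearchcdn-blob-core-windows-net'
        properties: {
          hostName: originHostName
        }
      }
    ]
  }
}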

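// Maps the custom hostname onto the CDN endpoint.
// Uses the same API version (2020-09-01) as the other Microsoft.Cdn resources in this template,
// so all of them are validated against one schema rather than a mix of 2016 and 2020.
// This declaration only registers the hostname; nothing in this block attaches a certificate
// or enables HTTPS for the domain.
// NOTE(review): the service normally requires a DNS CNAME from the hostname to the endpoint
// before it accepts the mapping. Confirm the record exists before deploying.
resource test_researchcdn_example_com 'Microsoft.Cdn/profiles/endpoints/customDomains@2020-09-01' = {
  name: 'test-researchcdn-example-com'
  parent: Microsoft_Cdn_profiles_endpoints_testresearchcdn
  properties: {
    hostName: 'test-researchcdn.example.com'
  }
}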

// Registers a customer-managed certificate, stored in Key Vault, as a secret on the CDN profile.
// NOTE(review): Microsoft.Cdn/profiles/secrets appears to be a Front Door Standard/Premium
// resource type; on a classic CDN SKU the service may reject it outright. Confirm that the
// profile's sku matches before debugging the property values below.
resource example_wildcard_2019 'Microsoft.Cdn/profiles/secrets@2020-09-01' = {
  name: 'DDKeyVault1'
  parent: testresearchcdn
  properties: {
    parameters: {
      type: 'CustomerCertificate'
      // Value redacted in the post.
      certificateAuthority: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
      secretSource: {
        // This is the vault's https:// data-plane URL. The deployment reported
        // "SecretSource id is invalid." for it; the property is a resource reference, so an
        // ARM resource ID (/subscriptions/.../providers/Microsoft.KeyVault/vaults/...) is
        // presumably what is expected.
        id: 'https://DDkeyvault1.vault.azure.net/certificates/example-wildcard-2019/xxxxxxxxxxxxxxxxxxxxx'
      }
      // NOTE(review): secretVersion is empty while useLatestVersion (below) is false, so no
      // version is pinned and automatic pickup of renewed certificates is off. Choose one:
      // pin an explicit version, or set useLatestVersion to true so rotation in Key Vault is
      // followed.
      secretVersion: ''
      subjectAlternativeNames: [
        '*.example.com'
        'example.com'
      ]
      useLatestVersion: false
    }
  }
  // Explicit ordering only: nothing in this resource references the custom domain.
  // NOTE(review): the CDN service principal needs read access to the certificate in the vault
  // before this deploys. Grant it read-only (get) permission on that vault, nothing broader.
  dependsOn: [
    test_researchcdn_example_com
  ]
  
}
     

This is my error:

"code": "BadRequest", "message": "SecretSource id is invalid."

I have tried the Certificate Identifier, the Secret Identifier and the kvID of the vault where the secret is located as the SecretSource, but I'm getting the same error. What am I missing?

Abkade

1 Answer


You are defining the SecretSource id in the wrong format. In an ARM template, the id cannot be given as the vault URL, `https://<KeyvaultName>.vault.azure.net/certificates/<CertificateName>`; it has to be given as the resource ID, `/subscriptions/<SubscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<KeyvaultName>/certificates/<CertificateName>`.

So in your code instead of the below :

secretSource: {
id: 'https://DDkeyvault1.vault.azure.net/certificates/example-wildcard-2019/xxxxxxxxxxxxxxxxxxxxx'
}

You have to use this :

// ARM resource ID of the Key Vault object, replacing the vault's https:// data-plane URL.
// NOTE(review): later API-version documentation for this property describes the path as
// .../vaults/<KeyvaultName>/secrets/<CertificateName>, with the version supplied through
// secretVersion rather than as a trailing path segment. Confirm which form the service accepts.
secretSource: {
id: '/subscriptions/<YOUR-SUBSCRIPTION-ID>/resourceGroups/<YOUR-KEYVAULT-RESOURCE-GROUP-NAME>/providers/Microsoft.KeyVault/vaults/DDkeyvault1/certificates/example-wildcard-2019/xxxxxxxxxxxxxxxxxxxxx'
}

Note: Before running the above, make sure you have granted Azure CDN access to your key vault.

RahulKumarShaw
  • Thanks but this is what im getting { "status": "Failed", "error": { "code": "BadRequest", "message": "That action isn’t allowed in this profile." } } – Abkade Jan 03 '22 at 14:09
  • @Abkade, For this error you can go through this [Link](https://github.com/Azure/azure-powershell/issues/9654) – RahulKumarShaw Jan 04 '22 at 06:25
  • Yes and this is what im getting { "status": "Failed", "error": { "code": "BadRequest", "message": "That action isn’t allowed in this profile." } } – Abkade Jan 04 '22 at 14:41