I currently have a situation where I'm deploying 2 App Services into a new App Service Plan together.

Both App Services use the same certificate - *.test.myapp.internal

The App Services must be deployed independently of one another.

Right now, both have the exact same ARM Template resource code to deploy a Microsoft.Web/certificates resource with them, and link it to the hostNameBinding.

I deployed the first App Service, and all went smoothly: my certificate was read from a Key Vault and copied to the resource group of the first application. The application was then able to use the certificate, and worked well.

Next, I went to deploy the second App Service, which also lives in its own resource group. This time I was met with an error message stating that there's a conflict with the certificate resource, and that a certificate with that thumbprint already exists.

Another certificate exists with same thumbprint xxxx in xxxx... etc.

I'm running my ARM Template in the Create or Update mode (Incremental), so I would assume that, as I'm supplying the exact same name for the certificate in both templates and it therefore exists already, it would just be skipped.

So, how can I skip the certificate resource being created? Clearly it exists, and I could use it with the second App Service. As far as I can tell, there's no "exists" style function in ARM.

EDIT: Had an idea where I can set a parameter and do conditional logic on whether to deploy that resource or not. However, I'm not sure that works when I have the "dependsOn" part set for other resources, i.e. the site or hostNameBinding depending on the cert to be deployed. Guess I've got some testing to do.

user3012708

1 Answer

The answer to this is: You can't do conditional checks on an item already existing in an ARM Template.

The solution to this was: Have a separate resource group that hosts your App Service Plan, and have that resource group contain the certificates. The certificates can be created from a Key Vault secret of course, which then links them to the Key Vault. This way you can utilise the certificates from a 'central' location you already reference with the App Service Plan.

This then gives you the possibility to have x number of resource groups with your App Services in, which reference the App Service Plan and the certificates in your separate 'central' resource group.

This makes the initial deploy of the APIs the same as every deploy after - as there's no need to deploy certificates too.

So, for 'One app service plan, 2 app services, 1 wildcard cert, 2 deployments' you need 3 ARM Templates:

  1. App Service Plan & Certificates
  2. App Service x & whatever other stuff supporting it
  3. App Service y & whatever other stuff supporting it

Deploy order is: 1, 2, 3. Or 1, 3, 2. Or 1, 3, 3, 3, 3, 2... etc., as long as Template 1 is deployed first.

I hope this can help someone who had trouble with something that looked 'simple' on the surface.

user3012708
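A sketch of what template 2 or 3 from the answer above could look like, added here as an illustration and not taken from the original post. All parameter names are assumptions, and it assumes the app's resource group is in the same region as the plan. The certificate is looked up by thumbprint in the central resource group instead of being declared again:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "siteName": { "type": "string", "metadata": { "description": "Assumed name: the App Service this template deploys." } },
    "hostName": { "type": "string", "metadata": { "description": "Assumed value: a host name covered by *.test.myapp.internal." } },
    "centralResourceGroup": { "type": "string", "metadata": { "description": "Assumed name: resource group created by template 1 (plan and certificates)." } },
    "planName": { "type": "string", "metadata": { "description": "Assumed name: App Service Plan deployed by template 1." } },
    "certificateName": { "type": "string", "metadata": { "description": "Assumed name: Microsoft.Web/certificates resource deployed by template 1." } }
  },
  "variables": {
    "planId": "[resourceId(parameters('centralResourceGroup'), 'Microsoft.Web/serverfarms', parameters('planName'))]",
    "certId": "[resourceId(parameters('centralResourceGroup'), 'Microsoft.Web/certificates', parameters('certificateName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "[parameters('siteName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "serverFarmId": "[variables('planId')]",
        "httpsOnly": true
      }
    },
    {
      "type": "Microsoft.Web/sites/hostNameBindings",
      "apiVersion": "2022-03-01",
      "name": "[concat(parameters('siteName'), '/', parameters('hostName'))]",
      "dependsOn": [ "[resourceId('Microsoft.Web/sites', parameters('siteName'))]" ],
      "properties": {
        "sslState": "SniEnabled",
        "thumbprint": "[reference(variables('certId'), '2022-03-01').thumbprint]"
      }
    }
  ]
}
```

Because `reference()` only reads the existing certificate resource, this template declares no Microsoft.Web/certificates resource and does not touch the Key Vault. The identity deploying it needs read access to the certificate in the central resource group.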