
Is there a working example of deploying an Azure Container App with a Managed Certificate and a custom domain? This is what I have so far (I think I'll need to add resources for the DNS verification too)

// Hostname the managed certificate is issued for and that the app's ingress is
// bound to (dev.example.com in the reported error). `env` is presumably a
// parameter declared earlier in the file — not visible here.
var uiHostName = '${env}.example.com'
// Container Apps environment that hosts webUI and owns the managed certificate.
// Container and system logs go to the Log Analytics workspace declared elsewhere
// in this file.
resource acaEnv 'Microsoft.App/managedEnvironments@2022-11-01-preview' = {
  name: '${appPrefix}-container-env'
  location: location
  tags: tags
  properties: {
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        // The shared key is a workspace secret; fetching it with listKeys() at
        // deployment time avoids passing it around as a parameter or output.
        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
        customerId: logAnalyticsWorkspace.properties.customerId
      }
    }
  }
}
// Free, Azure-issued TLS certificate for uiHostName. It is a child of the
// environment, not of the app, so it can be shared by apps in the environment.
resource acaCert 'Microsoft.App/managedEnvironments/managedCertificates@2022-11-01-preview' = {
  parent: acaEnv
  name: '${appPrefix}-cert'
  location: location
  tags: tags
  properties: {
    subjectName: uiHostName
    // CNAME validation: the hostname must already point (CNAME) at the
    // environment's default domain — and presumably carry the TXT verification
    // record the portal asks for — before issuance can succeed. NOTE(review):
    // the service additionally requires the hostname to be bound to an app in
    // this environment first, which is the error reported in the question.
    domainControlValidation: 'CNAME'
  }
}
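// Public container app bound to the custom hostname. TLS terminates at the
// environment ingress using the managed certificate declared in acaCert.
resource webUI 'Microsoft.App/containerApps@2022-11-01-preview' = {
  name: '${appPrefix}-web-ui-container'
  location: location
  // User-assigned identity used for image pulls from ACR, so no registry
  // username/password has to live in the template.
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uaiACR.id}': {}
    }
  }
  properties: {
    managedEnvironmentId: acaEnv.id
    configuration: {
      registries: [
        {
          server: '${acrName}.azurecr.io'
          identity: uaiACR.id
        }
      ]
      ingress: {
        external: true
        targetPort: 80
        // FIX: was `true`. With a certificate bound to a public hostname, leaving
        // plain HTTP enabled lets clients reach the app without TLS at all.
        // `false` makes the ingress redirect HTTP to HTTPS.
        allowInsecure: false
        // NOTE(review): this binding references acaCert, while the managed
        // certificate resource itself requires the hostname to already be bound
        // to an app in the environment (see the error in the question). A single
        // deployment therefore cannot satisfy both sides at once; the edit and
        // the comments below describe the two-pass approaches people use.
        customDomains: [{
          name: uiHostName
          certificateId: acaCert.id
          bindingType: 'SniEnabled'
        }]
      }
      dapr: {
        enabled: true
        appPort: 80
        appId: 'webui'
        appProtocol: 'http'
        // API logging at debug level is verbose and may record request metadata;
        // it is intentionally limited to the dev environment.
        enableApiLogging: true
        logLevel: env == 'dev' ? 'debug' : 'info'
      }
    }
    template: {
      containers: [
        {
          // SUPPLY CHAIN: `latest` is a mutable tag, so what a revision runs can
          // change without any change to this template. Pin an immutable digest
          // (`...:latest@sha256:<digest>`) or a versioned tag once one is known.
          image: '${acrName}.azurecr.io/example/whistlerweb:latest'
          name: 'example'
          resources: {
            cpu: json('.5')
            memory: '1Gi'
          }
          env: [
            {
              // The connection string is not a secret in the Azure sense, but it
              // is visible in the revision definition; keep true secrets in
              // `configuration.secrets` and reference them with `secretRef`.
              name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
              value: applicationInsights.properties.ConnectionString
            }
          ]
          probes: [
            {
              type: 'liveness'
              initialDelaySeconds: 15
              periodSeconds: 30
              failureThreshold: 3
              // NOTE(review): a 1 s timeout is tight for a cold /health endpoint;
              // confirm the handler stays well under it or the app will be
              // restarted under load.
              timeoutSeconds: 1
              httpGet: {
                port: 80
                path: '/health'
              }
            }
          ]
        }
      ]
      scale: {
        minReplicas: 1
      }
    }
  }
}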

When I try to deploy this I get the following error

Creating managed certificate requires hostname 'dev.example.com' added as a custom hostname to a container app in environment

I can't find any examples of how to do this anywhere (Google/Bing/Github/MS Documentation), I can manually add the certificate/DNS in the portal so I think I'm close...

EDIT: I dug into this more over the weekend. It seems there is a dependency loop between creating the certificate and the custom domain on the webUI. You can't create the certificate without the domain existing on the container app but you can't add the domain without the certificate. You can do this in the Azure Portal though.

David Hayes

1 Answer


You can create a managed certificate in the same template as the app, but I would suggest doing it in two deployment steps:

  1. Create the environment and the container app, and add the required DNS records to your Azure DNS zone (or whichever DNS provider you use): an A record with the environment's static IP (or a CNAME to the app's default FQDN) plus the TXT record containing the environment's custom domain verification ID. Do not add the custom domain to the app yet.
  2. Then update the Bicep code, similar to the snippet below, to create the managed certificate and reference it from the app's custom domain configuration (see the `customDomains` property).

A complete example is also available here: https://kontext.tech/code/1286/use-bicep-to-deploy-azure-container-apps-with-a-free-managed-certificate

// Environment hosting the web app; the managed certificate below is created as
// its child resource.
resource myContainerAppEnvironment 'Microsoft.App/managedEnvironments@2022-11-01-preview' = {
  name: containerAppEnvName
  location: location
  properties: {
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        // Both values are passed in as parameters here (not resolved in-template
        // as in the question). The shared-key parameter should be declared
        // `@secure()` so it is not echoed in deployment history.
        sharedKey: logAnalyticsSharedKey
        customerId: logAnalyticsCutomerId
      }
    }
  }
}

// Managed certificate for the apex domain. An apex (example.com) cannot carry a
// CNAME, so HTTP validation is used: the domain must already resolve (A record)
// to the environment so the validation request reaches it.
resource myCert 'Microsoft.App/managedEnvironments/managedCertificates@2022-11-01-preview' = {
  parent: myContainerAppEnvironment
  name: 'kontext-tech-cert-managed'
  location: location
  properties: {
    subjectName: 'example.com'
    domainControlValidation: 'HTTP'
  }
}


// Second-pass app definition: the custom domain now references the managed
// certificate. NOTE: this snippet is abridged (`......`) and its closing braces
// are not balanced as shown; it is not a complete, deployable resource.
resource myWebContainerApp 'Microsoft.App/containerApps@2022-11-01-preview' = {
  name: myWebContainerName
  location: location
  properties: {
    // `environmentId` is the newer property name; the question uses
    // `managedEnvironmentId`. Both are accepted by this API version.
    environmentId: myContainerAppEnvironment.id
    configuration: {
      ingress: {
        external: true
        targetPort: 8000
        // HTTP is redirected to HTTPS; do not set this to true on a public
        // hostname that has a certificate bound.
        allowInsecure: false
        traffic: [
          {
            latestRevision: true
            weight: 100
          }
        ]
        // SNI binding to the managed certificate; the hostname must match
        // myCert's subjectName exactly.
        customDomains:[
          {
            bindingType: 'SniEnabled'
            certificateId: myCert.id
            name: 'example.com'
          }
        ]
      }
     ......
}
  • Hi, thanks for answering this. I can't see where your snippet is different to the one I had in my question? I'm not sure what I'm missing here? – David Hayes Jun 13 '23 at 21:04
  • Hi @DavidHayes, for some reason I overlooked your `customDomains` section. Can you try deploying the resources first without it, and then add `customDomains` in a second deployment of the Bicep code? – Raymond Tang Jun 18 '23 at 01:30
  • This is false, you cannot create the managed certificate without having an App that has the domain you want to get a managed cert for configured as custom domain. – Eduard Keilholz Aug 17 '23 at 08:04
  • I have been using this approach for my website and it’s been running smoothly. I first created my app without custom domain and then in my second run of bicep code, I added the managed cert for it. – Raymond Tang Aug 24 '23 at 22:51
  • Issue is now recognized as a bug that is under investigation. Can be tracked here: https://github.com/microsoft/azure-container-apps/issues/796 – Eduard Keilholz Aug 30 '23 at 10:22