Merge pull request #115077 from MikeDodaro/addCLI-custom-dns

Add CLI commands from PR #112119

Author: v-dihans

articles/spring-cloud/spring-cloud-tutorial-custom-domain.md

@@ -16,7 +16,7 @@ Certificates encrypt web traffic. These TLS/SSL certificates can be stored in Az
 ## Prerequisites
 * An application deployed to Azure Spring Cloud (see [Quickstart: Launch an existing Azure Spring Cloud application using the Azure portal](spring-cloud-quickstart-launch-app-portal.md), or use an existing app).
 * A domain name with access to the DNS registry for domain provider such as GoDaddy.
-* A private certificate from a third-party provider. The certificate must match the domain.
+* A private certificate (that is, your self-signed certificate) from a third-party provider. The certificate must match the domain.
 * A deployed instance of [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/key-vault-overview)
 
 ## Import certificate 
@@ -31,20 +31,39 @@ To upload your certificate to key vault:
 1. Under **Password**, enter the private key for your certificate.
 1. Click **Create**.
 
-![Import certificate 1](./media/custom-dns-tutorial/import-certificate-a.png)
+    ![Import certificate 1](./media/custom-dns-tutorial/import-certificate-a.png)
 
 To import certificate to Azure Spring Cloud:
 1. Go to your service instance. 
 1. From the left navigation pane of your app, select **TLS/SSL settings**.
 1. Then click **Import Key Vault Certificate**.
 
-![Import certificate](./media/custom-dns-tutorial/import-certificate.png)
+    ![Import certificate](./media/custom-dns-tutorial/import-certificate.png)
 
-When you have successfully imported your certificate, you'll see it on the list of **Private Key Certificates**.
+Or, you can use the Azure CLI to import the certificate:
+
+```
+az spring-cloud certificate add --name <cert name> --vault-uri <key vault uri> --vault-certificate-name <key vault cert name>
+```
+
+> [!IMPORTANT] 
+> Ensure you grant Azure Spring Cloud access to your key vault before you execute the previous import certificate command. If you haven't, you can execute the following command to grant the access rights.
+
+```
+az keyvault set-policy -g <key vault resource group> -n <key vault name>  --object-id 938df8e2-2b9d-40b1-940c-c75c33494239 --certificate-permissions get list
+``` 
+
+When you have successfully imported your certificate, you'll see it in the list of **Private Key Certificates**.
 
 ![Private key certificate](./media/custom-dns-tutorial/key-certificates.png)
 
->[!IMPORTANT] 
+Or, you can use the Azure CLI to show a list of certificates:
+
+```
+az spring-cloud certificate list
+```
+
+> [!IMPORTANT] 
 > To secure a custom domain with this certificate, you still need to bind the certificate to a specific domain. Follow the steps in this document under the heading **Add SSL Binding**.
 
 ## Add Custom Domain
@@ -67,27 +86,42 @@ Go to application page.
 1. Select **Custom Domain**.
 2. Then **Add Custom Domain**. 
 
-![Custom domain](./media/custom-dns-tutorial/custom-domain.png)
+    ![Custom domain](./media/custom-dns-tutorial/custom-domain.png)
 
 3. Type the fully qualified domain name for which you added a CNAME record, such as www.contoso.com. Make sure that Hostname record type is set to CNAME (<service_name>.azuremicroservices.io)
 4. Click **Validate** to enable the **Add** button.
 5. Click **Add**.
 
-![Add custom domain](./media/custom-dns-tutorial/add-custom-domain.png)
+    ![Add custom domain](./media/custom-dns-tutorial/add-custom-domain.png)
+
+Or, you can use the Azure CLI to add a custom domain:
+```
+az spring-cloud app custom-domain bind --domain-name <domain name> --app <app name> 
+```
 
 One app can have multiple domains, but one domain can only map to one app. When you've successfully mapped your custom domain to the app, you'll see it on the custom domain table.
 
 ![Custom domain table](./media/custom-dns-tutorial/custom-domain-table.png)
 
->[!NOTE]
+Or, you can use the Azure CLI to show a list of custom domains:
+```
+az spring-cloud app custom-domain list --app <app name> 
+```
+
+> [!NOTE]
 > A **Not Secure** label for your custom domain means that it's not yet bound to an SSL certificate. Any HTTPS request from a browser to your custom domain will receive an error or warning.
 
 ## Add SSL binding
 In the custom domain table, select **Add ssl binding** as shown in the previous figure.  
 1. Select your **Certificate** or import it.
 1. Click **Save**.
 
-![Add SSL binding](./media/custom-dns-tutorial/add-ssl-binding.png)
+    ![Add SSL binding](./media/custom-dns-tutorial/add-ssl-binding.png)
+
+Or, you can use the Azure CLI to **Add ssl binding**:
+```
+az spring-cloud app custom-domain update --domain-name <domain name> --certificate <cert name> --app <app name> 
+```
 
 After you successfully add SSL binding, the domain state will be secure: **Healthy**. 
 
@@ -100,10 +134,15 @@ In your app page, in the left navigation, select **Custom Domain**. Then, set **
 
 ![Add SSL binding](./media/custom-dns-tutorial/enforce-http.png)
 
+Or, you can use the Azure CLI to enforce HTTPS:
+```
+az spring-cloud app update -name <app-name> --https-only <true|false> -g <resource group> --service <service-name>
+```
+
 When the operation is complete, navigate to any of the HTTPS URLs that point to your app. Note that HTTP URLs don't work.
 
 ## See also
 * [What is Azure Key Vault?](https://docs.microsoft.com/azure/key-vault/key-vault-overview)
 * [Import a certificate](https://docs.microsoft.com/azure/key-vault/certificate-scenarios#import-a-certificate)
-* [Launch your Spring Cloud App using the Azure CLI](https://docs.microsoft.com/azure/spring-cloud/spring-cloud-quickstart-launch-app-cli)
+* [Launch your Spring Cloud App by using the Azure CLI](https://docs.microsoft.com/azure/spring-cloud/spring-cloud-quickstart-launch-app-cli)