automate App Service certificate bindings

patrickmoore-nc · patrickmoore-nc · commit 02c111c73149 · 2025-05-08T20:52:19.000+01:00
diff --git a/infrastructure/modules/app-service-plan/certificate.tf b/infrastructure/modules/app-service-plan/certificate.tf
@@ -1,11 +1,10 @@
 resource "azurerm_app_service_certificate" "wildcard" {
-  count = var.wildcard_ssl_cert_key_vault_secret_id != null ? 1 : 0
+  count = var.wildcard_ssl_cert_pfx_blob != null ? 1 : 0
 
   name                = var.wildcard_ssl_cert_name
   resource_group_name = var.resource_group_name
   location            = var.location
 
   app_service_plan_id = azurerm_service_plan.appserviceplan.id
-  key_vault_secret_id = var.wildcard_ssl_cert_key_vault_secret_id
-  key_vault_id        = var.wildcard_ssl_cert_key_vault_id
+  pfx_blob            = var.wildcard_ssl_cert_pfx_blob
 }
diff --git a/infrastructure/modules/app-service-plan/output.tf b/infrastructure/modules/app-service-plan/output.tf
@@ -7,5 +7,5 @@ output "app_service_plan_id" {
 }
 
 output "wildcard_ssl_cert_id" {
-  value = var.wildcard_ssl_cert_key_vault_secret_id != null ? azurerm_app_service_certificate.wildcard[0].id : null
+  value = var.wildcard_ssl_cert_pfx_blob != null ? azurerm_app_service_certificate.wildcard[0].id : null
 }
diff --git a/infrastructure/modules/app-service-plan/variables.tf b/infrastructure/modules/app-service-plan/variables.tf
@@ -53,21 +53,15 @@ variable "vnet_integration_subnet_id" {
   default     = ""
 }
 
-variable "wildcard_ssl_cert_key_vault_secret_id" {
-  type        = string
-  description = "Wildcard SSL certificate Key Vault secret id, for App Service Custom Domain binding."
-  default     = null
-}
-
-variable "wildcard_ssl_cert_key_vault_id" {
+variable "wildcard_ssl_cert_name" {
   type        = string
-  description = "Wildcard SSL certificate Key Vault id, needed if the Key Vault is in a different subscription."
+  description = "Wildcard SSL certificate name, for Custom Domain binding."
   default     = null
 }
 
-variable "wildcard_ssl_cert_name" {
+variable "wildcard_ssl_cert_pfx_blob" {
   type        = string
-  description = "Wildcard SSL certificate name, for Custom Domain binding."
+  description = "Wildcard SSL certificate pfx blob, for Custom Domain binding. Referencing an elliptic curve certificate from Key Vault is not working currently."
   default     = null
 }
 
diff --git a/infrastructure/modules/lets-encrypt-certificates/data.tf b/infrastructure/modules/lets-encrypt-certificates/data.tf
@@ -34,3 +34,16 @@ data "azurerm_key_vault_certificate" "letsencrypt" {
     null_resource.letsencrypt_cert
   ]
 }
+
+# references to the created certificate pfx blobs, for outputs
+data "azurerm_key_vault_secret" "pfx_blob" {
+  for_each = local.letsencrypt_certs_map
+
+  name = "pfx-${replace(replace(each.value.cert_subject, "*.", "wildcard-"), ".", "-")}"
+
+  key_vault_id = var.key_vaults[each.value.region].key_vault_id
+
+  depends_on = [
+    null_resource.letsencrypt_cert
+  ]
+}
diff --git a/infrastructure/modules/lets-encrypt-certificates/output.tf b/infrastructure/modules/lets-encrypt-certificates/output.tf
@@ -11,3 +11,15 @@ output "key_vault_certificates" {
     }
   }
 }
+
+output "key_vault_certificate_pfx_blobs" {
+  value = {
+    for k, v in local.letsencrypt_certs_map : k => {
+      name                  = v.cert_key
+      subject               = v.cert_subject
+      location              = v.region
+      id                    = data.azurerm_key_vault_secret.pfx_blob[k].id
+      versionless_id        = data.azurerm_key_vault_secret.pfx_blob[k].versionless_id
+    }
+  }
+}
diff --git a/infrastructure/modules/lets-encrypt-certificates/scripts/certbot.sh b/infrastructure/modules/lets-encrypt-certificates/scripts/certbot.sh
@@ -126,8 +126,10 @@ while [[ $# -gt 0 ]]; do
             echo "Certificate ${cert_name} with thumbprint ${thumbprint_local} already exists in Key Vault ${kv_name}, skipping import..."
         else
             echo "Importing certificate ${cert_name} into Key Vault ${kv_name}..."
-            openssl pkcs12 -export -inkey certbot/config/live/${trimmed_domain}/privkey.pem -in certbot/config/live/${trimmed_domain}/fullchain.pem -out ${trimmed_domain}.pfx -password pass:
+            openssl pkcs12 -export -inkey certbot/config/live/${trimmed_domain}/privkey.pem -in certbot/config/live/${trimmed_domain}/cert.pem -certfile certbot/config/live/${trimmed_domain}/chain.pem -out ${trimmed_domain}.pfx -password pass:
             az keyvault certificate import --vault-name "${kv_name}" --name "${cert_name}" --file "${trimmed_domain}.pfx" --password ""
+            # Also upload the certificate pfx blob since App Services cannot currently reference elliptic curve certificates as Key Vault Certificate objects
+            az keyvault secret set --vault-name "${kv_name}" --name "pfx-${cert_name}" --file "${trimmed_domain}.pfx" --encoding base64 --content-type "application/x-pkcs12"
         fi
     done
     [[ -e "${trimmed_domain}.pfx" ]] && rm "${trimmed_domain}.pfx"

Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,5 @@ output "app_service_plan_id" {`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`output "wildcard_ssl_cert_id" {`
`10`		`- value = var.wildcard_ssl_cert_key_vault_secret_id != null ? azurerm_app_service_certificate.wildcard[0].id : null`
	`10`	`+ value = var.wildcard_ssl_cert_pfx_blob != null ? azurerm_app_service_certificate.wildcard[0].id : null`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,3 +11,15 @@ output "key_vault_certificates" {`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`	`}`
	`14`	`+`
	`15`	`+output "key_vault_certificate_pfx_blobs" {`
	`16`	`+ value = {`
	`17`	`+ for k, v in local.letsencrypt_certs_map : k => {`
	`18`	`+ name = v.cert_key`
	`19`	`+ subject = v.cert_subject`
	`20`	`+ location = v.region`
	`21`	`+ id = data.azurerm_key_vault_secret.pfx_blob[k].id`
	`22`	`+ versionless_id = data.azurerm_key_vault_secret.pfx_blob[k].versionless_id`
	`23`	`+ }`
	`24`	`+ }`
	`25`	`+}`