Fix: DTOSS-8363 App Service certificate bindings (#153)

* automate App Service certificate bindings

* fix up hub certificate pfx outputs

* fix resource ref

* fix resource ref

* conditional fix

* linting

Author: patrickmoore-nc

infrastructure/modules/app-service-plan/certificate.tf

@@ -1,11 +1,17 @@
 resource "azurerm_app_service_certificate" "wildcard" {
-  count = var.wildcard_ssl_cert_key_vault_secret_id != null ? 1 : 0
+  count = var.wildcard_ssl_cert_pfx_blob_key_vault_secret_name != null ? 1 : 0
 
   name                = var.wildcard_ssl_cert_name
   resource_group_name = var.resource_group_name
   location            = var.location
 
   app_service_plan_id = azurerm_service_plan.appserviceplan.id
-  key_vault_secret_id = var.wildcard_ssl_cert_key_vault_secret_id
-  key_vault_id        = var.wildcard_ssl_cert_key_vault_id
+  pfx_blob            = data.azurerm_key_vault_secret.pfx_blob[0].value
+}
+
+data "azurerm_key_vault_secret" "pfx_blob" {
+  count = var.wildcard_ssl_cert_pfx_blob_key_vault_secret_name != null ? 1 : 0
+
+  name         = var.wildcard_ssl_cert_pfx_blob_key_vault_secret_name
+  key_vault_id = var.wildcard_ssl_cert_key_vault_id
 }

infrastructure/modules/app-service-plan/output.tf

@@ -7,5 +7,5 @@ output "app_service_plan_id" {
 }
 
 output "wildcard_ssl_cert_id" {
-  value = var.wildcard_ssl_cert_key_vault_secret_id != null ? azurerm_app_service_certificate.wildcard[0].id : null
+  value = var.wildcard_ssl_cert_pfx_blob_key_vault_secret_name != null ? azurerm_app_service_certificate.wildcard[0].id : null
 }

infrastructure/modules/app-service-plan/variables.tf

@@ -53,25 +53,24 @@ variable "vnet_integration_subnet_id" {
   default     = ""
 }
 
-variable "wildcard_ssl_cert_key_vault_secret_id" {
+variable "wildcard_ssl_cert_name" {
   type        = string
-  description = "Wildcard SSL certificate Key Vault secret id, for App Service Custom Domain binding."
+  description = "Wildcard SSL certificate name as it will appear in the App Service binding, for Custom Domain binding."
   default     = null
 }
 
-variable "wildcard_ssl_cert_key_vault_id" {
+variable "wildcard_ssl_cert_pfx_blob_key_vault_secret_name" {
   type        = string
-  description = "Wildcard SSL certificate Key Vault id, needed if the Key Vault is in a different subscription."
+  description = "Wildcard SSL certificate pfx blob Key Vault secret name, for Custom Domain binding."
   default     = null
 }
 
-variable "wildcard_ssl_cert_name" {
+variable "wildcard_ssl_cert_key_vault_id" {
   type        = string
-  description = "Wildcard SSL certificate name, for Custom Domain binding."
+  description = "Wildcard SSL certificate Key Vault id, needed if the Key Vault is in a different subscription."
   default     = null
 }
 
-
 ## autoscale rule ##
 
 variable "metric" {

infrastructure/modules/lets-encrypt-certificates/data.tf

@@ -34,3 +34,16 @@ data "azurerm_key_vault_certificate" "letsencrypt" {
     null_resource.letsencrypt_cert
   ]
 }
+
+# references to the created certificate pfx blobs, for outputs
+data "azurerm_key_vault_secret" "pfx_blob" {
+  for_each = local.letsencrypt_certs_map
+
+  name = "pfx-${replace(replace(each.value.cert_subject, "*.", "wildcard-"), ".", "-")}"
+
+  key_vault_id = var.key_vaults[each.value.region].key_vault_id
+
+  depends_on = [
+    null_resource.letsencrypt_cert
+  ]
+}

infrastructure/modules/lets-encrypt-certificates/output.tf

@@ -2,7 +2,8 @@
 output "key_vault_certificates" {
   value = {
     for k, v in local.letsencrypt_certs_map : k => {
-      name                  = v.cert_key
+      name                  = data.azurerm_key_vault_certificate.letsencrypt[k].name
+      naming_key            = v.cert_key
       subject               = v.cert_subject
       location              = v.region
       id                    = data.azurerm_key_vault_certificate.letsencrypt[k].id
@@ -11,3 +12,16 @@ output "key_vault_certificates" {
     }
   }
 }
+
+output "key_vault_certificate_pfx_blobs" {
+  value = {
+    for k, v in local.letsencrypt_certs_map : k => {
+      name           = data.azurerm_key_vault_secret.pfx_blob[k].name
+      naming_key     = v.cert_key
+      subject        = v.cert_subject
+      location       = v.region
+      id             = data.azurerm_key_vault_secret.pfx_blob[k].id
+      versionless_id = data.azurerm_key_vault_secret.pfx_blob[k].versionless_id
+    }
+  }
+}

infrastructure/modules/lets-encrypt-certificates/scripts/certbot.sh

@@ -126,8 +126,10 @@ while [[ $# -gt 0 ]]; do
             echo "Certificate ${cert_name} with thumbprint ${thumbprint_local} already exists in Key Vault ${kv_name}, skipping import..."
         else
             echo "Importing certificate ${cert_name} into Key Vault ${kv_name}..."
-            openssl pkcs12 -export -inkey certbot/config/live/${trimmed_domain}/privkey.pem -in certbot/config/live/${trimmed_domain}/fullchain.pem -out ${trimmed_domain}.pfx -password pass:
+            openssl pkcs12 -export -inkey certbot/config/live/${trimmed_domain}/privkey.pem -in certbot/config/live/${trimmed_domain}/cert.pem -certfile certbot/config/live/${trimmed_domain}/chain.pem -out ${trimmed_domain}.pfx -password pass:
             az keyvault certificate import --vault-name "${kv_name}" --name "${cert_name}" --file "${trimmed_domain}.pfx" --password ""
+            # Also upload the certificate pfx blob since App Services cannot currently reference elliptic curve certificates as Key Vault Certificate objects
+            az keyvault secret set --vault-name "${kv_name}" --name "pfx-${cert_name}" --file "${trimmed_domain}.pfx" --encoding base64 --content-type "application/x-pkcs12"
         fi
     done
     [[ -e "${trimmed_domain}.pfx" ]] && rm "${trimmed_domain}.pfx"