How to deploy an App Service with a managed SSL certificate using ARM



I want to create an Azure App Service with a custom hostname binding and a managed SSL certificate.

When I create a Bicep template, the certificate resource can only be deployed once the hostname binding has already been created. But to create the hostname binding, I need the certificate thumbprint.

Updating the hostname binding in the same template is also not possible, because a resource can only exist once in a template.

```bicep
// hostname bindings must be deployed one by one to prevent Conflict (HTTP 429) errors.
@batchSize(1)
resource customHostnameWithoutSsl 'Microsoft.Web/sites/hostnameBindings@2019-08-01' = [for fqdn in customHostnames: {
  name: '${webAppService.name}/${fqdn}'
  properties: {
    siteName: webAppService.name
    hostNameType: 'Verified'
    sslState: 'Disabled'
  }
}]

// Managed certificates can only be created once the hostname is added to the web app.
resource certificates 'Microsoft.Web/certificates@2022-03-01' = [for (fqdn, i) in customHostnames: {
  name: '${fqdn}-${webAppName}'
  location: location
  properties: {
    serverFarmId: appServicePlanResourceId
    canonicalName: fqdn
  }
  dependsOn: [ ]
}]

// sslState and thumbprint can only be set once the managed certificate is created
@batchSize(1)
resource customHostname 'Microsoft.Web/sites/hostnameBindings@2019-08-01' = [for (fqdn, i) in customHostnames: {
  name: '${webAppService.name}/${fqdn}'
  properties: {
    siteName: webAppService.name
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    thumbprint: certificates[i].properties.thumbprint
  }
}]
```

Is there another way to create a single deployment template that deploys an Azure App Service with a managed SSL certificate for a custom hostname?

Updating the hostname binding in the same template is also not possible, because a resource can only exist once in a template.

To prevent this error, you can deploy the resources using a Bicep module (or an ARM nested template).

The solution then becomes:

webApp.bicep

```bicep
@description('The name of the App Service Plan that this web app will be deployed to.')
param appServicePlanResourceId string
@description('The location that the resource will be deployed to')
param location string = resourceGroup().location
@description('The custom hostnames that you wish to add.')
param customHostnames array = []
@description('Deploy hostnames without SSL binding before creating the certificate. Required when hostname is not present yet.')
param redeployHostnames bool = false

resource webAppService 'Microsoft.Web/sites@2020-12-01' = {
  ...
}

// hostname bindings must be deployed one by one to prevent Conflict (HTTP 429) errors.
@batchSize(1)
resource customHostnameWithoutSsl 'Microsoft.Web/sites/hostnameBindings@2019-08-01' = [for fqdn in customHostnames: if (redeployHostnames) {
  name: '${webAppService.name}/${fqdn}'
  properties: {
    siteName: webAppService.name
    hostNameType: 'Verified'
    sslState: 'Disabled'
  }
}]

// certificates must be bound via module/nested template, because each resource can only occur once in every template
// in this case the hostnameBindings would occur twice otherwise.
module certificateBindings './bindCertificateToHostname.bicep' = {
  name: '${deployment().name}-ssl'
  params: {
    appServicePlanResourceId: appServicePlanResourceId
    customHostnames: customHostnames
    location: location
    webAppName: webAppService.name
  }
  // depend on the whole hostname-binding collection so the module runs after every binding exists
  dependsOn: [ customHostnameWithoutSsl ]
}
```

bindCertificateToHostname.bicep

```bicep
param webAppName string
param location string
param appServicePlanResourceId string
param customHostnames array

// Managed certificates can only be created once the hostname is added to the web app.
resource certificates 'Microsoft.Web/certificates@2022-03-01' = [for (fqdn, i) in customHostnames: {
  name: '${fqdn}-${webAppName}'
  location: location
  properties: {
    serverFarmId: appServicePlanResourceId
    canonicalName: fqdn
  }
}]

// sslState and thumbprint can only be set once the managed certificate is created
@batchSize(1)
resource customHostname 'Microsoft.Web/sites/hostnameBindings@2019-08-01' = [for (fqdn, i) in customHostnames: {
  name: '${webAppName}/${fqdn}'
  properties: {
    siteName: webAppName
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    thumbprint: certificates[i].properties.thumbprint
  }
}]
```
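After the two-stage deployment above has run, it is worth confirming that every custom hostname really ended up SNI-bound to a certificate that covers it, rather than silently left at `sslState: 'Disabled'`. The following is an added example, not part of the original answer: a Python check over the JSON that `az webapp config hostname list` and `az webapp config ssl list` return (the sample records below are constructed; the field names follow the Microsoft.Web REST API).

```python
import json

# Constructed sample output in the shape of `az webapp config hostname list`
# (one record per hostname binding) and `az webapp config ssl list`
# (one record per certificate in the resource group). Values are made up.
BINDINGS_JSON = """[
  {"name": "www.example.com", "sslState": "SniEnabled", "hostNameType": "Verified",
   "thumbprint": "AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34"},
  {"name": "api.example.com", "sslState": "Disabled", "hostNameType": "Verified",
   "thumbprint": null},
  {"name": "shop.example.com", "sslState": "SniEnabled", "hostNameType": "Verified",
   "thumbprint": "0000000000000000000000000000000000000000"}
]"""
CERTS_JSON = """[
  {"name": "www.example.com-mywebapp", "canonicalName": "www.example.com",
   "hostNames": ["www.example.com"],
   "thumbprint": "AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34"}
]"""


def check_bindings(bindings_json, certs_json, expected_hostnames):
    """Return {fqdn: [findings]}; an empty list means the binding is healthy."""
    bindings = {b["name"].lower(): b for b in json.loads(bindings_json)}
    by_thumb = {c["thumbprint"].upper(): c
                for c in json.loads(certs_json) if c.get("thumbprint")}
    report = {}
    for fqdn in (h.lower() for h in expected_hostnames):
        binding = bindings.get(fqdn)
        if binding is None:
            report[fqdn] = ["hostname binding missing"]
            continue
        findings = []
        if binding.get("sslState") != "SniEnabled":
            findings.append(f"sslState is {binding.get('sslState')!r}, expected 'SniEnabled'")
        thumb = (binding.get("thumbprint") or "").upper()
        if not thumb:
            findings.append("no certificate thumbprint bound")
        elif thumb not in by_thumb:
            findings.append(f"thumbprint {thumb[:8]}... matches no certificate in the resource group")
        elif fqdn not in {h.lower() for h in by_thumb[thumb].get("hostNames", [])}:
            findings.append("bound certificate does not cover this hostname")
        report[fqdn] = findings
    return report


if __name__ == "__main__":
    for host, issues in check_bindings(BINDINGS_JSON, CERTS_JSON,
                                       ["www.example.com", "api.example.com",
                                        "shop.example.com"]).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

Feed it the real command output and the `customHostnames` array you passed to the template; anything reported for a hostname means the second stage (certificate plus `SniEnabled` binding) did not complete for it.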

You can follow one of the workarounds below to achieve the above requirement:

To deploy an App Service with an SSL certificate for a custom domain, you can follow the complete configuration and template suggested by @bmoore-msft in this GitHub sample:-

Sample template.json:-

```json
"resources": [
    {
        "type": "Microsoft.Web/serverfarms",
        "apiVersion": "2019-08-01",
        "name": "[variables('appServicePlanName')]",
        "location": "[parameters('location')]",
        "properties": {
            "name": "[variables('appServicePlanName')]"
        },
        "sku": {
            "name": "P1",
            "tier": "Premium",
            "size": "1",
            "family": "P",
            "capacity": "1"
        }
    },
    {
        "type": "Microsoft.Web/sites",
        "apiVersion": "2019-08-01",
        "name": "[parameters('webAppName')]",
        "location": "[parameters('location')]",
        "dependsOn": [
            "[resourceId('Microsoft.Web/serverFarms', variables('appServicePlanName'))]"
        ],
        "properties": {
            "name": "[parameters('webAppName')]",
            "serverFarmId": "[resourceId('Microsoft.Web/serverFarms', variables('appServicePlanName'))]"
        }
    },
    {
        "condition": "[variables('enableSSL')]",
        "type": "Microsoft.Web/certificates",
        "apiVersion": "2019-08-01",
        "name": "[variables('certificateName')]",
        "location": "[parameters('location')]",
        "dependsOn": [
            "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]"
        ],
        "properties": {
            "keyVaultId": "[parameters('existingKeyVaultId')]",
            "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]",
            "serverFarmId": "[resourceId('Microsoft.Web/serverFarms', variables('appServicePlanName'))]"
        }
    },
    {
        "type": "Microsoft.Web/sites/hostnameBindings",
        "name": "[concat(parameters('webAppName'), '/', parameters('customHostname'))]",
        "apiVersion": "2019-08-01",
        "location": "[parameters('location')]",
        "dependsOn": [
            "[resourceId('Microsoft.Web/certificates', variables('certificateName'))]"
        ],
        "properties": {
            "sslState": "[if(variables('enableSSL'), 'SniEnabled', json('null'))]",
            "thumbprint": "[if(variables('enableSSL'), reference(resourceId('Microsoft.Web/certificates', variables('certificateName'))).Thumbprint, json('null'))]"
        }
    }
]
```

Note:- I was unable to test with a custom domain due to some terms issues with our account.

For more information, refer to SO THREAD | How to configure an App Service managed certificate
