How do I renew an SSL certificate using ARM templates? - azure

I have an application in its own resource group in Azure that was provisioned using Azure Resource Management templates.
When I try to replace the SSL certificate by changing the pfxBlob to the base64 string of the renewed certificate .PFX file and then deploy the template, everything appears to work correctly.
{
  "type": "Microsoft.Web/certificates",
  "name": "[variables('appService_name')]",
  "apiVersion": "2016-03-01",
  "location": "[parameters('resourceLocation')]",
  "properties": {
    "pfxBlob": "[parameters('sslCertificateData')]",
    "password": "[parameters('sslCertificatePassword')]"
  }
}
There are no errors, but when I check in the Azure portal, the certificate has not been updated and continues to show the details of the old certificate.
I can manually upload the certificate through the Azure portal (although it appears as a second certificate), so I'm certain there is no issue with the certificate.
Is it possible to overwrite an existing certificate using ARM templates?

Related

Azure ML MSI deployment over ARM Templates enables purge protection on Key Vault

I have discovered lately that when you deploy an Azure ML instance from the ARM template, the MSI will override the purge protection settings of the Key Vault. It will enable purge protection on the Key Vault. This is not the behavior that I am looking for, because when trying to deploy it again, the template will fail saying that a Key Vault with that name already exists and can't be deleted before the retention period.
If you deploy the Azure ML instance manually and select the Key Vault, it will keep the disabled purge settings. Any ideas how we can keep purge disabled here?
The Azure ML properties that we used are mentioned below:
{
  "type": "Microsoft.MachineLearningServices/workspaces",
  "apiVersion": "2020-09-01-preview",
  "name": "[variables('machineLearningWorkspaceName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "[parameters('amlManagedIdentityOption')]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
    "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]",
    "[resourceId('Microsoft.ContainerRegistry/registries', variables('containerRegistryName'))]"
  ],
  "tags": "[parameters('resourceTags')]",
  "properties": {
    "friendlyName": "[variables('machineLearningWorkspaceName')]",
    "storageAccount": "[variables('storageAccount')]",
    "keyVault": "[variables('keyVault')]",
    "applicationInsights": "[variables('applicationInsights')]",
    "containerRegistry": "[variables('containerRegistry')]",
    "adbWorkspace": "[variables('adbWorkSpace')]",
    "hbiWorkspace": "[parameters('confidential_data')]",
    "allowPublicAccessWhenBehindVnet": "[parameters('allowPublicAccessWhenBehindVnet')]"
  }
}
On the Key Vault ARM we have the following properties:
"properties": {
  "enabledForDeployment": "[parameters('enabledForDeployment')]",
  "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
  "enabledForVolumeEncryption": "[parameters('enableVaultForVolumeEncryption')]",
  "softDeleteRetentionInDays": 7,
  "tenantId": "[subscription().tenantId]",
  "copy": [
    {
      "name": "accessPolicies",
      "count": "[length(parameters('userObjectId'))]",
      "input": {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[parameters('userObjectId')[copyIndex('accessPolicies')].Id]",
        "permissions": "[parameters('userObjectId')[copyIndex('accessPolicies')].Permissions]"
      }
    }
  ]
}
Scenario 1:
Created a Machine Learning workspace using the Azure portal; the Key Vault is provisioned as a dependent resource, where purge protection is set to enabled by default.
Scenario 2:
Created a test Key Vault as an independent resource and could see that purge protection is set to disabled, with an option to enable it.
Scenario 3:
Created a Machine Learning workspace again via the portal with the test Key Vault (purge protection disabled); after deploying the workspace, purge protection on that Key Vault is enabled automatically.
Found an open article here where the problem was basically that attaching a Key Vault to an Azure Machine Learning workspace automatically activates purge protection on that Key Vault.
While deploying the ML workspace manually or via templates in Azure, it enables soft delete and purge protection in Key Vault by default. It protects keys against accidental or malicious deletion. We don't change it to disabled because it is design behavior. Refer to the machine learning security baseline.
Once purge protection is enabled, it cannot be disabled or overridden by anyone, including Microsoft. Refer to the documentation.
You need to vote for it as a feature request or submit feedback here.

Problem deploying pfx certificate with ARM to Azure, InternalServerError

So, I'm trying to deploy a certificate to Azure using ARM template (currently using bicep).
I have received my .cer files from Sectigo; generating a pfx file using openssl seems to work fine, since the generated pfx can be added to my FunctionApp using the Azure portal.
But when I try to deploy it using ARM template I get this error:
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "InternalServerError",
      "message": "There was an unexpected InternalServerError. Please try again later. x-ms-correlation-request-id: f25b9b70-e931-4e19-b010-cc1907cdcbcc"
    }
  ]
}
The deployment looks like this:
{
  "type": "Microsoft.Web/certificates",
  "apiVersion": "2016-03-01",
  "name": "xxx20220609",
  "location": "[resourceGroup().location]",
  "properties": {
    "pfxBlob": "[parameters('certificatePfx')]",
    "password": "[parameters('certificatePassword')]"
  }
}
The certificatePassword is provided as a parameter and is the same as when I import it manually.
The certificatePfx is found just reading the bytes from the pfx file and base64 encoding it, which I've done using C#:
Convert.ToBase64String(File.ReadAllBytes(@"[pfx-file-path]"))
Any idea on what the InternalServerError could be about?
Please check the points below, as I was making these mistakes in my test application:
• In my environment I discovered that the certificate binding to the host name must be done via two templates instead of one, because we cannot have two operations against the same type within an ARM template.
• I was also getting a subsequent validation error, which was caused by the domain name containing upper-case letters. Once I altered that, I was successfully able to issue an app service with a managed certificate via an ARM template.
Funny thing. Tried exporting the certificate again, with another password. This time it worked.
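Both the first question on this page and this one pass a base64-encoded PFX through the pfxBlob property, and the fix here turned out to be re-exporting the file, so a sanity check on the parameter value before deployment is worth having. The following is an added example, not code from any of the posts: a Python stdlib check that the blob is unwrapped base64 and decodes to the outer DER envelope of a PKCS#12 file (it does not verify the certificate or the password). The sample PFX is a constructed envelope, not a real certificate.

```python
import base64
import re

# PKCS#12 (RFC 7292): PFX ::= SEQUENCE { version INTEGER (v3 = 3), authSafe ContentInfo, macData OPTIONAL }
PKCS12_VERSION_V3 = b"\x02\x01\x03"


def encode_pfx_parameter(pfx_bytes: bytes) -> str:
    """Same as Convert.ToBase64String(File.ReadAllBytes(path)): one unwrapped line."""
    return base64.b64encode(pfx_bytes).decode("ascii")


def _der_length(buf: bytes, pos: int):
    """Parse the DER length at buf[pos]; return (length, offset of the first content byte)."""
    first = buf[pos]
    if first < 0x80:                                  # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                                  # long form: n big-endian length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def check_pfx_blob(blob: str) -> list:
    """Return the problems found in a pfxBlob value; [] means it looks like a PKCS#12 file."""
    problems = []
    if re.search(r"\s", blob):                        # openssl wraps at 64 columns, GNU base64 at 76
        problems.append("line-wrapped base64: whitespace inside the blob")
        blob = re.sub(r"\s", "", blob)
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:                                # binascii.Error is a ValueError
        return problems + ["not valid base64"]
    if data.startswith(b"-----BEGIN"):
        return problems + ["PEM text, not a binary PKCS#12 file"]
    if len(data) < 4 or data[0] != 0x30:              # outer element must be a DER SEQUENCE
        return problems + ["not a DER SEQUENCE, so not a PKCS#12 file"]
    length, start = _der_length(data, 1)
    if start + length != len(data):
        problems.append("DER length does not match blob size: truncated or trailing bytes")
    if data[start:start + 3] != PKCS12_VERSION_V3:
        problems.append("PKCS#12 version is not 3")
    return problems


# Constructed samples: a syntactically valid PKCS#12 outer envelope, not a real certificate.
_BODY = PKCS12_VERSION_V3 + b"\x30\x82\x01\x2c" + bytes(300)     # version + 300-byte authSafe
SAMPLE_PFX = b"\x30\x82" + len(_BODY).to_bytes(2, "big") + _BODY
GOOD_BLOB = encode_pfx_parameter(SAMPLE_PFX)
WRAPPED_BLOB = "\n".join(GOOD_BLOB[i:i + 64] for i in range(0, len(GOOD_BLOB), 64))
TRUNCATED_BLOB = encode_pfx_parameter(SAMPLE_PFX[:-10])
PEM_BLOB = encode_pfx_parameter(b"-----BEGIN CERTIFICATE-----\n")
```

Run `check_pfx_blob` on the exact string you put in the parameters file; an empty list means the value at least has the shape the resource expects.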

How to Create Web Site ARM Template with Managed Identity?

I am attempting to create Azure Resource Manager templates for several web sites that read secrets from a key vault. In reading How to use managed identities for App Service and Azure Functions, the documentation states that the web site ARM template should contain the following upon creation for authenticating with a key vault:
"identity": {
  "type": "SystemAssigned"
}
Once the web site is created, the identity section changes to the following:
"identity": {
  "type": "SystemAssigned",
  "tenantId": "<TENANTID>",
  "principalId": "<PRINCIPALID>"
}
Does this mean that after running the ARM templates to create the web sites that I have to go back into the ARM template(s) and update the identity section for every site so that I can run the ARM templates to update the sites if need be?
No, you don't have to do that. That is expected. It will not delete that. Just rerun it and nothing will change.

Where to centralise SSL certificates in Azure?

We have our own certificate (.pfx) issued by an authority before using Azure. We are now using Azure and would like to be able to use this certificate for all our app services.
I know we can upload them in the "SSL settings" section of the app service. But the problem is that we have to upload it in every single app service that we have. If we renew our certificates we need to go through all the apps and upload the new certificate again one by one.
What I am looking for is a place (like "App Service Certificates") where we can upload our certificate once and let the apps use it. It's ideal for us not to change apps if we renew our certificate and upload it again in that centralised place, wherever it is.
In the "App Service Certificates" blade, I see that we can only order a certificate and can't upload our own certificate. Is it even possible to do it there or should I be looking at some custom solutions?
BTW, we are using ARM templates to deploy our infrastructure and app services, any hints in ARM templates regarding SSL would be appreciated.
You can use Key Vault and pull certificates from it using ARM templates (they have to be in the same subscription though). You can use this snippet:
{
  "type": "Microsoft.Web/certificates",
  "name": "[parameters('certificateName')]",
  "apiVersion": "2016-03-01",
  "location": "[parameters('location')]",
  "properties": {
    "keyVaultId": "[parameters('existingKeyVaultId')]",
    "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]"
  }
}
https://github.com/Azure/azure-quickstart-templates/blob/master/webapp-keyvault-ssl/azuredeploy.json

Create SubscriptionCloudCredentials for WebSiteManagementClient without Azure AD Application

I'm looking for a simple solution to Authenticate and use the WebSiteManagementClient. The examples I've seen utilize an Azure AD Application to create the SubscriptionCloudCredentials required. I would prefer to create the SubscriptionCloudCredentials without the use of an AD Application.
If at all possible, I would prefer to just use the Web Deploy un/pw credentials found in the Publish Profile Settings XML (as I already have code that uses these to interact with the kudu api with basic auth)
I found this potential solution that instead uses a management certificate (more info). But again, if at all possible, I would prefer to just use the Web Deploy un/pw.
(I understand the management cert is at a subscription level, and the Web Deploy un/pw are at a App Service/WebSite instance level. I'm just stating what my desired solution would look like.)
Management certificates allow you to authenticate only with the classic deployment (Azure Service Management) model and not the Azure Resource Management deployment model.
If your web app is not created using the classic deployment model, you'll need a TokenCloudCredential instead of the CertificateCloudCredential.
Technically, you can still create Certificate-based SubscriptionCloudCredentials but it will only work with Azure web app created with the classic deployment model.
I would prefer to just use the Web Deploy un/pw.
If you want to upload a certificate to an Azure Web App during Web Deploy, then we can use an ARM template; for more details please refer to the document.
{
  "name": "[parameters('certificateName')]",
  "apiVersion": "2014-04-01",
  "type": "Microsoft.Web/certificates",
  "location": "[resourceGroup().location]",
  "properties": {
    "pfxBlob": "pfx base64 blob",
    "password": "some pass"
  }
}
About how to create SubscriptionCloudCredentials with a certificate and how to create a customized cert, I did a demo for it. For more details please refer to another SO thread.
If we try to run the project on Azure, please refer to the document Using Certificates in Azure Websites Applications. Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application.
So we also need to add the app setting in the ARM template; for more details please refer to the document.
{
  "name": "appsettings",
  "type": "config",
  "apiVersion": "2015-08-01",
  "dependsOn": [
    "[concat('Microsoft.Web/sites/', variables('webSiteName'))]"
  ],
  "tags": {
    "displayName": "WebAppSettings"
  },
  "properties": {
    "WEBSITE_LOAD_CERTIFICATES": "thumbprint"
  }
}
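The WEBSITE_LOAD_CERTIFICATES key in the snippet above carries stray spaces, the earlier questions pass PFX data and passwords as template parameters, and the Key Vault answer shows the alternative; as an added example (not code from any of the posts), here is a small Python linter that flags those three things in a parsed ARM template. The sample template is constructed from the snippets on this page; its parameter values are placeholders.

```python
import json

CERT_TYPE = "Microsoft.Web/certificates"
SECURE_TYPES = {"securestring", "secureobject"}      # parameter types ARM keeps out of deployment history


def _parameter_name(value):
    """Return X for a value of the form "[parameters('X')]", otherwise None."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return value[len("[parameters('"):-len("')]")]
    return None


def lint_template(template: dict) -> list:
    """Return findings for a parsed ARM template: inline PFX material, PFX/password parameters
    that are not securestring, and app-setting keys App Service will not match."""
    findings = []
    params = template.get("parameters", {})
    for res in template.get("resources", []):
        rtype, name, props = res.get("type", ""), res.get("name", "?"), res.get("properties", {})
        if rtype == CERT_TYPE and "keyVaultId" not in props:     # Key Vault reference: nothing inline
            for prop in ("pfxBlob", "password"):
                if prop not in props:
                    continue
                pname = _parameter_name(props[prop])
                if pname is None:
                    findings.append(f"{name}: {prop} is an inline literal; use a securestring parameter or keyVaultId")
                elif params.get(pname, {}).get("type", "").lower() not in SECURE_TYPES:
                    findings.append(f"{name}: parameter '{pname}' used for {prop} is not securestring")
        if rtype.endswith("config") and name.endswith("appsettings"):   # nested "config" or sites/config
            for key in props:
                if key != key.strip():
                    findings.append(f"{name}: app setting key {key!r} has surrounding whitespace")
    return findings


# Constructed sample assembled from the snippets on this page (values are placeholders).
SAMPLE_TEMPLATE = json.loads("""{
  "parameters": {"certificatePfx": {"type": "string"}, "certificatePassword": {"type": "securestring"}},
  "resources": [
    {"type": "Microsoft.Web/certificates", "apiVersion": "2016-03-01", "name": "xxx20220609",
     "properties": {"pfxBlob": "[parameters('certificatePfx')]", "password": "[parameters('certificatePassword')]"}},
    {"type": "Microsoft.Web/certificates", "apiVersion": "2016-03-01", "name": "[parameters('certificateName')]",
     "properties": {"keyVaultId": "[parameters('existingKeyVaultId')]", "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]"}},
    {"type": "config", "apiVersion": "2015-08-01", "name": "appsettings",
     "properties": {" WEBSITE_LOAD_CERTIFICATES ": "thumbprint"}}
  ]
}""")
```

Load your own template with `json.load` and pass it to `lint_template`; the Key Vault variant produces no finding because nothing secret is in the template at all.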