Create SubscriptionCloudCredentials for WebSiteManagementClient without Azure AD Application - azure

I'm looking for a simple solution to authenticate and use the WebSiteManagementClient. The examples I've seen utilize an Azure AD Application to create the SubscriptionCloudCredentials required. I would prefer to create the SubscriptionCloudCredentials without the use of an AD Application.
If at all possible, I would prefer to just use the Web Deploy un/pw credentials found in the Publish Profile Settings XML (as I already have code that uses these to interact with the kudu api with basic auth)
I found this potential solution that instead uses a management certificate (more info). But again, if at all possible, I would prefer to just use the Web Deploy un/pw.
(I understand the management cert is at a subscription level, and the Web Deploy un/pw are at a App Service/WebSite instance level. I'm just stating what my desired solution would look like.)

Management certificates allow you to authenticate only with the classic deployment (Azure Service Management) model and not the Azure Resource Management deployment model.
If your web app is not created using the classic deployment model, you'll need a TokenCloudCredential instead of the CertificateCloudCredential.
Technically, you can still create Certificate-based SubscriptionCloudCredentials but it will only work with Azure web app created with the classic deployment model.

I would prefer to just use the Web Deploy un/pw.
If you want to upload a certificate to an Azure Web App during Web Deploy, you can use an ARM template; for more details please refer to the document.
{
    "name": "[parameters('certificateName')]",
    "apiVersion": "2014-04-01",
    "type": "Microsoft.Web/certificates",
    "location": "[resourceGroup().location]",
    "properties": {
        "pfxBlob": "pfx base64 blob",
        "password": "some pass"
    }
}
About how to create SubscriptionCloudCredentials with a certificate and how to create a customized cert, I did a demo for it. For more details please refer to another SO thread.
If you run the project on Azure, please refer to the document Using Certificates in Azure Websites Applications. Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application.
So we also need to add the app setting in the ARM template; for more details please refer to the document.
{
    "name": "appsettings",
    "type": "config",
    "apiVersion": "2015-08-01",
    "dependsOn": [
        "[concat('Microsoft.Web/sites/', variables('webSiteName'))]"
    ],
    "tags": {
        "displayName": "WebAppSettings"
    },
    "properties": {
        "WEBSITE_LOAD_CERTIFICATES": "thumbprint"
    }
}
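The following is an added example (not code from either answer above) showing the client side of this setup: once WEBSITE_LOAD_CERTIFICATES has placed the certificate in the app's CurrentUser\My store, the app looks it up by thumbprint and wraps it in certificate-based SubscriptionCloudCredentials for the classic WebSiteManagementClient. The NuGet package and type names (Microsoft.WindowsAzure.Management.WebSites, Microsoft.WindowsAzure.CertificateCloudCredentials) and the SUBSCRIPTION_ID setting are assumptions for the sake of the example; as the first answer notes, this only works against web apps created with the classic deployment model.

```csharp
// Added example: load a management certificate by thumbprint and build
// certificate-based SubscriptionCloudCredentials for the classic
// WebSiteManagementClient. Package/type names are assumed, see lead-in.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.WindowsAzure;                       // CertificateCloudCredentials (assumed package)
using Microsoft.WindowsAzure.Management.WebSites;   // classic WebSiteManagementClient (assumed package)

static class ClassicWebSiteClientFactory
{
    // App Service loads certificates listed in WEBSITE_LOAD_CERTIFICATES into
    // the CurrentUser\My store of the app's process, so that is where we search.
    public static X509Certificate2 LoadCertificateByThumbprint(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ArgumentException("thumbprint is required", nameof(thumbprint));

        // Thumbprints copied from the portal often carry spaces or a hidden
        // left-to-right mark (U+200E); normalise before searching the store.
        string normalized = thumbprint.Replace(" ", string.Empty).Trim('\u200E').ToUpperInvariant();

        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly: false, otherwise a self-signed management certificate
            // (no trusted chain) is silently skipped.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, normalized, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    $"Certificate {normalized} not found; check WEBSITE_LOAD_CERTIFICATES.");
            return found[0];
        }
    }

    public static WebSiteManagementClient CreateClient(string subscriptionId, string thumbprint)
    {
        X509Certificate2 cert = LoadCertificateByThumbprint(thumbprint);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no private key; the template must carry the .pfx, not a .cer.");

        // Note the scope difference the question raises: this credential is
        // subscription-wide, unlike the per-site Web Deploy username/password.
        SubscriptionCloudCredentials creds = new CertificateCloudCredentials(subscriptionId, cert);
        return new WebSiteManagementClient(creds);
    }

    static void Main()
    {
        // SUBSCRIPTION_ID is an assumed app setting; WEBSITE_LOAD_CERTIFICATES is
        // the real one from the ARM snippet above (app settings surface as env vars).
        string subscriptionId = Environment.GetEnvironmentVariable("SUBSCRIPTION_ID")
            ?? throw new InvalidOperationException("SUBSCRIPTION_ID app setting is missing");
        string thumbprint = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES")
            ?? throw new InvalidOperationException("WEBSITE_LOAD_CERTIFICATES app setting is missing");

        using (WebSiteManagementClient client = CreateClient(subscriptionId, thumbprint))
        {
            // Smoke test: listing web spaces proves the certificate is accepted.
            foreach (var webSpace in client.WebSpaces.List().WebSpaces)
                Console.WriteLine(webSpace.Name);
        }
    }
}
```

Because the certificate authorises every classic operation in the subscription, avoid baking the base64 PFX and its password into a checked-in template as the snippet above does; a Key Vault reference (keyVaultId / keyVaultSecretName on Microsoft.Web/certificates) keeps the private key out of source control and deployment logs.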

Related

How to Create Web Site ARM Template with Managed Identity?

I am attempting to create Azure Resource Manager templates for several web sites that read secrets from a key vault. In reading How to use managed identities for App Service and Azure Functions, the documentation states that the web site ARM template should contain the following upon creation for authenticating with a key vault:
"identity": {
"type": "SystemAssigned"
}
Once the web site is created, the the identity section changes to the following:
"identity": {
"type": "SystemAssigned",
"tenantId": "<TENANTID>",
"principalId": "<PRINCIPALID>"
}
Does this mean that after running the ARM templates to create the web sites that I have to go back into the ARM template(s) and update the identity section for every site so that I can run the ARM templates to update the sites if need be?
No, you don't have to do that. That is expected. It will not delete that. Just rerun it and nothing will change.

Enable API Management access to the REST API with ARM template

I've created the ARM template for Azure API Management deployment. In order to enable its REST API I need to select the Enable API Management REST API checkbox in Azure Portal as explained here. I'd like to activate this option within the ARM template but I'm unable to find which resource to add/modify in my template to achieve it.
This one: https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/tenantaccess/update. In general, whatever the Azure portal does, it does through the same public API used by templates. So usually you can open the browser dev console and see what call is being made behind the scenes.
If anyone is still looking for an answer, the below template does the job of enabling Management REST API in Azure APIM
{
    "type": "Microsoft.ApiManagement/service/tenant",
    "apiVersion": "2020-06-01-preview",
    "name": "[concat(parameters('ApimServiceName'), '/access')]",
    "dependsOn": [
        "[resourceId('Microsoft.ApiManagement/service', parameters('ApimServiceName'))]"
    ],
    "properties": {
        "enabled": true
    }
}

System group membership cannot be changed

I have generated a template from an existing Azure API Management resource, modified it a bit, and tried to deploy it using the Azure CLI. But I'm getting the following error:
Deployment failed. Correlation ID: 7561a68f-54d1-4370-bf6a-175fd93a4b99. {
    "error": {
        "code": "MethodNotAllowed",
        "message": "System group membership cannot be changed",
        "details": null
    }
}
But all the APIs are getting created and working fine. Can anyone help me solve the error? This is the command I tried to deploy with on my Ubuntu machine:
az group deployment create -g XXXX --template-file azuredeploy.json --parameters @param.json
Service Group Template:
{
    "type": "Microsoft.ApiManagement/service/groups",
    "apiVersion": "2018-06-01-preview",
    "name": "[concat(parameters('service_name'), '/administrators')]",
    "dependsOn": [
        "[resourceId('Microsoft.ApiManagement/service', parameters('service_name'))]"
    ],
    "properties": {
        "displayName": "Administrators",
        "description": "Administrators is a built-in group. Its membership is managed by the system. Microsoft Azure subscription administrators fall into this group.",
        "type": "system"
    }
}
You have several options if you want to copy an API Management instance to a new instance. Using the template is not listed here.
Use the backup and restore function in API Management. For more information, see How to implement disaster recovery by using service backup and restore in Azure API Management.
Create your own backup and restore feature by using the API Management REST API. Use the REST API to save and restore the entities from the service instance that you want.
Download the service configuration by using Git, and then upload it to a new instance. For more information, see How to save and configure your API Management service configuration by using Git.
Update:
I have confirmed with a Microsoft engineer that this ARM template deployment failure for APIM is a known issue, and they are planning to fix it. (5/7/2019)
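The following is an added example, not part of the answer above: the exported template carries the built-in groups (the "administrators" resource shown in the question has "type": "system"), and a deployment cannot create or change those, which is what the MethodNotAllowed error reports. The usual workaround, assumed here rather than stated by the answer, is to drop every Microsoft.ApiManagement/service/groups resource whose properties.type is "system" before deploying. This tool does exactly that with System.Text.Json.Nodes (.NET 6 or later); the file names are placeholders.

```csharp
// Added example: strip APIM built-in ("system") group resources from an
// exported ARM template so that redeployment no longer trips
// "System group membership cannot be changed". Workaround is assumed, see lead-in.
using System;
using System.IO;
using System.Text.Json;
using System.Text.Json.Nodes;

static class ApimTemplateCleaner
{
    const string GroupType = "Microsoft.ApiManagement/service/groups";

    // Removes system groups in place and returns how many were removed.
    // Custom groups (properties.type == "custom") are deployable and are kept.
    public static int RemoveSystemGroups(JsonObject template)
    {
        if (template["resources"] is not JsonArray resources)
            return 0;

        int removed = 0;
        // Iterate backwards so RemoveAt does not shift the indices still to visit.
        for (int i = resources.Count - 1; i >= 0; i--)
        {
            if (resources[i] is not JsonObject resource)
                continue;

            string? type = (string?)resource["type"];
            string? groupKind = (string?)resource["properties"]?["type"];

            bool isGroup = string.Equals(type, GroupType, StringComparison.OrdinalIgnoreCase);
            bool isSystem = string.Equals(groupKind, "system", StringComparison.OrdinalIgnoreCase);
            if (isGroup && isSystem)
            {
                Console.Error.WriteLine($"removing system group resource: {resource["name"]}");
                resources.RemoveAt(i);
                removed++;
            }
        }
        return removed;
    }

    static void Main(string[] args)
    {
        // Placeholder file names; pass your own as arguments.
        string input = args.Length > 0 ? args[0] : "azuredeploy.json";
        string output = args.Length > 1 ? args[1] : "azuredeploy.cleaned.json";

        JsonObject template = JsonNode.Parse(File.ReadAllText(input))?.AsObject()
            ?? throw new InvalidDataException("template root is not a JSON object");

        int removed = RemoveSystemGroups(template);

        File.WriteAllText(output,
            template.ToJsonString(new JsonSerializerOptions { WriteIndented = true }));
        Console.WriteLine($"{removed} system group resource(s) removed; wrote {output}");
    }
}
```

After running it, search the cleaned template for any remaining dependsOn entry or resourceId() expression that still points at the removed groups (for example a service/groups/users or products/groups resource) and remove those references too, or the deployment will fail validation because the dependency is no longer defined in the template.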

Where to centralise SSL certificates in Azure?

We have our own certificate (.pfx) issued by an authority before using Azure. We are now using Azure and would like to be able to use this certificate for all our app services.
I know we can upload them in the "SSL settings" section of the app service. But the problem is that we have to upload it in every single app service that we have. If we renew our certificates we need to go through all the apps and upload the new certificate again one by one.
What I am looking for is a place (like "App Service Certificates") where we can upload our certificate once and let the apps use it. It's ideal for us not to change apps if we renew our certificate and upload it again in that centralised place, wherever it is.
In the "App Service Certificates" blade, I see that we can only order a certificate and can't upload our own certificate. Is it even possible to do it there or should I be looking at some custom solutions?
BTW, we are using ARM templates to deploy our infrastructure and app services, any hints in ARM templates regarding SSL would be appreciated.
You can use Key Vault and pull certificates from it using ARM templates (they have to be in the same subscription though). You can use this snippet:
{
    "type": "Microsoft.Web/certificates",
    "name": "[parameters('certificateName')]",
    "apiVersion": "2016-03-01",
    "location": "[parameters('location')]",
    "properties": {
        "keyVaultId": "[parameters('existingKeyVaultId')]",
        "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]"
    }
},
https://github.com/Azure/azure-quickstart-templates/blob/master/webapp-keyvault-ssl/azuredeploy.json

Configuring Azure Batch using an Azure Resource Manager template

I'm looking for any examples of configuring Azure Batch using an Azure Resource Manager template. Googling yielded nothing, and the Azure QuickStart Templates do not yet have any Batch examples, however this SO question implies that it has been done.
What I would like to achieve is, via an ARM template, to create a Batch account and configure a pool (with a minimum number of compute nodes, auto expanding to a maximum number of nodes), and then set the resulting pool ID into my API server's appsettings resource.
I'm about to start reverse engineering it using the Azure Resource Explorer, but any pre-existing examples would be very much appreciated.
Update
So far I've managed to create the resource:
{
    "name": "[variables('batchAccountName')]",
    "type": "Microsoft.Batch/batchAccounts",
    "location": "[resourceGroup().location]",
    "apiVersion": "2015-07-01",
    "dependsOn": [ ],
    "tags": {
        "displayName": "BatchInstance"
    }
}
And to configure the account settings in the appsettings of my API server:
"BATCH_ACCOUNT_URL": "[concat('https://', reference(concat('Microsoft.Batch/batchAccounts/', variables('batchAccountName'))).accountEndpoint)]",
"BATCH_ACCOUNT_KEY": "[listKeys(resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName')), providers('Microsoft.Batch', 'batchAccounts').apiVersions[0]).primary]",
"BATCH_ACCOUNT_NAME": "[variables('batchAccountName')]"
I still haven't managed to create a pool and fetch the pool ID via ARM, mainly because the pool I created using Batch Explorer never showed up in either the Azure Portal or the Azure Resource Explorer. I'll update this if I find the solution.
Unfortunately we don't have a way today to create a pool using ARM templates. The Azure Portal should show the pools created under your account (even if you didn't create them using ARM).
This is supported, please see the reference docs here: https://learn.microsoft.com/azure/templates/microsoft.batch/2019-04-01/batchaccounts/pools