How does one create a certificate in keyvault via Bicep? #8457
-
|
I use bicep to create my Keyvault, but want the Keyvault to have some default certs after creation. Really I can't seem to find the equivalent of https://learn.microsoft.com/en-us/cli/azure/keyvault/certificate?view=azure-cli-latest#az-keyvault-certificate-create Is this just a ARM limitation? I do see capability for creating secrets but nothing for certificates. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
|
You create certificates via policy. There is a known issue about So you have to use an alternate method. I use deploymentscripts example for issuers, you can also do self signed instead of this, however it's not a valid cert plus you may need some extra settings for these...
Module to create issuermodule CertificateIssuer 'x.CertificateIssuer.ps1.bicep' = [for (issuer, index) in CertIssuerInfo: {
name: 'dp-kv-certificateissuer-${issuer.name}'
params: {
CertIssuerName: issuer.name
CertIssuerProvider: issuer.provider
Deployment: Deployment
vaultName: KV.name
}
}]DeploymentScript in the Moduleparam CertIssuerName string
param CertIssuerProvider string
param vaultName string
param Deployment string
param logStartMinsAgo int = 7
param now string = utcNow('F')
resource UAI 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
name: '${Deployment}-uaiCertificatePolicy'
}
resource setCertificateIssuer 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
name: 'setCertificateIssuer-${CertIssuerName}'
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${UAI.id}': {}
}
}
location: resourceGroup().location
kind: 'AzurePowerShell'
properties: {
azPowerShellVersion: '7.3.2'
arguments: ' -CertIssuerName ${CertIssuerName} -CertIssuerProvider ${CertIssuerProvider} -VaultName ${vaultName}'
scriptContent: loadTextContent('../bicep/loadTextContext/setCertificateIssuer.ps1')
forceUpdateTag: now
cleanupPreference: 'OnSuccess'
retentionInterval: 'P1D'
timeout: 'PT${logStartMinsAgo}M'
}
}Reference to powershell to run in the deploymentscriptparam (
[string]$CertIssuerName,
[string]$CertIssuerProvider,
[string]$VaultName
)
Write-Verbose -Message "Checking for Issuer [$CertIssuerName] for provider [$CertIssuerProvider]" -Verbose
$Current = Get-AzKeyVaultCertificateIssuer -VaultName $VaultName -Name $CertIssuerName -Verbose
if ($Current)
{
Write-Verbose -Message "Found Issuer [$CertIssuerName] for provider [$CertIssuerProvider]" -Verbose
}
else
{
Write-Verbose -Message "Adding Issuer [$CertIssuerName] for provider [$CertIssuerProvider]" -Verbose
Set-AzKeyVaultCertificateIssuer -VaultName $VaultName -Name $CertIssuerName -IssuerProvider $CertIssuerProvider -PassThru
}After that you create the cert and policy... again using a deploymentscript module createCertswithRotation 'x.newCertificatewithRotation.ps1.bicep' = [for (cert, index) in wafInfo.SSLCerts: if (contains(cert, 'createCert') && bool(cert.createCert)) {
name: replace(toLower('dp-createCert-${cert.name}-${contains(cert, 'zone') ? cert.zone : null}'), '.', '-')
params: {
userAssignedIdentityName: UAICert.name
CertName: replace(toLower('${cert.name}${contains(cert, 'zone') ? '.${cert.zone}' : null}'), '.', '-')
Force: contains(cert, 'force') ? bool(cert.force) : false
SubjectName: 'CN=${cert.name}${contains(cert, 'zone') ? '.${cert.zone}' : null}'
VaultName: KV.name
DnsNames: contains(cert, 'DnsNames') ? cert.DnsNames : [
'${cert.name}${contains(cert, 'zone') ? '.${cert.zone}' : null}'
]
}
}]The deploymentscript that creates the cert with auto rotation.param VaultName string = 'myvault'
param CertName string = 'abc-test-com'
param SubjectName string = 'CN=abc.test.com'
param DnsNames array = [
'abc.test.com'
'abc-a.test.com'
'abc-b.test.com'
]
param Force bool = false
param userAssignedIdentityName string
param now string = utcNow('F')
var boolstring = Force == false ? '$false' : '$true'
resource newCertwithRotationKV 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
name: 'newCertwithRotationKV-${CertName}'
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', userAssignedIdentityName)}': {}
}
}
location: resourceGroup().location
kind: 'AzurePowerShell'
properties: {
azPowerShellVersion: '7.5.0'
arguments: ' -VaultName ${VaultName} -CertName ${CertName} -SubjectName ${SubjectName} -Force ${boolstring} -DnsNames ${join(DnsNames,'_')}'
scriptContent: loadTextContent('../bicep/loadTextContext/newCertificatewithRotation.ps1')
forceUpdateTag: now
cleanupPreference: 'OnSuccess'
retentionInterval: 'P1D'
timeout: 'PT5M'
}
}
output VaultNameOut string = newCertwithRotationKV.properties.outputs.VaultName
output CertNameOut string = newCertwithRotationKV.properties.outputs.CertName
output ThumbprintOut string = newCertwithRotationKV.properties.outputs.Thumbprint
output CertEnabledOut bool = newCertwithRotationKV.properties.outputs.CertEnabled
output RenewAtPercentageLifetime int = newCertwithRotationKV.properties.outputs.RenewAtPercentageLifetime
output ValidityInMonthsOut int = newCertwithRotationKV.properties.outputs.ValidityInMonths
output SubjectNameOut string = newCertwithRotationKV.properties.outputs.SubjectName
output DnsNamesOut array = newCertwithRotationKV.properties.outputs.DnsNamesThe powershell script that gets called from the deploymentscriptparam (
[validateset('GlobalSign', 'DigiCert')]
[string]$IssuerName = 'DigiCert',
[string]$VaultName = 'vault01',
[string]$CertName = 'abc.test.com',
[string]$SubjectName = 'CN=abc.test.com',
[string]$DnsNames,
[int]$ValidityInMonths = 12,
[int]$RenewAtPercentageLifetime = 24,
[string]$SecretContentType = 'application/x-pkcs12',
[switch]$Disabled,
[bool]$Force
)
try
{
Write-Output "`nUTC is: $(Get-Date)"
$c = Get-AzContext -ErrorAction stop
if ($c)
{
Write-Output "`nContext is: "
$c | Select-Object Account, Subscription, Tenant, Environment | Format-List | Out-String
$DNSNamesArray = $DnsNames -split '_'
Write-Output $DNSNamesArray
$PolicyParams = @{
RenewAtPercentageLifetime = $RenewAtPercentageLifetime
SecretContentType = $SecretContentType
ValidityInMonths = $ValidityInMonths
IssuerName = $IssuerName
DnsNames = $DNSNamesArray
Disabled = $Disabled
SubjectName = $SubjectName
}
$Cert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
If ($Cert)
{
$Policy = $Cert | Get-AzKeyVaultCertificatePolicy | Where-Object SubjectName -EQ $SubjectName
}
if ($Policy)
{
Write-Warning -Message "Policy exists [$($policy.SubjectName)]"
if ($Force)
{
Write-Warning -Message "Force Policy [$($policy.SubjectName)] settings"
$Policy = New-AzKeyVaultCertificatePolicy @PolicyParams
}
}
else
{
Write-Warning -Message "Creating Policy [$SubjectName]"
$Policy = New-AzKeyVaultCertificatePolicy @PolicyParams
}
if ($Cert -and (-not $Force))
{
Write-Warning -Message "Certificate exists [$($Cert.Name)]"
}
else
{
Write-Warning -Message "Creating Certificate [$CertName]"
$Result = Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $Policy
$Result.StatusDetails
while ($New.Enabled -ne $true)
{
$New = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
Start-Sleep -Seconds 30
}
}
$out = $cert ?? $new
$DeploymentScriptOutputs = @{}
$DeploymentScriptOutputs['VaultName'] = $VaultName
$DeploymentScriptOutputs['CertName'] = $out.Name
$DeploymentScriptOutputs['Thumbprint'] = $out.Thumbprint
$DeploymentScriptOutputs['CertEnabled'] = $out.Enabled
$DeploymentScriptOutputs['RenewAtPercentageLifetime'] = $Policy.RenewAtPercentageLifetime
$DeploymentScriptOutputs['ValidityInMonths'] = $Policy.ValidityInMonths
$DeploymentScriptOutputs['SubjectName'] = $Policy.SubjectName
$DeploymentScriptOutputs['DnsNames'] = $Policy.DnsNames
}
else
{
throw 'Cannot get a context'
}
}
catch
{
Write-Warning $_
Write-Warning $_.exception
} |
Beta Was this translation helpful? Give feedback.
-
|
@aegal I hope this solution can work for you. I don't think I mentioned it however you can also use the 'Self' for a self signed cert. |
Beta Was this translation helpful? Give feedback.
-
|
Well done! |
Beta Was this translation helpful? Give feedback.
-
|
Hi @jeru81 The DeploymentScripts team are actively working on allowing the DeploymentScripts to run inside of a VNET. That team should be able to provide a status update on this next month, so keep an eye out for that news. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @brwilkinson, If DeploymentScript ACI could somehow land up on this list the access could kept disabled at all. But maybe there will be reasons they dont... |
Beta Was this translation helpful? Give feedback.
-
|
The team are working on it @jeru81... There are a few related items similar to what you mentioned that are pre-requisites to making this possible. |
Beta Was this translation helpful? Give feedback.
-
|
Seems odd that a standard terraform provider exists for creating self-signed certificates, but there's nothing in ARM/Bicep for this... |
Beta Was this translation helpful? Give feedback.
You create certificates via policy.
There is a known issue about
Certificatesresource provider under keyvault not being published.So you have to use an alternate method.
I use deploymentscripts
example for issuers, you can also do self signed instead of this, however it's not a valid cert
plus you may need some extra settings for these...
Module to create issuer
DeploymentScript in the Module