
[AVM Module Issue]: certificateKeyVaultProperties in App Managed Environments appears unusable (aka container app environment) #3855

Open
1 task done
christianacca opened this issue Nov 28, 2024 · 5 comments
Labels
Class: Resource Module 📦 This is a resource module Needs: Immediate Attention ‼️ Immediate attention of module owner / AVM team is needed Needs: Triage 🔍 Maintainers need to triage still Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue


christianacca commented Nov 28, 2024

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

I'm not sure

Module Name

avm/res/app/managed-environment

(Optional) Module Version

0.8.1

Description

I have a Bicep infra-as-code script working just nicely to create a Container App environment (CAE) that imports a certificate from Key Vault, and a Container App that has a custom domain bound to this certificate from this CAE.

At the time I wrote the Bicep, certificateKeyVaultProperties had not been made available in the App Managed Environments verified module, and so I used the "raw resource" instead. Now that certificateKeyVaultProperties has been added in #2719, I thought I'd go and replace my usage of the raw resource with the AVM.

The problem is that when I run the Bicep from scratch (i.e. where there is no previous managed environment or container app), it fails trying to create the container app, saying that the certificate cannot be found in the managed environment.

When I go and look at the managed environment in the azure portal that did get created, I don't see the certificate listed in "Bring your certificates" section. Hence the container app creation fails.

So now I am at a loss to know how to successfully/correctly use certificateKeyVaultProperties in the App Managed Environment module. Any assistance would be welcome, as I'm really trying hard to onboard as many resources to AVM as I can, and this issue is holding up that effort.

For reference, below are the relevant extracts taken from both the original working Bicep and the new Bicep that attempts to use the AVM.

Also, the PR where I make the switch to AVM for managed environment: https://github.com/christianacca/web-api-starter/pull/23/files

bicep using raw resource - working

// aca-environment.bicep

param instanceSettings object
param sharedSettings sharedSettingsType
param location string = resourceGroup().location // referenced below; declaration not shown in the extract

var kvSettings = sharedSettings.certSettings.KeyVault
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: kvSettings.ResourceName
  scope: resourceGroup(kvSettings.SubscriptionId, kvSettings.ResourceGroupName)

  // the certificate is read out of the vault as a secret; secretUri is its versionless URL
  resource cert 'secrets' existing = { name: sharedSettings.certSettings.ResourceName }
}

resource acaEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' = {
  name: instanceSettings.ResourceName
  location: location
  properties: {
    // SNIP
    workloadProfiles: [
      {
        name: 'Consumption'
        workloadProfileType: 'Consumption'
      }
    ]
    zoneRedundant: false
  }

  // child resource: the platform pulls the certificate from Key Vault using the given
  // user-assigned identity, so no private key material ever appears in the template
  resource acaEnvCert 'certificates' = {
    name: sharedSettings.certSettings.ResourceName
    location: location
    properties: {
      certificateKeyVaultProperties: {
        identity: sharedSettings.managedIdentityResourceId
        keyVaultUrl: kv::cert.properties.secretUri
      }
    }
  }
}

// =============== //
//   Definitions   //
// =============== //


type sharedSettingsType = {
  certSettings: object
  managedIdentityResourceId: string // used by acaEnvCert above; member not shown in the extract
}

Full listing: aca-environment.bicep

// api.bicep (container app)

param instanceSettings object
param sharedSettings sharedSettingsType
param location string = resourceGroup().location // referenced below; declaration not shown in the extract
param appImage string                            // container image; declaration not shown in the extract
param apiHostName string                         // custom domain of the API; declaration not shown in the extract

module api 'br/public:avm/res/app/container-app:0.4.1' = {
  name: '${uniqueString(deployment().name, location)}-AcaApi'
  params: {
    containers: [
      {
        // appEnvVars is a module defined in the full listing (elided from this extract)
        env: appEnvVars.outputs.desiredEnvVars
        image: appImage
        name: instanceSettings.ResourceName
        // SNIP
      }
    ]
    customDomains: [
      {
        name: apiHostName
        // bind the domain to the certificate that lives on the environment, by resource ID
        certificateId: acaEnv::cert.id
        bindingType: 'SniEnabled'
      }
    ]
    environmentId: acaEnv.id
    // SNIP
    workloadProfileName: 'Consumption'
  }
}

// the environment and its certificate are created in aca-environment.bicep; reference them as existing
resource acaEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' existing = {
  name: instanceSettings.AcaEnvResourceName
  resource cert 'certificates' existing = { name: sharedSettings.certSettings.ResourceName }
}

// =============== //
//   Definitions   //
// =============== //

type sharedSettingsType = {
  certSettings: object
  // SNIP
}

Full listing: api.bicep

bicep using AVM - broken

// aca-environment.bicep

param instanceSettings object
param sharedSettings sharedSettingsType
param location string = resourceGroup().location // referenced below; declaration not shown in the extract

var kvSettings = sharedSettings.certSettings.KeyVault
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: kvSettings.ResourceName
  scope: resourceGroup(kvSettings.SubscriptionId, kvSettings.ResourceGroupName)

  // the certificate is read out of the vault as a secret; secretUri is its versionless URL
  resource cert 'secrets' existing = { name: sharedSettings.certSettings.ResourceName }
}

module acaEnv 'br/public:avm/res/app/managed-environment:0.8.1' = {
  name: '${uniqueString(deployment().name, location)}-AcaEnv'
  params: {
    name: instanceSettings.ResourceName
    // same identity + secret URL as the raw resource, but passed through the module's parameter
    certificateKeyVaultProperties: {
      identityResourceId: sharedSettings.managedIdentityResourceId
      keyVaultUrl: kv::cert.properties.secretUri
    }
    // SNIP
    workloadProfiles: [
      {
        name: 'Consumption'
        workloadProfileType: 'Consumption'
      }
    ]
    zoneRedundant: false
  }
}

// =============== //
//   Definitions   //
// =============== //


type sharedSettingsType = {
  certSettings: object
  managedIdentityResourceId: string // used by the acaEnv module above; member not shown in the extract
}

Full listing: aca-environment.bicep

// api.bicep (container app)

// NO CHANGE - see above

(Optional) Correlation Id

No response
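Whichever of the two environment definitions in the issue is used, the user-assigned identity named in certificateKeyVaultProperties must be able to read the certificate's secret in Key Vault; the platform reads the certificate out of the vault with that identity, and no private key ever passes through the template. That is a prerequisite of the feature, not a diagnosis of the missing-certificate symptom reported above, but it is the first thing to verify before chasing the module. The following is an added example, not the issue author's code and not part of the AVM module, that grants that access with Azure RBAC at the vault's own scope (so it works when the vault sits in another subscription or resource group, as the extracts' `scope: resourceGroup(kvSettings.SubscriptionId, kvSettings.ResourceGroupName)` implies). It reuses `sharedSettings`, `kvSettings` and `location` from the extracts; the file name `role-assignment.bicep`, the `uami` resource and the `kvAccess` module alias are assumed names, and the vault is assumed to be in RBAC mode (`enableRbacAuthorization: true`).

```bicep
// role-assignment.bicep (added example; file name is an assumption)
// Deployed into the resource group that holds the Key Vault, which may be in
// another subscription than the Container App environment.
targetScope = 'resourceGroup'

@description('Name of the Key Vault that holds the certificate (stored as a secret).')
param keyVaultName string

@description('Principal (object) ID of the user-assigned identity named in certificateKeyVaultProperties. Principal ID, not the identity resource ID.')
param identityPrincipalId string

// Built-in role "Key Vault Secrets User": read secret contents, nothing more.
// Assumes the vault uses Azure RBAC; with legacy access policies a secrets/get
// access policy for the identity is needed instead.
var keyVaultSecretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

// Scoped to this vault only (least privilege); deterministic name makes the assignment idempotent.
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, identityPrincipalId, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: identityPrincipalId
    principalType: 'ServicePrincipal'
  }
}

// aca-environment.bicep (additions alongside the extracts above; `uami` and `kvAccess` are assumed names)

// Resolve the identity's principal ID from its resource ID, which has the shape
// /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name}
var identityIdParts = split(sharedSettings.managedIdentityResourceId, '/')
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: last(identityIdParts)
  scope: resourceGroup(identityIdParts[2], identityIdParts[4])
}

module kvAccess 'role-assignment.bicep' = {
  name: '${uniqueString(deployment().name, location)}-KvSecretsUser'
  scope: resourceGroup(kvSettings.SubscriptionId, kvSettings.ResourceGroupName)
  params: {
    keyVaultName: kvSettings.ResourceName
    identityPrincipalId: uami.properties.principalId
  }
}

// Then add `dependsOn: [ kvAccess ]` to the acaEnv resource/module so the certificate
// import is not attempted before the role assignment exists.
```

Role assignments can take a minute to propagate, so a deployment that creates the assignment and the certificate in the same run may still need a retry on first use. After the environment deploys, confirm the certificate actually landed with `az containerapp env certificate list --resource-group <rg> --name <environment-name>` and check its provisioning state before deploying the container app that binds to it; an empty list at that point means the custom-domain binding will fail regardless of how the container app is written.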

@christianacca christianacca added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Nov 28, 2024
@avm-team-linter avm-team-linter bot added the Class: Resource Module 📦 This is a resource module label Nov 28, 2024
@github-project-automation github-project-automation bot moved this to Needs: Triage in AVM - Module Issues Nov 28, 2024

@christianacca, thanks for submitting this issue for the avm/res/app/managed-environment module!

Important

A member of the @Azure/avm-res-app-managedenvironment-module-owners-bicep or @Azure/avm-res-app-managedenvironment-module-contributors-bicep team will review it soon!

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

@microsoft-github-policy-service microsoft-github-policy-service bot added the Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days label Dec 4, 2024


Caution

This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-bicep) immediate attention as it hasn't been responded to within 6 business days.

Tip

  • To avoid this rule being (re)triggered, the "Needs: Triage 🔍" and "Status: Response Overdue 🚩" labels must be removed when the issue is first responded to!
  • Remove the "Needs: Immediate Attention ‼️" label once the issue has been responded to.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Immediate Attention ‼️ Immediate attention of module owner / AVM team is needed label Dec 9, 2024