
I am implementing a Bicep file for deploying an API Management instance with a custom domain. The certificate related to this custom domain must be taken from a Key Vault.

I’ve managed to get it working using the following hardcoded values:

hostnameConfigurations: [{
  type: 'Proxy'
  hostName: 'my-url.my-domain.com'
  keyVaultId: <secret-identifier-from-certificate-in-keyvault>
  certificateSource: 'KeyVault'
  defaultSslBinding: true
  negotiateClientCertificate: false
}]

The value of 'secret-identifier-from-certificate-in-keyvault' is taken as it comes from the Key Vault certificate.

[Image: certificate fields from the keyvault]

However, after this test, I want to automate this, so that if I provide the certificate name and the Key Vault ID I am able to retrieve this data, as it is different in each environment.

I’ve tried accessing the certificate data like this:

resource keyVaultCertificate 'Microsoft.KeyVault/vaults/certificates@2022-07-01' existing = {
  parent: keyVault
  name: certificateName
}

and then using the corresponding value in the Bicep as keyVaultId: keyVaultCertificate.id, but it didn't work.

Also, same with secret:

resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' existing = {
  parent: keyVault
  name: certificateName
}

And using keyVaultId: keyVaultSecret.id, also without success, getting the error 'Invalid parameter: Not a valid KeyVault secret Url'.

How could I get the same data I see in the certificate in the Azure portal, but as part of my Bicep?

Also, I've read that it is better not to include the version in the keyVaultId data, so that it keeps working when the certificate is renewed. Could someone shed some light on how to do this, considering this best practice as well?

Thanks

2 Answers


  1. Chosen as BEST ANSWER

    After some extra research, I've come up with a working solution, although it is not what I expected, as I intended to retrieve the whole secret address as a property of the certificate.

    If I concatenate the keyvault address with the certificate data like this:

    resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
      name: keyVaultName
    }
    
    resource apiManagementName_resource 'Microsoft.ApiManagement/service@2022-08-01' = {
    
       [... some other settings ...]
    
       properties: {
         hostnameConfigurations: [
           {
             type: 'Proxy'
             hostName: 'my-url.my-domain.com'
             // vaultUri already ends with '/', so this yields
             // https://<vault>.vault.azure.net/secrets/<certificateName> (no version)
             keyVaultId: '${keyVault.properties.vaultUri}secrets/${certificateName}'
             certificateSource: 'KeyVault'
             defaultSslBinding: true
             negotiateClientCertificate: false
           }
         ]
       }
    }
    

    Then the certificate is attached properly to the custom domain field in the API Management.

    Also, as it does not include the version, it is supposed to take the latest one, so if renewed, it should keep working.


  2. Try kvSecret.properties.secretUri when using keyVaultId.

    Below is a draft template.

    resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
      name: keyVaultName
      location: location
      properties: {
        sku: {
          name: 'standard'
          family: 'A'
        }
        tenantId: tenant().tenantId
      }
    }
    
    resource kvSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
      parent: kv
      name: 'xxx'
      properties: {
        value: secretValue
      }
    }
    
    
    resource apim 'Microsoft.ApiManagement/service@2023-05-01-preview' = {
      name: apiManagementServiceName
      location: location
      sku: {
        name: sku
        capacity: skuCount
      }
      properties: {
        hostnameConfigurations: [
          {
            type: 'Proxy'
            // secretUri is the version-less URL (https://<vault>.vault.azure.net/secrets/<name>);
            // secretUriWithVersion would pin the binding to the current version.
            keyVaultId: kvSecret.properties.secretUri
            ....
            ....
          }
        ]
      }
      ....
    }
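Both answers above stop at the keyVaultId expression; what a practitioner also needs is the identity that APIM will use to read the secret and the permission that identity must hold on the vault, otherwise the deployment fails at the custom-domain step. The following complete template is an added example, not code from the question or either answer. It assumes the vault already exists and uses RBAC authorisation (if it uses access policies, grant the identity "Get" on secrets instead), and it assumes a user-assigned identity so the role assignment can be created before APIM attempts to fetch the certificate; all parameter and resource names are illustrative. The version-less URL is built exactly as in the accepted answer; the `secretUri` property from the second answer gives the same string when the secret is declared as a resource.

```bicep
// Added example: bind an APIM custom domain to a Key Vault certificate with a
// version-less secret URL, using a user-assigned identity granted read access.
// Assumptions (not from the original page): vault uses RBAC, parameter names are illustrative.
param location string = resourceGroup().location
param apimName string
param publisherEmail string
param publisherName string
param keyVaultName string
param certificateName string
param hostName string = 'my-url.my-domain.com'

// Existing vault; add `scope: resourceGroup('<rg>')` if it lives elsewhere.
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// User-assigned identity created first, so the role assignment exists before
// APIM reads the certificate during its own deployment.
resource apimIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${apimName}-id'
  location: location
}

// Built-in "Key Vault Secrets User" role: read secret contents only, which is
// the minimum APIM needs to pull the PFX stored behind the certificate.
var keyVaultSecretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

resource certReadAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, apimIdentity.id, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: apimIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// vaultUri already ends with '/', giving https://<vault>.vault.azure.net/secrets/<name>.
// No version segment: APIM resolves the current version and picks up renewals.
var certificateSecretUrl = '${keyVault.properties.vaultUri}secrets/${certificateName}'

resource apim 'Microsoft.ApiManagement/service@2023-05-01-preview' = {
  name: apimName
  location: location
  sku: {
    name: 'Developer'
    capacity: 1
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${apimIdentity.id}': {}
    }
  }
  properties: {
    publisherEmail: publisherEmail
    publisherName: publisherName
    hostnameConfigurations: [
      {
        type: 'Proxy'
        hostName: hostName
        certificateSource: 'KeyVault'
        keyVaultId: certificateSecretUrl
        // Tell APIM which identity to use when it calls the vault.
        identityClientId: apimIdentity.properties.clientId
        defaultSslBinding: true
        negotiateClientCertificate: false
      }
    ]
  }
  // No implicit dependency on the role assignment, so declare it explicitly.
  dependsOn: [
    certReadAssignment
  ]
}

output certificateSecretUrl string = certificateSecretUrl
```

Before deploying, the output URL can be cross-checked against the secret identifier shown in the portal: it should match up to, but not including, the trailing version segment. If the vault uses access policies rather than RBAC, replace the role assignment with a `Microsoft.KeyVault/vaults/accessPolicies` entry granting `secrets: ['get']` to the same identity.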
    