azurermAppServiceCertificate

Manages an App Service certificate.

Example Usage

This example provisions an App Service Certificate from a local file. Additional examples of how to use the azurermAppServiceCertificate resource can be found in the /examples/appServiceCertificate directory within the GitHub Repository.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*This snippet belongs inside the constructor of a TerraformStack subclass, where `this` is the stack scope.
Generated bindings take camelCase property names, matching the Argument Reference below.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermAppServiceCertificateExample =
  new azurerm.appServiceCertificate.AppServiceCertificate(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "example-cert",
    /*Example value only; supply the real PFX password from a sensitive variable or secret store.*/
    password: "terraform",
    /*Terraform expression, evaluated by Terraform: base64-encodes the local PFX file.*/
    pfxBlob: '${filebase64("certificate.pfx")}',
    resourceGroupName: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceCertificateExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the certificate. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the certificate. Changing this forces a new resource to be created.

  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • pfxBlob - (Optional) The base64-encoded contents of the certificate. Changing this forces a new resource to be created.

-> NOTE: Either pfxBlob or keyVaultSecretId must be set - but not both.

  • password - (Optional) The password to access the certificate's private key. Changing this forces a new resource to be created.

  • appServicePlanId - (Optional) The ID of the associated App Service plan. Must be specified when the certificate is used inside an App Service Environment hosted App Service. Changing this forces a new resource to be created.

  • keyVaultSecretId - (Optional) The ID of the Key Vault secret. Changing this forces a new resource to be created.

-> NOTE: If using keyVaultSecretId, the WebApp Service Resource Principal ID abfa0a7c-a6b6-4736-8310-5855508787cd must have 'Secret -> get' and 'Certificate -> get' permissions on the Key Vault containing the certificate (Source: App Service Blog). If you use Terraform to create the access policy, you have to specify the Object ID of this Principal. Because the Object ID is different in every AAD Tenant, retrieve it via the following data reference:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azuread from "./.gen/providers/azuread";
/*This snippet belongs inside the constructor of a TerraformStack subclass, where `this` is the stack scope.
Generated bindings take camelCase property names.*/
new azuread.dataAzureadServicePrincipal.DataAzureadServicePrincipal(
  this,
  "MicrosoftWebApp",
  {
    /*Application ID of the WebApp Service Resource Principal named in the note above.*/
    applicationId: "abfa0a7c-a6b6-4736-8310-5855508787cd",
  }
);

  • tags - (Optional) A mapping of tags to assign to the resource.
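
The argument rules above can be checked before deployment. The following is an added example, not part of the provider documentation or the project's code: it audits the Terraform JSON that cdktf synth produces for certificates that break the pfxBlob/keyVaultSecretId rule or carry literal secrets. It assumes the synthesized JSON uses the provider's snake_case attribute names; the function names and the sample input are constructed for illustration.

```typescript
// Audit synthesized Terraform JSON for azurerm_app_service_certificate resources.
type Attrs = Record<string, unknown>;
interface Finding { resource: string; issue: string }

// A value counts as set when it is present and non-empty.
const isSet = (v: unknown): boolean => v !== undefined && v !== null && v !== "";

// True when the value is a Terraform expression such as ${var.x}, not a literal.
const isReference = (v: unknown): boolean =>
  typeof v === "string" && /\$\{[^}]+\}/.test(v);

function auditAppServiceCertificates(synthJson: string): Finding[] {
  const doc = JSON.parse(synthJson) as {
    resource?: Record<string, Record<string, Attrs>>;
  };
  const certs = doc.resource?.["azurerm_app_service_certificate"] ?? {};
  const findings: Finding[] = [];
  for (const [resource, a] of Object.entries(certs)) {
    const hasPfx = isSet(a["pfx_blob"]);
    const hasVault = isSet(a["key_vault_secret_id"]);
    // Rule from the NOTE: exactly one certificate source.
    if (hasPfx === hasVault) {
      findings.push({ resource, issue: "set exactly one of pfx_blob or key_vault_secret_id" });
    }
    // A literal password is written in clear text to the synthesized JSON.
    if (isSet(a["password"]) && !isReference(a["password"])) {
      findings.push({ resource, issue: "literal password in synthesized config" });
    }
    // An inline base64 PFX embeds the private key material in the config.
    if (hasPfx && !isReference(a["pfx_blob"])) {
      findings.push({ resource, issue: "inline pfx_blob literal" });
    }
  }
  return findings;
}

// Constructed sample input (not real output from any project).
const SAMPLE_SYNTH = JSON.stringify({
  resource: {
    azurerm_app_service_certificate: {
      example: { name: "example-cert", password: "terraform", pfx_blob: '${filebase64("certificate.pfx")}' },
      from_vault: { name: "kv-cert", key_vault_secret_id: "${azurerm_key_vault_secret.example.id}" },
      broken: { name: "no-source-cert" },
    },
  },
});

console.log(auditAppServiceCertificates(SAMPLE_SYNTH));
```
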

Attributes Reference

The following attributes are exported:

  • id - The App Service certificate ID.

  • friendlyName - The friendly name of the certificate.

  • subjectName - The subject name of the certificate.

  • hostNames - List of host names the certificate applies to.

  • issuer - The name of the certificate issuer.

  • issueDate - The issue date for the certificate.

  • expirationDate - The expiration date for the certificate.

  • thumbprint - The thumbprint for the certificate.

  • hostingEnvironmentProfileId - The ID of the App Service Environment where the certificate is in use.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the App Service Certificate.
  • update - (Defaults to 30 minutes) Used when updating the App Service Certificate.
  • read - (Defaults to 5 minutes) Used when retrieving the App Service Certificate.
  • delete - (Defaults to 30 minutes) Used when deleting the App Service Certificate.

Import

App Service Certificates can be imported using the resource ID, e.g.

terraform import azurerm_app_service_certificate.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Web/certificates/certificate1