azurermAppServiceManagedCertificate

This certificate can be used to secure custom domains on App Services (Windows and Linux) hosted on an App Service Plan of Basic and above (free and shared tiers are not supported).

NOTE: A certificate is valid for six months, and about a month before the certificate’s expiration date, App Services renews/rotates the certificate. This is managed by Azure and doesn't require this resource to be changed or reprovisioned. It will change the thumbprint computed attribute the next time the resource is refreshed after rotation occurs, so keep that in mind if you have any dependencies on this attribute directly.
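The rotation behaviour in the note above can be checked against refreshed state so that a changed thumbprint or a missed renewal is caught before a dependent system fails. The TypeScript below is an added example, not part of the provider or its documentation: `classifyCertificate`, the `pins` map, the 30-day window and the 14-day alert margin are assumptions, and the sample thumbprints and dates are constructed.

```typescript
// Added example; every name below is hypothetical and not part of the azurerm provider.
// Assumes issueDate / expirationDate are ISO 8601 strings as read from refreshed state.
interface CertSnapshot { thumbprint: string; issueDate: string; expirationDate: string }
type CertStatus = "ok" | "rotated" | "renewal-window" | "renewal-overdue" | "expired";

const DAY_MS = 24 * 60 * 60 * 1000;
const RENEWAL_WINDOW_DAYS = 30; // "about a month" on the page; 30 days is an assumption
const OVERDUE_DAYS = 14; // hypothetical alert margin: unrenewed this late needs a human

// Thumbprints are hex digests; compare them without case or separator noise.
function normalize(thumbprint: string): string {
  return thumbprint.replace(/[^0-9a-fA-F]/g, "").toUpperCase();
}

// previous: snapshot recorded at the last refresh (undefined on the first run).
// pins: consumer name -> thumbprint that consumer has copied into its own config.
function classifyCertificate(
  previous: CertSnapshot | undefined,
  current: CertSnapshot,
  pins: { [consumer: string]: string },
  now: Date
): { status: CertStatus; daysLeft: number; stalePins: string[] } {
  const expiry = Date.parse(current.expirationDate);
  if (isNaN(expiry)) throw new Error("unparseable expirationDate: " + current.expirationDate);
  const daysLeft = Math.floor((expiry - now.getTime()) / DAY_MS);
  const currentTp = normalize(current.thumbprint);
  // Any consumer holding a different thumbprint no longer matches the live certificate.
  const stalePins = Object.keys(pins).filter((c) => normalize(pins[c] || "") !== currentTp).sort();
  let status: CertStatus = "ok";
  if (daysLeft < 0) status = "expired";
  else if (previous && normalize(previous.thumbprint) !== currentTp) status = "rotated";
  else if (daysLeft <= OVERDUE_DAYS) status = "renewal-overdue";
  else if (daysLeft <= RENEWAL_WINDOW_DAYS) status = "renewal-window";
  return { status, daysLeft, stalePins };
}

// Constructed sample data (not real certificates).
const beforeRotation: CertSnapshot = {
  thumbprint: "A1B2C3D4E5F6071829304A5B6C7D8E9F00112233",
  issueDate: "2024-01-10T00:00:00Z",
  expirationDate: "2024-07-10T00:00:00Z",
};
const afterRotation: CertSnapshot = {
  thumbprint: "0F1E2D3C4B5A69788796A5B4C3D2E1F000AABBCC",
  issueDate: "2024-06-12T00:00:00Z",
  expirationDate: "2024-12-12T00:00:00Z",
};
const samplePins: { [consumer: string]: string } = { "edge-proxy": beforeRotation.thumbprint.toLowerCase(), "api-client": afterRotation.thumbprint };
console.log(classifyCertificate(beforeRotation, afterRotation, samplePins, new Date("2024-06-20T00:00:00Z")));
```

A `renewal-overdue` result means the thumbprint has not changed although the certificate is well inside the renewal period, which is the case to investigate rather than wait out.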

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const dataAzurermDnsZoneExample =
  new azurerm.dataAzurermDnsZone.DataAzurermDnsZone(this, "example_1", {
    name: "mydomain.com",
    resource_group_name: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzurermDnsZoneExample.overrideLogicalId("example");
const azurermAppServicePlanExample = new azurerm.appServicePlan.AppServicePlan(
  this,
  "example_2",
  {
    kind: "Linux",
    location: azurermResourceGroupExample.location,
    name: "example-plan",
    reserved: true,
    resource_group_name: azurermResourceGroupExample.name,
    sku: [
      {
        size: "B1",
        tier: "Basic",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServicePlanExample.overrideLogicalId("example");
const azurermAppServiceExample = new azurerm.appService.AppService(
  this,
  "example_3",
  {
    app_service_plan_id: azurermAppServicePlanExample.id,
    location: azurermResourceGroupExample.location,
    name: "example-app",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceExample.overrideLogicalId("example");
const azurermDnsCnameRecordExample = new azurerm.dnsCnameRecord.DnsCnameRecord(
  this,
  "example_4",
  {
    name: "example-adcr",
    record: azurermAppServiceExample.defaultSiteHostname,
    resource_group_name: dataAzurermDnsZoneExample.resourceGroupName,
    ttl: 300,
    zone_name: dataAzurermDnsZoneExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermDnsCnameRecordExample.overrideLogicalId("example");
const azurermDnsTxtRecordExample = new azurerm.dnsTxtRecord.DnsTxtRecord(
  this,
  "example_5",
  {
    name: "asuid.mycustomhost.contoso.com",
    record: [
      {
        value: azurermAppServiceExample.customDomainVerificationId,
      },
    ],
    resource_group_name: dataAzurermDnsZoneExample.resourceGroupName,
    ttl: 300,
    zone_name: dataAzurermDnsZoneExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermDnsTxtRecordExample.overrideLogicalId("example");
const azurermAppServiceCustomHostnameBindingExample =
  new azurerm.appServiceCustomHostnameBinding.AppServiceCustomHostnameBinding(
    this,
    "example_6",
    {
      app_service_name: azurermAppServiceExample.name,
      hostname: `\${join(".", [${azurermDnsCnameRecordExample.name}, ${azurermDnsCnameRecordExample.zoneName}])}`,
      resource_group_name: azurermResourceGroupExample.name,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceCustomHostnameBindingExample.overrideLogicalId("example");
const azurermAppServiceManagedCertificateExample =
  new azurerm.appServiceManagedCertificate.AppServiceManagedCertificate(
    this,
    "example_7",
    {
      custom_hostname_binding_id:
        azurermAppServiceCustomHostnameBindingExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceManagedCertificateExample.overrideLogicalId("example");
const azurermAppServiceCertificateBindingExample =
  new azurerm.appServiceCertificateBinding.AppServiceCertificateBinding(
    this,
    "example_8",
    {
      certificate_id: azurermAppServiceManagedCertificateExample.id,
      hostname_binding_id: azurermAppServiceCustomHostnameBindingExample.id,
      ssl_state: "SniEnabled",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceCertificateBindingExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • customHostnameBindingId - (Required) The ID of the App Service Custom Hostname Binding for the Certificate. Changing this forces a new App Service Managed Certificate to be created.

  • tags - (Optional) A mapping of tags which should be assigned to the App Service Managed Certificate.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the App Service Managed Certificate.

  • canonicalName - The Canonical Name of the Certificate.

  • expirationDate - The expiration date of the Certificate.

  • friendlyName - The friendly name of the Certificate.

  • hostNames - The list of Host Names for the Certificate.

  • issueDate - The Start date for the Certificate.

  • issuer - The issuer of the Certificate.

  • subjectName - The Subject Name for the Certificate.

  • thumbprint - The Certificate Thumbprint.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the App Service Managed Certificate.

  • read - (Defaults to 5 minutes) Used when retrieving the App Service Managed Certificate.

  • update - (Defaults to 30 minutes) Used when updating the App Service Managed Certificate.

  • delete - (Defaults to 30 minutes) Used when deleting the App Service Managed Certificate.

Import

App Service Managed Certificates can be imported using the resourceId, e.g.

terraform import azurerm_app_service_managed_certificate.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resGroup1/providers/Microsoft.Web/certificates/customhost.contoso.com