Automate certificate creation during deployment

[khaliddermoumi]

Hi,
first, thank you for the great solution.

Here is my issue:
When deploying resources, such as app gw, an existing certificate in a key vault is needed. Now after you deploy keyvault-acmebot (f. e. using the tf module), how can you create the certificate right away, and retrieve it later in the same automation when deploying the resource which requires the certificate?
(if available, a code sample would be great)
Thanks! :)

[azsft]

Hello, I solved this solution by add CertificatePolicy collection to options and create time triggered function, which reads pre-configured certificates from options and issue unissued ones.

[FunctionName($"{nameof(AddConfiguredCertificates)}_{nameof(Orchestrator)}")]
    public async Task Orchestrator([OrchestrationTrigger] IDurableOrchestrationContext context, ILogger log)
    {
        var activity = context.CreateActivityProxy<ISharedActivity>();

        var certificates = await activity.GetAllCertificates();
        var configuredPolicies = _options.CertificatePolicies;

        var unissuedCertificates = configuredPolicies
            .Where(policy => !certificates.Any(cert => cert.Name.Equals(policy.CertificateName, StringComparison.InvariantCultureIgnoreCase)))
            .ToList();

        if (unissuedCertificates.Count() == 0)
        {
            log.LogInformation("No unissued configured certificates.");

            ....... 

I configure function via bicep template, during deployment. Disadvantage is, certificate is not created right away after deployment.

Another option is to call api from your pipeline

[khaliddermoumi]

Yes thanks, I also considered using the api ... anybody done this before?
(BTW: would be nice to have this as a built-in feature, I am sure this "creation during deployment" is a common use case)

[scastellanosnqn]

Have you got some advance on that ? I'll love to create certificates from my new-app pipeline via API. I personally don't have a clue about how to make authentication happen. Do you have some idea ?

[a-priestley]

I can use terraform to pull down a certificate using vancluever/acme and store it in the same keyvault that acmebot will use. You still need to manually have acmebot manage the certificate, by clicking "renew" in the web portal though.
If there is a way to automate management of existing certs, it would be a good workaround for this problem. I imagine you can do it using the API, but I haven't figured that out yet.