
I need a mechanism to download a .pfx certificate from Keyvault and to then upload it to an Azure Container Environment, all via Bicep. This will minimise any manual intervention when the certificate is updated.

I am currently adding a certificate to my Azure Container Environment using the base64 encoded value I manually converted using powershell. As follows:

resource certificate 'Microsoft.App/managedEnvironments/certificates@2022-06-01-preview' = {
  parent: env
  location: location
  name: 'ta-cert'
  properties: {
    password: certificatePassword
    value: '<base64>'
  }
}

What I would like to try and achieve is to download the pfx file from Keyvault and convert to base64 (maybe by using a powershell command embedded in bicep) all within the Bicep file, which can then be used in the code above.

If anyone has done this before, I would be really grateful to see the implementation.

Thomas
Amay

1 Answer


If your certificate is stored as a certificate in key vault, it is already base64 encoded and accessible as a key vault secret (see Composition of a Certificate).

You can use the bicep getSecret function to pass the certificate to the container app environment:

containerapp-env-certificate.bicep module:

param containerAppEnvName string
param location string = resourceGroup().location
param certificateName string

@secure()
param certificateValue string

resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-03-01' existing = {
  name: containerAppEnvName
}

resource certificate 'Microsoft.App/managedEnvironments/certificates@2022-06-01-preview' = {
  parent: containerAppEnv
  location: location
  name: certificateName
  properties: {
    // Don't need password here
    value: certificateValue
  }
}

From your main.bicep template, you can invoke it like this:

param containerAppEnvName string
param location string = resourceGroup().location

param keyVaultName string
param keyVaultCertificateName string

// Get a reference to key vault
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

module certificate 'containerapp-env-certificate.bicep' = {
  name: 'containerapp-env-certificate'
  params: {
    containerAppEnvName: containerAppEnvName
    certificateName: 'ta-cert'
    location: location
    // Get the certificate as a base64 secret
    certificateValue: keyVault.getSecret(keyVaultCertificateName)
  }
}
Thomas
  • Thomas this is a superb answer!! I don't know why I didn't even consider this - simple and elegant. Thank you!! – Amay Nov 15 '22 at 15:54
  • Feel free to accept the answer if that's good for you :-) – Thomas Nov 21 '22 at 18:40
  • Sorry I thought I had, should be done now. Thank you! – Amay Nov 22 '22 at 21:16
  • To allow the keyvault to be accessed by Bicep I had to run `az keyvault update --name --enabled-for-template-deployment true` – Mitch Feb 06 '23 at 02:52
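As an added example (not code from the question, the answer, or any Azure sample), here is a main.bicep that ties the answer together with the point raised in the last comment: `getSecret()` only works when the vault has `enabledForTemplateDeployment` set and the principal running the deployment holds `Microsoft.KeyVault/vaults/deploy/action` on the vault. The vault is declared as a resource with that property set, and the certificate is then passed to the answer's `containerapp-env-certificate.bicep` module. Parameter names and the `enableRbacAuthorization` choice are assumptions; the certificate must already exist in the vault before this template runs.

```bicep
// Added example, not from the original question or answer.
// Assumes the module file containerapp-env-certificate.bicep from the answer
// sits next to this file.
param location string = resourceGroup().location
param keyVaultName string
param keyVaultCertificateName string
param containerAppEnvName string

// Declaring the vault (rather than 'existing') lets the template enforce the
// setting that Resource Manager needs in order to read the secret at deploy time.
// Redeploying an existing vault this way is safe in RBAC mode; in access-policy
// mode you would also have to restate its accessPolicies here.
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // Same effect as: az keyvault update --name <vault> --enabled-for-template-deployment true
    // Without this, getSecret() fails even if the deploying identity can read the secret.
    enabledForTemplateDeployment: true
    // Assumed: RBAC data-plane authorization instead of access policies.
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}

// The certificate's secret is base64 PFX already (see the answer), so no
// PowerShell conversion step is needed. getSecret() may only be used to feed a
// @secure() module parameter; the value never lands in deployment outputs or logs.
module certificate 'containerapp-env-certificate.bicep' = {
  name: 'containerapp-env-certificate'
  params: {
    containerAppEnvName: containerAppEnvName
    certificateName: 'ta-cert'
    location: location
    certificateValue: keyVault.getSecret(keyVaultCertificateName)
  }
}
```

Because `getSecret()` is resolved at deployment time without a pinned version, redeploying this template after the certificate has been renewed in Key Vault picks up the new PFX automatically, which is the manual step the question wanted to remove. Bicep also accepts an optional second argument, `getSecret(secretName, secretVersion)`, if you prefer to pin a specific version for change control.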