Using the latest Azure PowerShell SDK, but still can't seem to create Custom SSL Domains for CDNs in Azure via API Management. We have 100s of subdomains to create and need to be able to script the creation of this task for future extensibility.
Does anyone know how to toggle this flag via the REST API since the SDK has no support? We are using the New-AzureRmCdnCustomDomain commandlet.
Update: The AzureRM 6.13.0-module and the new Az-modules (including Az.Cdn) now support this using a cmdlet. See Enable-AzureCdnCustomDomain (AzureRM.Cdn) or Enable-AzCdnCustomDomain (Az.Cdn).
The REST API for enabling Custom Domain HTTPS is documented at learn.microsoft.com
Enable Custom Https
Enable https delivery of the custom domain.
POST /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Cdn/profiles/{profileName}/endpoints/{endpointName}/customDomains/{customDomainName}/enableCustomHttps?api-version=2017-10-12
Before you can use the Azure REST API you need to get an access token:
Generating access token using PowerShell:
$Token = Invoke-RestMethod -Uri "https://login.microsoftonline.com/<TenantID>/oauth2/token?api-version=1.0" -Method Post -Body @{
    "grant_type" = "client_credentials"
    "resource" = "https://management.core.windows.net/"
    "client_id" = "<application id>"
    "client_secret" = "<password you selected for authentication>"
}
The response contains an access token, information about how long that token is valid, and information about what resource you can use that token for. The access token you received in the previous HTTP call must be passed in for all requests to the Resource Manager API. You pass it as a header value named "Authorization" with the value "Bearer YOUR_ACCESS_TOKEN". Notice the space between "Bearer" and your access token.
Client ID is retrieved by creating an app registration in Azure AD and the clientkey is generated in the Keys-section of the created app registration. This can be combined into a solution like this:
$subscriptionId = "..."
$resourceGroupName = "..."
$profileName = "..."
$endpointName = "..."
$customDomainName = ".."
# Request a token for the app registration (client credentials grant)
$Token = Invoke-RestMethod -Uri "https://login.microsoftonline.com/<TenantID>/oauth2/token?api-version=1.0" -Method Post -Body @{
    "grant_type" = "client_credentials"
    "resource" = "https://management.core.windows.net/"
    "client_id" = "<application id>"
    "client_secret" = "<password you selected for authentication>"
}
# Pass the token as a Bearer value in the Authorization header
$header = @{
    "Authorization" = "Bearer $($Token.access_token)"
}
Invoke-RestMethod -Method Post -Headers $header -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Cdn/profiles/$profileName/endpoints/$endpointName/customDomains/$customDomainName/enableCustomHttps?api-version=2016-10-02"
If you don't need to automate the script, you can log in manually using the GUI (no need for app-registration) using this modified sample (based on Source). It requires the AzureRM-module, which can be installed using Install-Module AzureRM:
Function Login-AzureRESTApi {
    Import-Module AzureRM.Profile
    # Load ADAL Azure AD Authentication Library Assemblies
    $modulepath = Split-Path (Get-Module -Name AzureRM.Profile).Path
    $adal = "$modulepath\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
    $adalforms = "$modulepath\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll"
    $null = [System.Reflection.Assembly]::LoadFrom($adal)
    $null = [System.Reflection.Assembly]::LoadFrom($adalforms)
    # Login to Azure
    $Env = Login-AzureRmAccount
    # Select Subscription
    $Subscription = (Get-AzureRmSubscription | Out-GridView -Title "Choose a subscription ..." -PassThru)
    $adTenant = $Subscription.TenantId
    $global:SubscriptionID = $Subscription.SubscriptionId
    # Client ID for Azure PowerShell
    $clientId = "1950a258-227b-4e31-a9cf-717495945fc2"
    # Set redirect URI for Azure PowerShell
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    # Set Resource URI to Azure Service Management API | @marckean
    $resourceAppIdURIASM = "https://management.core.windows.net/"
    $resourceAppIdURIARM = "https://management.azure.com/"
    # Set Authority to Azure AD Tenant
    $authority = "https://login.windows.net/$adTenant"
    # Create Authentication Context tied to Azure AD Tenant
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    # Acquire token
    $global:authResultASM = $authContext.AcquireToken($resourceAppIdURIASM, $clientId, $redirectUri, "Auto")
    $global:authResultARM = $authContext.AcquireToken($resourceAppIdURIARM, $clientId, $redirectUri, "Auto")
}
$resourceGroupName = "..."
$profileName = "..."
$endpointName = "..."
$customDomainName = ".."
Login-AzureRESTApi
# Reuse selected subscription from login (the request URI below uses $subscriptionId)
$subscriptionId = $global:SubscriptionID
$header = @{
    "Authorization" = $global:authResultARM.CreateAuthorizationHeader()
}
Invoke-RestMethod -Method Post -Headers $header -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Cdn/profiles/$profileName/endpoints/$endpointName/customDomains/$customDomainName/enableCustomHttps?api-version=2017-10-12"
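Added example, not part of the original answer: the same enableCustomHttps call applied to the "100s of subdomains" case from the question, with the client secret taken from the environment instead of being written into the script. The function names Get-ArmToken and Enable-CustomDomainHttps, the AZ_TENANT_ID / AZ_CLIENT_ID / AZ_CLIENT_SECRET environment variables and the domains.txt and CSV file names are assumptions made for this illustration.

```powershell
# Added example: bulk-enable HTTPS for many custom domains of one CDN endpoint.
# Assumed inputs (not from the original post): environment variables
# AZ_TENANT_ID, AZ_CLIENT_ID, AZ_CLIENT_SECRET and the file domains.txt.
$subscriptionId    = "..."
$resourceGroupName = "..."
$profileName       = "..."
$endpointName      = "..."
$apiVersion        = "2017-10-12"

function Get-ArmToken {
    # Same client-credentials request as in the answer; the secret is read
    # from the environment so it never lands in the script or in source control.
    $body = @{
        grant_type    = "client_credentials"
        resource      = "https://management.core.windows.net/"
        client_id     = $env:AZ_CLIENT_ID
        client_secret = $env:AZ_CLIENT_SECRET
    }
    $uri = "https://login.microsoftonline.com/$($env:AZ_TENANT_ID)/oauth2/token?api-version=1.0"
    (Invoke-RestMethod -Uri $uri -Method Post -Body $body).access_token
}

function Enable-CustomDomainHttps {
    param([string[]]$CustomDomainName, [string]$AccessToken)
    $header = @{ Authorization = "Bearer $AccessToken" }
    $base = "https://management.azure.com/subscriptions/$subscriptionId" +
            "/resourceGroups/$resourceGroupName/providers/Microsoft.Cdn" +
            "/profiles/$profileName/endpoints/$endpointName/customDomains"
    foreach ($name in $CustomDomainName) {
        # Escape the name so a malformed line in the input cannot alter the URI path.
        $uri = "$base/$([uri]::EscapeDataString($name))/enableCustomHttps?api-version=$apiVersion"
        try {
            $null = Invoke-RestMethod -Method Post -Headers $header -Uri $uri
            [pscustomobject]@{ CustomDomain = $name; Result = "Accepted"; Error = $null }
        }
        catch {
            # Record the failure and continue with the remaining domains.
            [pscustomobject]@{ CustomDomain = $name; Result = "Failed"; Error = $_.Exception.Message }
        }
    }
}

# domains.txt: one custom domain resource name per line (constructed input).
$names   = Get-Content -Path .\domains.txt | Where-Object { $_.Trim() }
$results = Enable-CustomDomainHttps -CustomDomainName $names -AccessToken (Get-ArmToken)
$results | Export-Csv -Path .\enable-https-results.csv -NoTypeInformation
$results | Where-Object Result -eq "Failed" | Format-Table -AutoSize
```

The CSV keeps a per-domain record of which requests were accepted, so failed names can be retried without re-submitting the whole list.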