I'm experiencing incorrect behaviour with linking/importing an Azure Key Vault certificate to an Azure App Service Plan / App Service through bicep.
I provide the serverFarmId property with my App Service Plan Id:

    resource appServiceCertificate 'Microsoft.Web/certificates@2022-03-01' = {
      name: '${keyVaultName}-${keyVaultCertificateName}'
      location: location
      properties: {
        keyVaultId: keyVault.id
        keyVaultSecretName: keyVaultCertificateName
        serverFarmId: appServicePlanId // <<<< this is empty somehow
      }
    }

Azure claims the deployment went 'Ok' for 'Microsoft.Web/certificates'.
But my server farm id always ends up being empty, so the certificate is not available later on.
Although the first step succeeds, there's no certificate linked to my app service.
The second step (adding the hostNameBindings) then fails because the certificate is not found.
Cannot find Certificate with name XXX.
I've tried multiple ways to get the app service plan id. Which all return a correct and identical result. But when Azure deploys the template, the server farm id becomes empty.
I'm doing a similar approach as in the Microsoft sample and multiple online articles. So I'm quite sure, there's something wrong on my end. But I cannot figure out what.
Full module:

    param location string = resourceGroup().location
    param appServiceName string
    param appServicePlanName string
    param dnsCertificateThumbPrint string
    param dnsName string
    param keyVaultName string
    param keyVaultCertificateName string

    resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
      name: keyVaultName
    }

    resource appService 'Microsoft.Web/sites@2022-03-01' existing = {
      name: appServiceName
    }

    /*module appServicePlan 'AppServicePlan.bicep' = {
      name: appServicePlanName
      params: {
        appPlanName: appServicePlanName
      }
    }*/

    //Attempt #1 var appServicePlanId = appService.properties.serverFarmId
    //Attempt #2 var appServicePlanId = appServicePlan.outputs.aspId
    var appServicePlanId = resourceId('Microsoft.Web/serverfarms', appServicePlanName)

    resource appServiceCertificate 'Microsoft.Web/certificates@2022-03-01' = {
      name: '${keyVaultName}-${keyVaultCertificateName}'
      location: location
      properties: {
        keyVaultId: keyVault.id
        keyVaultSecretName: keyVaultCertificateName
        serverFarmId: appServicePlanId
      }
    }

    resource mainBinding 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
      name: dnsName
      parent: appService
      properties: {
        siteName: dnsName
        hostNameType: 'Verified'
        sslState: 'SniEnabled'
        thumbprint: dnsCertificateThumbPrint
      }
      dependsOn: [
        appServiceCertificate
      ]
    }

As Thomas mentioned, the solution was to revert to version '2019-08-01'
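
The module above with the certificate resource moved to the '2019-08-01' API version, as an added example that is not part of the original post. It assumes the same parameter names as the question, reads the thumbprint from the deployed certificate instead of a parameter, and adds an output (a hypothetical name, certificateServerFarmId) so an empty serverFarmId is visible in the deployment result.

```bicep
// Added example, not the poster's code. Parameter names follow the question's module.
param location string = resourceGroup().location
param appServiceName string
param appServicePlanName string
param dnsName string
param keyVaultName string
param keyVaultCertificateName string

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

resource appService 'Microsoft.Web/sites@2022-03-01' existing = {
  name: appServiceName
}

// API version reverted to 2019-08-01, the fix named in the answer.
resource appServiceCertificate 'Microsoft.Web/certificates@2019-08-01' = {
  name: '${keyVaultName}-${keyVaultCertificateName}'
  location: location
  properties: {
    keyVaultId: keyVault.id
    keyVaultSecretName: keyVaultCertificateName
    serverFarmId: resourceId('Microsoft.Web/serverfarms', appServicePlanName)
  }
}

resource mainBinding 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  parent: appService
  name: dnsName
  properties: {
    // Assumption: siteName is set to the app name here; the question passes dnsName.
    siteName: appServiceName
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    // Assumption: thumbprint taken from the certificate resource rather than a
    // separate parameter, so the binding cannot reference a certificate that
    // was not imported. This reference also creates the dependency implicitly.
    thumbprint: appServiceCertificate.properties.thumbprint
  }
}

// Check after deployment: this should equal the App Service Plan resource id, not be empty.
output certificateServerFarmId string = appServiceCertificate.properties.serverFarmId
```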