Creating a Microsoft.KeyVault/vaults/certificates

[jsburckhardt]

Bicep version
Bicep CLI version 0.14.85 (f4a4d48)

Describe the bug
I'm trying to create a certificate. Basically, az keyvault certificate create -n certificatetosign --vault-name vaultname -p @policy.json . I can see TF has an endpoint in the Azure Provider link

To Reproduce
Steps to reproduce the behavior:

1. create a kv and try creating a certificate

param keyVaultName string = 'kv-${uniqueString(resourceGroup().id)}'
param certificateName string = 'cert-${uniqueString(resourceGroup().id)}'
param issuerName string = 'Self'
param subjectName string = 'CN=contoso.com'

resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: keyVaultName
  location: resourceGroup().location
  properties: {
    sku: {
      name: 'standard'
      family: 'A'
    }
    tenantId: subscription().tenantId
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: 'f520d84c-3fd3-4cc8-88d4-2ed25b00d27a'
        permissions: {
          keys: [
            'get'
            'create'
            'delete'
            'list'
            'update'
            'import'
            'backup'
            'restore'
            'recover'
            'purge'
          ]
          secrets: [
            'get'
            'list'
            'set'
            'delete'
            'backup'
            'restore'
            'recover'
            'purge'
          ]
          certificates: [
            'get'
            'list'
            'delete'
            'create'
            'import'
            'update'
            'managecontacts'
            'manageissuers'
            'getissuers'
            'listissuers'
            'setissuers'
            'deleteissuers'
            'purge'
            'recover'
          ]
        }
      }
    ]
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enableRbacAuthorization: false
    networkAcls: {
      defaultAction: 'Allow'
      bypass: 'AzureServices'
    }
  }
}

resource certificate 'Microsoft.KeyVault/vaults/certificates@2021-06-01-preview' = {
  name: '${keyVault.name}/${certificateName}'
  properties: {
    certificatePolicy: {
      issuerParameters: {
        name: 'Self'
        certificateTransparency: null
      }
      x509CertificateProperties: {
        subject: 'CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US'
        validityInMonths: 60
        enhancedKeyUsage: [ 'ServerAuthentication' ]
        keyUsage: [ 'digitalSignature' ]
        ekus: [ '1.3.6.1.5.5.7.3.3' ]
      }
    }
  }
}

[brwilkinson]

These api's are not published at this time... via ARM... You can only access via REST enpoints etc.

TF, az cli, powershell.

https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/allversions

• certificates are missing in the api specs here.

We have this open issue for this:

• Resource Type to get existing certificates from Microsoft.KeyVault is missing #7354

in the meantime I use deployment scripts executed from Bicep... only downside is that i cannot enable my keyvault firewall because of this.

Example of requesting the cert ..

https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/SFM-Cluster.bicep#L78

module createCertswithRotation 'x.newCertificatewithRotation.ps1.bicep' = { // if( Global.DomainNameExt != 'psthing.com') {
  name: toLower('dp-createCert-${sfmname}')
  params: {
    userAssignedIdentityName: UAICert.name
    CertName: sfmname
    Force: false
    SubjectName: 'CN=${commonName}'
    VaultName: KV.name
    DnsNames: union(array(commonName), array(friendlyName), array(fullName), array(shortName))
  }
}

The module to call the deployment script.

• https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/x.newCertificatewithRotation.ps1.bicep

The PowerShell used in the deployment script.

• https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/loadTextContext/newCertificatewithRotation.ps1

• I feel like that even though the api specs are not published, we should be able to call the endpoint... i can't remember if i spent much time trying this. However, I have used this current process extensively with a good amount of success.

[brwilkinson]

Hi @jsburckhardt did you need some further guidance on this one? We have the open issue for the keyvault team, however have to use the workaround until they decide to implement.

[sebs]

can we bribe the team to expedite this one? ;) I'll send cookies!

[verschaevesiebe]

Bump