Make it possible to deploy WebApp using custom domain and App Service managed certificate in one deployment
Currently it is not possible to provision a new Microsoft.Web/sites resource with a custom domain and an App Service managed certificate in one deployment operation. This is because of a cyclic dependency between the Microsoft.Web/sites/hostNameBindings and Microsoft.Web/certificates resources. This is confusing and inconvenient.
The sequence of operations ARM needs to perform is as follows:
1. Create Microsoft.Web/sites/hostNameBindings (without binding an SSL certificate, because it does not exist yet) to link the custom domain name to the Web App.
2. Create the Microsoft.Web/certificates resource to issue a managed certificate for the custom domain (this requires the custom domain to be linked already).
3. Update the existing Microsoft.Web/sites/hostNameBindings with the newly issued certificate.
Unfortunately ARM does not allow performing two independent operations on the same resource in one deployment, so it either requires two deployments or the use of a nested template as described in this blog post: https://dotnetdevlife.wordpress.com/2019/11/12/arm-app-service-managed-certificate/. Both approaches are less than optimal.
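The nested-template workaround for the three steps above, written out as an added example (not code from the original post or from the linked blog). It assumes the Microsoft.Web/sites resource named by siteName already exists or is declared elsewhere in the same template (add a dependsOn on it in step 1 if so), that the resource group, plan and site share a location, and that the parameter names siteName, hostName and serverFarmId are ours; the nested deployment uses the default outer expression scope, so the parent's parameters and reference() are available inside it.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "siteName": { "type": "string" }, "hostName": { "type": "string" }, "serverFarmId": { "type": "string" } },
  "resources": [
    {
      // step 1: bind the custom domain without TLS; the managed certificate does not exist yet
      "type": "Microsoft.Web/sites/hostNameBindings",
      "apiVersion": "2022-03-01",
      "name": "[concat(parameters('siteName'), '/', parameters('hostName'))]",
      "properties": { "sslState": "Disabled" }
    },
    {
      // step 2: issue the App Service managed certificate; requires the binding from step 1 (assumed site/plan location = resource group location)
      "type": "Microsoft.Web/certificates",
      "apiVersion": "2022-03-01",
      "name": "[parameters('hostName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Web/sites/hostNameBindings', parameters('siteName'), parameters('hostName'))]" ],
      "properties": { "canonicalName": "[parameters('hostName')]", "serverFarmId": "[parameters('serverFarmId')]" }
    },
    {
      // step 3: nested deployment so the same binding can be updated a second time, now with the certificate thumbprint
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "bindManagedCertificate",
      "dependsOn": [ "[resourceId('Microsoft.Web/certificates', parameters('hostName'))]" ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [ {
            "type": "Microsoft.Web/sites/hostNameBindings",
            "apiVersion": "2022-03-01",
            "name": "[concat(parameters('siteName'), '/', parameters('hostName'))]",
            "properties": {
              "sslState": "SniEnabled",
              "thumbprint": "[reference(resourceId('Microsoft.Web/certificates', parameters('hostName')), '2022-03-01').thumbprint]"
            }
          } ]
        }
      }
    }
  ]
}
```

The // comments are accepted by ARM template deployments but are not plain JSON; strip them if another tool parses the file.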
One way to break the loop would be to verify domain ownership only, without verifying that the domain is linked to the specific Web App, or not to verify the domain at all. This should provide comparable security, because nobody would be able to bind the issued certificate without verifying the custom domain anyway (i.e. it is not possible to create Microsoft.Web/sites/hostNameBindings without verifying the domain). On the other hand it would break the loop and allow deploying a Web App with a custom domain and managed certificate in one deployment:
1. Create the Microsoft.Web/certificates resource to issue a managed certificate for the custom domain.
2. Create Microsoft.Web/sites/hostNameBindings to link the custom domain name to the Web App using the managed certificate issued earlier.