
shibayan / terraform-azurerm-keyvault-acmebot


Terraform Module for Key Vault Acmebot

License: Apache License 2.0

HCL 100.00%
terraform terraform-module azure azure-key-vault letsencrypt acme-v2

terraform-azurerm-keyvault-acmebot's Introduction

Key Vault Acmebot Terraform module


Usage

module "keyvault_acmebot" {
  source  = "shibayan/keyvault-acmebot/azurerm"
  version = "~> 3.0"

  app_base_name         = "acmebot-module"
  resource_group_name   = azurerm_resource_group.default.name
  location              = azurerm_resource_group.default.location
  mail_address          = "YOUR-EMAIL-ADDRESS"
  vault_uri             = azurerm_key_vault.default.vault_uri

  azure_dns = {
    subscription_id = data.azurerm_client_config.current.subscription_id
  }
}

License

This project is licensed under the Apache License 2.0

terraform-azurerm-keyvault-acmebot's People

Contributors

andreasthuen, cpressland, davidkarlsen, dsakura207, durandguru, georgegil, markercm, mirrorofstripes, olsenius, rudolphjacksonm, shibayan, vikas027


terraform-azurerm-keyvault-acmebot's Issues

CloudFlare DNS

I noticed that deploying Azure Key Vault Acmebot with Terraform has a bug with the Cloudflare DNS provider: it didn't display anything in the DNS zone. I already restarted the function app after adding the configuration for Cloudflare. It only happens when I deploy this with Terraform; using the ARM template, all is good.


and I got this issue as well (Your app is pinned to an unsupported runtime version for 'dotnet'. For better performance, we recommend using one of our supported versions instead: ~3.)


Deprecated Resource

I get the following warning (Terraform 1.2.8 / AzureRM 3.21.0):

Warning: Deprecated Resource

│ with module.keyvault_acmebot.azurerm_app_service_plan.serverfarm,
│ on .terraform\modules\keyvault_acmebot\main.tf line 13, in resource "azurerm_app_service_plan" "serverfarm":
│ 13: resource "azurerm_app_service_plan" "serverfarm" {

│ The azurerm_app_service_plan resource has been superseded by the azurerm_service_plan resource. Whilst this resource will continue to be available in the 2.x and 3.x
│ releases it is feature-frozen for compatibility purposes, will no longer receive any updates and will be removed in a future major release of the Azure Provider.
(and 2 more similar warnings elsewhere)

Azure Error for empty Acmebot:Webhook

Hi,

I have used this Terraform module and it's all good. This might be related to #15, closed previously.

It seems like Azure will verify whether the default Acmebot:Webhook is a valid convention, so setting it to a default "" empty string might cause the function app to stop working after a while.

I am getting this error from the function app after some time.

Microsoft.Extensions.Options: DataAnnotations validation failed for members: 'Webhook' with the error: 'The Webhook field is not a valid fully-qualified http, https, or ftp URL.'.

Perhaps we should set var.webhook_url as a mandatory variable?
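
An optional webhook variable that never writes an empty Acmebot:Webhook setting, shown as an added example (it is not the module's own code). The variable and local names and the sample setting are assumptions, and the check accepts only http(s), which is narrower than the runtime validator quoted above.

```hcl
# Added example: optional webhook URL that is omitted when unset.
# Variable and local names are assumptions, not the module's published interface.
variable "webhook_url" {
  type        = string
  description = "Optional URL written to the Acmebot:Webhook app setting."
  default     = null # null, not "", so nothing is written when the caller sets nothing

  validation {
    # Reject "" and anything that is not an absolute http(s) URL at plan time,
    # instead of letting the function app fail options validation at runtime.
    condition     = var.webhook_url == null || can(regex("^https?://[^\\s/]+", var.webhook_url))
    error_message = "The webhook_url value must be null or a fully-qualified http(s) URL."
  }
}

locals {
  # Empty map when unset, so merge() adds no Acmebot:Webhook key at all.
  webhook = var.webhook_url != null ? {
    "Acmebot:Webhook" = var.webhook_url
  } : {}

  # Stand-in for the module's other setting maps (constructed sample value).
  common = {
    "Example:Setting" = "constructed-value"
  }

  acmebot_app_settings = merge(local.common, local.webhook)
}

# Lets `terraform plan` show whether the key is present for a given input.
output "acmebot_app_settings" {
  value = local.acmebot_app_settings
}
```

With `webhook_url` unset the output contains only the stand-in key; with `webhook_url = ""` the plan fails on the validation rule instead of deploying a setting the app later rejects.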

expected dotnet_version to be one of [v3.0 v4.0 v6.0 v7.0], got 6

It looks like a recent change in AzureRM Provider v3.39.0 changed the requirements for the dotnet_version

│ Error: expected site_config.0.application_stack.0.dotnet_version to be one of [v3.0 v4.0 v6.0 v7.0], got 6
│ 
│   with module.uksouth_frontdoor.module.keyvault_acmebot.azurerm_windows_function_app.function,
│   on .terraform/modules/uksouth_frontdoor.keyvault_acmebot/main.tf line 98, in resource "azurerm_windows_function_app" "function":
│   98:       dotnet_version = "6"

I'll open a Pull Request to change this to "v6.0" but obviously that may break users of older providers.

Terraform wants to remove Acme:Webhook app setting

As the Acme:Webhook setting isn't defined in Terraform, Terraform keeps proposing to remove it. The simplest way around this would be to include this as a variable in the module so that it can be passed in by the end-user.

# variables.tf
# ...
variable "webhook_url" {
  type        = string
  description = "Certification authority ACME Endpoint."
  default     = ""
}
# ...
locals {
  # With the "" default above, this condition is always true unless the caller passes null
  webhook_url = var.webhook_url != null ? {
    "Acmebot:Webhook" = var.webhook_url
  } : {}
  # ...
  acmebot_app_settings = merge(
    local.common,
    local.external_account_binding,
    local.azure_dns,
    local.cloudflare,
    local.custom_dns,
    local.dns_made_easy,
    local.go_daddy,
    local.google_dns,
    local.gratis_dns,
    local.trans_ip,
    local.webhook_url, # include new local here
  )
}

# Calling the module
module "keyvault_acmebot" {
  source = "shibayan/keyvault-acmebot/azurerm"

  function_app_name     = "${var.app_name}-${var.environment}-acmebot"
  allowed_ip_addresses  = var.acmebot_allowed_ips
  app_service_plan_name = "${var.app_name}-${var.environment}-acmebot"
  storage_account_name  = "${var.environment}acmebot"
  app_insights_name     = "${var.app_name}-${var.environment}-insights"
  resource_group_name   = azurerm_resource_group.common_rg.name
  location              = azurerm_resource_group.common_rg.location
  mail_address          = data.azurerm_key_vault_secret.ops_slack_email.value
  webhook_url           = var.webhook_url
  vault_uri             = data.azurerm_key_vault.appkv.vault_uri

  azure_dns = {
    subscription_id = data.azurerm_client_config.current.subscription_id
  }

  # Terraform does not accept a lifecycle block inside a module block,
  # so the original block is kept here commented out.
  # lifecycle {
  #   ignore_changes = [
  #     module.keyvault_acmebot.azurerm_function_app.function.app_settings
  #   ]
  # }
}

Add definition for authentication on function app

To enable authentication after deployment through terraform you have to manually enable the authentication on the function app or fork this module and add it yourself.
It is possible to add an auth_settings block on the function app as described in Function App Argument Reference.
From my point of view this would be a nice feature which I would implement either here as PR or as a fork, any comments?

Tag management

Hi there, I have used keyvault-acmebot for a few years. It's such a nice solution!
Great thanks.

BTW, yesterday I deployed new resources using this module.
After that, Terraform always shows a difference in tags,
because my Azure environment has an Azure Policy about tags. It automatically adds tags inherited from the resource group.

How should we manage tags?
I hope for one of the options below.

  • Add tags as parameter
  • ignore tags

Add Tags variable

Can you add a tags variable parameter so that the resources created by the module can have the tags automatically applied?

How to create authentication (enterprise application) in terraform

Hi,

I really like this project. I am working in Terraform. I just want to add the function app authentication part to Terraform as well, because if I add authentication after the deployment, Terraform will recognize a difference and reset the function app.

In the code I saw that it is possible to add an auth_settings block.
Can you provide an example on how I create such an Enterprise application and which auth_settings to set?

BTW I am using regular Microsoft authentication.
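
An auth_settings block of the kind both authentication issues ask about, shown as an added example rather than code from the module. It assumes AzureRM 3.x and an existing Azure AD app registration; the resource name, the variables and the constructed app name are assumptions.

```hcl
# Added example, not the module's code. All names below are assumptions.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "service_plan_id" { type = string }
variable "storage_account_name" { type = string }
variable "aad_client_id" { type = string } # app registration's application (client) ID

variable "storage_account_access_key" {
  type      = string
  sensitive = true
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_windows_function_app" "function" {
  name                       = "func-acmebot-example" # constructed name
  resource_group_name        = var.resource_group_name
  location                   = var.location
  service_plan_id            = var.service_plan_id
  storage_account_name       = var.storage_account_name
  storage_account_access_key = var.storage_account_access_key
  https_only                 = true

  site_config {}

  auth_settings {
    enabled          = true
    default_provider = "AzureActiveDirectory"
    # Unauthenticated requests are sent to sign-in instead of reaching the app.
    unauthenticated_client_action = "RedirectToLoginPage"
    issuer                        = "https://login.microsoftonline.com/${data.azurerm_client_config.current.tenant_id}/v2.0"

    active_directory {
      # The app registration needs ID token issuance enabled and the redirect URI
      # https://<function-app-host>/.auth/login/aad/callback
      client_id = var.aad_client_id
    }
  }
}
```

Because the module creates the function app itself, a block like this has to live inside the module's resource (upstream or in a fork); declaring it in Terraform is what stops later plans from reverting authentication enabled by hand.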
