quick fixes

patelchandni · patelchandni · commit ed3032d20b01 · 2026-06-05T16:44:45.000-05:00
diff --git a/src/azure-cli/azure/cli/command_modules/appservice/custom.py b/src/azure-cli/azure/cli/command_modules/appservice/custom.py
@@ -6785,6 +6785,13 @@ def upload_ssl_cert(cmd, resource_group_name,
     # Check if this is a Flex Consumption function app
     is_flex = is_flex_functionapp(cmd.cli_ctx, resource_group_name, name)
 
+    # Validate parameter usage
+    if is_flex and slot:
+        raise ArgumentUsageError("--slot is not supported for Flex Consumption function apps. "
+                                 "Site-scoped certificates apply to the parent app.")
+    if load_to_code is not None and not is_flex:
+        raise ArgumentUsageError("--load-to-code is only supported for Flex Consumption function apps.")
+
     # For Flex Consumption apps, use the site-scoped certificates endpoint (slots not supported)
     if is_flex:
         # Build certificate envelope as dict to include loadCertificateToWebsitesSettings
@@ -6830,6 +6837,9 @@ def list_ssl_certs(cmd, resource_group_name, name=None):
     # Check if this is a Flex Consumption function app
     if name and is_flex_functionapp(cmd.cli_ctx, resource_group_name, name):
         return client.site_certificates.list(resource_group_name=resource_group_name, name=name)
+    if name:
+        raise ArgumentUsageError("--name is only supported for Flex Consumption function apps. "
+                                 "For other app types, certificates are managed at the resource group level.")
     return client.certificates.list_by_resource_group(resource_group_name)
 
 
@@ -6843,6 +6853,9 @@ def show_ssl_cert(cmd, resource_group_name, certificate_name, name=None):
             name=name,
             certificate_name=certificate_name
         )
+    if name:
+        raise ArgumentUsageError("--name is only supported for Flex Consumption function apps. "
+                                 "For other app types, certificates are managed at the resource group level.")
     return client.certificates.get(resource_group_name, certificate_name)
 
 
@@ -6861,15 +6874,30 @@ def delete_ssl_cert(cmd, resource_group_name, certificate_thumbprint, name=None)
                 )
         raise ResourceNotFoundError("Certificate for thumbprint '{}' not found".format(certificate_thumbprint))
 
+    if name:
+        raise ArgumentUsageError("--name is only supported for Flex Consumption function apps. "
+                                 "For other app types, certificates are managed at the resource group level.")
     webapp_certs = client.certificates.list_by_resource_group(resource_group_name)
     for webapp_cert in webapp_certs:
         if webapp_cert.thumbprint == certificate_thumbprint:
             return client.certificates.delete(resource_group_name, webapp_cert.name)
     raise ResourceNotFoundError("Certificate for thumbprint '{}' not found".format(certificate_thumbprint))
 
 
+def _validate_flex_ssl_params(is_flex, load_to_code, enable_using_msi, webapp, resource_group_name, name):
+    """Validate SSL import parameters for Flex Consumption apps."""
+    if load_to_code is not None and not is_flex:
+        raise ArgumentUsageError("--load-to-code is only supported for Flex Consumption function apps.")
+    if enable_using_msi is not None and not is_flex:
+        raise ArgumentUsageError("--enable-using-msi is only supported for Flex Consumption function apps.")
+    if enable_using_msi and (not webapp.identity or not webapp.identity.type):
+        raise ArgumentUsageError(
+            "--enable-using-msi requires a managed identity assigned to the function app. "
+            "Assign one with: az functionapp identity assign -g {} -n {}".format(resource_group_name, name))
+
+
 def import_ssl_cert(cmd, resource_group_name, key_vault, key_vault_certificate_name, name=None, certificate_name=None,
-                    load_to_code=None, enable_using_msi=None):  # pylint: disable=too-many-branches
+                    load_to_code=None, enable_using_msi=None):
     Certificate = cmd.get_models('Certificate')
     client = web_client_factory(cmd.cli_ctx)
 
@@ -6931,33 +6959,49 @@ def import_ssl_cert(cmd, resource_group_name, key_vault, key_vault_certificate_n
                 if asc.name == key_vault_certificate_name:
                     kv_secret_name = asc.certificates[key_vault_certificate_name].key_vault_secret_name
                     break
+        else:
+            logger.warning("Unable to check App Service Certificate orders. "
+                           "If '%s' is an App Service Certificate, the import may not resolve "
+                           "the correct Key Vault secret name.", key_vault_certificate_name)
 
     # if kv_secret_name is not populated, it is not an appservice certificate, proceed for KV certificates
     if not kv_secret_name:
         kv_secret_name = key_vault_certificate_name
 
     cert_name = certificate_name or '{}-{}-{}'.format(resource_group_name, kv_name, key_vault_certificate_name)
 
-    lnk = 'https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html'
-    lnk_msg = 'Find more details here: {}'.format(lnk)
-    if not _check_service_principal_permissions(cmd, kv_resource_group_name, kv_name, kv_subscription):
-        logger.warning('Unable to verify Key Vault permissions.')
-        logger.warning('You may need to grant Microsoft.Azure.WebSites service principal the Secret:Get permission')
-        logger.warning(lnk_msg)
+    # When using MSI, the app's managed identity accesses Key Vault, not the service principal
+    if enable_using_msi:
+        logger.warning('Using managed identity to access Key Vault. '
+                       'Ensure the app\'s managed identity has the permission on the Key Vault.')
+    else:
+        lnk = 'https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html'
+        lnk_msg = 'Find more details here: {}'.format(lnk)
+        if not _check_service_principal_permissions(cmd, kv_resource_group_name, kv_name, kv_subscription):
+            logger.warning('Unable to verify Key Vault permissions.')
+            logger.warning('You may need to grant Microsoft.Azure.WebSites service principal the Secret:Get permission')
+            logger.warning(lnk_msg)
 
     kv_cert_def = Certificate(location=location, key_vault_id=kv_id, password='',
                               key_vault_secret_name=kv_secret_name)
 
     # Check if this is a Flex Consumption function app
-    if name and is_flex_functionapp(cmd.cli_ctx, resource_group_name, name):
+    is_flex = name and is_flex_functionapp(cmd.cli_ctx, resource_group_name, name)
+
+    # Validate parameter usage
+    _validate_flex_ssl_params(is_flex, load_to_code, enable_using_msi, webapp if name else None,
+                              resource_group_name, name)
+
+    if is_flex:
         # Build certificate envelope as dict to include loadCertificateToWebsitesSettings
         # (not in SDK model yet)
         cert_envelope = {
             "location": location,
             "properties": {
                 "keyVaultId": kv_id,
                 "password": "",
-                "keyVaultSecretName": kv_secret_name
+                "keyVaultSecretName": kv_secret_name,
+                "serverFarmId": get_site_server_farm_id(webapp)
             }
         }
         if load_to_code is not None:
@@ -7007,6 +7051,11 @@ def create_managed_ssl_cert(cmd, resource_group_name, name, hostname, slot=None,
     # Check if this is a Flex Consumption function app
     is_flex = is_flex_functionapp(cmd.cli_ctx, resource_group_name, name)
 
+    # Validate parameter usage
+    if is_flex and slot:
+        raise ArgumentUsageError("--slot is not supported for Flex Consumption function apps. "
+                                 "Site-scoped certificates apply to the parent app.")
+
     # Default certificate_name to hostname if not provided
     if not certificate_name:
         certificate_name = hostname
@@ -7091,6 +7140,11 @@ def _update_ssl_binding(cmd, resource_group_name, name, certificate_thumbprint,
     # Check if this is a Flex Consumption function app
     is_flex = is_flex_functionapp(cmd.cli_ctx, resource_group_name, name)
 
+    # Validate parameter usage for Flex apps
+    if is_flex and slot:
+        raise ArgumentUsageError("--slot is not supported for Flex Consumption function apps. "
+                                 "Site-scoped certificates apply to the parent app.")
+
     found_cert = None
 
     # For Flex Consumption apps, search in site-scoped certificates
@@ -7121,6 +7175,12 @@ def _update_ssl_binding(cmd, resource_group_name, name, certificate_thumbprint,
 
     if found_cert:
         if not hostname:
+            # For Flex Consumption apps, site-scoped certificates may not populate host_names
+            # Require --hostname to be specified explicitly in this case
+            if is_flex and (not found_cert.host_names or len(found_cert.host_names) == 0):
+                raise ArgumentUsageError(
+                    "The site-scoped certificate does not have associated host names. "
+                    "Please specify the hostname explicitly using --hostname.")
             if len(found_cert.host_names) == 1 and not found_cert.host_names[0].startswith('*'):
                 return _update_host_name_ssl_state(cmd, resource_group_name, name, webapp,
                                                    found_cert.host_names[0], ssl_type,
diff --git a/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py b/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py
@@ -1737,6 +1737,33 @@ def test_functionapp_flex_ssl_bind_unbind(self, resource_group, storage_account)
         self.cmd('functionapp config ssl delete -g {} -n {} --certificate-thumbprint {}'
                  .format(resource_group, functionapp_name, cert_thumbprint))
 
+    @ResourceGroupPreparer(location=FLEX_ASP_LOCATION_FUNCTIONAPP)
+    @StorageAccountPreparer()
+    def test_functionapp_flex_managed_ssl_cert_create(self, resource_group, storage_account):
+        """Test create_managed_ssl_cert on Flex Consumption function apps.
+
+        This test validates the Flex-specific path in create_managed_ssl_cert which uses
+        site_certificates.create_or_update instead of certificates.create_or_update.
+        """
+        functionapp_name = self.create_random_name('flexsslcreate', 40)
+        test_hostname = 'test.customdomain.com'
+        cert_name = 'test-managed-cert'
+
+        # Create a Flex Consumption function app
+        self.cmd('functionapp create -g {} -n {} -f {} -s {} --runtime python --runtime-version 3.11'
+                 .format(resource_group, functionapp_name, FLEX_ASP_LOCATION_FUNCTIONAPP, storage_account))
+
+        # Test that --slot is rejected for Flex Consumption apps
+        self.cmd('functionapp config ssl create -g {} -n {} --hostname {} --slot staging'
+                 .format(resource_group, functionapp_name, test_hostname),
+                 expect_failure=True)
+
+        # Test that managed certificate creation fails with validation error when hostname is not registered
+        # This validates the Flex path is being taken (site_certificates endpoint)
+        self.cmd('functionapp config ssl create -g {} -n {} --hostname {} --certificate-name {}'
+                 .format(resource_group, functionapp_name, test_hostname, cert_name),
+                 expect_failure=True)
+
 
 class FunctionAppManagedEnvironment(ScenarioTest):
     @AllowLargeResponse()
