{App Service} az webapp config ssl import: Fix AttributeError with azure-mgmt-web 11.0.0#33705
Open
seligj95 wants to merge 2 commits into
Open
{App Service} az webapp config ssl import: Fix AttributeError with azure-mgmt-web 11.0.0#33705seligj95 wants to merge 2 commits into
az webapp config ssl import: Fix AttributeError with azure-mgmt-web 11.0.0#33705seligj95 wants to merge 2 commits into
Conversation
…pp Service Certificates with azure-mgmt-web 11.0.0 The azure-mgmt-web 11.0.0 upgrade switched WebSiteManagementClient to a single-api (2025-05-01) client that no longer exposes the 'app_service_certificate_orders' operation group, which lives under the Microsoft.CertificateRegistration provider. This caused 'az webapp config ssl import' to fail with "'WebSiteManagementClient' object has no attribute 'app_service_certificate_orders'". Resolve the App Service Certificate Key Vault secret name via a direct ARM REST call to Microsoft.CertificateRegistration/certificateOrders instead. Fixes Azure#33542 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
️✔️AzureCLI-FullTest
|
️✔️AzureCLI-BreakingChangeTest
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes az webapp config ssl import failing on azure-mgmt-web 11.0.0+ by restoring App Service Certificate Key Vault secret-name resolution without relying on the removed app_service_certificate_orders SDK operation group.
Changes:
- Added
_get_app_service_certificate_kv_secret_name()to queryMicrosoft.CertificateRegistration/certificateOrdersvia ARM REST (with pagination and error handling). - Updated
import_ssl_certto use the new helper instead of the removed SDK operation group. - Added unit tests covering match/no-match, pagination, and error behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
src/azure-cli/azure/cli/command_modules/appservice/custom.py |
Replaces the deprecated SDK access with a direct ARM REST query to resolve the correct Key Vault secret name for App Service Certificates. |
src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_import_ssl_cert.py |
Adds unit tests validating secret-name resolution logic, pagination, and graceful failure handling. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Collaborator
|
App Service |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #33542
az webapp config ssl importfails with:Root cause
The
azure-mgmt-web11.0.0 upgrade (shipped in CLI 2.87.0) switchedWebSiteManagementClientfrom a multi-api client to a single-api client (api-version2025-05-01). That client no longer exposes theapp_service_certificate_ordersoperation group — those operations belong to the separateMicrosoft.CertificateRegistrationresource provider.import_ssl_certaccessedclient.app_service_certificate_orders, which now raisesAttributeError.A prior change added a
hasattr(...)guard that merely suppressed the crash, silently breaking App Service Certificate secret-name resolution.Fix
Added
_get_app_service_certificate_kv_secret_name()which resolves the Key Vault secret name via a direct ARM REST call toMicrosoft.CertificateRegistration/certificateOrders(api2022-09-01), with pagination and graceful error handling.import_ssl_certnow calls it, restoring the original behavior for purchased App Service Certificates without depending on the dropped SDK operation group.Testing
test_import_ssl_cert.py): match, no-match, pagination, and error handling — all pass.flake8/pylintclean on the changed region.AttributeError) and correctly resolves the certificate order's actual Key Vault secret name rather than the certificate name.