Using Bicep to deploy managed certificates with custom domains requires multiple runs

[johnnyreilly]

This issue has now been resolved, to see how to use the new approach read this: https://johnnyreilly.com/azure-container-apps-bicep-managed-certificates-custom-domains#updated-08112025---with-bindingtype-auto-you-can-deploy-in-one-go

---

Please provide us with the following information:

This issue is a: (mark with an x)

• bug report -> please search issues before submitting
• documentation issue or request
• regression (a behavior that used to work and stopped in a new release)

Issue description

See discussion here: #607 (comment)

Azure Container Apps support managed certificates and custom domains. However, deploying them with Bicep is not straightforward. The following bicep results in an error message like this:

Creating managed certificate requires hostname '....' added as a custom hostname to a container app in environment 'caenv-appname-dev'

resource managedEnvironmentManagedCertificate 'Microsoft.App/managedEnvironments/managedCertificates@2022-11-01-preview' = {
  parent: managedEnvironment
  name: '${managedEnvironment.name}-certificate'
  location: location
  tags: tags
  properties: {
    subjectName: customDomainName
    domainControlValidation: 'CNAME'
  }
}

resource containerApp 'Microsoft.App/containerApps@2022-11-01-preview' = {
  //...
  properties: {
    configuration: {
      //...
      ingress: {
        //...
        customDomains: [
          {
            name: managedEnvironmentManagedCertificate.properties.subjectName
            certificateId: managedEnvironmentManagedCertificate.id
            bindingType: 'SniEnabled'
          }
        ]
        //...
      }
      //...
    }
    //...
  }
  //...
}

Steps to reproduce

Deploy an Azure Container App using Bicep with the above template additions

Expected behavior [What you expected to happen.]
It should deploy successfully.

Actual behavior [What actually happened.]

Creating managed certificate requires hostname '....' added as a custom hostname to a container app in environment 'caenv-appname-dev'

Screenshots
n/a

Additional context

I've written up the workaround way of deploying with Bicep here: https://johnnyreilly.com/azure-container-apps-bicep-managed-certificates-custom-domains

A potential fix is suggested here: #607 (comment) by @mdrakiburrahman

[mdrakiburrahman]

@dariagrigoriu - I've tested this extensively on 100+ Azure Container App envs - here's a summary of what the bugs are, and how a dev can easily fix it:

#607 (comment)

[johnnyreilly]

See update here from @vinisoto: #607 (comment)

We have fixed an issue that caused the step of creating the managed certificate to take a long time and then fail (although the certificate was indeed successfully created.

With this fix, the number of deployment steps is reduced from 3 to 2. We are designing ways to be able to accomplish the whole process in a single deployment template (e.g., removing the need of creating a container app before creating a managed certificate for certain type of domain ownership validation). We don't have an ETA to share at this time.

[KSemenenko]

there is no updates right?

[nikneem]

I learned that the team is aiming for a solution, but I'm not sure if any of it is testable or in preview yet. @anthonychu may have more info on this.