[App Service] Fix #18697: az webapp config ssl create: Add --wait flag for managed certificate automation #33068
…wait` flag for managed certificate automation

When --wait is set:
- Extends polling timeout from 2 minutes to 10 minutes
- Raises CLIError on timeout instead of silently returning None
- Enables automation scripts to reliably chain ssl bind after ssl create

Default behavior (without --wait) is unchanged: 2-minute timeout with warning.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
️✔️AzureCLI-FullTest
Hi @seligj95,

| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| | functionapp config ssl create | cmd functionapp config ssl create added parameter wait | |
| | webapp config ssl create | cmd webapp config ssl create added parameter wait | |

Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
Pull request overview
Adds an opt-in --wait flag to improve automation reliability for App Service managed certificate creation by extending polling and surfacing timeouts as errors (instead of returning None).
Changes:
- Extend managed cert polling timeout from 2 minutes to 10 minutes when `--wait` is specified, and raise `CLIError` on timeout.
- Add `--wait` parameter wiring for `config ssl create`.
- Add unit tests covering timeout behavior for `wait=True` (error) vs `wait=False` (returns `None`).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/azure-cli/azure/cli/command_modules/appservice/custom.py | Adds wait parameter to managed cert creation polling and raises on timeout when opted-in. |
| src/azure-cli/azure/cli/command_modules/appservice/_params.py | Introduces --wait flag for config ssl create argument context. |
| src/azure-cli/azure/cli/command_modules/appservice/_help.py | Documents --wait via an additional example for webapp config ssl create. |
| src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands_thru_mock.py | Adds unit tests validating new timeout behavior with and without --wait. |
| c.argument('wait', options_list=['--wait'], action='store_true', default=False, | ||
| help='Wait up to 10 minutes for the certificate to be created. ' | ||
| 'Returns an error if creation times out instead of silently returning.') |
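Review bot: The help string for `--wait` hardcodes "up to 10 minutes", while the timeout error in custom.py formats its duration from `poll_timeout_minutes`, so the help text and the real timeout will drift apart if the value ever changes. Consider building the help text from the same constant, or dropping the number from the help and describing only the behavior (longer polling, error on timeout).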
wait is being added inside the for scope in ['webapp', 'functionapp'] loop, so --wait will also become available on az functionapp config ssl create (and will map into create_managed_ssl_cert). If this PR is intended to be webapp-only, scope this argument to webapp instead; if it’s intended to support functionapps too, please update functionapp help/examples (and ideally add coverage) to reflect the new flag.
| c.argument('wait', options_list=['--wait'], action='store_true', default=False, | |
| help='Wait up to 10 minutes for the certificate to be created. ' | |
| 'Returns an error if creation times out instead of silently returning.') | |
| if scope == 'webapp': | |
| c.argument('wait', options_list=['--wait'], action='store_true', default=False, | |
| help='Wait up to 10 minutes for the certificate to be created. ' | |
| 'Returns an error if creation times out instead of silently returning.') |
| c.argument('resource-group', options_list=['--resource-group', '-g'], help='Name of resource group.') | ||
| c.argument('wait', options_list=['--wait'], action='store_true', default=False, | ||
| help='Wait up to 10 minutes for the certificate to be created. ' | ||
| 'Returns an error if creation times out instead of silently returning.') |
The --wait help text ends with “instead of silently returning.” but doesn’t say what’s returned (it’s None). Consider clarifying this to “silently returning None/no result” so automation users understand the default behavior precisely.
| 'Returns an error if creation times out instead of silently returning.') | |
| 'Returns an error if creation times out instead of silently returning None (no result).') |
| if wait: | ||
| raise CLIError("Managed Certificate creation for '{}' timed out after {} minutes. " | ||
| "Check status with 'az webapp config ssl show -g {} " | ||
| "--certificate-name {}'.".format(hostname, poll_timeout_minutes, | ||
| resource_group_name, certificate_name)) | ||
| logger.warning("Managed Certificate creation in progress. Please use the command " | ||
| "'az webapp config ssl show -g %s --certificate-name %s' " | ||
| " to view your certificate once it is created", resource_group_name, certificate_name) |
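Review bot: In the `logger.warning` call, the second string literal ends with a space (`...--certificate-name %s' `) and the third begins with one (`" to view your certificate...`), so the rendered warning contains a double space after the command; drop the leading space on the last literal. The `raise CLIError(...)` above it builds its text with `str.format` while the warning passes `%s` arguments, which is fine for the logger, but the two messages describe the same follow-up command and would be easier to keep in sync if the command string were built once and reused.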
This timeout error hardcodes az webapp config ssl show ..., but create_managed_ssl_cert is also used by functionapp config ssl create (see commands.py). If --wait is exposed for functionapps (currently it is via _params.py), the guidance/error message should be accurate for both command groups (e.g., mention both webapp and functionapp, or avoid hardcoding the group).
| if wait: | |
| raise CLIError("Managed Certificate creation for '{}' timed out after {} minutes. " | |
| "Check status with 'az webapp config ssl show -g {} " | |
| "--certificate-name {}'.".format(hostname, poll_timeout_minutes, | |
| resource_group_name, certificate_name)) | |
| logger.warning("Managed Certificate creation in progress. Please use the command " | |
| "'az webapp config ssl show -g %s --certificate-name %s' " | |
| " to view your certificate once it is created", resource_group_name, certificate_name) | |
| app_type = 'functionapp' if is_functionapp(cmd, resource_group_name, name) else 'webapp' | |
| if wait: | |
| raise CLIError("Managed Certificate creation for '{}' timed out after {} minutes. " | |
| "Check status with 'az {} config ssl show -g {} " | |
| "--certificate-name {}'.".format(hostname, poll_timeout_minutes, | |
| app_type, resource_group_name, certificate_name)) | |
| logger.warning("Managed Certificate creation in progress. Please use the command " | |
| "'az %s config ssl show -g %s --certificate-name %s' " | |
| " to view your certificate once it is created", app_type, resource_group_name, | |
| certificate_name) |
Consolidated into #33058
Description
Fixes #18697
Problem
`az webapp config ssl create` has a hard 2-minute polling timeout for managed certificate creation. When the operation takes longer, the command silently returns `None`, making it impossible for automation scripts to reliably chain `ssl bind` after `ssl create`.
Solution
Add a `--wait` flag that:
`CLIError` on timeout instead of silently returning `None`
Default behavior (without `--wait`) is unchanged — still 2-minute timeout with a warning message.
Usage
Testing
`--wait` behavior (timeout raises error, no-wait returns None)
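
The timeout semantics described in this PR, shown as an added example that is not the PR's or azure-cli's own code: a poller that returns `None` after 2 minutes by default and raises after 10 minutes when `wait` is set, driven by a constructed fake service so the effect on a create-then-bind script is visible. The names `poll_managed_cert`, `CertTimeoutError`, `make_fake` and `run_pipeline`, the 15-second poll interval and the fake clock are assumptions made for illustration.

```python
import time


class CertTimeoutError(Exception):
    """Stand-in for the CLIError raised on timeout (hypothetical name)."""


def poll_managed_cert(fetch_cert, wait=False, interval_s=15, clock=None, sleep=None):
    """Poll fetch_cert() until it yields a certificate or the time budget is spent.

    wait=False: 2-minute budget, returns None on timeout (default behaviour).
    wait=True:  10-minute budget, raises on timeout so the caller fails closed.
    interval_s is an assumed poll interval; the page does not state one.
    """
    clock = clock or time.monotonic
    sleep = sleep or time.sleep
    budget_s = (10 if wait else 2) * 60
    deadline = clock() + budget_s
    while clock() < deadline:
        cert = fetch_cert()
        if cert is not None:
            return cert
        sleep(interval_s)
    if wait:
        raise CertTimeoutError(f"timed out after {budget_s // 60} minutes")
    return None


def make_fake(ready_after_s):
    """Constructed fake service: the certificate exists after ready_after_s seconds."""
    now = [0.0]
    clock = lambda: now[0]
    def sleep(seconds):
        now[0] += seconds  # advance simulated time instead of blocking
    def fetch():
        return {"thumbprint": "CONSTRUCTED"} if now[0] >= ready_after_s else None
    return fetch, clock, sleep


def run_pipeline(ready_after_s, wait):
    """Chain 'create' then 'bind' the way an automation script would."""
    fetch, clock, sleep = make_fake(ready_after_s)
    try:
        cert = poll_managed_cert(fetch, wait=wait, clock=clock, sleep=sleep)
    except CertTimeoutError:
        return "failed: create timed out"
    if cert is None:
        # The silent-None case: the script proceeds with nothing to bind.
        return "bind attempted with no certificate"
    return "bound " + cert["thumbprint"]
```

A certificate that takes five minutes to issue falls through to the bind step with nothing to bind in the default mode, and binds correctly with `wait=True`; one that never appears ends the pipeline with an explicit failure.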