如何仅使用 ASUID TXT 记录将自定义域绑定到带有 Bicep 的 Azure Web 应用程序？

我一直在尝试使用下面的命令将自定义域绑定到现有的Azure Web应用程序，问题是我只需要使用asuid TXT记录，因为自定义域的CNAME指向应用程序网关vip。 .

// Editable parameters
param customDomainName string
param appName string
param appServicePlanName string
param location string = resourceGroup().location

// Reference to the existing web app
resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appName
}

resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' existing = {
  name: appServicePlanName
}

// Step 1: Add the custom domain (hostname binding) to the web app
resource customDomainBinding 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  parent: webApp
  name: customDomainName
  properties: {
    hostNameType: 'Verified'
  }
}

// Step 2: Create a managed certificate for the custom domain
resource certificates 'Microsoft.Web/certificates@2022-03-01' = {
  name: '${customDomainName}-managed-cert'
  location: location
  properties: {
    canonicalName: customDomainName
    serverFarmId: appServicePlan.id
  }
}

// Step 3: Update the SSL state for the custom domain (SSL binding)
// Only bind SSL once, do not create a separate binding
resource customDomainSsl 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  parent: webApp
  name: customDomainName // This should be the same as above
  properties: {
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    thumbprint: certificates.properties.thumbprint
    customHostNameDnsRecordType: 'CName'
  }
}

然后我得到了这个，因为正如我提到的，CNAME 指向应用程序网关 vip

Hostname not eligible for App Service Managed Certificates creation. Ensure that your domain has an active CNAME record which is set to .azurewebsites.net etc

我尝试过的另一条路线是引用密钥保管库中的证书，但没有成功使用以下方法

// Editable parameters
param subIdOfCertKeyVault string
param certKeyVaultResourceGroup string
param customDomainName string
param appName string
param certKeyVaultName string
param certificateSecretName string

// Reference to the existing web app
resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appName
}

// Reference Key Vault
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: certKeyVaultName
  scope: resourceGroup(subIdOfCertKeyVault, certKeyVaultResourceGroup)
}

// Reference the secret in Key Vault
resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' existing = {
  parent: keyVault
  name: certificateSecretName
}

// Directly bind the certificate to the hostname
resource customDomainSsl 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  parent: webApp
  name: customDomainName
  properties: {
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    thumbprint: keyVaultSecret.properties.secretUri
  }
}

下面的 Azure CLI 仅适用于使用 TXT 记录和托管证书...

### Set the variables ###
$SubscriptionIDofWebApp = '' # Subscription ID of where the lms web app will be created
$Company = ''
$Environment = '' # lower or prod
$SubEnvironment = '' # dev, uat, qa, etc. Note: if prod, enter prod
$Location = '' # Region where the subscription is
$Record = ''

    # Set Subscription for Web App
    Write-Host 'Setting the subscription of the web app...'
    az account set --subscription $SubscriptionIDofWebApp
        
    # Set Thumbprint Variable
    Write-Host 'Creating the variable for the thumbprint...'
    $Thumbprint = az webapp config ssl list --resource-group "rg-$Company-$Environment-app-$Location-001" --query "[].thumbprint" --output tsv
    
    # Bind the SSL Cert
    Write-Host 'Binding the SSL Cert...'
    az webapp config ssl bind --resource-group "rg-$Company-$Environment-app-$Location-001" --name "app-$Company-$SubEnvironment-lms-$Location-001" --certificate-thumbprint "$Thumbprint" --ssl-type SNI

当只能使用 TXT 记录而不是 CNAME 进行验证时，如果您知道使用 BICEP 执行此操作的正确、最佳方法，请告诉我。