SCEPman Bicep deployment

SCEPman is a slim and resource-friendly solution for issuing and validating certificates using SCEP. It is an Azure Web App that provides the SCEP protocol and works directly with the Microsoft Graph and Intune APIs.
I have used SCEPman together with RADIUS-as-a-Service so that our office devices log on to our Wi-Fi automatically. There are many more ways you can use SCEPman; take a look at the SCEPman docs.
References:
https://docs.scepman.com/
https://docs.radiusaas.com/
https://github.com/marfha88/SCEPman


This blog post is about the infrastructure, architecture and deployment of SCEPman with Bicep.
Most companies now use infrastructure as code (IaC), and SCEPman only gives us the starting point, so I wanted to share my Bicep deployment of SCEPman.

To get started, SCEPman has a very smooth first deployment that sets everything up and also adds a resource that I can't find a way to deploy with Bicep (pid).

Basic deployment

More advanced deployment nr2

This deployment adds alerts, Application Insights and autoscale on the App Service plan.

Do the same as in the first deployment, but switch to bicep-deploy-2:

Deploy your SCEPman instance from: https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fscepman%2Finstall%2Fprod%2Fazuredeploy.json

Use my Bicep code in bicep-deploy-2 and change the necessary parameters so they match your company. You can find the code here: https://github.com/marfha88/SCEPman/tree/main/bicep-deploy-2

Run the Bicep deployment to add your tags and to make sure that it works.

Open the SCEPman web app and run the PowerShell script, or run it with the GitHub Action deploy-powershell (powershell.yml; more advanced and optional) and adjust the scepman.ps1 script you find in extra-config in my GitHub repo.

After you have run the scepman script, a few new web app settings have been created (see the portal). Add the settings to your Bicep code for both the webapp and the webapp-certificatemaster.
Webapp:

Webapp-cm:

Visual studio code:


Geo-redundancy and an even more advanced deployment nr3

This deployment adds Traffic Manager, a certificate for HTTPS, deployment slots and an update strategy.

Prerequisites:

  • HTTPS certificate
  • Your own domain (so you can add DNS records)
  • SCEPman license

First: determine what hostname/DNS name your SCEPman instance will have (mine was scepman.fahlbeck.no).
Second: buy a certificate for your SCEPman instance.
Recommendation: buy the certificate through Azure App Service Certificates so you can have everything in code plus certificate auto-renewal.

When the prerequisites are done, do the same as in the first deployments but switch to bicep-deploy-3.0.
Use my Bicep code in bicep-deploy-3.0 and change the necessary parameters so they match your company. You can find the code here: https://github.com/marfha88/SCEPman/tree/main/bicep-deploy-3.0
Running bicep-deploy-3.0 adds a Key Vault access policy for "Microsoft Azure App Service" so you can import/create your certificate for SCEPman.

Now move on to bicep-deploy-3.1 and deploy everything.
Use my Bicep code in bicep-deploy-3.1 and change the necessary parameters so they match your company. You can find the code here: SCEPman/bicep-deploy-3.1 at main · marfha88/SCEPman (github.com)
The deployment will show some errors; this is because you need to verify your domain for both web apps.

  • Verify your domains with DNS records (you find the info in the portal under App Service\Custom domains).
  • Run the deployment again.
  • Now run the PowerShell script that the web app shows. (If the script creates a new certificate master web app, delete it.)
  • Add all the App Service application settings in Bicep.

For the update strategy, follow the SCEPman docs:
https://docs.scepman.com/advanced-configuration/update-strategy

  • Download the artifact from SCEPman:
    https://raw.githubusercontent.com/scepman/install/master/dist/Artifacts.zip
  • Add the artifact to a storage account and point the web apps to that artifact, as in the Bicep code below:
    WEBSITE_RUN_FROM_PACKAGE: 'https://${storageAccountName}.blob.${environment().suffixes.storage}/scepman-artifacts/Artifacts.zip'
  • The App Services need the Storage Table Data Contributor role on the storage account.
  • Point the deployment slots to SCEPman's own artifact in Bicep, as below:
    WEBSITE_RUN_FROM_PACKAGE: ArtifactsLocationSCEPman
  • You can find Bicep for RBAC in extra-config.
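The update-strategy steps above, as an added Bicep example (not the post's own code nor anything from the marfha88/SCEPman repo): the production app runs the pinned Artifacts.zip copy from your storage account, the staging slot follows SCEPman's own artifact, and the app's system-assigned managed identity gets Storage Table Data Contributor scoped to that one storage account rather than a storage key in app settings. It assumes an existing storage account (storageAccountName) with a scepman-artifacts container and an existing App Service plan (appServicePlanId); it grants only the role the post names, so read access to the package blob itself (SAS in the URL or a blob-data role) is left to your existing setup.

```bicep
param storageAccountName string
param appServicePlanId string
param webAppName string
// SCEPman's own artifact URL (from the post), used by the staging slot
param ArtifactsLocationSCEPman string = 'https://raw.githubusercontent.com/scepman/install/master/dist/Artifacts.zip'
// Existing storage account holding the pinned copy under scepman-artifacts/Artifacts.zip (assumption)
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}
// Production slot: runs the pinned package; managed identity instead of storage keys in settings
resource webApp 'Microsoft.Web/sites@2022-09-01' = {
  name: webAppName
  location: resourceGroup().location
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    siteConfig: {
      appSettings: [
        {
          name: 'WEBSITE_RUN_FROM_PACKAGE'
          value: 'https://${storageAccountName}.blob.${environment().suffixes.storage}/scepman-artifacts/Artifacts.zip'
        }
      ]
    }
  }
}
// Staging slot: follows SCEPman's released artifact, so a new version lands here before a swap
resource stagingSlot 'Microsoft.Web/sites/slots@2022-09-01' = {
  parent: webApp
  name: 'staging'
  location: resourceGroup().location
  properties: {
    serverFarmId: appServicePlanId
    siteConfig: {
      appSettings: [ { name: 'WEBSITE_RUN_FROM_PACKAGE', value: ArtifactsLocationSCEPman } ]
    }
  }
}
// Built-in role Storage Table Data Contributor, granted to the app identity on this storage account only
var tableContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aebd')
resource tableRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, webApp.id, tableContributorRole) // deterministic name, so redeploys are idempotent
  scope: storage
  properties: {
    roleDefinitionId: tableContributorRole
    principalId: webApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Swapping staging into production after SCEPman publishes a new artifact is what makes the pinned copy in your own storage account the thing you roll back to.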

I hope this will help you with your deployment of SCEPman.
When I started out for our company, there were a lot of small things I needed to figure out regarding how to deploy the Bicep code.
So even if you don't need to deploy SCEPman, there might be some tips and tricks in the Bicep code that you can use ☺️!
