feat: add custom domain + managed TLS certificate support

- variables.tf: add custom_domain variable (optional, default '')
- main.tf: split locals into aca_fqdn + app_fqdn (prefers custom domain),
  add azurerm_container_app_environment_managed_certificate and
  azurerm_container_app_custom_domain resources (count-gated on custom_domain)
- outputs.tf: add aca_fqdn output; existing outputs already use app_fqdn
- deploy workflow: add TF_VAR_custom_domain from SHARING_CUSTOM_DOMAIN var,
  add import step that detects portal-created resources and imports them into
  Terraform state before plan (idempotent — skips if already managed)
- GitHub env var SHARING_CUSTOM_DOMAIN=ai-fluency-server-test.devopsjournal.io
  set for testing environment

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: rajbos

.github/workflows/sharing-server-deploy.yml

@@ -166,6 +166,42 @@ jobs:
             -backend-config="container_name=${{ vars.TF_STATE_CONTAINER }}" \
             -backend-config="key=${{ needs.setup.outputs.state_key }}"
 
+      - name: Import existing custom domain resources
+        if: steps.prereqs.outputs.configured == 'true' && vars.SHARING_CUSTOM_DOMAIN != ''
+        working-directory: sharing-server/infra
+        env:
+          TF_VAR_resource_group_name: ${{ vars.AZURE_RESOURCE_GROUP }}
+          TF_VAR_app_name:            ${{ needs.setup.outputs.app_name }}
+          TF_VAR_custom_domain:       ${{ vars.SHARING_CUSTOM_DOMAIN }}
+        run: |
+          # Authenticate az CLI with the same service principal used by Terraform.
+          az login --service-principal -u "$ARM_CLIENT_ID" -p "$ARM_CLIENT_SECRET" --tenant "$ARM_TENANT_ID" --output none
+          az account set --subscription "$ARM_SUBSCRIPTION_ID"
+
+          ENV_NAME="${TF_VAR_app_name}-env"
+
+          # Import managed certificate if it already exists in Azure but not in state.
+          if ! terraform state show 'azurerm_container_app_environment_managed_certificate.this[0]' > /dev/null 2>&1; then
+            CERT_ID=$(az containerapp env certificate list \
+              --name "$ENV_NAME" \
+              --resource-group "$TF_VAR_resource_group_name" \
+              --query "[?properties.subjectName=='$TF_VAR_custom_domain'].id | [0]" \
+              -o tsv 2>/dev/null || true)
+            if [[ -n "$CERT_ID" && "$CERT_ID" != "None" ]]; then
+              echo "Importing managed certificate: $CERT_ID"
+              terraform import 'azurerm_container_app_environment_managed_certificate.this[0]' "$CERT_ID"
+            fi
+          fi
+
+          # Import custom domain binding if it already exists in Azure but not in state.
+          if ! terraform state show 'azurerm_container_app_custom_domain.this[0]' > /dev/null 2>&1; then
+            DOMAIN_ID="/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_resource_group_name/providers/Microsoft.App/containerApps/$TF_VAR_app_name/customDomainName/$TF_VAR_custom_domain"
+            if az rest --method get --url "https://management.azure.com${DOMAIN_ID}?api-version=2024-03-01" > /dev/null 2>&1; then
+              echo "Importing custom domain: $DOMAIN_ID"
+              terraform import 'azurerm_container_app_custom_domain.this[0]' "$DOMAIN_ID"
+            fi
+          fi
+
       - name: Terraform plan
         if: steps.prereqs.outputs.configured == 'true'
         working-directory: sharing-server/infra
@@ -180,6 +216,7 @@ jobs:
           TF_VAR_allowed_github_org:  ${{ vars.SHARING_ALLOWED_GITHUB_ORG }}
           TF_VAR_github_org_check_token: ${{ secrets.ORG_CHECK_TOKEN }}
           TF_VAR_min_replicas:        ${{ needs.setup.outputs.min_replicas }}
+          TF_VAR_custom_domain:       ${{ vars.SHARING_CUSTOM_DOMAIN }}
         run: terraform plan -out=tfplan
 
       - name: Terraform apply
@@ -196,6 +233,7 @@ jobs:
           TF_VAR_allowed_github_org:  ${{ vars.SHARING_ALLOWED_GITHUB_ORG }}
           TF_VAR_github_org_check_token: ${{ secrets.ORG_CHECK_TOKEN }}
           TF_VAR_min_replicas:        ${{ needs.setup.outputs.min_replicas }}
+          TF_VAR_custom_domain:       ${{ vars.SHARING_CUSTOM_DOMAIN }}
         run: terraform apply -auto-approve tfplan
 
       - name: Output deployment summary

sharing-server/infra/main.tf

@@ -53,7 +53,10 @@ resource "azurerm_container_app_environment_storage" "data" {
 # The ACA environment default_domain is known after environment creation,
 # so this local can be used for BASE_URL before the container app is created.
 locals {
-  app_fqdn = "${var.app_name}.${azurerm_container_app_environment.this.default_domain}"
+  # Native ACA FQDN — always available; used as CNAME target for custom DNS setup.
+  aca_fqdn = "${var.app_name}.${azurerm_container_app_environment.this.default_domain}"
+  # Effective public hostname — custom domain when provided, ACA FQDN otherwise.
+  app_fqdn = var.custom_domain != "" ? var.custom_domain : local.aca_fqdn
 }
 
 resource "azurerm_container_app" "this" {
@@ -177,3 +180,27 @@ resource "azurerm_container_app" "this" {
     }
   }
 }
+
+# ── Custom domain + managed TLS certificate ───────────────────────────────────
+# Only created when var.custom_domain is set.
+# DNS prerequisites (must exist before applying):
+#   CNAME  <subdomain>        → local.aca_fqdn
+#   TXT    asuid.<subdomain>  → azurerm_container_app_environment.this.custom_domain_verification_id
+
+resource "azurerm_container_app_environment_managed_certificate" "this" {
+  count                        = var.custom_domain != "" ? 1 : 0
+  name                         = "sharing-cert"
+  container_app_environment_id = azurerm_container_app_environment.this.id
+  dns_suffix                   = var.custom_domain
+  domain_control_validation    = "CNAME"
+}
+
+resource "azurerm_container_app_custom_domain" "this" {
+  count                                    = var.custom_domain != "" ? 1 : 0
+  name                                     = var.custom_domain
+  container_app_id                         = azurerm_container_app.this.id
+  container_app_environment_certificate_id = azurerm_container_app_environment_managed_certificate.this[0].id
+  certificate_binding_type                 = "SniEnabled"
+
+  depends_on = [azurerm_container_app_environment_managed_certificate.this]
+}

sharing-server/infra/outputs.tf

@@ -1,3 +1,8 @@
+output "aca_fqdn" {
+  description = "Native ACA FQDN — use as CNAME target when setting up a custom domain"
+  value       = local.aca_fqdn
+}
+
 output "app_url" {
   description = "Public HTTPS URL of the deployed sharing server"
   value       = "https://${local.app_fqdn}"

sharing-server/infra/variables.tf

@@ -50,6 +50,12 @@ variable "github_org_check_token" {
   default     = ""
 }
 
+variable "custom_domain" {
+  description = "Optional: custom domain to bind to the container app (e.g. sharing.example.com). Leave empty to use the ACA-generated FQDN."
+  type        = string
+  default     = ""
+}
+
 variable "min_replicas" {
   description = "Minimum container replicas. Must be 1 for SQLite on Azure Files — scale-to-zero causes stale SMB oplocks that block DB startup. Scale-to-zero (0) is only safe if you accept occasional lock errors on cold start."
   type        = number