3
votes

I have a template to create a key vault and a secret within it. I also have a service fabric template, that requires 3 things from the key vault: the Vault URI, the certificate URL, and the certificate thumbprint.

If I create the key vault and secret with PowerShell, it is easy to manually copy these 3 things from the output and paste them into the parameters of the service fabric template. However, what I am hoping to do, because this cert has the same life cycle as the service fabric cluster, is to link from the key vault template to the service fabric template, so that when I deploy the key vault and secret (which, by the way, is a key that has been base64-encoded to a string; I could have this as a secret in yet another key vault...), I can pass the 3 values on as parameters.

So I have two questions.

  1. How do I retrieve the 3 values in the ARM template? PowerShell outputs them as 'ResourceId' of the key vault, 'Id' of the secret, and 'Version' of the secret. My attempt:

    "sourceVaultValue": {
        "value": "resourceId('Microsoft.KeyVault/vaults/', parameters('keyVaultName')"
    },
    "certificateThumbprint": {
        "value": "[listKeys(resourceId('secrets', parameters('secretName')), '2015-06-01')"
    },
    "certificateUrlValue": {
        "value": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net:443/secrets/', parameters('secretName'), resourceId('secrets', parameters('secretName')))]"
    }


But the certificateUrlValue is incorrect. You can see I tried with and without listKeys, but neither seemed to work... (The thumbprint is within the certUrl itself.)

  2. If I were to get the correct values, I would like to try to pass them as parameters to the next template. The template in question has quite a few more parameters than the 3 I want to pass, however. So is it possible to have a parametersLink element to link to the parameter file, as well as a parameters element for just those 3? Or is there an intended way of doing this?

Cheers

2
Ed - just to make sure, is that JSON snippet above the outputs section of the template that creates the secrets? - bmoore-msft
It wasn't originally. I had it in the parameters element for the linked template, then I moved it to the output section to test. It occurs to me that I might need 'reference' in front of them? I can't check at the moment, though. We'll have to reconvene tomorrow :) - Edward Rixon

2 Answers

4
votes

Ok, try this when you get back to the keyboard...

1) For the URI, you can use an output like:

"secretUri": {
  "type": "string",
  "value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretName'))).secretUri]"
}

For #2, you cannot mix and match the link and some values, it's one or the other.

A couple thoughts on how you could do this (it depends a bit on how you want to structure the rest of your deployment)...

  • One way to think of this is, instead of nesting the SF template, to deploy them in the same template, since they have the same lifecycle.
  • Instead of nesting the SF template, nest the KV template and reference the outputs of that deployment in the SF template...

Aside from that I can't think of anything elegant - since you want to pass "dynamic" params to a nested deployment really the only way to do that is to dynamically write the param file behind the link or pass all the params into the deployment resource.

HTH - LMK if it doesn't...
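
The following is an added example and is not code from the question or from the answer above. It follows the first suggestion (vault, secret and the Service Fabric deployment in one template, since they share a lifecycle) and the last point (passing the needed values inline into the deployment resource, since parametersLink and parameters cannot be combined). It also shows the two Key Vault values the question asks for being computed with resourceId() and reference() rather than pasted from PowerShell output. The names sfDeploy, sfTemplateUri, vaultId and secretId are assumptions; sourceVaultValue, certificateUrlValue and certificateThumbprint are the parameter names used in the question. The secret resource does not expose the certificate thumbprint to reference(), so the template takes it as an ordinary parameter (an assumption about the caller's workflow: the thumbprint is known when the PFX is exported).

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": { "type": "string" },
    "secretName": { "type": "string" },
    "secretValue": {
      "type": "securestring",
      "metadata": { "description": "The base64-encoded certificate. securestring keeps the value out of deployment history and logs." }
    },
    "certificateThumbprint": {
      "type": "string",
      "metadata": { "description": "Thumbprint of that certificate. Not readable from the secret resource via reference(), so the caller supplies it (assumption)." }
    },
    "sfTemplateUri": {
      "type": "string",
      "metadata": { "description": "HTTPS URI of the Service Fabric template (hypothetical name). Its remaining parameters are passed the same way as the three shown." }
    }
  },
  "variables": {
    "vaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
    "secretId": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2015-06-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "name": "standard", "family": "A" },
        "enabledForDeployment": true,
        "accessPolicies": []
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2015-06-01",
      "name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "value": "[parameters('secretValue')]" }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2015-01-01",
      "name": "sfDeploy",
      "dependsOn": [ "[variables('secretId')]" ],
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[parameters('sfTemplateUri')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "sourceVaultValue": { "value": "[variables('vaultId')]" },
          "certificateUrlValue": { "value": "[reference(variables('secretId')).secretUriWithVersion]" },
          "certificateThumbprint": { "value": "[parameters('certificateThumbprint')]" }
        }
      }
    }
  ],
  "outputs": {
    "sourceVaultValue": { "type": "string", "value": "[variables('vaultId')]" },
    "certificateUrlValue": { "type": "string", "value": "[reference(variables('secretId')).secretUriWithVersion]" }
  }
}
```

Two points worth checking before using this. secretUriWithVersion is the versioned secret URL (the PowerShell 'Id' plus 'Version' combined), which is what a virtual machine scale set expects in its certificateUrl; secretUri, used in the answer above, is the unversioned form. enabledForDeployment is what allows the Compute resource provider to pull the certificate from the vault onto the cluster VMs; accessPolicies is left empty here, so no data-plane principal can read the secret until a policy is added for it, which is the least-privilege starting point. The vault and secret are deliberately not placed in an inline nested deployment: an inline template is evaluated in the parent's scope, and a securestring passed into it can end up visible in that nested deployment's history.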

-3
votes
Can't reference a secret with dynamic id!!!!
The obvious problems with this way of doing things are:
Someone needs to type the cleartext password, which means:
it needs to be known to anyone who provisions the environment, and how do I feed it into an automated environment deployment? If I store the password in a parameter... ???????
    "variables": {
      "tenantPassword": {
        "reference": {
          "keyVault": {
            "ID": "[concat(subscription().id,'/resourceGroups/',parameters('keyVaultResourceGroup'),'/providers/Microsoft.KeyVault/vaults/', parameters('VaultName'))]"
          },
          "secretName": "tenantPassword"
        }
      }
    },