0
votes

I'm using VSTS to deploy Azure resources. I use the "Azure Resource Group Deployment" task to deploy ARM templates. How can I, for a specific parameter, override the value with an ARM function (concat, listkeys, etc.)?

Example: My ARM template has a parameter that is a storage account key, and instead of providing the key directly, I want to provide it by passing [listkeys(...)].

2 Answers

1
votes

You cannot do that; several functions (like listKeys()) are evaluated at runtime only. I don't know what you are trying to achieve, so there are probably ways of doing what you are trying to achieve.

If you want to hide the keys, you can store them in the Key Vault and retrieve them at deployment time:

"password": {
    "reference": {
        "keyVault": {
            "id": "[resourceId('kvGroup', 'Microsoft.KeyVault/vaults', 'kvName')]"
        },
        "secretName": "secret"
    }
},

0
votes

If the storage account isn't created within the same ARM template, I'd use the parameter to supply the name of the storage account and then listkeys() within the ARM template to get at the storage account connection string.

If you're creating the storage account in a previous ARM template deployment in your pipeline, you could use output parameters to make the connection string available in the pipeline. Here is an example where xxx represents your company naming prefix:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "environment": {
      "type": "string",
      "defaultValue": "d",
      "metadata": {
        "description": "The deployment environment, given by develop (d), testing (t), production (p) or quality assurance (q)"
      }
    }
  },
  "variables": {
    "busUnit": "vendor_name_here",

    //storage account names must be lowercase and are limited to 24 alpha numeric characters
    "storage_account_name": "[concat('xxx', parameters('environment'), variables('busUnit'), 'stor')]"        
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "sku": {
        "name": "Standard_LRS", //this is a hard coded SKU
        "tier": "Standard" //general purpose versus blob-only
      },
      "kind": "Storage", 
      "name": "[variables('storage_account_name')]",
      "apiVersion": "2017-06-01",
      "location": "[resourceGroup().location]", //add it to the same region/location as the resource group
      "properties": {
        "encryption": {
          "keySource": "Microsoft.Storage",
          "services": {
            "blob": {
              "enabled": true
            }
          }
        },
        "networkAcls": {
          "bypass": "AzureServices",
          "defaultAction": "Allow",
          "ipRules": [],
          "virtualNetworkRules": []
        }
      },
      "dependsOn": []
    }
  ],
  "outputs": {
    "storageAccountKey": {
      //"description": "This works if the storage account is in the same resource group. It returns the access key for the account",
      "type": "securestring",
      "value": "[listKeys(variables('storage_account_name'),'2015-05-01-preview').key1]"
    },
    "storageAccountName": {
      //"description": "This is the computed name of the storage account, based on naming conventions in the variables",
      "type": "string",
      "value": "[variables('storage_account_name')]"
    }
  }
}