
I am trying to retrieve keyVault values within my ARM template

I have enabled my keyVault for ARM template retrieval

My parameter file looks like this

"postleadrequesturl": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/e0f18fe9-181d-4a38-90bc-f2e0101f8f05/resourceGroups/RG-DEV-SHAREDSERVICES/providers/Microsoft.KeyVault/vaults/MMSG-APIManagement"
    },
    "secretName": "DEV-POSTLEADREQUEST-URL"
  }
}

My deploy file looks like this

{
  "properties": {
    "authenticationSettings": {
      "subscriptionKeyRequired": false
    },
    "subscriptionKeyParameterNames": {
      "header": "Ocp-Apim-Subscription-Key",
      "query": "subscription-key"
    },
    "apiRevision": "1",
    "isCurrent": true,
    "subscriptionRequired": true,
    "displayName": "MMS.CRM.PostLeadRequest",
    "serviceUrl": "[parameters('postleadrequesturl')]",
    "path": "CRMAPI/PostLeadRequest",
    "protocols": [
      "https"
    ]
  },
  "name": "[concat(variables('ApimServiceName'), '/mms-crm-postleadrequest')]",
  "type": "Microsoft.ApiManagement/service/apis",
  "apiVersion": "2019-01-01",
  "dependsOn": []
},

The error I receive is

Error converting value "@{keyVault=; secretName=DEV-POSTLEADREQUEST-URL}" to type 'Microsoft.WindowsAzure.ResourceStack.Frontdoor.Data.Entities.Deployments.KeyVaultParameterReference

Any thoughts?

Have you referred to the document? - Jim Xu
Is that Ok for you? - Jim Xu



According to my test, if you want to integrate Azure Key Vault into your Resource Manager template deployment, please follow these steps:

  1. Create an Azure Key Vault
# Create the resource group and a Key Vault that template deployments are allowed to read secrets from.
New-AzResourceGroup -Name $resourceGroupName -Location $location

$vaultParams = @{
    VaultName                    = $keyVaultName
    ResourceGroupName            = $resourceGroupName
    Location                     = $location
    EnabledForTemplateDeployment = $true
}
New-AzKeyVault @vaultParams

# Store a sample secret. The literal below is a walkthrough placeholder, not a real credential;
# in practice the value should come from a prompt or a secure store rather than the script text.
$secretvalue = ConvertTo-SecureString 'hVFkk965BuUv' -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'ExamplePassword' -SecretValue $secretvalue

# Identity of the person who will run the deployment.
$userPrincipalName = "<Email Address of the deployment operator>"

# Grant that identity secret permissions on the vault. 'set' is required by the
# Set-AzKeyVaultSecret call above; none of the later steps on this page delete a secret,
# so 'delete' can be dropped if a least-privilege policy is preferred.
$policyParams = @{
    VaultName            = $keyVaultName
    UserPrincipalName    = $userPrincipalName
    PermissionsToSecrets = 'set', 'delete', 'get', 'list'
}
Set-AzKeyVaultAccessPolicy @policyParams
  2. Grant access to the key vault. The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and key vault. The Owner and Contributor roles both grant this access.
     a. Create a custom role definition JSON file:

     {
    "Name": "Key Vault resource manager template deployment operator",
    "IsCustom": true,
    "Description": "Lets you deploy a resource manager template with the access to the secrets in the Key Vault.",
    "Actions": [
    "Microsoft.KeyVault/vaults/deploy/action"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    ]
    }
    

    b. Create the new role using the JSON file:

    # Register the custom role from the JSON definition, then assign it to the
    # deployment operator at resource-group scope.
    New-AzRoleDefinition -InputFile "<PathToRoleFile>"

    $assignment = @{
        ResourceGroupName  = $resourceGroupName
        RoleDefinitionName = "Key Vault resource manager template deployment operator"
        SignInName         = $userPrincipalName
    }
    New-AzRoleAssignment @assignment
    
  3. Create the ARM template

template.json

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {

        "service_testapi068_name": {
            "defaultValue": "testapi068",
            "type": "String"
        },
        "postleadrequesturl": {
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
    {
            "type": "Microsoft.ApiManagement/service",
            "apiVersion": "2019-01-01",
            "name": "[parameters('service_testapi068_name')]",
            "location": "Southeast Asia",
            "sku": {
                "name": "Developer",
                "capacity": 1
            },
            "properties": {
                "publisherEmail": "[email protected]",
                "publisherName": "test",
                "notificationSenderEmail": "[email protected]",
                "hostnameConfigurations": [
                    {
                        "type": "Proxy",
                        "hostName": "[concat(parameters('service_testapi068_name'), '.azure-api.net')]",
                        "negotiateClientCertificate": false,
                        "defaultSslBinding": true
                    }
                ],
                "customProperties": {
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "False"
                },
                "virtualNetworkType": "None"
            }
        },
        {
            "type": "Microsoft.ApiManagement/service/apis",
            "apiVersion": "2019-01-01",
            "name": "[concat(parameters('service_testapi068_name'), '/demo-conference-api')]",
            "dependsOn": [
                "[resourceId('Microsoft.ApiManagement/service', parameters('service_testapi068_name'))]"
            ],
            "properties": {
                "displayName": "Demo Conference API",
                "apiRevision": "1",
                "description": "A sample API with information related to a technical conference.  The available resources  include *Speakers*, *Sessions* and *Topics*.  A single write operation is available to provide  feedback on a session.",
                "serviceUrl": "[parameters('postleadrequesturl')]",
                "path": "conference",
                "protocols": [
                    "http",
                    "https"
                ],
                "isCurrent": true
            }
        }

    ],
    "outputs":{

       "postleadrequesturl" :{

        "type":"String",
        "value":"[parameters('postleadrequesturl')]"

       } 
    }
}

parameters.json

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {


        "postleadrequesturl": {
          "reference": {
            "keyVault": {
              "id": "/subscriptions/e5b0fcfa-e859-43f3-8d84-5e5fe29f4c68/resourceGroups/testkeyandstorage/providers/Microsoft.KeyVault/vaults/testkey08"
            },
            "secretName": "postleadrequesturl"
          }
        }
    }
}
  4. Deploy
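# Sign in as the deployment operator.
# Credentials are collected interactively so that no user name or password is kept in
# plain-text variables inside the script (the previous version built the PSCredential
# from `$name`/`$password` strings via ConvertTo-SecureString -AsPlainText -Force).
$mycreds = Get-Credential -Message "Deployment operator account"
Connect-AzAccount -Credential $mycreds

# Deploy the template; the postleadrequesturl parameter is resolved from Key Vault
# through the reference in parameters.json.
New-AzResourceGroupDeployment -ResourceGroupName "testapi06" -TemplateFile "E:\template.json" -TemplateParameterFile "E:\parameters.json"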


For more details, please refer to

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter#grant-access-to-the-secrets

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-use-key-vault