0
votes

I am trying to deploy a key vault with secretName and secretValue. I have created a variable group in Azure DevOps with all the secrets and I am using the below parameters in the parameter file, but when this gets deployed the secret value gets stored as $(secret) and not the password actually stored in the variable group in Azure DevOps.

  "secretsObject": {
    "value": {
      "secrets": [
        {
          "secretName": "App012",
          "secretValue": "$(mysecret)"
        },

and this is what I got in the key vault template:

  {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "[concat(parameters('keyVaultName'), '/', parameters('secretsObject').secrets[copyIndex()].secretName)]",
    "apiVersion": "2018-02-14",
    "dependsOn": [
      "[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
    ],
    "copy": {
      "name": "secretsCopy",
      "count": "[length(parameters('secretsObject').secrets)]"
    },
    "properties": {
      "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]"
    }
  }
]
}

Any idea how to pass the "secretvalue" as a variable?


2 Answers

1
votes

I believe you're asking how to leverage your secrets that are stored in a variable group to be deployed securely with your ARM template via Azure DevOps. If that is the case, look at using Override Template Parameters in your release task.

This would be in the format of -NameOfARMParameter $(NameofDevOpsVariable)

In your case it would be -mysecret $(NameOfDevOpsVariable)

The deployment .json should look like this for parameter declaration:

    "secretValue": {
      "type": "string",
      "metadata": {
        "description": "This is for receiving a value from DevOps releases of the secret to be stored in the key vault"
      }
    },
    "secretName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Secret"
      }
    },

For the actual deployment

{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "[concat(variables('keyVaultName'),'/',parameters('secretName'))]",
  "apiVersion": "2018-02-14",
  "properties": {
    "contentType": "text/plain",
    "value": "[parameters('secretValue')]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.KeyVault/vaults',  variables('keyVaultName'))]"
  ]
},

And the parameters file doesn't need to have anything in it if these values will be fed from Azure DevOps.
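As an added example (not code from the question or from the answer above): a small Python pre-deployment check for the two problems that surface in this thread. First, an Azure DevOps macro such as `$(mysecret)` is only expanded by the pipeline agent in task inputs like Override Template Parameters; Azure Resource Manager never expands it, so a macro left inside a parameter file is stored verbatim as the secret value. Second, a secret passed as a template parameter typed `string` (or `object`, as with the question's `secretsObject`) is recorded in plain text in the deployment history; declare it `securestring` or `secureObject` instead. The sample template, sample parameter file and the secret-name heuristic are constructed for this example.

```python
"""Pre-deployment lint for ARM templates and parameter files.

Flags (1) Azure DevOps $(macro) literals that were never expanded and
(2) secret-carrying parameters not declared securestring/secureObject.
"""
import json
import re

# Azure DevOps macro syntax: $(VariableName). ARM does not expand this, so a
# literal like "$(mysecret)" in a parameter file ends up as the stored value.
DEVOPS_MACRO = re.compile(r"\$\([A-Za-z0-9_.]+\)")

# Heuristic (assumption for this example) for parameter names that carry
# secrets. "key" is deliberately excluded so "keyVaultName" is not flagged.
SECRET_HINT = re.compile(r"(secret|password|passwd|pwd|token|connectionstring)",
                         re.IGNORECASE)


def find_unexpanded_macros(value, path=""):
    """Walk a parsed parameter-file value and return (json_path, literal)
    for every unexpanded $(...) macro found in a string."""
    hits = []
    if isinstance(value, str):
        for m in DEVOPS_MACRO.finditer(value):
            hits.append((path, m.group(0)))
    elif isinstance(value, dict):
        for k, v in value.items():
            hits.extend(find_unexpanded_macros(v, f"{path}.{k}" if path else k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            hits.extend(find_unexpanded_macros(v, f"{path}[{i}]"))
    return hits


def find_insecure_secret_params(template):
    """Return names of template parameters that look like secrets but are not
    typed securestring/secureObject. Non-secure types are kept in plain text
    in the ARM deployment history."""
    bad = []
    for name, decl in template.get("parameters", {}).items():
        ptype = decl.get("type", "").lower()
        if SECRET_HINT.search(name) and ptype not in ("securestring", "secureobject"):
            bad.append(name)
    return bad


def lint(template_json, params_json):
    """Run both checks over a template and a parameter file (JSON strings)."""
    template = json.loads(template_json)
    params = json.loads(params_json)
    return {
        "unexpanded_macros": find_unexpanded_macros(params.get("parameters", {})),
        "insecure_secret_params": find_insecure_secret_params(template),
    }


# Constructed sample mirroring the question: the secrets object is typed as a
# plain 'object' and the parameter file carries the DevOps macro literally.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyVaultName": {"type": "string"},
        "secretsObject": {"type": "object"},
    },
    "resources": [],
})

SAMPLE_PARAMS = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyVaultName": {"value": "kv-example"},
        "secretsObject": {"value": {"secrets": [
            {"secretName": "App012", "secretValue": "$(mysecret)"},
        ]}},
    },
})

if __name__ == "__main__":
    report = lint(SAMPLE_TEMPLATE, SAMPLE_PARAMS)
    for path, literal in report["unexpanded_macros"]:
        print(f"unexpanded Azure DevOps macro {literal} at parameters.{path}")
    for name in report["insecure_secret_params"]:
        print(f"parameter '{name}' looks like a secret but is not securestring/secureObject")
```

Run it as a pipeline step before the ARM deployment task and fail the job when either list is non-empty; the fix for the first finding is to move the macro into the task's Override Template Parameters input (for example `-secretValue $(mysecret)`), and for the second to change the parameter type in the template.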

0
votes

You need to create a parameter file with the secret / link to Key Vault.

Here's a sample of it:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminLogin": {
            "value": "exampleadmin"
        },
        "adminPassword": {
            "reference": {
              "keyVault": {
                "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
              },
              "secretName": "ExamplePassword"
            }
        },
        "sqlServerName": {
            "value": "<your-server-name>"
        }
    }
}

More info:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/parameter-files

and https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/add-template-to-azure-pipelines