2
votes

I'm starting to work with Azure and tried these steps:

  • I added a secret to an Azure Vault.
  • I linked a service principal to my Azure DevOps pipelines.
  • I created a variable group linked to my vault.
  • I created a variable group with some variables.
  • I created an azure-pipelines.yaml with a variables: group: group1 group: group2 part
  • I have - task: AzureResourceManagerTemplateDeployment@3 with a template with parameters. How do I satisfy the parameters from the variable groups?

2 Answers

9
votes

You can try using the overrideParameters parameter of the task to override your ARM template's parameters with the variables defined in your variable groups. Check here for more parameters of this task.

- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    azureResourceManagerConnection: <connection>

    overrideParameters: -storageAcctName azurerg -Username $(vmusername) -azureKeyVaultName $(fabrikamFibre)

For accessing Azure Key Vault, you can also use the Azure Key Vault task to get your secrets in your build pipeline, or integrate Key Vault into your ARM template as @Daniel Mann pointed out. Check here for Microsoft's official tutorial.
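A pre-deployment check for the overrideParameters approach in the answer above, as an added example that is not part of the original answers or of Azure's tooling: it flags Key Vault-backed variables passed to template parameters that are not declared securestring or secureObject, since values of plain string parameters are kept in the deployment record. The template, the adminPassword override, and the assumption that vmusername and ExamplePassword come from the Key Vault-linked group are constructed; shlex only approximates the task's own argument parsing.

```python
import re
import shlex

SECURE_TYPES = {"securestring", "secureobject"}
MACRO = re.compile(r"\$\(([^)]+)\)")  # Azure Pipelines macro syntax: $(name)


def parse_override_parameters(text):
    """Split '-name value -name2 value2' into {name: value}."""
    tokens = shlex.split(text)  # approximation of the task's own parsing
    if len(tokens) % 2:
        raise ValueError("expected '-name value' pairs")
    params = {}
    for name, value in zip(tokens[::2], tokens[1::2]):
        if not name.startswith("-"):
            raise ValueError(f"parameter name must start with '-': {name!r}")
        params[name[1:]] = value
    return params


def find_exposed_secrets(template, override_parameters, secret_variables):
    """List (parameter, variable, declared type) for every secret variable
    passed to a parameter not declared securestring/secureObject."""
    # Names are compared case-insensitively (a choice made for this check).
    declared = {k.lower(): v for k, v in template.get("parameters", {}).items()}
    secrets = {s.lower() for s in secret_variables}
    findings = []
    for name, value in parse_override_parameters(override_parameters).items():
        ptype = declared.get(name.lower(), {}).get("type", "<undeclared>")
        if ptype.lower() in SECURE_TYPES:
            continue
        findings += [(name, var, ptype) for var in MACRO.findall(value)
                     if var.lower() in secrets]
    return findings


# Constructed sample data: the template and the secret list are assumptions.
SAMPLE_TEMPLATE = {"parameters": {
    "storageAcctName": {"type": "string"},
    "Username": {"type": "string"},
    "azureKeyVaultName": {"type": "string"},
    "adminPassword": {"type": "securestring"},
}}
SAMPLE_OVERRIDE = ("-storageAcctName azurerg -Username $(vmusername) "
                   "-azureKeyVaultName $(fabrikamFibre) "
                   '-adminPassword "$(ExamplePassword)"')
SAMPLE_SECRETS = ["vmusername", "ExamplePassword"]  # Key Vault-linked group

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_TEMPLATE, SAMPLE_OVERRIDE, SAMPLE_SECRETS):
        print("secret passed to non-secure parameter:", finding)
```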

-1
votes

Variable groups aren't intended to be used with YAML pipelines. Add an AzureKeyVault step to your pipeline in order to retrieve secrets from the keyvault.

Or link your ARM template directly to the keyvault; ARM templates have native support for keyvault parameters:

"adminPassword": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
    },
    "secretName": "ExamplePassword"
  }
}

Or write your application to retrieve secrets directly from the keyvault at runtime.