I have an ARM Template that is nested (one file). In the parent-scope, there are just 2 resources that get deployed:
- A resource group, with a name that is dictated by a parameter name.
- A deployment resource, which is the sub-template. The resource group is listed in the dependsOn property.
In the sub-template, I am deploying a bunch of Vaults and Secrets. I'm trying to get, in the outputs, some attributes of the secret and the vault (vault name, secret URI, etc). I've tried a bunch of different syntax, and they all yield errors for me. Not sure what else I can try, so I decided to come here for some advice.
Trying to get data from vaults (in this case name, but just testing):
```json
"vaultName": {
  "type": "string",
  "value": "[reference(resourceId('Microsoft.KeyVault/vaults','TestVault123123'), '2017-05-10', 'Full').name]"
}
```

error: The Resource 'Microsoft.KeyVault/vaults/TestVault123124' under resource group null was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix

```json
"value": "[reference(resourceId('redacted-for-stackoverflow', parameters('rgName'), 'Microsoft.KeyVault/vaults','TestVault123124'), '2017-05-10', 'Full').name]"
```

error: 2021-05-10T18:41:03.6121120Z ##[error]Deployment template validation failed: 'The template output 'resourceGroupName2' at line '1' and column '26299' is not valid: Unable to evaluate template language function 'resourceId': function requires fully qualified resource type 'Microsoft.KeyVault/vaults' as one of first three arguments for resource at resource group scope, or first two arguments for resource at subscription scope. Please see https://aka.ms/arm-template-expressions/#resourceid for usage details.. Please see https://aka.ms/arm-template-expressions for usage details.'.

Trying to get output (URI) from a Secret (TestVault123123 is in the same "deployment" resource as the secret):
```json
"mySecretUri": {
  "type": "string",
  "value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'TestVault123123', 'TestSecret123123'), '2017-05-10').secretUri]"
},
```

error: "error": { "code": "ParentResourceNotFound", "message": "Can not perform requested operation on nested resource. Parent resource 'TestVault123123' not found." } }

EDIT: Full Template

Note: IDs have been replaced with "redacted-guid".
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName": {
      "type": "string",
      "defaultValue": "sample"
    },
    "vaultName": {
      "type": "string",
      "defaultValue": "TestVault333555"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2018-05-01",
      "location": "West US",
      "name": "[parameters('rgName')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2017-05-10",
      "name": "keyVaultsDeployment",
      "resourceGroup": "[parameters('rgName')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults",
              "apiVersion": "2020-04-01-preview",
              "name": "[parameters('vaultName')]",
              "location": "westus",
              "tags": {
                "Environment": "Development",
                "ResourceType": "Vaults"
              },
              "properties": {
                "sku": {
                  "family": "A",
                  "name": "Standard"
                },
                "tenantId": "redacted-guid",
                "accessPolicies": [
                  {
                    "tenantId": "redacted-guid",
                    "objectId": "redacted-guid",
                    "permissions": {
                      "keys": [
                        "Get"
                      ],
                      "secrets": [
                        "Get"
                      ],
                      "certificates": []
                    }
                  },
                  {
                    "tenantId": "redacted-guid",
                    "objectId": "redacted-guid",
                    "permissions": {
                      "keys": [
                        "Get",
                        "List",
                        "Update",
                        "Create",
                        "Import",
                        "Delete",
                        "Recover",
                        "Backup",
                        "Restore"
                      ],
                      "secrets": [
                        "Get",
                        "List",
                        "Set",
                        "Delete",
                        "Recover",
                        "Backup",
                        "Restore"
                      ],
                      "certificates": [
                        "Get",
                        "List",
                        "Update",
                        "Create",
                        "Import",
                        "Delete",
                        "Recover",
                        "Backup",
                        "Restore",
                        "ManageContacts",
                        "ManageIssuers",
                        "GetIssuers",
                        "ListIssuers",
                        "SetIssuers",
                        "DeleteIssuers"
                      ]
                    }
                  }
                ],
                "enabledForDeployment": false,
                "enabledForDiskEncryption": false,
                "enabledForTemplateDeployment": false,
                "enableSoftDelete": true,
                "softDeleteRetentionInDays": 90,
                "enableRbacAuthorization": false,
                "enablePurgeProtection": true,
                "provisioningState": "Succeeded"
              }
            },
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "apiVersion": "2020-04-01-preview",
              "name": "[concat(parameters('vaultName'), '/SECRET')]",
              "location": "westus",
              "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
              ],
              "properties": {
                "attributes": {
                  "enabled": true
                },
                "value": "redacted-guid"
              }
            }
          ],
          "outputs": {
            "secret": {
              "type": "string",
              "value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('vaultName'), 'SECRET'), '2017-05-10', 'Full').secretUri]"
            },
            "vaultLocation": {
              "type": "string",
              "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('vaultName')), '2017-05-10', 'Full').location]"
            }
          }
        }
      }
    }
  ],
  "outputs": {}
}
```
Errors:
```
2021-05-11T20:54:39.6696772Z ##[error]NotFound: {
  "error": {
    "code": "ResourceNotFound",
    "message": "The Resource 'Microsoft.KeyVault/vaults/TestVault333555' under resource group '<null>' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
  }
}
2021-05-11T20:54:39.6698437Z ##[error]NotFound: {
  "error": {
    "code": "ParentResourceNotFound",
    "message": "Can not perform requested operation on nested resource. Parent resource 'TestVault333555' not found."
  }
}
```
On Azure, in the release pipeline, in the ARM Template Deployment Job, the deployment scope is set to "Subscription". It's my understanding that this is necessary because I wanted to create a brand new resource group and deploy the resources underneath that. If the deployment scope is set to "Resource Group" it requires me to specify the RG in the pipeline, which I don't want, because I want to create it at execution.
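
An added example, not part of the original question: a Python check that flags the pattern behind the "resource group null" errors above. It relies on documented ARM behaviour that an inline nested template is evaluated in the parent template's scope unless `properties.expressionEvaluationOptions.scope` is `inner`, so in a subscription-scope deployment `resourceId()` and `reference()` carry no resource group; the function names and the cut-down `SAMPLE` are constructed for illustration.

```python
import re

# ARM template functions whose result depends on the evaluation scope.
SCOPED_CALL = re.compile(r"\b(reference|resourceId|resourceGroup)\s*\(")

def iter_strings(node, path=""):
    """Yield (json_path, string) for every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}/{index}")
    elif isinstance(node, str):
        yield path, node

def find_outer_scope_expressions(template):
    """List (deployment, json_path, function) for scope-sensitive calls that an
    inline nested template leaves to be evaluated in the parent's scope."""
    findings = []
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() != "microsoft.resources/deployments":
            continue
        props = resource.get("properties", {})
        inner = props.get("template")
        if inner is None:  # linked template (templateLink): nothing inline to scan
            continue
        scope = props.get("expressionEvaluationOptions", {}).get("scope", "outer")
        if scope.lower() == "inner":
            continue
        for path, text in iter_strings(inner):
            if text.startswith("[") and not text.startswith("[["):
                for match in SCOPED_CALL.finditer(text):
                    findings.append((resource.get("name"), path, match.group(1)))
    return findings

# Constructed sample: cut-down version of the template in the question.
SAMPLE = {"resources": [{
    "type": "Microsoft.Resources/deployments",
    "name": "keyVaultsDeployment",
    "resourceGroup": "[parameters('rgName')]",
    "properties": {"mode": "Incremental", "template": {"outputs": {"vaultLocation": {
        "type": "string",
        "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('vaultName')), '2017-05-10', 'Full').location]",
    }}}},
}]}

if __name__ == "__main__":
    for name, path, func in find_outer_scope_expressions(SAMPLE):
        print(f"{name}: {func}() at {path} is evaluated in the parent scope")
```

When the scope is switched to `inner`, the nested template has to declare its own parameters and receive their values from the parent, because `parameters('vaultName')` then no longer resolves against the parent template.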