1
votes

Sample Template to replicate the issue (IDs have been replaced with "redacted-guid"):

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
    "rgName": {
        "type": "string",
        "defaultValue": "sample"
    },
    "vaultName": {
        "type": "string",
        "defaultValue": "TestVault333555"
    }
},
"variables": {

},
"resources": [
    {
        "type": "Microsoft.Resources/resourceGroups",
        "apiVersion": "2018-05-01",
        "location": "West US",
        "name": "[parameters('rgName')]",
        "properties": {}
    },
    {
        "type": "Microsoft.Resources/deployments",
        "apiVersion": "2017-05-10",
        "name": "keyVaultsDeployment",
        "resourceGroup": "[parameters('rgName')]",
        "dependsOn": [
            "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
        ],
        "properties": {
            "mode": "Incremental",
            "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {},
                "variables": {},
                "resources": [
                    {
                        "type": "Microsoft.KeyVault/vaults",
                        "apiVersion": "2020-04-01-preview",
                        "name": "[parameters('vaultName')]",
                        "location": "westus",
                        "tags": {
                            "Environment": "Development",
                            "ResourceType": "Vaults"
                        },
                        "properties": {
                            "sku": {
                                "family": "A",
                                "name": "Standard"
                            },
                            "tenantId": "redacted-guid",
                            "accessPolicies": [
                                {
                                    "tenantId": "redacted-guid",
                                    "objectId": "redacted-guid",
                                    "permissions": {
                                        "keys": [
                                            "Get"
                                        ],
                                        "secrets": [
                                            "Get"
                                        ],
                                        "certificates": []
                                    }
                                },
                                {
                                    "tenantId": "redacted-guid",
                                    "objectId": "redacted-guid",
                                    "permissions": {
                                        "keys": [
                                            "Get",
                                            "List",
                                            "Update",
                                            "Create",
                                            "Import",
                                            "Delete",
                                            "Recover",
                                            "Backup",
                                            "Restore"
                                        ],
                                        "secrets": [
                                            "Get",
                                            "List",
                                            "Set",
                                            "Delete",
                                            "Recover",
                                            "Backup",
                                            "Restore"
                                        ],
                                        "certificates": [
                                            "Get",
                                            "List",
                                            "Update",
                                            "Create",
                                            "Import",
                                            "Delete",
                                            "Recover",
                                            "Backup",
                                            "Restore",
                                            "ManageContacts",
                                            "ManageIssuers",
                                            "GetIssuers",
                                            "ListIssuers",
                                            "SetIssuers",
                                            "DeleteIssuers"
                                        ]
                                    }
                                }
                            ],
                            "enabledForDeployment": false,
                            "enabledForDiskEncryption": false,
                            "enabledForTemplateDeployment": false,
                            "enableSoftDelete": true,
                            "softDeleteRetentionInDays": 90,
                            "enableRbacAuthorization": false,
                            "enablePurgeProtection": true,
                            "provisioningState": "Succeeded"
                        }
                    },
                    {
                        "type": "Microsoft.KeyVault/vaults/secrets",
                        "apiVersion": "2020-04-01-preview",
                        "name": "[concat(parameters('vaultName'), '/SECRET')]",
                        "location": "westus",
                        "dependsOn": [
                            "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
                        ],
                        "properties": {
                            "attributes": {
                                "enabled": true
                            },
                            "value": "redacted-guid"
                        }
                    }
                ],
                "outputs": {
                    "secret": {
                        "type": "string",
                        "value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('vaultName'), 'SECRET'), '2017-05-10', 'Full').secretUri]"
                    },
                    "vaultLocation": {
                        "type": "string",
                        "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('vaultName')), '2017-05-10', 'Full').location]"
                    }
                }
            }
        }
    }
],
"outputs": {

}
}

Errors:

2021-05-11T20:54:39.6696772Z ##[error]NotFound: {
  "error": {
    "code": "ResourceNotFound",
    "message": "The Resource 'Microsoft.KeyVault/vaults/TestVault333555' under resource group '<null>' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
  }
}
2021-05-11T20:54:39.6698437Z ##[error]NotFound: {
  "error": {
    "code": "ParentResourceNotFound",
    "message": "Can not perform requested operation on nested resource. Parent resource 'TestVault333555' not found."
  }
}

I've tried lots of variations of the Output Syntax, as well as trying the other output array, but have come up with nothing.

In DevOps, under the release pipeline, in the "ARM Template Deployment" job, I have set the deployment scope to "Subscription" since I'm trying to create a parameterized Resource Group and deploy the Vaults/Secrets underneath that new resource group. It was my understanding that this is what I want, because in DevOps if I set the Deployment Scope to "Resource Group", it requires me to actually specify the resource group in the pipeline, which isn't what I'm looking for since I want to create a new Resource Group.

Any help or advice on getting past these errors would be hugely appreciated. In general I'm relatively new to ARM. It's my understanding that I should be able to output any data from the resource that shows up in its "JSON View" in Azure, correct?

I'm primarily looking for 3 pieces of info:

  • Vault Name (This is easy, I can output the Vault Name parameter as an output, this does not give an error)
  • Secret Name (In this case: SECRET)
  • Secret URI (Attempted below)
1
Are you sure the key vault TestVault333555 exists in the resource group? – Thomas
Hi @Thomas. Yes, when I go to the resource group after the deployment, I can find TestVault333555 and the secret is created as well --- yet when I try to output any data from either, it says it cannot find it. – toughQuestionsNoAnswer

1 Answer

0
votes

Just answered your last question regarding the same issue. As this link describes, you cannot use the reference() function in the output section when you have not set the 'expressionEvaluationOptions' property in the deployment resource. When not set, the default value is 'outer'.

So 2 options: Declare your outputs in the parent template, or set the 'expressionEvaluationOptions' property to 'inner' and go from there:

{
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2021-04-01",
    "name": "keyVaultsDeployment",
    "resourceGroup": "[parameters('rgName')]",
    "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
    ],
    "properties": {
        "expressionEvaluationOptions": {
            "scope": "inner"
        }
    }
}
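
A pre-deployment check for the scope behaviour described in the answer above, as an added example that is not part of the original post or of any Azure tooling. It flags `reference()` in the outputs of an inline nested template left at the default outer scope, and, once the scope is switched to inner, any `parameters()` name that the nested template does not declare or the parent does not pass in (the question's nested template declares none). The function names, finding labels and sample template are constructed for illustration.

```python
import json
import re

PARAM_RE = re.compile(r"parameters\('([^']+)'\)")

def check_nested_deployments(template):
    """Return (deployment, finding, name) tuples for inline nested deployments."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Resources/deployments":
            continue
        props = res.get("properties", {})
        nested = props.get("template")
        if not isinstance(nested, dict):
            continue  # linked template (templateLink): nothing inline to inspect
        scope = props.get("expressionEvaluationOptions", {}).get("scope", "outer")
        name = res.get("name", "?")
        if scope.lower() == "outer":
            # Outer scope: reference() in nested outputs cannot resolve resources it deploys.
            for out, body in nested.get("outputs", {}).items():
                if "reference(" in json.dumps(body):
                    findings.append((name, "outer-reference-output", out))
        else:
            # Inner scope: parameters() resolves against the nested template only.
            declared = nested.get("parameters", {})
            passed = props.get("parameters", {})
            used = set(PARAM_RE.findall(json.dumps(
                [nested.get("resources"), nested.get("outputs")])))
            for p in sorted(used):
                if p not in declared:
                    findings.append((name, "inner-undeclared-parameter", p))
                elif p not in passed and "defaultValue" not in declared[p]:
                    findings.append((name, "inner-parameter-not-passed", p))
    return findings

def sample(scope=None, declare=False):
    """Constructed template shaped like the question's nested deployment."""
    out = ("[reference(resourceId('Microsoft.KeyVault/vaults/secrets', "
           "parameters('vaultName'), 'SECRET')).secretUri]")
    props = {"mode": "Incremental", "template": {
        "parameters": {"vaultName": {"type": "string"}} if declare else {},
        "resources": [{"type": "Microsoft.KeyVault/vaults",
                       "name": "[parameters('vaultName')]"}],
        "outputs": {"secret": {"type": "string", "value": out}}}}
    if scope:
        props["expressionEvaluationOptions"] = {"scope": scope}
    if declare:
        props["parameters"] = {"vaultName": {"value": "[parameters('vaultName')]"}}
    return {"resources": [{"type": "Microsoft.Resources/deployments",
                           "name": "keyVaultsDeployment", "properties": props}]}
```

Running `check_nested_deployments(sample())` reports the outer-scope output, `sample("inner")` reports the undeclared `vaultName`, and `sample("inner", declare=True)` returns no findings.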