az mesh secret list not showing the secrets - azure-service-fabric-mesh

I created a fresh mesh app and it is working fine. Now I updated the service yaml to add one secret as follows:
Secrets:
  - name: MySecret.txt
    description: My Mesh Application Secret
    secret_type: inlinedValue
    content_type: SecretStoreRef
    value: mysecret
  - name: mysecret:1.0
    description: My Mesh Application Secret Value
    secret_type: value
    content_type: text/plain
    value: "P#ssw0rd#1234"
I have taken this example from the official Microsoft documentation. Now, after redeploying, or even with a fresh deployment (tried both), when I run the following command:
az mesh secret list -g <resourcegroupname>
I get an empty [] list, i.e. no secrets are shown. Please note that the application is working fine and the deployment succeeded too. Please assist.

I have an issue open on that page for a number of problems that document has. Here's what I had to do to my ARM templates to get the template deploying:
Change the secret name to "MySecret.txt/1"
Change
"properties": {
  "kind": "inlinedValue",
  "description": "My Mesh Application Secret",
  "contentType": "SecretsStoreRef",
  "value": "mysecret"
}
to
"properties": {
  "kind": "inlinedValue",
  "description": "My Mesh Application Secret",
  "contentType": "text/plain"
}
To access your secret, you'll have to add a setting to your codePackages node:
"settings": [
  {
    "name": "MySecretPasswordSetting",
    "value": "[resourceId('Microsoft.ServiceFabricMesh/secrets/values','MySecret.txt','v1')]"
  }
]
I also had to add "Microsoft.ServiceFabricMesh/secrets/MySecret.txt/values/v1" to my Microsoft.ServiceFabricMesh/applications.dependsOn.

Related

Azure Logic App deployment via Powershell

I have developed a PowerShell script that allows me to download Logic Apps from the portal into Visual Studio. Along with the JSON template it also downloads the parameters defined in the Logic App (which is what I wanted). We had established connections with Dataverse and Salesforce via the sign-in method. But the problem is that when I download the template via the PowerShell script and update the parameter file to deploy to a different environment, it asks for the credentials, which are for service principal login. I haven't used service principal login when creating the connection and I don't have those credentials. I tried removing those parameters from both the parameter file and the .JSON file but I am getting the error below:
Error: Code=InvalidDeploymentParameterValue; Message=The value of deployment parameter 'commondataservice-5_token:clientSecret' is null. Please specify the value or use the parameter reference.
These parameters were automatically added to my parameter.json file.
"commondataservice-5_token:clientId": {
  "value": null
},
"commondataservice-5_token:clientSecret": {
  "value": null
},
"commondataservice-5_token:resourceUri": {
  "value": null
},
"commondataservice-5_token:grantType": {
  "value": "code"
}
This is what the main Logic App template looks like for the Dataverse connection:
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "location": "[parameters('logicAppLocation')]",
  "name": "[parameters('commondataservice-5_name')]",
  "properties": {
    "api": {
      "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',parameters('logicAppLocation'),'/managedApis/commondataservice')]"
    },
    "displayName": "[parameters('commondataservice-5_displayName')]",
    "parameterValues": {
      "token:clientId": "[parameters('commondataservice-5_token:clientId')]",
      "token:clientSecret": "[parameters('commondataservice-5_token:clientSecret')]",
      "token:TenantId": "[parameters('commondataservice-5_token:TenantId')]",
      "token:resourceUri": "[parameters('commondataservice-5_token:resourceUri')]",
      "token:grantType": "[parameters('commondataservice-5_token:grantType')]"
    }
  }
}
Below is the PowerShell command to get the LA template:
Get-LogicAppTemplate -LogicApp fc-cus-dev-int-test-param-dynamicexpression -ResourceGroup FC-CUS-DEV-INT-RG -SubscriptionId xxxxx-xxxxxx -Verbose | Out-File "C:\Users\xxxxxx\Desktop\DynamicExpression-NA.LogicApp.json"
#PowerShell command to get the parameters:
Get-ParameterTemplate -TemplateFile "C:\Users\xxxxx\Desktop\DynamicExpression-NA.LogicApp.json" | Out-File "C:\Users\xxxxxx\DynamicExpression-NA.LAparameters.json"
I have followed this article to download the Logic App: https://blog.sandro-pereira.com/2020/12/21/logic-apps-moving-from-azure-portal-to-visual-studio/
I am having a hard time trying to remove the connection parameters from the parameter file and deploying the LA. Any suggestions or pointers are highly appreciated.
You have to update the parameter file with actual values. When you extract a template it creates the parameter file, but for security reasons any value that should not be public (i.e. a password) is not retrieved; those values all show as null in your parameter file. You need to get those values and update the parameter file before deploying.

web apps - update configuration via API

I would like to change the application settings of an Azure Function via API. I have found this API. For this API I generate such a body:
{
  "properties": {
    "appSettings": [
      {
        "Name": "452bb"
      }
    ]
  }
}
After sending my request I get response code 200, but the value of Name doesn't change in the application settings of the Azure Function.
Do you have any idea why it doesn't work for me?
I suppose what you need is Update Application Settings; I tried this and it could update the application settings.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/appsettings?api-version=2019-08-01
Body
{
  "id": "subscriptions/{subscriptionId}/resourceGroups/{resource group}/providers/Microsoft.Web/sites/{WebAppName}/config/appsettings",
  "name": "appsettings",
  "type": "Microsoft.Web/sites/config",
  "location": "South Central US",
  "tags": {
    "hidden-related:/subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Web/serverfarms/tomfreePlan": "empty"
  },
  "properties": {
    "Test1": "testValue1" //Added value
  }
}
And before updating the settings, you could use the List Application Settings POST to list the app settings body first.
As for the API you posted, I checked that appsettings in the resource explorer: it's under the web tag, and the appsettings you want is the first tag shown in the pictures below. I tried to just change it in the resource explorer; it doesn't show any error, however the value still stays null, so just use the Update Application Settings API.
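An added example (mine, not the answer's or Microsoft's code) of the list-then-update sequence the answer describes, done from Python: the Update Application Settings PUT replaces the whole set of settings, so the body is built by merging the current values returned by the List Application Settings POST with the changes, and the PUT response is checked to confirm the change actually landed (the question's body shape returned 200 without changing anything). Subscription, resource group, site name and the sample list response are constructed; the bearer token is assumed to come from `az account get-access-token` or a managed identity.

```python
"""Update App Service / Functions app settings via the ARM REST API without
dropping the existing ones. Added example; names and sample data are constructed."""
import json
import urllib.request

API_VERSION = "2019-08-01"


def appsettings_url(subscription_id, resource_group, site_name, action=None):
    """URL of the appsettings config resource; action='list' gives the POST endpoint
    that returns the current values."""
    url = ("https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/"
           "Microsoft.Web/sites/%s/config/appsettings" % (subscription_id, resource_group, site_name))
    if action:
        url += "/" + action
    return url + "?api-version=" + API_VERSION


def merge_appsettings(listed, updates, remove=()):
    """Build the PUT body from the list response. `updates` is a flat dict of
    setting name -> string value, the shape the API expects; an
    {"appSettings": [{"Name": ...}]} array is silently ignored by the service."""
    current = dict(listed.get("properties", {}))
    for name in remove:
        current.pop(name, None)
    for name, value in updates.items():
        if not isinstance(value, str):
            raise TypeError("app setting %r must be a string" % name)
        current[name] = value
    return {"properties": current}


def verify_applied(put_response, updates):
    """Names from `updates` that the PUT response (which echoes the stored settings)
    does not carry with the requested value."""
    props = put_response.get("properties", {})
    return [name for name, value in updates.items() if props.get(name) != value]


def update_appsettings(token, subscription_id, resource_group, site_name, updates, remove=()):
    """Live version: POST .../appsettings/list, merge, PUT, verify. Needs network access."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    list_req = urllib.request.Request(
        appsettings_url(subscription_id, resource_group, site_name, "list"),
        data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(list_req) as resp:
        listed = json.load(resp)
    body = merge_appsettings(listed, updates, remove)
    put_req = urllib.request.Request(
        appsettings_url(subscription_id, resource_group, site_name),
        data=json.dumps(body).encode(), headers=headers, method="PUT")
    with urllib.request.urlopen(put_req) as resp:
        applied = json.load(resp)
    missing = verify_applied(applied, updates)
    if missing:
        raise RuntimeError("settings not applied: " + ", ".join(missing))
    return applied


# Constructed sample of what POST .../config/appsettings/list returns.
LISTED = {
    "name": "appsettings",
    "type": "Microsoft.Web/sites/config",
    "properties": {
        "FUNCTIONS_WORKER_RUNTIME": "dotnet",
        "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=examplestorage;AccountKey=<redacted>",
        "WEBSITE_RUN_FROM_PACKAGE": "1",
    },
}

if __name__ == "__main__":
    # Offline demonstration: the body that should be PUT to add Test1.
    print(json.dumps(merge_appsettings(LISTED, {"Test1": "testValue1"}), indent=2))
```

Sending only `{"properties": {"Test1": "testValue1"}}`, as in the answer's body, would work but would also delete every other setting, including `AzureWebJobsStorage`; the merge is what keeps the function app running.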

Deploy a Web App certificate from Key Vault secret and use it for creating SSL binding - LinkedAuthorizationFailed

I'm trying to add a custom domain with an SSL-binding to a web app with an ARM-template. I can do it manually in the Azure Portal but I want it to work with an ARM-template.
The certificate is in a key vault which is not in the same resource group as the web app. I have no problem accessing ordinary secrets from the key vault in my release pipeline, like database connection strings. The problem is when I try to access certificates. I have GET permissions to the key vault certificates.
I'm using this GitHub template
https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault
This is the error I get when I try to deploy the ARM template with a release pipeline.
"error": {
  "code": "LinkedAuthorizationFailed",
  "message": "The client 'xxxx' with object id 'xxxx' has permission to perform action 'Microsoft.Web/certificates/write' on scope '***/providers/Microsoft.Web/certificates/xxxxx'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.KeyVault/vaults/xxxxx'."
}
You could try increasing the permissions the Azure DevOps service connection has on the key vault certificates under Access Policies; maybe start with all certificate permissions as a troubleshooting step to confirm it's permission related, then reduce as required. It may just need Get and Create?
I solved it by creating 4 resources in the ARM template. A certificate, an app service plan, a web app and a hostname binding. Just like this github azure-quickstart-template https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-custom-domain-and-ssl.
The key for me was modifying the certificate resource by adding a pfxBlob and removing the key vault properties, see the code below. The certificatePfx is a securestring which is set in the release pipeline from the key vault.
{
  "type": "Microsoft.Web/certificates",
  "name": "[parameters('certificateName')]",
  "apiVersion": "2016-03-01",
  "location": "[resourceGroup().location]",
  "properties": {
    "name": "[parameters('webAppName')]",
    "serverFarmId": "[resourceId('Microsoft.Web/serverFarms', parameters('appServicePlanName'))]",
    "hostNames": [
      "[parameters('hostname_wildcard')]",
      "[parameters('hostname_domain')]"
    ],
    "pfxBlob": "[parameters('certificatePfx')]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]"
  ]
},

Can Secrets From Objects Created in ARM Templates Get Auto Added to Key Vault

If I have an Azure ARM template that can create:
Azure Container Registry
Azure Key Vault
Is there a way for the username and password for the Azure Container Registry to be automatically added to the Azure Key Vault using ARM templates?
Is there some way to refer to the Azure Container Registry username and password secrets in ARM templates for this purpose?
UPDATE
@EdBoykin's answer is correct, this is what I ended up with:
{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "[concat(parameters('key_vault_name'), '/AzureContainerRegistryKey1')]",
  "apiVersion": "2015-06-01",
  "properties": {
    "contentType": "text/plain",
    "value": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('container_registry_name')), '2017-10-01').passwords[0].value]"
  },
  "dependsOn": [
    "[concat('Microsoft.KeyVault/vaults/', parameters('key_vault_name'))]",
    "[concat('Microsoft.ContainerRegistry/registries/', parameters('container_registry_name'))]"
  ]
}
Muhammad,
To create the secrets in Key Vault you will need to create an ARM template that looks something like this. Make sure to update the 'dependsOn' section so this resource depends on your ACR being created first. The username is going to be the ACR resource name. So, whatever you set that to in your ARM script, you can store in your key vault as a key vault secret.
For the passwords, or keys, this is what you do. Here is a sample template for adding a Key Vault secret:
{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "[concat(variables('keyVaultName'), '/{YourACRKey1SecretName}')]",
  "apiVersion": "2015-06-01",
  "properties": {
    "contentType": "text/plain",
    "value": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('YourACRName')), '2017-10-01').passwords[0].value]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.ContainerRegistry/registries', parameters('YourACRName'))]"
  ]
}
{YourACRKey1SecretName} should be changed to the secret name for your ACR Key1 value.
To set the other key in your key vault, create another key vault secret resource with a new name and use this for the value:
For Key 2
[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('YourACRName')), '2017-10-01').passwords[1].value]

Azure Key Vault access from ARM Template

I was trying to add Azure Key Vault integration to our ARM deployment, so we can keep all passwords in Azure Key Vault.
I was following this to try to access a secret (adminPassword) I have created in Azure Key Vault (dSentienceAnalytics). Here is my template
I tried to deploy this template through PowerShell, but it asked me to enter a value for the variable "adminPassword", which it is supposed to retrieve from Azure Key Vault.
Do you see what I am missing here?
You cannot use a Key Vault reference in the template itself, only in the parameters file. So your template will not look any different if you're using Key Vault; the adminPassword parameter will simply be defined as a secureString. The template's use of the password can look exactly like this:
https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-linux/azuredeploy.json
The parameters file is where the reference will be used. The first code sample here:
https://azure.microsoft.com/en-us/documentation/articles/resource-manager-keyvault-parameter/#reference-a-secret-with-static-id
Is showing you the parameters file, not the template file's parameter object (it is a bit confusing).
For a really simple example, see the KeyVaultUse.json and KeyVaultUse.parameters.json here:
https://github.com/rjmax/ArmExamples/tree/master/keyvaultexamples
Note that there's nothing unique or different about KeyVaultUse.json, the "key" is in the parameters file.
That help?
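Both this answer and the earlier Logic App answer ("update the parameter file with actual values") come down to editing the parameters file, and the Key Vault reference form shown here is how to do that without ever typing the secret into the file. The following Python script is an added example, not code from either answer or from Microsoft: it takes the parameters file Get-ParameterTemplate produced in the Logic App question (constructed inline from that question's parameter names), rewrites each null credential parameter as a Key Vault reference, fills non-secret nulls with literals, refuses to write a literal into a secret-looking parameter, and reports anything still null (which would fail with InvalidDeploymentParameterValue anyway). The subscription id, resource group, vault name, secret name and the clientId/resourceUri literals are made up.

```python
"""Turn the null credential parameters in an ARM parameters file into Key Vault
references. Added example; vault, subscription and secret names are constructed."""
import copy
import json
import re

# Parameter names that usually carry credentials (heuristic, extend as needed).
SECRET_NAME_RE = re.compile(r"secret|password|pwd|connectionstring|accesskey", re.IGNORECASE)
# Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
KV_SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")


def vault_resource_id(subscription_id, resource_group, vault_name):
    return ("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s"
            % (subscription_id, resource_group, vault_name))


def keyvault_reference(vault_id, secret_name, secret_version=None):
    """The reference form that is valid in a parameters file (or in the parameters of
    a nested/linked deployment), not inside the template body itself."""
    if not KV_SECRET_NAME_RE.match(secret_name):
        raise ValueError("invalid Key Vault secret name: %r" % secret_name)
    ref = {"keyVault": {"id": vault_id}, "secretName": secret_name}
    if secret_version:
        ref["secretVersion"] = secret_version
    return {"reference": ref}


def fill_parameters(params_doc, vault_id, secret_map, plain_values=None):
    """Return a copy of params_doc where each null parameter named in secret_map becomes
    a Key Vault reference and each one named in plain_values gets that literal. Any
    other null parameter is reported instead of silently left for the deployment to
    reject."""
    plain_values = plain_values or {}
    doc = copy.deepcopy(params_doc)
    unresolved = []
    for name, entry in doc["parameters"].items():
        if "reference" in entry or entry.get("value") is not None:
            continue
        if name in secret_map:
            doc["parameters"][name] = keyvault_reference(vault_id, secret_map[name])
        elif name in plain_values:
            if SECRET_NAME_RE.search(name):
                raise ValueError("refusing to store %s as a literal" % name)
            doc["parameters"][name] = {"value": plain_values[name]}
        else:
            unresolved.append(name)
    if unresolved:
        raise ValueError("still null: " + ", ".join(unresolved))
    return doc


def literal_secrets(params_doc):
    """Secret-looking parameters that carry a literal value, i.e. would be committed to
    source control in the clear and should be references instead."""
    return sorted(name for name, entry in params_doc["parameters"].items()
                  if SECRET_NAME_RE.search(name) and "reference" not in entry
                  and entry.get("value") not in (None, ""))


# Constructed input: the parameter block from the Logic App question above.
PARAMS = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "commondataservice-5_token:clientId": {"value": None},
        "commondataservice-5_token:clientSecret": {"value": None},
        "commondataservice-5_token:resourceUri": {"value": None},
        "commondataservice-5_token:grantType": {"value": "code"},
    },
}
# Made-up subscription and vault; the resource group name is the one from the question.
VAULT_ID = vault_resource_id("00000000-0000-0000-0000-000000000000", "FC-CUS-DEV-INT-RG", "example-kv")

if __name__ == "__main__":
    filled = fill_parameters(
        PARAMS, VAULT_ID,
        secret_map={"commondataservice-5_token:clientSecret": "dataverse-client-secret"},
        plain_values={"commondataservice-5_token:clientId": "11111111-1111-1111-1111-111111111111",
                      "commondataservice-5_token:resourceUri": "https://example.crm.dynamics.com"})
    print(json.dumps(filled, indent=2))
```

The ARM parameter name `commondataservice-5_token:clientSecret` cannot be reused as the Key Vault secret name (colons and underscores are not allowed there), hence the explicit mapping. Deploying the rewritten file additionally requires the vault to have `enabledForTemplateDeployment` set and the deploying identity to hold the `Microsoft.KeyVault/vaults/deploy/action` permission on it; the script does not configure either.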
You can create a linked template and pass the Key Vault secret to that as a parameter. Your linked template will need to be accessible to Azure at some URI.
{
  "name": "linked-template",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2019-10-01",
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "<your linked template uri, e.g. a blob-store file with a sas token>"
    },
    "parameters": {
      "password": {
        "reference": {
          "keyVault": {
            "id": "[variables('keyVaultId')]"
          },
          "secretName": "password"
        }
      }
    }
  }
}
You will need the id of your key vault; e.g. here it's assumed to be in a variable constructed from parameters on the top-level template, where the user specifies a resource group and name for the key vault:
"keyVaultId": "[resourceId(subscription().subscriptionId, parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
What are you trying to deploy? If it is an App Service you can retrieve the secret from Key Vault by combining Managed Service Identity with an access policy on the Key Vault. Here's how to turn on MSI authentication for App Service and add an access policy.
In the App Service you can add something like this:
{
  "apiVersion": "2018-11-01",
  "name": "appsettings",
  "type": "config",
  "dependsOn": [
    "[resourceId('Microsoft.Web/Sites', WEBSITE NAME)]",
    "Microsoft.ApplicationInsights.AzureWebSites",
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]",
    "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('secretName'))]"
  ],
  "properties": {
    "ConnectionSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('secretName'))).secretUriWithVersion, ')')]"
  }
}
