How do I use an Azure Key Vault secret in a linked template - azure

I'm trying to create an automation variable from a KeyVault secret. I assume I can do the same thing that is currently done in the main template for retrieving the Windows password, but it fails with the non-descriptive error below. Not sure what to do next to troubleshoot.
Error
{
  "code": "BadRequest",
  "message": "{\"Message\":\"The request is invalid.\",\"ModelState\":{\"variable.properties.value\":[\"An error has occurred.\"]}}"
}
Template
{
  "name": "mystring",
  "type": "variables",
  "apiVersion": "2015-10-31",
  "dependsOn": [
    "[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]"
  ],
  "properties": {
    "value": {
      "reference": {
        "keyVault": {
          "id": "[resourceId(subscription().subscriptionId, 'Utility-RG', 'Microsoft.KeyVault/vaults', 'MyKeyVault')]"
        },
        "secretName": "WindowsPasswordSecret"
      }
    },
    "description": "test var",
    "isEncrypted": false
  }
}

That error is indeed helpful. While I have no idea what went wrong there, I can tell you how to work around it: you need to pass the data from the KV to the template (as an input parameter), not to the resource, and in the template use the parameter to assign the value to the object in question.
Reference: https://github.com/4c74356b41/bbbb-is-the-word/blob/master/_arm/parent.json#L151
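The workaround above in working form, as an added example that is not part of the original question or answer. The block embeds two constructed template fragments: the question's shape (the Key Vault reference sitting on the variable resource itself) and the answer's (the reference passed as a parameter of a Microsoft.Resources/deployments resource and consumed by the linked template as a securestring), plus a small linter that reports every Key Vault reference that is not a deployment parameter. The linked-template URI, the deployment name and the parameter names are assumptions made for this example.

```python
"""Added example (not code from the original question or answer): a check
for where an ARM template places Key Vault references.

ARM resolves {"reference": {"keyVault": {...}, "secretName": "..."}} only
where it is the value of a deployment parameter: in a parameters file, or
under properties.parameters of a Microsoft.Resources/deployments (linked or
nested template) resource. On any other resource, as in the question, the
object is passed through unchanged to the resource provider, which rejects
it. The templates below are constructed for this example; the linked
template URI, deployment name and parameter names are hypothetical.
"""

KV_ID = ("[resourceId(subscription().subscriptionId, 'Utility-RG', "
         "'Microsoft.KeyVault/vaults', 'MyKeyVault')]")
SECRET_REF = {"reference": {"keyVault": {"id": KV_ID},
                            "secretName": "WindowsPasswordSecret"}}

# Constructed: the question's shape, reference placed on the variable resource.
BROKEN = {"resources": [{
    "type": "Microsoft.Automation/automationAccounts",
    "name": "[parameters('AutomationAccountName')]",
    "resources": [{
        "type": "variables", "apiVersion": "2015-10-31", "name": "mystring",
        "properties": {"value": SECRET_REF, "isEncrypted": False},
    }],
}]}

# Constructed: the answer's workaround, reference passed as a parameter of a
# linked deployment; the linked template then uses parameters('variableValue').
FIXED = {"resources": [{
    "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01",
    "name": "automationVariable",
    "properties": {
        "mode": "Incremental",
        "templateLink": {"uri": "https://example.invalid/linked.json"},  # hypothetical
        "parameters": {
            "automationAccountName": {"value": "[parameters('AutomationAccountName')]"},
            "variableValue": SECRET_REF,
        },
    },
}]}

# Constructed linked template: the secret arrives as a securestring and is
# stored encrypted. Automation keeps variable values as JSON-encoded strings,
# so a string value is wrapped in double quotes.
LINKED = {"parameters": {"automationAccountName": {"type": "string"},
                         "variableValue": {"type": "securestring"}},
          "resources": [{
              "type": "Microsoft.Automation/automationAccounts/variables",
              "apiVersion": "2019-06-01",
              "name": "[concat(parameters('automationAccountName'), '/mystring')]",
              "properties": {"value": "[concat('\"', parameters('variableValue'), '\"')]",
                             "isEncrypted": True},
          }]}


def walk(node, path=()):
    """Yield (path, node) for every node in a JSON-like document."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (index,))


def _get(node, path):
    for key in path:
        node = node[key]
    return node


def is_deployment_parameter(template, path):
    """True when `path` is properties.parameters.<name> of a
    Microsoft.Resources/deployments resource."""
    if len(path) < 3 or tuple(path[-3:-1]) != ("properties", "parameters"):
        return False
    owner = _get(template, path[:-3])
    return isinstance(owner, dict) and owner.get("type") == "Microsoft.Resources/deployments"


def find_keyvault_references(template):
    """Return [(json_path, allowed)] for every Key Vault reference object."""
    found = []
    for path, node in walk(template):
        ref = node.get("reference") if isinstance(node, dict) else None
        if isinstance(ref, dict) and "keyVault" in ref:
            found.append((path, is_deployment_parameter(template, path)))
    return found


def lint(template):
    """Human-readable findings; an empty list means every reference resolves."""
    return [f"Key Vault reference at {'/'.join(map(str, path))} is not a deployment "
            "parameter; ARM sends the literal object to the resource provider"
            for path, allowed in find_keyvault_references(template) if not allowed]


if __name__ == "__main__":
    print("broken:", lint(BROKEN) or "ok")
    print("fixed: ", lint(FIXED) or "ok")
```

Two further checks belong to the same troubleshooting and are outside the template: the vault must have enabledForTemplateDeployment set to true, and the identity running the deployment needs the Microsoft.KeyVault/vaults/deploy/action permission on it; without either, the deployment fails while resolving the reference rather than at the resource. The linked template also stores the variable with isEncrypted true, since it holds a password.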

Related

"Cannot read properties of undefined" when using ResourceSelector on UIDefinition

I'm building an ARM template that deploys some variables and runbooks to the automation account that the user selects.
To guide the user, I use a ResourceSelector:
{
  "name": "AutomationAccount",
  "type": "Microsoft.Solutions.ResourceSelector",
  "resourceType": "Microsoft.Automation/automationAccounts",
  "label": "Automation Account",
  "toolTip": "The Automation Account that will host these runbooks.",
  "filter": {
    "subscription": "onBasics",
    "location": "onBasics"
  },
  "visible": true
}
This correctly displays a dropdown that allows me to select the Automation Account filtered to the subscription and the resource group.
At the end of the UIDefinition.json file, I output the selected value like so:
"outputs": {
  "parameters": {
    ...
    "AutomationAccountId": "[steps('basics').AutomationAccount.id]",
    ...
  }
}
(based on the sample output from the documentation for the ResourceSelector)
My ARM template is then supposed to use this value as a parameter:
"parameters": {
  ...
  "AutomationAccountId": {
    "type": "string",
    "metadata": {
      "description": "The resourceId of the Automation Account that will host this runbook."
    }
  },
  ...
}
which I then use as part of the name for a new variable:
"resources": [
  ...
  {
    "name": "[concat(parameters('AutomationAccountId'), '/MyVariableName')]",
    "type": "Microsoft.Automation/automationAccounts/variables",
    "apiVersion": "2019-06-01",
    "dependsOn": [ ],
    "properties": {
      "value": "[parameters('SomeVariableValueParameter')]",
      "description": "Some description",
      "isEncrypted": false
    }
  }
  ...
The UI displays correctly, allowing me to pick an Automation Account, but when I get to the Review & Create stage, validation fails with the following error detail:
Cannot read properties of undefined (reading 'subscriptionId')
Can anyone help out?

How to reference Keyvault Secret Tags from ARM template

I have an ARM template which syncs a secret value from a source Keyvault into a destination one.
I also want to sync the secret's tags, but the ARM reference that I use for 'sourceKV.secret.tags' retrieval does not work:
[reference(resourceId('subscriptionId', 'resourceGroup', 'Microsoft.KeyVault/vaults/secrets', 'SourceKV', 'Secret'), '2021-04-01-preview', 'Full').tags.tagName]
Any ideas what the issue can be, or what the correct form is to retrieve tags during ARM template deployment?
These work for me:
"outputs": {
  "tags": {
    "type": "string",
    "value": "[reference('/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.KeyVault/vaults/zzzz/secrets/mysecret', '2022-07-01', 'Full').tags]"
  },
  "tagValue": {
    "type": "string",
    "value": "[reference('/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.KeyVault/vaults/zzzz/secrets/mysecret', '2022-07-01', 'Full').tags.hello]"
  },
  "tagValue2": {
    "type": "string",
    "value": "[reference(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.KeyVault/vaults/secrets', 'xxxx', 'mysecret'), '2021-04-01-preview', 'Full').tags.hello]"
  }
}
Will result in:
"outputs": {
  "tagValue": {
    "type": "String",
    "value": "world"
  },
  "tagValue2": {
    "type": "String",
    "value": "world"
  },
  "tags": {
    "type": "Object",
    "value": {
      "hello": "world"
    }
  }
}
It also works with the API version you used. It is important that you use 'Full', otherwise you won't get the tags. Note that you can use this syntax anywhere in your template; I just used it in the outputs because it is good for testing.
As I found out, it is not possible to use the Reference function for setting the tags property value for a key vault, as the valid usages state the reference function only works if it is used inside the properties block or in outputs; since tags are not part of properties, instead of returning the value the reference function returns just the string "reference(resource...)".

Creating SAS token with ARM template: error InvalidValuesForRequestParameters

I am trying to generate a SAS token from an ARM template, to allow my template to subsequently access resources in blob storage (including linked templates). The SAS token is supposed to be stored in a vault I'm also creating in this template. The storage account exists independently (in another RG).
However, I get the following error:
{
  "code": "InvalidValuesForRequestParameters",
  "message": "Values for request parameters are invalid: signedPermission,signedExpiry,signedResourceTypes,signedServices."
}
My template had this variable and this line to generate the SAS token:
"variables": {
  "vaultName": "[concat('hpc',uniqueString(resourceGroup().id, parameters('keyVaultName')))]",
  "accountSasProperties": {
    "type": "object",
    "defaultValue": {
      "signedServices": "fb",
      "signedPermission": "rwdlacup",
      "signedExpiry": "2021-11-30T00:00:00Z",
      "signedResourceTypes": "co"
    }
  }
},
(...)
{
  "apiVersion": "2018-02-14",
  "type": "Microsoft.KeyVault/vaults/secrets",
  "dependsOn": [
    "[concat('Microsoft.KeyVault/vaults/', variables('vaultName'))]"
  ],
  "name": "[concat(variables('vaultName'), '/', 'StorageSaSToken')]",
  "properties": {
    "value": "[listAccountSas(resourceId(parameters('StorageAccountRg'),'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01', variables('accountSasProperties')).accountSasToken]"
  }
}
I tried several variations of the parameters, but could not find what's wrong, and the error is not really helping.
I tried (among other things):
removing the 'signed' in front of the parameters (services instead of signedServices)
various combinations of services, resource types and permissions
various times (shorter, longer...)
When we define variables, we do not need to specify a data type for the variable. For more details, please refer to here.
So please update your template as in the following template:
"variables": {
  "vaultName": "[concat('hpc',uniqueString(resourceGroup().id, parameters('keyVaultName')))]",
  "accountSasProperties": {
    "signedServices": "fb",
    "signedPermission": "rwdlacup",
    "signedExpiry": "2021-11-30T00:00:00Z",
    "signedResourceTypes": "co"
  }
},
(...)
{
  "apiVersion": "2018-02-14",
  "type": "Microsoft.KeyVault/vaults/secrets",
  "dependsOn": [
    "[concat('Microsoft.KeyVault/vaults/', variables('vaultName'))]"
  ],
  "name": "[concat(variables('vaultName'), '/', 'sas')]",
  "properties": {
    "value": "[listAccountSas(resourceId(parameters('StorageAccountRg'),'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01', variables('accountSasProperties')).accountSasToken]"
  }
}
Found the issue with the help of jim-xu's answer, and it's the worst kind of solution: the stupid mistake.
I switched "accountSasProperties" from parameters to variables, and in the process I forgot to remove the "defaultValue" and put the value directly under "accountSasProperties".
The correct syntax for a variable in my case:
"accountSasProperties": {
  "signedServices": "fb",
  "signedPermission": "rwdlacup",
  "signedExpiry": "2021-11-30T00:00:00Z",
  "signedResourceTypes": "co"
}
I incidentally also removed the object type, as pointed out by jim-xu in his answer.
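A pre-flight check for the two mistakes in this thread, as an added example that is not code from the question or from jim-xu's answer: a variable declared with a parameter-style wrapper, and a listAccountSas properties object whose fields do not match what the account-SAS request accepts. The variables objects are constructed from the question and the fix; the accepted characters are those of the Storage account-SAS request (services b/q/t/f, resource types s/c/o, permissions r/w/d/l/a/c/u/p), and the fixed "now" value is an assumption so the result is reproducible.

```python
"""Added example (not code from the original question or answers): pre-flight
checks before calling listAccountSas from an ARM template.

In the variables section a variable's value is the object itself. Writing it
with "type"/"defaultValue" (parameter syntax) sends that wrapper to
listAccountSas, so every signed* field is missing, which is exactly the list
in the InvalidValuesForRequestParameters message. The signed* fields also
have fixed alphabets that the error does not spell out. The variables blocks
below are constructed from the question and the accepted fix; EXAMPLE_NOW is
an assumed clock so the expiry checks are deterministic.
"""
from datetime import datetime, timezone

# Alphabets accepted by the Storage account-SAS request
SIGNED_SERVICES = set("bqtf")        # blob, queue, table, file
SIGNED_RESOURCE_TYPES = set("sco")   # service, container, object
SIGNED_PERMISSION = set("rwdlacup")  # read write delete list add create update process
REQUIRED = ("signedServices", "signedPermission", "signedExpiry", "signedResourceTypes")
EXAMPLE_NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)  # assumed clock for the example

# Constructed: the question's variables block (parameter syntax inside variables)
BROKEN_VARIABLES = {
    "accountSasProperties": {
        "type": "object",
        "defaultValue": {
            "signedServices": "fb", "signedPermission": "rwdlacup",
            "signedExpiry": "2021-11-30T00:00:00Z", "signedResourceTypes": "co",
        },
    },
}

# Constructed: the fix, the object is the variable's value
FIXED_VARIABLES = {"accountSasProperties": BROKEN_VARIABLES["accountSasProperties"]["defaultValue"]}


def variable_declaration_errors(variables):
    """Variables take a value directly; "type"/"defaultValue" belong to parameters."""
    return [f"variables.{name}: has parameter-style 'type'/'defaultValue'; "
            "move the contents of defaultValue up one level"
            for name, value in variables.items()
            if isinstance(value, dict) and {"type", "defaultValue"} <= set(value)]


def _parse_expiry(text):
    """Accept the two ISO 8601 forms the SAS request takes; None if neither fits."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def account_sas_errors(props, now=None):
    """Validate the object handed to listAccountSas. Returns [] when every
    required field is present, every character is allowed, and the expiry
    parses and is still in the future relative to `now`."""
    now = now or datetime.now(timezone.utc)
    errors = [f"{key}: missing" for key in REQUIRED if key not in props]
    for key, alphabet in (("signedServices", SIGNED_SERVICES),
                          ("signedResourceTypes", SIGNED_RESOURCE_TYPES),
                          ("signedPermission", SIGNED_PERMISSION)):
        bad = set(props.get(key, "")) - alphabet
        if bad:
            errors.append(f"{key}: invalid character(s) {''.join(sorted(bad))}")
    if "signedExpiry" in props:
        expiry = _parse_expiry(props["signedExpiry"])
        if expiry is None:
            errors.append("signedExpiry: not ISO 8601 UTC (YYYY-MM-DDThh:mm:ssZ)")
        elif expiry <= now:
            errors.append(f"signedExpiry: {props['signedExpiry']} is already in the past")
    return errors


def sas_validity_days(props, now):
    """How long the token written into Key Vault stays usable. A long-lived,
    broadly permissioned account SAS is a standing credential; review this."""
    return (_parse_expiry(props["signedExpiry"]) - now).days


if __name__ == "__main__":
    for label, variables in (("broken", BROKEN_VARIABLES), ("fixed", FIXED_VARIABLES)):
        props = variables["accountSasProperties"]
        print(label, variable_declaration_errors(variables), account_sas_errors(props, EXAMPLE_NOW))
```

Because the token ends up as a Key Vault secret, its lifetime is the secret's lifetime: anyone who can read the secret holds storage access until signedExpiry, and rotating it means redeploying. Review the validity window and the permission string against what the linked templates actually need; fetching linked templates from blob URIs needs only r on service b with resource type o, not rwdlacup across b and f.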

Azure RM Template AutomationRunbookServiceUriIsNotValid

I need to deploy a resource of type "microsoft.insights/actionGroups" with an ARM Template and I am stuck on a problem. My Template:
{
  "apiVersion": "2019-06-01",
  "type": "microsoft.insights/actionGroups",
  "location": "Global",
  "name": "[variables('ActionGroupName')]",
  "tags": {
    "displayName": "MyActionGroupName"
  },
  "properties": {
    "groupShortName": "[variables('ActionGroupShortName')]",
    "enabled": true,
    "automationRunbookReceivers": [
      {
        "name": "MyRunbookRecieverName",
        "automationAccountId": "[resourceId('Microsoft.Automation/automationAccounts', parameters('AzureAutomationName'))]",
        "runbookName": "MyRunbook",
        "webhookResourceId": "[resourceId('Microsoft.Automation/automationAccounts/webhooks', parameters('AzureAutomationName'), 'WebHookName')]",
        "isGlobalRunbook": false
      }
    ]
  }
}
But when I try to deploy I get this error:
New-AzureRmResourceGroupDeployment : 08:39:52 - Resource microsoft.insights/actionGroups 'ActionGroupName' failed with message '{
  "Code": "AutomationRunbookServiceUriIsNotValid",
  "Message": "AutomationRunbookServiceUriIsNotValid"
I looked over the template definition, and it is mentioned that WebhookReceiver.identifierUri is not mandatory.
What am I doing wrong?
I can reproduce your issue with the template. I added the serviceUri in the automationRunbookReceivers, and then it works fine. You can refer to this link to create the webhook.
"automationRunbookReceivers": [
  {
    "name": "MyRunbookRecieverName",
    "automationAccountId": "[resourceId('Microsoft.Automation/automationAccounts', parameters('AzureAutomationName'))]",
    "runbookName": "MyRunbook",
    "webhookResourceId": "[resourceId('Microsoft.Automation/automationAccounts/webhooks', parameters('AzureAutomationName'), 'WebHookName')]",
    "isGlobalRunbook": false,
    "serviceUri": "https://s16events.azure-automation.net/webhooks?token=xxxxxxxxxxxx"
  }
]
On the "serviceUri is not required" point, I am not sure if there is some mistake in the doc; here are just some test results for you to refer to. (If I did something wrong, please correct me.)
In the doc, it appears like below. The name is not required, but if I deploy without it, I get the AutomationRunbookReceiverNameIsNullOrEmpty error. The useCommonAlertSchema is required, but if I deploy without it, I get no error. The same thing happens with the serviceUri.

ARM deployment fails with incorrect DSC extension template error

I have an ARM deployment template which contains a VM resource with a DSC extension:
"resources": [
  {
    "name": "Microsoft.Powershell.DSC",
    "type": "extensions",
    "location": "[resourceGroup().location]",
    "apiVersion": "2015-06-15",
    "dependsOn": [
      "[resourceId('Microsoft.Compute/virtualMachines', parameters('appVMName'))]"
    ],
    "tags": {
      "displayName": "appDSC"
    },
    "properties": {
      "publisher": "Microsoft.Powershell",
      "type": "DSC",
      "typeHandlerVersion": "2.9",
      "autoUpgradeMinorVersion": true,
      "forceUpdateTag": "[parameters('appDSCUpdateTagVersion')]",
      "settings": {
        "configuration": {
          "url": "[parameters('dscArchiveUrl')]",
          "script": "appDSC.ps1",
          "function": "Main"
        },
        "configurationArguments": {
          "nodeName": "[parameters('appVMName')]",
          "webDeployPackage": "[parameters('appWebPackage')]",
          "backgroundServicePackage": "[parameters('backgroundServicePackage')]"
        }
      }
    }
  }
]
I managed to make this work the first time I executed it, but now it responds with this error:
15:37:17 - Resource Microsoft.Compute/virtualMachines 'Unique-InApp' failed with message '{
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "VMExtensionProvisioningError",
        "message": "VM has reported a failure when processing extension 'Microsoft.Powershell.DSC'. Error message: \"The DSC Extension received an incorrect input: Configuration.url requires that configuration.script is specified.\nPlease correct the input and retry executing the extension.\"."
      }
    ]
  }
}'
As you can see, I obviously put script into configuration, but for some reason it is not recognized by the ARM deployment.
I suppose this is just a wrong error message and I have a different problem, but without proper diagnostic information I am not able to understand it.
So what is the problem and how to fix it?
Looking at this example and at the schema, it seems like you are doing it wrong.
I don't see script or function properties for the DSC extension; instead I see a configurationFunction property, which supposedly takes a value similar to this:
ContosoWebsite.ps1\\ContosoWebsite
The second slash is used to escape the first one ;)
