multiple key vault references in same ARM template - azure

I'm trying to deploy an ARM template with conditional logic to use two different key-vaults depending on the input. Each exists in a different subscription, which is the issue.
(I'm using one template for prod and dev and deploying to different subscriptions accordingly)
Master template variable
1. Key vault 1: /subid1/xxxxx/keyvault
2. Key vault 2: /subid2/xxxx/keyvault
Nested template
"[if(equals(x, y), '/subid1/xxxxx/keyvault', '/subid2/xxxx/keyvault')]"
So when deploying into subscription 2 (subid2), as an example, the error is:
Code=KeyVaultParameterReferenceNotInTheSameTenant; Message=The specified KeyVault /subid1/xxxxx/keyvault is not in current tenant.
So I get why the error message is flagging (I've declared a variable in another sub), but how can I get the validation to check what's being deployed as opposed to the variables, or is there another way to achieve the same goal?
Thanks,

More a workaround than an answer, but I just declared key-vault as a parameter and input a different value into the VSTS build definition. Not ideal, as I wanted selecting DEV to flow through all the pertinent settings, but it works, so closing.
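The workaround above (one template, with the Key Vault reference supplied per environment through the parameters file instead of a variable) as an added example that is not from the original post. It assumes the template declares `serviceBusConnectionString` as `"type": "securestring"` and never names a vault itself; the subscription, resource group, vault and secret names are placeholders.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serviceBusConnectionString": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<dev-subscription-id>/resourceGroups/<dev-rg>/providers/Microsoft.KeyVault/vaults/<dev-vault-name>"
        },
        "secretName": "ServiceBusConnectionString"
      }
    }
  }
}
```

A prod parameters file is identical except for the vault id, so each deployment only ever references a vault reachable from the subscription it runs in, and the secret value never appears in the template, the parameters file or the pipeline definition. The vault must have `enabledForTemplateDeployment` set and the deploying identity needs get permission on the secret.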

Related

SecureString in ARM template deployment through Terraform does an update in place every time?

I am using Terraform to provision my Azure resources which works great, however, for some resources such as Logic Apps, doing this natively doesn't really work so I am using the Logic Apps ARM template and doing a Terraform "azurerm_resource_group_template_deployment" in order to provision. I know doing an ARM template deployment within Terraform is a bit of a last resort. It works ok though and deploys fine, but I have a Service Bus connection defined and that is of type "securestring". By default, these are not saved as part of ARM deployment, so every time Terraform runs in my pipeline, even if the Logic App ARM template has not changed, it still does the deployment as the top level deployment state Terraform knows about previously did not have the value saved, so it will always see it as new. Is there any way around this other than changing the "securestring" to "string", which I obviously do not want to do given the endpoint contains the SAS key etc.?
Hit the same issues today - really limits what is viable. Managed to work around my two scenarios.
For things like keys and connection strings you can use the listkeys function inside of the ARM template - some examples here. I had this exact issue trying to get a log analytics workspace key into the template - https://github.com/Azure/azure-quickstart-templates/blob/master/demos/arm-template-retrieve-azure-storage-access-keys/azuredeploy.json - Get connection strings in ARM
Another scenario I had was wanting to pass a service principal secret from TF to template as securestring, to get around this I ended up getting the secret from keyvault inside of the ARM template instead.
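The listKeys approach from the reply above, written out as an added example rather than the replier's own template: a Logic App API connection whose Service Bus connection string Resource Manager resolves at deployment time, so no securestring parameter has to be passed in from Terraform. It assumes the Service Bus namespace already exists in the same resource group and that the deploying identity is allowed to call listKeys on its authorization rule; names are parameters with placeholder defaults.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serviceBusNamespace": { "type": "string" },
    "authorizationRule": { "type": "string", "defaultValue": "RootManageSharedAccessKey" },
    "connectionName": { "type": "string", "defaultValue": "servicebus" }
  },
  "variables": {
    "sbRuleId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('serviceBusNamespace'), parameters('authorizationRule'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/connections",
      "apiVersion": "2016-06-01",
      "name": "[parameters('connectionName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "displayName": "[parameters('connectionName')]",
        "api": {
          "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'servicebus')]"
        },
        "parameterValues": {
          "connectionString": "[listKeys(variables('sbRuleId'), '2017-04-01').primaryConnectionString]"
        }
      }
    }
  ]
}
```

Because the SAS connection string is fetched by the deployment itself, it is neither a Terraform input nor stored in Terraform state, and a rule scoped to listen or send only is preferable to the root manage rule when the Logic App does not need management rights.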

Azure Logic App SubscriptionNotFound error

With the intention of building a generic logic app solution via Azure Portal, I've supplied all config to the logic app connectors as parameters sourced from a database.
The only problem I've experienced now though, is that the custom value supplied as the subscription for the ADF pipeline run is not working. The exact same value works when selected explicitly from the dropdown. The other values such as the Resource Group, Data Factory Name and the Data Factory Pipeline Name work fine when populated by the parameters.
Is there a specific way to do this? Or is this a bug in the Logic App ADF connector?
Please do not put the name of the subscription into the Subscription input box; it cannot execute successfully. You can put the subscription id into the Subscription input box, as shown in the screenshot below:

How to find the value for aadSessionkey when deploying a Kubernetes template in Azure DevOps

I am trying to use a template to deploy a managed Kubernetes cluster (AKS). My problem is that the template has a parameter aadSessionKey that I seem to be unable to locate.
I assume the expanded name of the parameter is Azure AD SessionKey. When I look in the portal, I can see that my Azure AD has a Name, Application ID and Object ID, but nothing that looks like a session key, nor a way to generate such a thing.
I am using a free trial account if that matters.
Can you try entering any random value and try deploying it? It seems like this is a system-generated value which is not to be filled in by clients. This has been present in the template for some other reason.
Ref - https://twitter.com/ashtonkj/status/1196384865672925184

Updating Set of Values in ARM Templates Automatically

I have an ARM template, which I will be using to deploy resources (mentioned as in Azure Portal) via Azure DevOps Pipeline. These ARM templates were created using my Dev Subscription. If I need to use this same ARM template to move to production, I need to manually update the subscription id etc. in the ARM template and then run the respective pipelines. Is there any way to automate this manual update process in the ARM template?
I have tried using the File Transform Agent job available under Azure DevOps Release pipeline. But since the values are available inside nested loops of ARM templates, it failed. Is there any PowerShell script that will be suitable for this process of updating values?
I don't want to manually update the ids under the ARM Template. Instead, I want to update them automatically.
Set Json Property task might help to set the property with a specific value.
First, in the marketplace search for the "Set Json Property" task and install it for your organization.
Then you can set the property path and the value accordingly. Check here for detailed usage.
Instead of hard coding in ARM templates you can use a parameters file. For dev and prod you can have separate files, and while deploying pass the ARM template along with whichever parameter file is required.
You can use AKV (Azure Key Vault) to access your subscription details in the parameter file.
subscription().subscriptionId will get you the details.

How do I update the configuration of a deployed ARM template during run time?

I have a logic app ARM template that is already deployed and at the time of deployment it pulls certain passwords/secrets from Azure key vault storage. But, what if someone changes the password or secret that is being used by the ARM template?
One option is to re-deploy the ARM template. But is there an option so that I don't have to redeploy an ARM template and the configuration gets updated in such cases automatically?
So unless the resource itself is configured to pull values from the Key Vault, your only option is to rerun the template or update those values somehow, because this is what the template does: pulls values and applies them.
You can (perhaps) use something like Azure Event Grid to listen to events like KV secret value change. But I don't know if that listener actually exists.