Set Access key of service bus in Arm Template - azure

I have been trying to set up the access keys to an Azure Service Bus in an Azure Resource Manager template. No matter what I do, the template ignores the keys and sets some random ones instead without giving any errors. I have the following parameters file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"environmentName": { "value": "Integration" },
"primaryKey": {
"value": "<myKey1>"
},
"secondaryKey": {
"value": "<myKey2>"
}
}
}
where myKey is substituted with the real value of the keys. I also have the following template (part of it below):
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"environmentName": {
"type": "string"
},
"primaryKey": {
"type": "string"
},
"secondaryKey": {
"type": "string"
}
},
"variables": {
"ServiceBus_ReadWriteKey": "[concat(parameters('environmentName'), '/ReadWrite')]",
"servicebus_namespace": "[parameters('environmentName')]",
"servicebus_topic_name": "[concat(parameters('environmentName'), '/products')]",
This is the resource that creates the access policy and should set its keys:
{
"type": "Microsoft.ServiceBus/namespaces/AuthorizationRules",
"name": "[variables('ServiceBus_ReadWriteKey')]",
"apiVersion": "2015-08-01",
"scale": null,
"properties": {
"keyName": "ReadWrite",
"claimType": "SharedAccessKey",
"claimValue": "None",
"primaryKey": "[parameters('primaryKey')]",
"secondaryKey": "[parameters('secondaryKey')]",
"rights": [
"Listen",
"Send"
],
"revision": -1
},
"dependsOn": [
"[resourceId('Microsoft.ServiceBus/namespaces', variables('servicebus_namespace'))]"
]
},
The access policy is created, always with a random key, never the one I specified. How do I set this programmatically and what is wrong with the code above?

You are using a different API version than the sample you are using:
sample API version: 2014-09-01
your API version: 2015-08-01
Try changing the API version to see if that causes the issue.

Related

Secure string visible on azure logic app parameters window

I am fetching the value from Key Vault, but my secure string is visible in the parameters window in the Azure Logic App. How can I hide it from this window?
dev.logic.parameters.json file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logicAppName": {
"value": "gaf-ir-dev-publisheventtosfplatform-logicapp"
},
"salesforce-client-secret": {
"reference": {
"keyVault": {
"id": "/subscriptions/42187cc7-b2ae-423a-9039-00298be79cdf/resourceGroups/ir-dev-use-rg/providers/Microsoft.KeyVault/vaults/ir-dev-use-kv"
},
"secretName": "SalesforceClientSecret"
}
}
}
}
LogicApp.json File
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logicAppName": {
"type": "string",
"minLength": 1,
"maxLength": 80,
"metadata": {
"description": "Name of the Logic App."
}
},
"salesforce-client-secret": {
"type": "securestring",
"metadata": {
"description": "salesforce-client-secret"
}
}
},
"variables": {},
"resources": [
{
"name": "[parameters('logicAppName')]",
"type": "Microsoft.Logic/workflows",
"location": "[parameters('logicAppLocation')]",
"tags": {
"displayName": "LogicApp"
},
"apiVersion": "2016-06-01",
"properties": {
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": "..."
"parameters": {
"salesforce-client-secret": {
"type": "securestring",
"defaultValue": "[parameters('salesforce-client-secret')]"
}
},
"triggers": {
"manual": {
"type": "Request",
"kind": "Http",
"inputs": {
"schema": {}
}
}
},
"contentVersion": "1.0.0.0",
"outputs": {}
},
"parameters": {}
}
}
],
"outputs": {}
}
Parameters Window:
As you can see it is showing secret value in default value text box. It should not be visible in the parameters window.
Storing secret values and secret objects in a parameter is not suggested as mentioned in MS document.
Check if below scenario helps in your case,
Created logic app as shown below,
I have secret stored in azure key vault and retrieving the value using Get secret action and I have enabled secure input and output so that it will not show in run history window.
Using the secret value in http action and getting data.
The secret value will not be visible in run history window,
Note: As mentioned by #Skin, you can use built in actions like variables and assign secret value to variable. So that you can use value throughout logic app using variable and you can secure it using settings option.
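As an added example (not code from the question or from either poster): a pre-deployment check in Python for the pattern in the question above, where a securestring template parameter is copied into a defaultValue inside the workflow definition, the field the question reports as shown in the parameters window. The function name and the embedded sample, constructed from the LogicApp.json excerpt, are assumptions of this example.

```python
import json
import re

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
SECURE_TYPES = {"securestring", "secureobject"}

def leaked_secure_defaults(template):
    """Return (workflow name, definition parameter, ARM parameter) for every
    secure ARM parameter referenced by a workflow-definition defaultValue."""
    secure = {name for name, spec in template.get("parameters", {}).items()
              if str(spec.get("type", "")).lower() in SECURE_TYPES}
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.logic/workflows":
            continue
        definition = res.get("properties", {}).get("definition", {})
        for pname, pspec in definition.get("parameters", {}).items():
            default = pspec.get("defaultValue")
            if not isinstance(default, str):
                continue
            for ref in PARAM_REF.findall(default):
                if ref in secure:
                    findings.append((res.get("name", ""), pname, ref))
    return findings

# Constructed sample: the secret-related parts of the LogicApp.json above.
SAMPLE = json.loads("""{
  "parameters": {
    "logicAppName": {"type": "string"},
    "salesforce-client-secret": {"type": "securestring"}
  },
  "resources": [{
    "name": "[parameters('logicAppName')]",
    "type": "Microsoft.Logic/workflows",
    "properties": {
      "definition": {"parameters": {"salesforce-client-secret": {
        "type": "securestring",
        "defaultValue": "[parameters('salesforce-client-secret')]"}}},
      "parameters": {}
    }
  }]
}""")

if __name__ == "__main__":
    for workflow, def_param, arm_param in leaked_secure_defaults(SAMPLE):
        print(f"{workflow}: definition parameter '{def_param}' takes its "
              f"defaultValue from secure ARM parameter '{arm_param}'")
```

The check reports parameter names only and never reads or prints a secret value, so it can run in a CI log.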

Updating key vault secret via Arm template release from devops CI/CD fails

I have managed to release secrets to my Azure key vault via CI/CD from DevOps using my arm templates. The initial release went fine and added my new non existing secrets to my key vault resource. Though when trying to update the value of the secret in my ARM template and then pushing it to my GIT-repo to in turn release it as to update my secret in azure it fails giving me:
At least one resource deployment operation failed. Please list deployment operations for
details. Please see https://aka.ms/DeployOperations for usage details.
Details:
BadRequest:
Check out the troubleshooting guide to see if your issue is addressed:
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
Task failed while creating or updating the template deployment.
My template looks like this:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"value": "test-kv-devopstest01-d"
},
"TestCedential_1": {
"value": "TestCedentialSecretValue1"
},
"TestCedentialName_1": {
"value": "TestCedentialSecretName1_SecondVersion"
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"type": "string"
},
"TestCedential_1": {
"type": "secureString"
},
"TestCedentialName_1": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[parameters('TestCedential_1')]"
}
}
],
"outputs": {}
}
I've also tried granting permissions for the pipelines in access control in the key vault resource in azure.
Am I missing something maybe?
I tested the same code in my environment and it resulted in the same error:
The issue is with the below:
"TestCedentialName_1": {
"value": "TestCedentialSecretName1_SecondVersion"
}
In a Key Vault secret, '_' (underscore) is not allowed in the name. The allowed values are alphanumeric characters and dashes.
Changing the underscore to a dash fixes the issue:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"type": "string",
"defaultValue" :"test-kv-ansuman-d"
},
"TestCedential_1": {
"type": "secureString",
"defaultValue":"TestCedentialSecretValue1"
},
"TestCedentialName_1": {
"type": "string",
"defaultValue": "TestCedentialSecretName1-SecondVersion"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[parameters('TestCedential_1')]"
}
}
],
"outputs": {}
}
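As an added example (not code from the question or the answer): a Python check that resolves each Microsoft.KeyVault/vaults/secrets name from the template and parameters file and reports names that break the rule given in the answer above, so the mistake is caught before the deployment returns a bare BadRequest. The function names and the embedded sample, constructed from the files above, are assumptions; only literal names and concat() of parameters() and string literals are resolved.

```python
import json
import re

# Rule stated in the answer above: alphanumeric characters and dashes only.
VALID_SECRET_NAME = re.compile(r"^[0-9A-Za-z-]+$")
TOKEN = re.compile(r"parameters\('([^']+)'\)|'([^']*)'")

def resolve_name(expr, values):
    """Resolve a literal, or a concat() of parameters() and string literals.
    Returns None when the expression uses anything else (variables(), ...)."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    if set(re.findall(r"([A-Za-z]+)\(", expr)) - {"concat", "parameters"}:
        return None
    parts = []
    for m in TOKEN.finditer(expr):
        if m.group(1) is None:
            parts.append(m.group(2))          # quoted string literal
        elif m.group(1) in values:
            parts.append(str(values[m.group(1)]))
        else:
            return None                       # parameter has no known value
    return "".join(parts)

def invalid_secret_names(template, param_file):
    """Return the resolved secret names that break the Key Vault naming rule."""
    values = {k: v["defaultValue"] for k, v in template.get("parameters", {}).items()
              if "defaultValue" in v}
    values.update({k: v["value"] for k, v in param_file.get("parameters", {}).items()
                   if "value" in v})
    bad = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults/secrets":
            continue
        full = resolve_name(res.get("name", ""), values)
        if full is not None and not VALID_SECRET_NAME.match(full.rsplit("/", 1)[-1]):
            bad.append(full.rsplit("/", 1)[-1])
    return bad

# Constructed sample: the name-related parts of the template and parameters above.
TEMPLATE = json.loads("""{
  "parameters": {"keyVault": {"type": "string"}, "TestCedentialName_1": {"type": "string"}},
  "resources": [{"type": "Microsoft.KeyVault/vaults/secrets",
    "name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]"}]
}""")
PARAMS = json.loads("""{"parameters": {
  "keyVault": {"value": "test-kv-devopstest01-d"},
  "TestCedentialName_1": {"value": "TestCedentialSecretName1_SecondVersion"}}}""")
```

Calling invalid_secret_names(TEMPLATE, PARAMS) returns the underscore name from the question; names built with variables() or other functions are skipped rather than guessed.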

Get resolved ARM template after failed deployment

Is it possible to get the ARM template as it was during runtime in the Azure Portal with the variables and parameters resolved?
Example below:
AzureDeploy.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"environment": {
"type": "string",
"defaultValue": "dev",
},
"storageSKU": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_RAGRS",
"Standard_ZRS",
"Premium_LRS",
"Premium_ZRS",
"Standard_GZRS",
"Standard_RAGZRS"
]
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"storageAccountName": "[concat('companyname',parameters('environment'),'sa01'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-04-01",
"name": "[variables('storageName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('storageSKU')]"
},
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true
}
}
]
}
AzureDeploy.parameters.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"environment": {
"value": "dev"
}
}
}
If this deployment was to fail on something such as the name or the SKU, would I be able to access the portal or somehow see how these values were resolved when the script was run?
The deployment happens in a CD pipeline in AzureDevops and I have control of the variable groups etc. so I know what is being passed in but not how it resolves. In a more complex template, I have an error claiming an Id is not set on a Logic App API connection but I cannot tell if the error is due to the variable I am using in the concat function or if the value is genuinely incorrect (resolving okay according to data passed in).
If anyone is familiar with troubleshooting these through the deployments blade in Azure then you may have some tips on how to see a more detailed view.
Thanks,
Edit:
The code below triggers Intellisense in Visual Studio 2019 but has been confirmed working during deployment. No warnings in VS Code as per comments. Majority of code omitted for brevity.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"environment": {
"type": "string",
"defaultValue": "dev"
},
"increment": {
"type": "string",
"defaultValue": "01"
},
"keyvaultName": {
"type": "string",
"defaultValue": "randomKeyVaultName",
"metadata": {
"description": "Keyvault Name for deployment"
}
}
},
"variables": {
"uniqueKeyVaultName": "[parameters('keyvaultName')]"
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2016-10-01",
"name": "[concat(variables('uniqueKeyVaultName'), '/407045A0-1B78-47B5-9090-59C0AE9A96F6')]",
"location": "northeurope",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'cosmosdb_linkedtemplate')]"
],
"properties": {
"contentType": "Graph",
"value": "[concat('{''D'': ''DatabaseName'', ''U'': ''https://randomcosmosdb-',parameters('environment'),'-cdb-',parameters('increment'),'.documents.azure.com'', ''C'': ''CollectionName'', ''K'': ''',reference('cosmosdb_linkedtemplate').outputs.accountKey.value,'''}')]",
"attributes": {
"enabled": true
}
}
}
],
"outputs": {}
}
If you want to see the evaluated template there are a few things you can do to get it without deploying:
1) call the /validate api: https://learn.microsoft.com/en-us/rest/api/resources/deployments/validate -- but you need to use an older apiVersion at the moment (e.g. 2017-05-01)... the response will contain the fully evaluated template. If you have an older version of PowerShell or the CLI, you can see the response from the rest API by using the -debug switch. But keep in mind, the more recent versions of PS/CLI will use a newer apiVersion and those don't return the full template (at this time).
2) The /whatif api will also return evaluated JSON but there's a bit more to wade through if all you're after is the evaluated template: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-deploy-what-if
That help?

Template deployment to Azure API management with swagger fails with 'path' must not be empty

I am trying to create an API and operations in Azure API Management using the swagger import feature, using a template derived from the documentation at https://learn.microsoft.com/en-us/azure/templates/microsoft.apimanagement/2018-01-01/service/apis
Every time I deploy my API using my Azure Resource manager template to Azure API management I get the error 'path' must not be empty. What am I doing wrong? Path is definitely not empty!
For this example you can just use any valid swagger file contents such as at https://petstore.swagger.io/v2/swagger.json
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"apim_name": {
"type": "string"
},
"api_name": {
"type": "string"
},
"swagger_json": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.ApiManagement/service/apis",
"name": "[concat(parameters('apim_name'), '/' ,parameters('api_name'))]",
"apiVersion": "2018-06-01-preview",
"properties": {
"displayName": "Pet Store",
"description": "Cool api def",
"serviceUrl": "https://petstore.swagger.io/v2",
"path": "petstore",
"protocols": [
"https"
],
"authenticationSettings": {
"oAuth2": null,
"openid": null,
"subscriptionKeyRequired": true
},
"subscriptionKeyParameterNames": {
"header": "Ocp-Apim-Subscription-Key",
"query": "subscription-key"
},
"contentValue": "[parameters('swagger_json')]",
"contentFormat": "swagger-json"
}
}
]
}
It seems the API management resource manager APIs are fussy about parameters when using the swagger import feature and the docs and error messages are a little lacking.
The secret is that the swagger file definition replaces most of the properties you would normally pass for an API in the template so you need a much reduced template, as below.
Hope this helps someone else!
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"apim_name": {
"type": "string"
},
"api_name": {
"type": "string"
},
"swagger_json": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.ApiManagement/service/apis",
"name": "[concat(parameters('apim_name'), '/' ,parameters('api_name'))]",
"apiVersion": "2018-06-01-preview",
"properties": {
"path": "petstore",
"contentValue": "[parameters('swagger_json')]",
"contentFormat": "swagger-json"
}
}
]
}

Azure notification hub installation

Fast question. How do I create an installation using templates? Can you give an example? How do I construct the 'InstallationTemplate' object?
When you want to create an ARM template based on the json schema of Microsoft.NotificationHubs:
Create a new project in Visual Studio 2015.
Choose for a Cloud project
Choose for Azure Resource Group
Choose Blank Template
Open azuredeploy.json
You will see this:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"variables": {
},
"resources": [
],
"outputs": {
}
}
Then begin with the resources part by typing apiVersion (note that you get intellisense already):
"resources": [
{
"apiVersion": ""
}
],
After this, add the type: just select the correct value.
After the type is set, you will get intellisense on the allowed properties.
There are more parameters available, but when you use the main properties and create parameters for the hardcoded values, at the end you will get a template like:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"namespaceLocation": {
"type": "string"
},
"namespaceName": {
"type": "string"
},
"notificationHubName": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"apiVersion": "2014-09-01",
"name": "[parameters('namespaceName')]",
"type": "Microsoft.NotificationHubs/namespaces",
"location": "[parameters('namespaceLocation')]",
"properties": {
"name": "[parameters('namespaceName')]",
"namespaceType": "NotificationHub"
},
"resources": [
{
"apiVersion": "2014-09-01",
"name": "[parameters('notificationHubName')]",
"type": "Microsoft.NotificationHubs/namespaces/notificationHubs",
"location": "[parameters('namespaceLocation')]",
"dependsOn": [
"[concat('Microsoft.NotificationHubs/namespaces/', parameters('namespaceName'))]"
],
"properties": {
"name": "[parameters('notificationHubName')]"
}
}
]
}
],
"outputs": {
}
}
