How to access SSL in KeyVault from ARM Template - azure

Duplicate Question?
I don't believe it is. As stated, this is working using my user from a local deployment and all (as I understand it) permissions have been granted to the Service Principal and the test user that also fails locally.
I have an ARM template that provisions and deploys a web app, part of that is to apply a certificate binding to the webapp. That part of the template looks like this:
{
"type": "Microsoft.Web/sites",
"kind": "api",
"name": "[parameters('name')]",
"apiVersion": "2015-08-01",
"location": "[resourceGroup().location]",
"properties": {
"name": "[parameters('name')]",
"serverFarmId": "[resourceId(parameters('servicePlanGroup'), 'Microsoft.Web/serverFarms', parameters('servicePlanName'))]"
},
"resources": [
{
"name": "[parameters('certificateName')]",
"apiVersion": "2014-04-01",
"type": "Microsoft.Web/certificates",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('name'))]"
],
"properties": {
"keyVaultId": "[parameters('keyVaultId')]",
"keyVaultSecretName": "[parameters('keyVaultSecretName')]"
}
}
]
}
When I run this locally from my PC it works fine, when I run it from the VSTS the deployment fails, and look like this:
Where the error is:
"operationName": {
"localizedValue": "Microsoft.Web/certificates/write",
"value": "Microsoft.Web/certificates/write"
},
"properties": {
"statusCode": "Unauthorized",
"statusMessage": "{\"error\":{\"code\":\"BadRequest\",\"message\":\"\"}}"
}
The SSL certificate and the KeyVault both have permissions added for the Service Principal that VSTS runs under for this release.
The Release Principal user has Read,List for keys and secrets in the KeyVault and is a Contributor in the subscription. My account which works locally is co-admin.
Any ideas on what permissions need to be added?
Update
I added another user testuser which has the same rights as the Service Principal and it now fails locally. I guess it will be some trial and error to add permissions and see what works.

This is not a duplicate question - as mentioned it was pointing to strange permission issue across accounts, even though the permissions were set. It turns out that for some reason the co-admin will work despite the below issue - a potential bug in the ARM/permission infrastructure, maybe?
This works for co-admin user but not anyone else.
Whereas this works for a lesser privileged user/principal.
Note the schema version change. The original schema of 2014-04-01 doesn't actually include anything about Microsoft.Web/Certificates whereas the updated schema 2015-08-01 does include this information.
Local testing using the testuser with same privileges as the VSTS service principal is working fine with this change.
Side Note for anyone else trying to achieve SSL bindings:
The location of resources in my example is all the same. I suspect if the vault is in a different location, then its resource group may also need to be specified for this to work the same - I haven't tested that theory though.

Related

How to pass parameters to an App service's source control?

I have some installation files and filetexts that i hosted in a repository that i need to have within an Appservice. I am currently using a sourcecontrol as shown below, but i need to pass parameters to one of those files in my repo; is there a way of passing parameters from my ARM template to that repo besides sourcecontrols just after the creation of the App service?
{
"apiVersion": "2018-11-01",
"name": "web",
"type": "sourcecontrols",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('sites_name'))]",
"[concat('Microsoft.Web/Sites/', parameters('sites_name'), '/config/web')]"
],
"properties": {
"RepoUrl": "[parameters('repoUrl')]",
"branch": "[parameters('branch')]",
"IsManualIntegration": true
}
}
I really don't believe this is possible. Parameters are used against Azure resources in the ARM template and I don't see anything in the Sourcecontrol API that would allow for file execution. One workaround that might work is create a site extension your site object depend on that will accept that parameters your passing and perform the executed action.

Azure Logic App with SharePoint Connection

I am creating my first logic app which connects to SharePoint and adds entries into some sharepoint list.
Whenever I create a SharePoint Connection it adds below resource to my logic app.
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2018-07-01-preview",
"name": "[parameters('sharepointonline_1_Connection_Name')]",
"location": "[parameters('logicAppLocation')]",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'sharepointonline')]"
},
"displayName": "[parameters('sharepointonline_1_Connection_DisplayName')]",
"nonSecretParameterValues": {
"token:TenantId": "[parameters('sharepointonline_1_token:TenantId')]"
}
}
Could anyone give an explanation of "token:TenantId". How/where to get this value in my dev tenant. How this can be moved to UAT/PROD environment?
Whenever I recreate my logic app with the SharePoint connection it loses the connection and shows me below screen with a warning icon.
Is there a way we can authenticate this connection via PowerShell or via Azure DevOps deployment?
This seems to the OAuth connection and will need to be re-authorized after the template deployment to obtain valid access token. Some connections support using an Azure Active Directory (Azure AD) service principal to authorize connections for a logic app that's registered in Azure AD.
Documentation here shows how Azure data lake's connection resource definition can be configured to use parameter values of the template and Azure AD service principal to generate the token so you might want to check if SharePoint connection can be configured in same way or not.
{
<other-template-objects>
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2016-06-01",
"name": "[parameters('azuredatalake_1_Connection_Name')]",
"location": "[parameters('LogicAppLocation')]",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', 'resourceGroup().location', '/managedApis/', 'azuredatalake')]"
},
"displayName": "[parameters('azuredatalake_1_Connection_DisplayName')]",
"parameterValues": {
"token:clientId": "[parameters('azuredatalake_1_token:clientId')]",
"token:clientSecret": "[parameters('azuredatalake_1_token:clientSecret')]",
"token:TenantId": "[parameters('azuredatalake_1_token:TenantId')]",
"token:grantType": "[parameters('azuredatalake_1_token:grantType')]"
}
}
}
Reference: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-resource-manager-templates-overview#authenticate-connections

How do I create Logic App with Event Grid subscription from ARM-template

I have made a Logic app that listens to an Event Grid Topic and it works fine, but if I delete it and try to create from the template it doesn't work. It never runs.
The problem is that while it does create the API connection to the event grid, it leaves it unauthorized and it doesn't create any subscription to the event grid topic either. At no point are any errors displayed. Everything succeeds, but it just doesn't create everything it is supposed to.
To get around this, I added commands to the Powershell script to authenticate it. This works fine, but this of course does not create the subscription.
If I run the ARM-template again, I expected it to create it now as connection is not valid, but no, it doesn't. I suppose Azure realizes nothing has changed in the template and does nothing? If I edit the ARM-template and change the subscription name, and deploy it again, then the subscription is created and it starts working.
I could of course call the template twice with 2 different subscription names as parameter but that sounds silly. There has to be some better way.
So what would be the best way to create that kind of logic app from templates and scripts?
You can create both your Event Grid Topic Subscription and the Logic Apps connection to it as separate resources. Examples template objects are below. Keep in mind that the connection is using oauth.
Event Grid Topic Subscription
{
"type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
"name": "[concat(parameters('TopicName'), '/Microsoft.EventGrid/', variables('name'))]",
"location": "[parameters('Location')]",
"apiVersion": "2018-01-01",
"properties": {
"destination": {
"endpointType": "WebHook",
"properties": {
"endpointUrl": "[parameters('Endpoint')]"
}
},
"filter": {
"includedEventTypes": [
"[parameters('EventType')]"
]
}
},
"dependsOn": [
]
}
Web Connection
{
"type": "Microsoft.Web/connections",
"name": "[variables('connectionName')]",
"apiVersion": "2016-06-01",
"location": "[parameters('ConnectionLocation')]",
"properties": {
"displayName": "[variables('connectionName')]",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/northcentralus/managedApis/azureeventgrid/')]"
},
"parameterValues": {
"token:clientId": "[parameters('ConnectionClientId')]",
"token:clientSecret": "[parameters('ConnectionClientSecret')]",
"token:TenantId": "[parameters('ConnectionTenantId')]",
"token:resourceUri": "https://management.core.windows.net/",
"token:grantType": "client_credentials"
}
},
"dependsOn": []
}
I believe there isn't a way to workaround the authorization required after the first time you deploy. So the simplest solution would be to have 2 separate templates - one for the API connection and the other for the Logic App.
Your PowerShell script would deploy the API Connection first, authorize it and then deploy the Logic App.
You could also have them in the same template too and control which is deployed by using a condition on each resource.

How can I set "Https only" for my Azure web app using an ARM template?

I know how to set Https only manually in the Azure portal. Navigating to My Web Application > Custom domains in the Azure portal opens the Custom domains pane, which has an "Https Only" option. Setting this option to "On" enables the functionality I am looking for. I found how to do this manually on Benjamin Perkins Blog. Unfortunately, it does not contain a description of how to solve the problem in an automated way using ARM templates.
How can I set this "Https only" flag in my ARM template so that I can automate this setting in my deployment? Assume I have a working ARM deployment already, and just need to know where and what to add to the template specifically for this setting.
I would like to keep answers to an ARM template based approach.
Thanks for your time!
Yes, it is possible. You could check this link. httpsOnly is a value in properties. For example:
{
"apiVersion": "2015-08-01",
"name": "[parameters('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "Resource",
"displayName": "Website"
},
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]"
],
"properties": {
"name": "[parameters('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]",
"httpsOnly": true
}
}
ps. Template reference might contain error, use api reference (its not perfect, but its better).

Azure Key Vault access from ARM Template

I was trying to add Azure key vault integration with our ARM deployment, so we can keep all password in Azure Key-Vault.
I was following this to try to access secret (adminPassword) I have created in Azure KeyVault (dSentienceAnalytics). Here is my template
I tried to deploy this template through Powershell, but it asked me to enter value for variable “adminPassword”, which it supposed to retrieve from Azure key vault.
Do you see what I am missing here?
You cannot use a KeyVault reference in the template itself, only in the parameters file. So your template will not look any differently if you're using KeyVault, the adminPassword parameter will simply be defined as a secureString. The template's use of the password can look exactly like this:
https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-linux/azuredeploy.json
The parameters file, is where the reference will be used. The first code sample here:
https://azure.microsoft.com/en-us/documentation/articles/resource-manager-keyvault-parameter/#reference-a-secret-with-static-id
Is showing you the parameters file, not the template file's parameter object (it is a bit confusing).
For a really simple example, see the KeyVaultUse.json and KeyVaultUse.parameters.json here:
https://github.com/rjmax/ArmExamples/tree/master/keyvaultexamples
Note that there's nothing unique or different about KeyVaultUse.json, the "key" is in the parameters file.
That help?
You can create a linked template and pass the keyvault secret to that as a parameter. Your linked template will need to be accessible to Azure at some uri.
"name": "linked-template",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri":"<your linked template uri, e.g. a blob-store file with a sas token>"
},
"parameters": {
"password": {
"reference": {
"keyVault": {
"id": "[variables('keyVaultId')]"
},
"secretName": "password"
}
},
You will need the id of your key vault, e.g. here, it's assume to be in a variable constructed from parameters on the top-level template where the user specifies a resource group and name for the key-vault:
"deploymentKeyVaultId" : "[resourceid(subscription().subscriptionId,
parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults',
parameters('keyVaultName'))]",
What are you trying to deploy? If it is an app service you can retrieve the secret from Key Vault with the combination of leveraging Managed Service Identity and access policy on the Key Vault. Here's how to turn on MSI authentication for App Service and add access policy
In the App Service can add something like this:
{
"apiVersion": "2018-11-01",
"name": "appsettings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', WEBSITE NAME))]",
"Microsoft.ApplicationInsights.AzureWebSites",
"[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('secretName'))]"
],
"properties": {
"ConnectionSecret": "[concat('#Microsoft.KeyVault(SecretUri=', reference(SECRET NAME).secretUriWithVersion, ')')]"
}

Resources