6 Ways Passing Secrets to ARM Templates

az-cli.txt

az group deployment create `
    -g "my-resource-group" `
    --template-file azuredeploy.json `
    --parameters `@azuredeploy.parameters.json `
    --parameters servicePrincipalTenantId=$tenantId

new-azurermresourcegroupdeployment.txt

# The tenand ID is randomly generated one.
$tenantId = ConvertTo-SecureString "da88225f-755d-4758-b6a6-3aaeba1e6264" `
                -AsPlainText `
                -Force

New-AzureRmResourceGroupDeployment `
    -ResourceGroupName "my-resource-group" `
    -TemplateFile azuredeploy.json `
    -TemplateParameterFile azuredeploy.parameters.json `
    -servicePrincipalTenantId $tenantId

parameters-kv.json

"parameters": {
  "keyVaultSecretValue": {
    "reference": {
      "keyVault": {
        "id": "/subscriptions/4c52543c-f468-4816-a4d8-7bb46a34e1b7/resourceGroups/rg-arm-kv/providers/Microsoft.KeyVault/vaults/kvarmkv"
      },
      "secretName": "logicAppKey"
    }
  }
}

parameters-kv.yaml

parameters:
  keyVaultSecretValue:
    reference:
      keyVault:
        # The subscription ID is randomly generated one
        id: "/subscriptions/4c52543c-f468-4816-a4d8-7bb46a34e1b7/resourceGroups/rg-arm-kv/providers/Microsoft.KeyVault/vaults/kvarmkv"
      secretName: logicAppKey

parameters.json

"parameters": {
  "keyVaultSecretValue": {
    "type": "securestring",
    "metadata": {
      "description": "Value of the secret from Key Vault."
    }
  }
}

parameters.yaml

parameters:
  keyVaultSecretValue:
    type: securestring
    metadata:
      description: Value of the secret from Key Vault.

resources.json

"resources": [
  {
    "comments": "### RESOURCE - LOGIC APP ###",
    "apiVersion": "[variables('linked').apiVersion]",
    "type": "Microsoft.Resources/deployments",
    "name": "[variables('deployments').logicApp]",
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "https://raw.githubusercontent.com/devkimchi/Handling-Secrets-around-ARM-Templates/master/LogicApp.json"
      },
      "parameters": {
        "keyVaultSecretValue": {
          "reference": {
            "keyVault": {
              "id": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVault').name)]"
            },
            "secretName": "[variables('keyVault').secrets.name]"
          }
        }
      }
    }
  }
]

resources.yaml

resources:
- comments: "### RESOURCE - LOGIC APP ###"
  apiVersion: "[variables('linked').apiVersion]"
  type: Microsoft.Resources/deployments
  name: "[variables('deployments').logicApp]"
  properties:
    mode: Incremental
    templateLink:
      uri: "https://raw.githubusercontent.com/devkimchi/Handling-Secrets-around-ARM-Templates/master/LogicApp.json"
    parameters:
      keyVaultSecretValue:
        reference:
          keyVault:
            id: "[resourceId('Microsoft.KeyVault/vaults', variables('keyVault').name)]"
          secretName: "[variables('keyVault').secrets.name]"

serviceprincipaltenantid.json

"servicePrincipalTenantId": {
  "type": "securestring",
  "metadata": {
    "description": "Tenant Id of the service principal."
  }
}

serviceprincipaltenantid.yaml

servicePrincipalTenantId:
  type: securestring
  metadata:
    description: Tenant Id of the service principal.