Azure ARM Template - Key Vault Username & Password ID Variables? - json

Is it possible to concatenate the id path of the Key Vault URL within a variable? At the moment I have adminUsername and adminPassword parameters in the parameters.json file and the id fully typed out. However, I can fill out the id based on known information so makes the deployment easier. Below is my parameters.json file as is (with the important info taken out):
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminUsername": {
"reference": {
"keyVault": {
"id": "/subscriptions/<SubID>/resourceGroups/<RG>/providers/Microsoft.KeyVault/vaults/<KV>"
},
"secretName": "LocalAdminUsername"
}
},
"adminPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/<SubID>/resourceGroups/<RG>/providers/Microsoft.KeyVault/vaults/<KV>"
},
"secretName": "LocalAdminPassword"
}
}
}
}
It is the id where I want to include variables - possible? Thanks.

You can only specify static values inside a parameter file. However, you can use a nested deployment to dynamically generate the KeyVault resource ID (example below).
In a nutshell;
Define parameters for parts of the resource identifier
Use template functions to assign defaults where possible
Use concat() to construct the identifier in a variable
Use a nested deployment to refer to the key vault using the variable.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"kvSubscriptionId": {
"type": "string",
"defaultValue": "[subscription().id]"
},
"kvResourceGroupName": {
"type": "string",
"defaultValue": "[resourceGroup().name]"
},
"kvResourceName": {
"type": "string",
"defaultValue": "kv-resource-name"
}
},
"functions": [],
"variables": {
"kvResourceId": "[concat('/subscriptions/', parameters('kvSubscriptionId'), '/resourceGroups/', parameters('kvResourceGroupName'), '/providers/Microsoft.KeyVault/vaults/', parameters('kvResourceName'))]"
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"apiVersion": "2018-05-01",
"name": "nested",
"properties": {
"mode": "Incremental",
"template": {
"parameters": {
"adminUsername": {
"type": "string"
}
},
"resources": [...]
}
},
"parameters": {
"adminUsername": {
"reference": {
"keyVault": {
"id": "[variables('kvResourceId')]"
},
"secretName": "LocalAdminUserName"
}
}
}
}
]
}
This technique is documented here: Reference secrets with dynamic ID.

Related

Loop for nested template and dynamically get keyvault secret name

Based on information from Microsoft site, it is possible get key vault secrets during the implementation. I would like to have similar solution but for 5 VMs and reuse templates in Loop to create 5 VMs with different password from key vault. The key vault already exists with the secrets name. The secrets name are like: Secrets0...Secrets4.
Does anyone has any idea of how to do this? Below my solution with Loop but doesn't works for me.
I appreciate for your support.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location where the resources will be deployed."
}
},
"vaultName": {
"type": "string",
"metadata": {
"description": "The name of the keyvault that contains the secret."
}
},
"secretName": {
"type": "string",
"metadata": {
"description": "The name of the secret."
}
},
"vaultResourceGroupName": {
"type": "string",
"metadata": {
"description": "The name of the resource group that contains the keyvault."
}
},
"vaultSubscription": {
"type": "string",
"defaultValue": "[subscription().subscriptionId]",
"metadata": {
"description": "The name of the subscription that contains the keyvault."
}
}
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('DynamicSecret,copyIndex('VMsLoop'))]"
"copy": {
"name": "VMsLoop",
"count": 5,
"mode": "Serial",
"batchSize": 1
},
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminLogin": {
"type": "string"
},
"adminPassword": {
"type": "securestring"
},
"location": {
"type": "string"
}
},
"variables": {
"sqlServerName": "[concat('sql-', uniqueString(resourceGroup().id, 'sql'))]"
},
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2018-06-01-preview",
"name": "[variables('sqlServerName')]",
"location": "[parameters('location')]",
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('adminPassword')]"
}
}
],
"outputs": {
"sqlFQDN": {
"type": "string",
"value": "[reference(variables('sqlServerName')).fullyQualifiedDomainName]"
}
}
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"adminLogin": {
"value": "ghuser"
},
"adminPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
},
"secretName": "[concat(parameters('secretName'),copyIndex('VMsLoop'))]"
}
}
}
}
}
],
"outputs": {
}
}
The template you have provided actually works (except for one tiny typo - missing closing quote after DynamicSecret at "[concat('DynamicSecret,copyIndex('VMsLoop'))]" ).
However, since the uniquestring function that is used to generate the sql server name is deterministic (i.e. generated using the passed parameters of resoure group name and 'sql' string - uniqueString(resourceGroup().id, 'sql'). So the loop is hitting the same server instance just changing the password to the next secret in the list.
You can either promote the sqlServerName to parameter and suffix it with the loop index, or keep it as a variable and expand the uniqueString function with the deployment (i.e. uniqueString(resourceGroup().id, deployment().name, 'sql') ).

Multiple IP address variable in Azure ARM Template

If I am using an ARM Template to create an IP Group within Azure and want to add Multiple IP Addresses as a Parameter rather than putting them in the body of the resource is this possible?
The template is as follows
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2021-05-01",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"properties": {
"ipAddresses": [ "10.10.10.10",
"10.10.10.11" ]
}
}
If I create a Parameter like the following
"ipgipaddress": {
"type": "string
"Value":
"10.10.10.10",
"10.10.10.11"
}
And update the code to
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2021-05-01",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"properties": {
"ipAddresses": "[parameters('ipgroupsettings')]"
}
}
want to add Multiple IP Addresses as a Parameter rather than putting
them in the body of the resource is this possible?
Yes it is possible, you can add Multiple IP Addresses as a Parameter. As per the documentation, the property ipAddresses is of type string array.
To reproduce this ,In our ARM Template we have initialized those ipaddresses to a parameter of type array & further passed those values using "[paramerter(ipaddresses)]".
We have tested this, it is working fine.
Here is the ARM Template :
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ipaddress":{
"type": "array",
"defaultValue": ["10.0.1.0/27","10.0.2.0/27"]
}
},
"functions": [],
"variables": {},
"resources": [{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2020-11-01",
"name": "testipgroups",
"location":"[resourceGroup().location]",
"properties":{
"ipAddresses": "[parameters('ipaddress')]"
}
}
],
"outputs": {}
}
Here is the sample Output for reference:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ipaddress":{
"type": "string",
"defaultValue": "10.0.1.0/27,10.0.2.0/27"
}
},
"functions": [],
"variables": {
"iparray": "[split(parameters('ipaddress'),',')]"
},
"resources": [{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2020-11-01",
"name": "testipgroups",
"location":"[resourceGroup().location]",
"properties":{
"ipAddresses": "[variables('iparray')]"
}
}
],
"outputs": {}
}
If you want to save your time in providing input as String without much double quotes(" ") ,use split function with removing delimiter (comma in above example) which will create an array of IP's.

Get array of object property names in ARM template

In an ARM template is there a way to get an array containing a JSON object's property names?
I don't see anything obvious in the documentation. The closest thing I see is length(object) to get the object's property count but I don't think I could even use a copy loop to get the property names.
The specific scenario I want to implement is deploying web appsettings with additional slot-sticky settings to a staging slot:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"webSiteName": {
"type": "string"
},
"globalAppSettings": {
"type": "object"
},
"slotName": {
"type": "string"
},
"slotAppSettings": {
"type": "object"
},
"slotStickySettings": {
"type": "array",
// but getPropertyNames(object) is not a real function :(
"defaultValue": "[getPropertyNames(parameters('slotAppSettings'))]"
}
},
"resources": [
{
"type": "Microsoft.Web/sites/config",
"name": "[concat(parameters('webSiteName'), '/appsettings')]",
"apiVersion": "2018-02-01",
"properties": "[parameters('globalAppSettings')]"
},
{
"type": "Microsoft.Web/sites/slots/config",
"name": "[concat(parameters('webSiteName'), '/', parameters('slotName'), '/appsettings')]",
"apiVersion": "2018-02-01",
"properties": "[union(parameters('globalAppSettings'), parameters('slotAppSettings'))]"
},
{
"type": "Microsoft.Web/sites/config",
"name": "[concat(parameters('webSiteName'), '/slotconfignames')]",
"apiVersion": "2015-08-01",
"properties": {
"appSettingNames": "[parameters('slotStickySettings')]"
}
}
]
}
There is not a straightforward way of doing this as there is no function to return the properties of an object. I was able to accomplish it by converting the the object to a string and then parsing it to find the property names. It should work as long as you don't have commas in your property values. You could probably add some checks to handle that case as well if needed.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"testSettings": {
"type": "object",
"defaultValue": {
"a": "demo value 1",
"b": "demo value 2"
}
}
},
"variables": {
"delimiters": [","],
"settingArray": "[split(replace(replace(replace(string(parameters('testSettings')), '{', ''), '}', ''), '\"', ''), variables('delimiters'))]",
"propNameArray": {
"copy": [
{
"name": "copyPropertyNames",
"count": "[length(variables('settingArray'))]",
"input": "[substring(variables('settingArray')[copyIndex('copyPropertyNames')], 0, indexOf(variables('settingArray')[copyIndex('copyPropertyNames')], ':'))]"
}
]
}
},
"resources": [],
"outputs": {
"paramOutput": {
"type": "array",
"value": "[variables('propNameArray').copyPropertyNames]"
}
}
}

Azure ARM Template - Running DSC script without triggering extension install?

I am trying to deploy a Active Directory forest with two DCs. I've managed to deploy the DCs and install the ADDS features on both VMs. The "PDC" had a DSC script that runs and configures the forest, again that works great. The issue I have is trying to run a second DSC script on the second DC, this script runs the ADDS configuration to promote the VM to a DC and join it to the forest. I've created a nested JSON template that gets called by the main template. But I am hitting this error:
"Multiple VMExtensions per handler not supported for OS type 'Windows'. VMExtension 'PrepareBDC' with handler 'Microsoft.Powershell.DSC' already added or specified in input."
I've spent the last hour or so whizzing around the internet looking for answers and everyone seems to say the same thing...you can't install the same extension twice. Ok, I can see why that would make sense, my question is can I configure the nested template so it doesn't try and install the extension, just uses what's already installed on the VM?
Main template snippet:
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(variables('dc2name'), '/PrepareDC2AD')]",
"apiVersion": "2018-06-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', variables('dc2name'))]"
],
"properties": {
"publisher": "Microsoft.Powershell",
"type": "DSC",
"typeHandlerVersion": "2.19",
"autoUpgradeMinorVersion": true,
"settings": {
"ModulesUrl": "[concat(parameters('Artifacts Location'), '/dsc/PrepareADBDC.zip', parameters('Artifacts Location SAS Token'))]",
"ConfigurationFunction": "PrepareADBDC.ps1\\PrepareADBDC",
"Properties": {
"DNSServer": "[variables('dc1ipaddress')]"
}
}
}
},
{
"name": "ConfiguringDC2",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2016-09-01",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/',variables('dc1name'),'/extensions/CreateADForest')]",
"[concat('Microsoft.Compute/virtualMachines/',variables('dc2name'),'/extensions/PrepareDC2AD')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat(parameters('Artifacts Location'), '/nestedtemplates/configureADBDC.json', parameters('Artifacts Location SAS Token'))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"adBDCVMName": {
"value": "[variables('dc2name')]"
},
"location": {
"value": "[resourceGroup().location]"
},
"adminUsername": {
"value": "[parameters('Administrator User')]"
},
"adminPassword": {
"value": "[parameters('Administrator Password')]"
},
"domainName": {
"value": "[parameters('Domain Name')]"
},
"adBDCConfigurationFunction": {
"value": "ConfigureADBDC.ps1\\ConfigureADBDC"
},
"adBDCConfigurationModulesURL": {
"value": "[concat(parameters('Artifacts Location'), '/dsc/ConfigureADBDC.zip', parameters('Artifacts Location SAS Token'))]"
}
}
}
},
The nested template:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adBDCVMName": {
"type": "string"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"adminUsername": {
"type": "string"
},
"adminPassword": {
"type": "securestring"
},
"domainName": {
"type": "string"
},
"adBDCConfigurationFunction": {
"type": "string"
},
"adBDCConfigurationModulesURL": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('adBDCVMName'),'/PrepareBDC')]",
"apiVersion": "2016-03-30",
"location": "[parameters('location')]",
"properties": {
"publisher": "Microsoft.Powershell",
"type": "DSC",
"typeHandlerVersion": "2.21",
"autoUpgradeMinorVersion": true,
"forceUpdateTag": "1.0",
"settings": {
"modulesURL": "[parameters('adBDCConfigurationModulesURL')]",
"wmfVersion": "4.0",
"configurationFunction": "[parameters('adBDCConfigurationFunction')]",
"properties": {
"domainName": "[parameters('domainName')]",
"adminCreds": {
"userName": "[parameters('adminUsername')]",
"password": "privateSettingsRef:adminPassword"
}
}
},
"protectedSettings": {
"items": {
"adminPassword": "[parameters('adminPassword')]"
}
}
}
}
]
}
this error means exactly what it says: you cannot have multiple copies of the same extension, what you need to do is apply the same extension to the vm, all the inputs have to be the same. you can have a look at this example which does exactly that. This particular template installs the extension for the second time to join bdc to the domain.
But, I don't like that approach. I use Powershell DSC to just wait for the domain to get created and join the bdc to the domain in one go. you would use this powershell dsc snippet:
xWaitForADDomain DscForestWait {
DomainName = $DomainName
DomainUserCredential = $DomainCreds
RetryCount = $RetryCount
RetryIntervalSec = $RetryIntervalSec
}
Here's a complete example

Azure ARM copy Index not working in Json

I am trying to deploy multiple Azure VNETs using the code below,it
it gives error below
{
"error": {
"code": "InvalidTemplate",
"details": null,
"message": "Deployment template validation failed: 'The template resource '[concat(variables('namePrefix'), parameters('VNetSettings').vnets.name, [copyIndex(1)])]' at line '1' and column '923' is not valid: The language expression property 'name' has an invalid array index.. Please see https://aka.ms/arm-template-expressions for usage details.'.",
"target": null
},
"properties": null
}
This is my Code below. I want to use coyIndex to loop through multiple instances of azure virtual networks. Based on number of vnet names provided i want it get number of instances to be created.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"VNetSettings": {
"type": "object"
},
"namingSettings": {
"type": "object"
}
},
"variables": {
"namePrefix": "[concat(parameters('namingSettings').name.org,'-',parameters('namingSettings').name.accountEnv,'-',parameters('namingSettings').name.sdlcEnv,'-',parameters('namingSettings').name.region,'-',parameters('namingSettings').name.appname,'-')]"
},
"resources": [
{
"apiVersion": "2018-04-01",
"type": "Microsoft.Network/virtualNetworks",
"name": "[concat(variables('namePrefix'), parameters('VNetSettings').vnets.name, [copyIndex(1)])]",
"location": "[resourceGroup().location]",
"copy": {
"name": "vnetcopy",
"count": "[length(parameters('VNetSettings').vnets.name)]"
},
"scale": null,
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('VNetSettings').vnets.cidr]"
]
}
}
}
]
}
Update
Parameter fileenter code here
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters":{
"namingSettings": {
"value": {
"name": {
"org": "it",
"accountEnv": "nonprod",
"sdlcEnv": "it-test",
"region": "eastus2",
"tier": "",
"object": "",
"networkbuild": "network",
"auditbuild": "audit",
"automationbuild": "automation",
"dnsbuild": "dns",
"appname": "network"
}
}
},
"VNetSettings": {
"value": {
"vnets": [
{
"name": "vnet0",
"cidr": "10.10.10.0/24",
}
],
}
}
}
}
Your concat() input is wrong. copyIndex() should not be inside []. Try this:
"[concat(variables('namePrefix'), parameters('VNetSettings').vnets.name, copyIndex(1))]"
copyIndex() is just another function, you only wrap the string with [] once no matter how many functions are inside
you need to adjust your template to reflect the fact you are iterating over an array (right now you iterate over the name, and vnets.name is not a valid construct in the ARM Templates).
you need to do something like this:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"VNetSettings": {
"type": "object"
},
"namingSettings": {
"type": "object"
}
},
"variables": {
"namePrefix": "[concat(parameters('namingSettings').name.org,'-',parameters('namingSettings').name.accountEnv,'-',parameters('namingSettings').name.sdlcEnv,'-',parameters('namingSettings').name.region,'-',parameters('namingSettings').name.appname,'-')]"
},
"resources": [
{
"apiVersion": "2018-04-01",
"type": "Microsoft.Network/virtualNetworks",
"name": "[concat(variables('namePrefix'), parameters('VNetSettings').vnets[copyIndex()].name)]",
"location": "[resourceGroup().location]",
"copy": {
"name": "vnetcopy",
"count": "[length(parameters('VNetSettings').vnets)]"
},
"scale": null,
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('VNetSettings').vnets[copyIndex()].cidr]"
]
}
}
}
]
}
notice you need to use copyIndex() to get to the current vnet in your array and you need to use the .vnet to determine length