Creating Azure KeyVault secret as a child resource in nested template
Question
I'm trying to create resource group, key vault and key vault secret using a single template json with subscription level scope. I'm able to create resource group and key vault without any issues. However, adding a key vault secret template as a child resource to key vault template with 'dependsOn' section generates errors like "Key vault secret doesn't depend on parent resource. Please add dependency explicitly using the 'dependsOn' syntax." Here is the template:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {... parameters for key vault and key vault secret resources ...},
"variables": {
"rgName": "[concat('rg-', substring(uniqueString(subscription().id), 0, 4))]",
"keyvaultName": "[concat('keyvault-', substring(uniqueString(subscription().id), 0, 4))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"location": "[parameters('location')]",
"name": "[variables('rgName')]"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "keyvaultDeployment",
"resourceGroup": "[variables('rgName')]",
"dependsOn": [
"[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2021-10-01",
"name": "[variables('keyvaultName')]",
"location": "[parameters('location')]",
"properties": {... key vault properties ...},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2021-10-01",
"name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
"dependsOn": [
"[subscriptionResourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
],
"properties": {... key vault secret properties ...}
}
]
}
]
}
}
}
]
}
I've also tried to move key vault secret template out of key vault section:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {... parameters for key vault and key vault secret resources ...},
"variables": {
"rgName": "[concat('rg-', substring(uniqueString(subscription().id), 0, 4))]",
"keyvaultName": "[concat('keyvault-', substring(uniqueString(subscription().id), 0, 4))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"location": "[parameters('location')]",
"name": "[variables('rgName')]"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "keyvaultDeployment",
"resourceGroup": "[variables('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2021-10-01",
"name": "[variables('keyvaultName')]",
"location": "[parameters('location')]",
"properties": {... key vault properties ...}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2021-10-01",
"name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
],
"properties": {... key vault secret properties ...}
}
]
}
}
}
]
}
But it has generated the error "Key vault resource is not defined in the template." Is there a way to use child resources in subscription scope templates at all?
1 answers
solution1
0 ACCPTED 2022-03-21 14:31:49
I figured it out. Since I was working mostly with resource group deployments, I've used resourceId() function to pass values for 'dependsOn' template parameter. However, in subscription deployment scenario with child resources defined in the template resourceId() function wasn't working properly. As it turned out, you have to use either concat() or format() functions (or plain text) to pass the value for 'dependsOn' parameter for a child resource.
Here is the code that worked:
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "keyvaultDeployment",
"resourceGroup": "[variables('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2021-10-01",
"name": "[variables('keyvaultName')]",
"location": "[parameters('location')]",
"properties": {... key vault properties ...},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2021-10-01",
"name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
"dependsOn": [
"[concat('Microsoft.KeyVault/vaults/', variables('keyvaultName'))]"
],
"properties": {... key vault secret properties ...}
}
]
}
]
}
}
}
This is probably pretty obvious for more experienced users, but I've worked with multiple templates and multiple deployment tasks in my pipelines so I had to use resourceId() functions. Probably the conclusion above is valid for any child resources in any scope (subscription or resource group).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.