
Bicep params support for Key Vault secrets #10652

Closed
stephaniezyen opened this issue May 8, 2023 · 2 comments · Fixed by #11236

Comments

@stephaniezyen
Contributor

I can use the "getSecret()" function in a Bicep params file to access Key Vault Secrets

@github-project-automation github-project-automation bot moved this to Todo in Bicep May 8, 2023
@stephaniezyen stephaniezyen changed the title Support for Key Vault secrets Bicep params support for Key Vault secrets May 8, 2023
@polatengin
Member

polatengin commented May 19, 2023

Proposal: Adding az.getSecret() method support in .bicepparam files

I'd like to share the Proposal for the az.getSecret() method in .bicepparam files

Introduction

Currently, accessing a KeyVault and referencing a Secret with a parameter is only possible with Nested ARM Deployments, via modules in bicep files. Example:

// main.bicep
resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: 'testkeyvault'
}

module secret 'secret.bicep' = {
  name: 'secret'
  params: {
    mySecret: kv.getSecret('mySecret')
  }
}

// secret.bicep
@secure()
param mySecret string

output exposed string = mySecret

There are some missing features:

  • it's not possible to reference a Secret from a KeyVault inside of a .bicepparam file
  • if the .bicep file doesn't have the KeyVault resource, it's not possible to reference a Secret

Proposed change

Have an az.getSecret() function in the az namespace and make it available to .bicepparam files

The az.getSecret() function takes the following parameters:

  • required: subscriptionId "Id of the Subscription that has the target KeyVault"
  • required: resourceGroupName "Name of the Resource Group that has the target KeyVault"
  • required: keyVaultName "Name of the target KeyVault"
  • required: secretName "Name of the Secret"
  • optional: secretVersion "Version of the Secret"

At compilation time, the getSecret() method serializes as the Reference Typed Parameter syntax, so the compiler/builder doesn't have to access the KeyVault and get the Secret value. But at deployment time, ARM grabs the Secret value and uses it.

// parameters.bicepparam

using 'main.bicep'

param sqlPwd = az.getSecret('<subscriptionId>', '<resourceGroupName>', '<keyVaultName>', '<secretName>')
param webPwd = az.getSecret('<subscriptionId>', '<resourceGroupName>', '<keyVaultName>', '<secretName>', '<secretVersion>')

The compiled ARM Parameters JSON file would look like this:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sqlPwd": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName>"
        },
        "secretName": "<secretName>"
      }
    },
    "webPwd": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName>"
        },
        "secretName": "<secretName>",
        "secretVersion": "<secretVersion>"
      }
    }
  }
}

Conclusion

Overall, these changes will enhance the .bicepparam file experience and make deployments safer by referencing secrets from parameters 👍
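The compile-time shape the proposal describes, together with a check a pipeline can run over the compiled parameters file to catch a secure parameter that ended up as an inline value instead of a Key Vault reference. This is an added Python example, not Bicep's own compiler code; the subscription id, resource group, vault name and the webPwd value are constructed placeholders.

```python
import json
import re

ARM_PARAMS_SCHEMA = "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"
# Shape of the vault resource id that the "keyVault.id" field must carry.
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$")


def key_vault_reference(subscription_id, resource_group_name, key_vault_name,
                        secret_name, secret_version=None):
    """Build the ARM 'reference' object that az.getSecret(...) compiles to.

    Only the vault resource id, secret name and (optionally) version are emitted;
    the secret value itself never appears in the compiled file.
    """
    ref = {
        "keyVault": {
            "id": (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
                   f"/providers/Microsoft.KeyVault/vaults/{key_vault_name}")
        },
        "secretName": secret_name,
    }
    if secret_version is not None:
        ref["secretVersion"] = secret_version
    return {"reference": ref}


def compile_parameters(params):
    """Wrap parameter entries in the deploymentParameters.json envelope."""
    return json.dumps({"$schema": ARM_PARAMS_SCHEMA, "contentVersion": "1.0.0.0",
                       "parameters": params}, indent=2)


def find_plaintext_secrets(parameters_json, secret_param_names):
    """Return the names of parameters that should be Key Vault references but
    carry an inline 'value' or a malformed/missing reference."""
    params = json.loads(parameters_json).get("parameters", {})
    offenders = []
    for name in secret_param_names:
        entry = params.get(name, {})
        ref = entry.get("reference", {})
        vault_id = ref.get("keyVault", {}).get("id", "")
        if "value" in entry or not VAULT_ID_RE.match(vault_id) or not ref.get("secretName"):
            offenders.append(name)
    return offenders


# Constructed sample: sqlPwd is a proper reference, webPwd was wrongly given a literal value.
SAMPLE_PARAMETERS_JSON = compile_parameters({
    "sqlPwd": key_vault_reference("00000000-0000-0000-0000-000000000000", "rg-demo", "kv-demo", "sqlPwd"),
    "webPwd": {"value": "constructed-plaintext-value"},
})
```

Running `find_plaintext_secrets(SAMPLE_PARAMETERS_JSON, ["sqlPwd", "webPwd"])` reports only `webPwd`, which is the case Jarod1662 describes below where a secret shows up in plain text.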

@Jarod1662

I'm at a blocker with a project that I am working on. I've tried a few methods which either don't work or simply make the secrets appear in plain text. Is there any confirmation of when the support will be available?

polatengin added a commit that referenced this issue Jul 28, 2023
## Contributing a feature

* [x] I have opened a new issue for the proposal, or commented on an
existing one, and ensured that the Bicep maintainers are good with the
design of the feature being implemented
* [x] I have included "Fixes #{issue_number}" in the PR description, so
GitHub can link to the issue and close it when the PR is merged
* [x] I have appropriate test coverage of my new feature

Fixes #10652

Design Proposal for the `getSecret() support in .bicepparam files` can
be found on;
#10652 (comment)

`getSecret()` helper is added to `az` namespace, so, it can be used in
`.bicepparam` files as;

`param sqlPwd = getSecret('<subscriptionId>', '<resourceGroupName>',
'<keyVaultName>', '<secretName>')`

or, with the `az` namespace alias

`param webPwd = az.getSecret('<subscriptionId>', '<resourceGroupName>',
'<keyVaultName>', '<secretName>', '<secretVersion>')`

I added tests to make sure the functionality is working as expected.
IntegrationTests and UnitTests projects are passing;

`Cli.IntegrationTests`

![image](https://github.com/Azure/bicep/assets/118744/03a2573e-441b-4dac-aaac-2663089998ad)

`Core.IntegrationTests`

![image](https://github.com/Azure/bicep/assets/118744/d9a3b9ae-b0b4-40e4-887a-ea907213d59b)

`Decompiler.IntegrationTests`

![image](https://github.com/Azure/bicep/assets/118744/01ba311f-40a6-495d-b1e8-52e405bddb1d)

`LangServer.IntegrationTests`

![image](https://github.com/Azure/bicep/assets/118744/81ba1fb2-8572-40fb-8616-c00d2135e95a)

`Cli.UnitTests`

![image](https://github.com/Azure/bicep/assets/118744/5e69b415-5fed-4996-859d-e51613af05e5)

`Core.UnitTests`

![image](https://github.com/Azure/bicep/assets/118744/1791a638-e9d6-403a-8351-3c27998aff6c)

`Decompiler.UnitTests`

![image](https://github.com/Azure/bicep/assets/118744/08287f78-46b2-46bd-8e72-bcf433bff3f2)

`LangServer.UnitTests`

![image](https://github.com/Azure/bicep/assets/118744/915545e7-da49-4c23-88ac-9c8fb53c8a6f)


###### Microsoft Reviewers: [Open in
CodeFlow](https://portal.fabricbot.ms/api/codeflow?pullrequest=https://github.com/Azure/bicep/pull/10879)
@github-project-automation github-project-automation bot moved this from In Progress to Done in Bicep Jul 28, 2023