How to run Azure Bicep --what-if deployment with new keyVault.getSecret()?

Matt Mazzola 6 Reputation points Microsoft Employee
2022-06-09T18:55:31.08+00:00

Context of Problem:

I have a Bicep deployment set up and working using the Azure CLI.
I realize a key from one of the resources in module A should be passed as a parameter to one of the resources in module B.

  1. I update module A to use its resource.listKeys().primaryKey, write this value to a secret in Key Vault during deployment, and set this secret name as a module output variable.
  2. I update module B to take in a @secure() parameter for the new key, and assign it something like keyVault.getSecret(resourceA.outputs.secretName).

Then, in order to test that I have changed things correctly, I want to run a --what-if deployment to ensure the new secret will be written to Key Vault.

Expected
The deployment runs as normal and says the new secret will be written.

Actual
The deployment fails because of the new keyVault.getSecret(resourceA.outputs.secretName) which says something like this:

   NotFound - The secret of KeyVault parameter 'secretName' cannot be retrieved. Http status code: 'NotFound'. Error message: 'A secret with (name/id) secretName was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182'. Please see https://aka.ms/arm-keyvault for usage details.

This is the conflict. Azure Bicep is executing the keyVault.getSecret function to verify that it would work; however, that secret would only exist if I had actually run a full deployment so that module A's updated code would create that secret.
I think this is like a paradox or catch-22 situation.

What are the recommended solutions for this problem?

I saw these options and none of them seemed good.

  1. Comment out the keyVault.getSecret() functions that reference secrets that aren't deployed yet
  2. Run a partial deployment to create the secrets, then run what-if for the full deployment

This seems like a common problem that Azure Bicep should solve for me. I thought if Bicep knows I'm doing a what-if deployment and the secret doesn't exist, perhaps it would give a warning instead of completely failing? However, I understand Bicep wouldn't know if the secret doesn't exist because I have a mistake in my code, or if I simply haven't created it yet.

  • There don't seem to be any appropriate tags for azure, azure-cli, or azure-bicep, yet the form requires me to add some
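The two-module layout the question describes (steps 1 and 2), written out as an added example; this is not the poster's code and it does not fix the what-if failure, it reproduces the setup so the getSecret() call that what-if evaluates is visible. The resource types, the vault, storage account and web app names, and the secret name storage-primary-key are assumptions.

```bicep
// ---- main.bicep ----
param location string = resourceGroup().location
param keyVaultName string       // assumed: an existing vault in this resource group
param storageAccountName string // assumed name of resource A (created by module A)
param webAppName string         // assumed: an existing web app that is resource B
// the vault needs enabledForTemplateDeployment = true for getSecret() to be allowed
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = { name: keyVaultName }
module moduleA 'moduleA.bicep' = {
  name: 'moduleA'
  params: {
    location: location
    keyVaultName: keyVaultName
    storageAccountName: storageAccountName
  }
}
module moduleB 'moduleB.bicep' = {
  name: 'moduleB'
  params: {
    webAppName: webAppName
    // getSecret() may only feed a @secure() module parameter; what-if resolves this
    // lookup up front, i.e. before module A has created the secret it points at
    storageKey: kv.getSecret(moduleA.outputs.secretName)
  }
}
// ---- moduleA.bicep ----
param location string
param keyVaultName string
param storageAccountName string
resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
}
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = { name: keyVaultName }
// step 1: write the primary key into the vault during deployment, export its name
resource storageKeySecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  parent: kv
  name: 'storage-primary-key'
  properties: { value: storage.listKeys().keys[0].value }
}
output secretName string = storageKeySecret.name
// ---- moduleB.bicep ----
param webAppName string  // assumed: existing web app that consumes the key
@secure()
param storageKey string  // step 2: the key only ever arrives through a secure parameter
resource appSettings 'Microsoft.Web/sites/config@2022-03-01' = {
  name: '${webAppName}/appsettings'
  properties: { STORAGE_KEY: storageKey }
}
```

On the first run, before storage-primary-key exists in the vault, `az deployment group what-if` on main.bicep fails at the getSecret() line with the NotFound error quoted above.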