Define a secret and reference it in two services w/o a cycle in bicep.

Eimantas 0 Reputation points
2023-10-09T05:18:03.2433333+00:00

My goal is to have a template that lets me deploy an infrastructure for a client that runs a web application with a database.

I have defined resources for my web app:

  • app service (w/ a plan)
  • postgresql db
  • key vault
  • key vault secret

The problem, though, is that I have caused a cycle in app service -> secret -> vault. I'd love to know how I could avoid this and still be able to define everything in and deploy everything from a single template. Here are the relevant snippets:

var tenantId = subscription().tenantId

resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: 'vault-${clientId}'
  location: location
  properties: {
    /* .. */
    enabledForTemplateDeployment: true
    tenantId: tenantId
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: appService.identity.principalId
        permissions: { /* */ }
      }
    ]
  }
}

@secure()
param dbPassword string = newGuid()

resource dbPasswordSecret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  parent: vault
  name: 'db-password-${clientId}'
  properties: {
    value: dbPassword
  }
}

resource appService 'Microsoft.Web/sites@2022-09-01' = {
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    siteConfig: {
      appSettings: [
        {
          name: 'DB_PASSWORD'
          value: '${reference(dbPasswordSecret).secretValue}'
        }
      ]
    }
  }
}

1 answer

  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2023-10-13T05:24:30.22+00:00

    @Eimantas

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking to use an Azure Key Vault secret in a Bicep template.

    Please do correct me if this is not the case by responding in the comments section.

    Kindly try the sample given here: Review the Bicep file, for testing, as we already have defined templates available in the documentation.

    Thanks,

    Akshay Kaushik


    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

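One way to break the app service -> secret -> vault cycle from the question, as an added example that is not part of the original thread or of Microsoft's sample: the access policy moves out of the vault into its own `accessPolicies` child resource, and the app setting holds a Key Vault reference to the secret's URI instead of the secret value. The app name, the `appServicePlanId` parameter, the SKU and the `get` permission are assumptions.

```bicep
// Added example; 'app-${clientId}', appServicePlanId, the SKU and the 'get' permission are assumptions.
param clientId string
param location string = resourceGroup().location
param appServicePlanId string // assumed: resource ID of an existing App Service plan
@secure()
param dbPassword string = newGuid()
var tenantId = subscription().tenantId

// 1. The vault no longer mentions the app, so it depends on nothing else here.
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: 'vault-${clientId}'
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }
    tenantId: tenantId
    accessPolicies: []
  }
}

// 2. The secret depends only on the vault.
resource dbPasswordSecret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  parent: vault
  name: 'db-password-${clientId}'
  properties: { value: dbPassword }
}

// 3. The app stores a Key Vault reference (the URI), not the password itself.
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-${clientId}'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: appServicePlanId
    siteConfig: {
      appSettings: [
        { name: 'DB_PASSWORD', value: '@Microsoft.KeyVault(SecretUri=${dbPasswordSecret.properties.secretUri})' }
      ]
    }
  }
}

// 4. The policy is deployed last: it needs the vault and the app's identity.
resource appAccess 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
  parent: vault
  name: 'add'
  properties: {
    accessPolicies: [
      { tenantId: tenantId, objectId: appService.identity.principalId, permissions: { secrets: [ 'get' ] } }
    ]
  }
}
```

The dependency order is now vault, secret, app, policy, with no edge pointing back. Because the vault declares `accessPolicies: []`, a redeployment resets policies granted outside the template before step 4 re-adds the app's.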