Author: Mark Johnson

Chief Technical Strategist/Architect in Bournemouth
Azure

Cloning Azure Key Vault Secrets

Posted on by Mark Johnson

Recently I had a need to clone secrets in one Key Vault into another Key Vault in a different subscription. I wasn’t sure if it was even possible to do but with a bit of PowerShell and the Azure CLI it turns out you can, here’s the script:

$sourceVault="<source vault>"
$destinationVault="<destination vault>"

$secrets=(az keyvault secret list --vault-name $sourceVault --query "[].{id:id,name:name}") | ConvertFrom-Json | ForEach-Object { 
  $secretName = $_.name
  $secretExists=(az keyvault secret list --vault-name $destinationVault --query "[?name=='$name']" -o tsv)  
  if($secretExists -eq $null) {
    write-host "Copy Secret across $secretName"
    $secretValue=(az keyvault secret show --vault-name $sourceVault -n $secretName --query "value" -o tsv)
    az keyvault secret set --vault-name $destinationVault -n $secretName --value "$secretValue"
  } else {
    write-host "$secretName already exists in $destinationVault"
  } 
}

Happy cloning!!! 🙂

NOTE: I used PowerShell 7.2.5 and Azure CLI 2.37.0

Azure, Bicep, DevOps, IaC

Bicep – Variable JSON Files

Posted on by Mark Johnson

Introduction

Recently I was looking into others ways to provide inputs to Bicep. In previous posts I have used various techniques to pass parameters in via Azure Pipelines, either updating a parameters JSON file or creating the whole file in the pipeline (I bundled those techniques into one post if you want to take a look).

If you are not sure about creating a parameters file to use with Bicep I recommend the Visual Studio Code extension Azure Resource Manager (ARM) Tools as this provides an easy way to create them. Also there is a PowerShell module written by Stefan Ivemo (and others) that has a command ‘New-BicepParameterFile’ that creates a parameter file from a Bicep file (see github and/or the PowerShell gallery)

In other Infrastructure as Code (IaC) frameworks like Terraform, there are ways to load variable files in and they are usually in the same language as the framework. Bicep however doesn’t currently support variables files in the Bicep language, but as I discovered, it does have a function called loadTextContent, this coupled with the json function allows JSON files to be loaded in and therefore could be used as variable files.

So, in this post I am going to explore using these functions to load variables into Bicep.

NOTE: I will be using az bicep version 0.6.1

The Code

Let’s start with something small like creating a storage account.

First create some settings for the account, name, sku, etc. in a JSON file (vars_storage.json) e.g.

{
    "name": "stmvarsdemodevweu",
    "sku": "Standard_LRS",
    "kind": "StorageV2",
    "properties": {
        "minimumTlsVersion": "TLS1_2"
    }
}

Next create the bicep file (deploy.bicep) to create the storage account and load in the variables from the json file using loadTextContent and json functions:

param location string = resourceGroup().location 
var storageConfig = json(loadTextContent('vars_storage.json'))

resource storageaccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageConfig.name
  location: location
  kind: storageConfig.kind
  sku: {
    name: storageConfig.sku
  }
  properties: {
    minimumTlsVersion: storageConfig.properties.minimumTlsVersion
  }
}

NOTE: With the Visual Studio Code Bicep extension you get intellisense on the json properties as well which is really nice

I already created the resource group in Azure and so just need to deploy the Bicep via the Azure CLI

 az deployment group create --resource-group rg-varsdemo-dev-weu --template-file deploy.bicep

Now, what if we wanted multiple variable files? as you can imagine you can just load in another file.

Let’s add a Virtual network to Bicep.

As before, starting with the JSON file (vars_network.json) define the network configuration

{
    "name": "vnet-varsdemo-dev-weu",
    "addressPrefixes": [
        "10.72.0.0/16"
    ],
    "subnets": [
        {
            "name": "Subnet-1",
            "properties": {
                "addressPrefix": "10.72.252.0/24"
            }
        },
        {
            "name": "Subnet-2",
            "properties": {
                "addressPrefix": "10.72.254.0/24"
            }
        }
    ]
}

And then add the Virtual Network to Bicep and load in the new json file into a variable

param location string = resourceGroup().location 
var storageConfig = json(loadTextContent('vars_storage.json'))
var networkConfig = json(loadTextContent('vars_network.json'))

resource storageaccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageConfig.name
  location: location
  kind: storageConfig.kind
  sku: {
    name: storageConfig.sku
  }
  properties: {
    minimumTlsVersion: storageConfig.properties.minimumTlsVersion
  }
}

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2019-11-01' = {
  name: networkConfig.name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: networkConfig.addressPrefixes
    }
    subnets: networkConfig.subnets
  }
}

Multiple Environments

Often when we use IaC we are deploying to multiple environments. Can files be dynamically loaded by a parameter value? something like this?

param location string = resourceGroup().location
param env string
var storageConfig = json(loadTextContent('vars_${env}_storage.json'))
var networkConfig = json(loadTextContent('vars_${env}_network.json'))

Unfortunately this is not a supported configuration in Bicep

The reason for this is that Param is determined at runtime and loadTextContent is determined at compile time

It is possible however to define environments in the file and load the desired section at runtime.

NOTE: One downside of using this way of loading environments is that Visual Studio Code loses intellisense on the JSON properties due to the runtime env parameter

Let’s change the JSON files to support multiple environments

vars_storage.json

{
    "dev": {
        "name": "stmvarsdemodevweu",
        "sku": "Standard_LRS",
        "kind": "StorageV2",
        "properties": {
            "minimumTlsVersion": "TLS1_2"
        }
    },
    "prod": {
        "name": "stmvarsdemoprodweu",
        "sku": "Premium_LRS",
        "kind": "StorageV2",
        "properties": {
            "minimumTlsVersion": "TLS1_2"
        }
    }
}

vars_network.json

{
    "dev": {
        "name": "vnet-varsdemo-dev-weu",
        "addressPrefixes": [
            "10.72.0.0/16"
        ],
        "subnets": [
            {
                "name": "Subnet-1",
                "properties": {
                    "addressPrefix": "10.72.252.0/24"
                }
            },
            {
                "name": "Subnet-2",
                "properties": {
                    "addressPrefix": "10.72.254.0/24"
                }
            }
        ]
    },
    "prod": {
        "name": "vnet-varsdemo-dev-weu",
        "addressPrefixes": [
            "10.74.0.0/16"
        ],
        "subnets": [
            {
                "name": "Subnet-1",
                "properties": {
                    "addressPrefix": "10.74.252.0/24"
                }
            },
            {
                "name": "Subnet-2",
                "properties": {
                    "addressPrefix": "10.74.254.0/24"
                }
            }
        ]
    }
}

And finally add the loading of the environment in Bicep

param location string = resourceGroup().location
param env string
var storageConfig = json(loadTextContent('vars_storage.json'))['${env}'] 
var networkConfig = json(loadTextContent('vars_network.json'))['${env}'] 

resource storageaccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageConfig.name
  location: location
  kind: storageConfig.kind
  sku: {
    name: storageConfig.sku
  }
  properties: {
    minimumTlsVersion: storageConfig.properties.minimumTlsVersion
  }
}

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2019-11-01' = {
  name: networkConfig.name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: networkConfig.addressPrefixes
    }
    subnets: networkConfig.subnets
  }
}

As before this can now be deployed into Azure via the Azure CLI adding the env parameter

Dev

az deployment group create --resource-group rg-varsdemo-dev-weu --template-file deploy.bicep --parameters env=dev

Prod

az deployment group create --resource-group rg-varsdemo-prod-weu --template-file deploy.bicep --parameters env=prod

Conclusion

You can of course provide all the variables inside the Bicep file including multiple environments and that is a valid way of defining values. However if you have a lot of variables, using a separate file whether that be a parameters file or following this technique can reduce the noise inside the Bicep file. Separate files also allow values to be overridden by a CI/CD pipeline, share variables between multiple Bicep files and it might be easier to maintain configuration if it is in separate files.

I think loading files in is a nice way of injecting values into Bicep, its a shame that other file formats like YAML are not currently supported or using Bicep style variable/parameters files. Hopefully these features will become part of Bicep in the future.

Well I hope you found this useful and discovered another way to get inputs into Bicep. Bicep is certainly improving more and more and I look forward to future releases.

Happy IaCing !!