Dynamic declaration of Key Vault information

Instead of declaring the Key Vault reference in the parameters file, a template can retrieve secrets from the Key Vault dynamically. To do so, the template needs the name of the Key Vault, the resource group containing the Key Vault, and the secret name. We want to pull the SQL Server login password from the Key Vault while creating the SQL Server resource during the deployment of the ARM template, because the SQL Server template needs this password to create the SQL resource. So, instead of a Key Vault reference, the parameters file provides parameters for the name of the resource group containing the Key Vault, the Key Vault name, and the secret name, as shown here. These parameters are part of the SQL Server-related parameters:

    "sqlServerProperties": {
      "value": {
        "administratorLogin": "eCommerceAdmin",
        "databaseName": "eCommerceDatabase",
        "collation": "SQL_Latin1_General_CP1_CI_AS",
        "edition": "Standard",
        "maxSizeBytes": "1073741824",
        "requestedServiceObjectiveName": "S0",
        "sqlserverName": "armtemplatebooksqlserver",
        "keyVaultName": "keyvaultarmtemplatebook",
        "keyVaultResourceGroupName": "ARMPatterns",
        "adminstratorPasswordSecretName": "adminstratorPasswordSQL"
      }
    }

The resource group name is ARMPatterns, the name of the Key Vault is keyvaultarmtemplatebook, and the secret name is adminstratorPasswordSQL, spelled exactly as in the parameters file.

These values are supplied to the master template file azuredeploy.json, as shown here. The parameter is of the object datatype:

    "sqlServerProperties": {
      "type": "object"
    },

Now the values from this parameter object can be used by the linked template deployment responsible for creating the Azure SQL Server:

    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2017-05-10",
      "name": "sharedServices-sqlServices",
      "resourceGroup": "[variables('multiLocation').location[0].resourceGroupName]",
      "dependsOn": [ "allResourceGroups" ],
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[variables('templateRefSharedServicesTemplateUri')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "administratorLogin": { "value": "[parameters('sqlServerProperties').administratorLogin]" },
          "administratorLoginPassword": {
            "reference": {
              "keyVault": {
                "id": "[concat(subscription().id,'/resourcegroups/', parameters('sqlServerProperties').keyVaultResourceGroupName, '/providers/Microsoft.KeyVault/vaults/', parameters('sqlServerProperties').keyVaultName)]"
              },
              "secretName": "[parameters('sqlServerProperties').adminstratorPasswordSecretName]"
            }
          },
          "databaseName": { "value": "[parameters('sqlServerProperties').databaseName]" },
          "customTags": { "value": "[variables('variableTags')]" },
          "collation": { "value": "[parameters('sqlServerProperties').collation]" },
          "edition": { "value": "[parameters('sqlServerProperties').edition]" },
          "maxSizeBytes": { "value": "[parameters('sqlServerProperties').maxSizeBytes]" },
          "requestedServiceObjectiveName": {
            "value": "[parameters('sqlServerProperties').requestedServiceObjectiveName]"
          },
          "sqlserverName": { "value": "[parameters('sqlServerProperties').sqlserverName]" }
        }
      }
    },

Notice the Key Vault reference for administratorLoginPassword in the previously listed code. It is similar to the code in the previous example, which used the Key Vault reference in the parameters file. However, this time, the Key Vault identifier is generated at runtime, using the concat function. Also, note that the concat function generates a resource identifier in this format:

/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}

It is also possible to use the resourceId function provided by ARM templates to generate this Key Vault identifier. Also, note the use of secretName: its value comes from the sqlServerProperties object.
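A policy check for the pattern above, as an added example that is not code from the original page: it flags linked-deployment parameters whose names look secret-bearing but that are not passed as Key Vault references. The name regex, the sample resources, and the sqlPassword parameter are constructed assumptions.

```python
import json
import re

# Parameter names treated as secret-bearing (assumed naming convention).
SECRET_PARAM = re.compile(r"password|secret|connectionstring", re.I)
# A Key Vault resource ID, whether built with concat() or resourceId().
VAULT_ID = re.compile(r"Microsoft\.KeyVault/vaults", re.I)

def audit_deployment(resource):
    """Return (parameter, problem) pairs for one linked-deployment resource."""
    findings = []
    if resource.get("type") != "Microsoft.Resources/deployments":
        return findings
    params = resource.get("properties", {}).get("parameters", {})
    for name, spec in params.items():
        if not SECRET_PARAM.search(name):
            continue
        ref = spec.get("reference")
        if ref is None:
            findings.append((name, "no Key Vault reference"))
        elif "secretName" not in ref:
            findings.append((name, "reference has no secretName"))
        elif not VAULT_ID.search(ref.get("keyVault", {}).get("id", "")):
            findings.append((name, "keyVault.id is not a vault resource ID"))
    return findings

# Constructed sample: the page's pattern next to an inline-value variant
# ('sqlPassword' is a hypothetical parent-template parameter).
SAMPLE = json.loads("""
[
 {"type": "Microsoft.Resources/deployments", "name": "good",
  "properties": {"parameters": {
    "administratorLogin": {"value": "[parameters('sqlServerProperties').administratorLogin]"},
    "administratorLoginPassword": {"reference": {
      "keyVault": {"id": "[concat(subscription().id,'/resourcegroups/', parameters('sqlServerProperties').keyVaultResourceGroupName, '/providers/Microsoft.KeyVault/vaults/', parameters('sqlServerProperties').keyVaultName)]"},
      "secretName": "[parameters('sqlServerProperties').adminstratorPasswordSecretName]"}}}}},
 {"type": "Microsoft.Resources/deployments", "name": "inline",
  "properties": {"parameters": {
    "administratorLoginPassword": {"value": "[parameters('sqlPassword')]"}}}}
]
""")

if __name__ == "__main__":
    for res in SAMPLE:
        for param, problem in audit_deployment(res):
            print(f"{res['name']}: {param}: {problem}")
```

A finding here is a policy signal for review, since an inline value may still originate from a securestring parameter in the parent template.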

The sqlServerProperties parameter will also be used to configure the connection string in the Azure App Service web app configuration, as we will see later in this chapter.