I'm looking for ARM Template to deploy Azure SQL Server with random password generated and later that password is saved into the key vault.
Could you please let me know if any of you have come across such ARM Template.
Asked
Active
Viewed 3,267 times
2 Answers
0
@LeonYue
The problem with your link is the authors code below:
"sqlserverAdminPassword": "[concat('P', uniqueString(resourceGroup().id, '224F5A8B-51DB-46A3-A7C8-59B0DD584A41'), 'x', '!')]",
Looking at the definition for uniqueString it is:
Creates a deterministic hash string based on the values provided as parameters.
This means that the password is not random and given the correct parameters it can be calculated.
You can solve this by inserting a new Guid for every deployment but then your password will also be updated on every deployment.
"parameters": {
"newGuid": {
"type": "string",
"defaultValue": "[newGuid()]"
}
}
"variables": {
"sqlserverAdminPassword": "[concat(uniqueString(guid(resourceGroup().id, deployment().name)), parameters('newGuid'), 'Tg2%')]"
}
newGuid is added as a parameter because that is the only way this function can be used.
This function can only be used in the default value for a parameter.
Ogglas
- 62,132
- 37
- 328
- 418
-1
Please ref this tutorial: Automatically generate a password for an Azure SQL database with ARM template:
It talked about how to create an ARM template that will create an Azure SQL database with an automatically generated password.
You can download the example ARM Template solution here:
You want to same the password in Key vault, you may learn: Set and retrieve a secret from Azure Key Vault using an ARM template.
Leon Yue
- 15,693
- 1
- 11
- 23
-
Thanks for the suggestion. I already saw this post. I need to put the same password into the KeyVault and not get it from the Key Vault. So the above Key Vault Template will not work. also can you please let me know what's this random number in the password string - '224F5A8B-51DB-46A3-A7C8-59B0DD584A41') Thanks – Mohammed Jul 22 '20 at 12:19
-
@Mohammed The blog has told us. The string "224F5A8B-51DB-46A3-A7C8-59B0DD584A41" is just an example. We could use ARM template function [uniqueString](https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions#uniquestring) to create a deterministic hash string based on the values provided as parameters. I found the blog and shared it to you, hope it's helpful. I can't help you figure it out because I'm just know ARM template but not good at it. – Leon Yue Jul 23 '20 at 02:05
-
If my answer is helpful for you, hope you can vote up or accept it as answer( click on the check mark beside the answer to toggle it from greyed out to filled in.). This can be beneficial to other community members. Thank you. – Leon Yue Jul 23 '20 at 02:06
-
Hello @Mohammed, hope you are doing well. If you have any other concern, you could post new question, we are all glad to help you. – Leon Yue Jul 27 '20 at 01:54
-
Thanks for the suggestions. I looked at the ARM Template. How do I modify it to put the secret in a different Keyvault, located in another resource group and not in the current resource group. Thanks in advance. – Mohammed Jul 30 '20 at 11:32
-
@Mohammed You're welcome. It's my pleasure to help you. Can you please accept(mark) it as answer( click on the check mark beside the answer to toggle it from greyed out to filled in.)? This can be beneficial to other community members. Thank you and have good day! – Leon Yue Jul 31 '20 at 01:22
-
2The question asks for a random password, but the example is deterministic and thus reproducible, it is not secure. – david.barkhuizen Jul 15 '21 at 13:41
-
2Downvoted for generating a deterministic and therefore predictable password, not a random one! See uniqueString docs: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-string#uniquestring – lost Nov 08 '21 at 08:56