
I have an ARM template that deploys a Resource Group and includes a Key Vault and secrets. This is deployed through CI/CD and everything works perfectly bar one exception.

If I deploy the template the first time, everything works as expected. However, if a secret is manually changed by adding a new value, then the next time the template is deployed, the secrets in the template override the manual updates and a new version is set. How do I make the template only deploy the secrets for the first time. I.e. only deploy each secret if it only exists already?

In the example below, I deploy the template through CI/CD and MagicKey is set to defaultKey. If I change MagicKey to the real key in the portal and then deploy the ARM template again, my manual entry is replaced with a new version of the secret containing defaultKey as the value. How can I stop this from happening without kludgey work-arounds?

    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "MagicKey",
      "apiVersion": "2018-02-14",
      "properties": {
        "value": "defaultKey"
      },
      "dependsOn": [
        "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]"
      ]
    },
Murray Foxcroft
  • This is the expected behavior. I don't think you can check inside the ARM template that a resource already exists. You can check (using PowerShell or az cli) that the secret already exists and pass a parameter to the ARM template that will deploy the resource based on this parameter. Does that make sense to you? – Thomas Sep 15 '18 at 06:42
  • Can it be done with conditions? – Martijn B Dec 19 '18 at 11:22

1 Answer


You can use the "condition" tag to decide when it will be run: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-conditions

LFN
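The answer points at `condition`, and Thomas's comment supplies the missing half: the template cannot ask Key Vault whether a secret exists, so the pipeline has to find out and pass the result in as a parameter. The script below is an added example that is not part of the question or the answer. It assumes an authenticated Azure CLI in the CI job, hypothetical resource group and vault names passed as arguments, a top-level (not nested) secret resource, and that the deploying identity is allowed to list secrets in the vault. It puts the existing secret names into an array parameter and guards each secret with `condition: not(contains(...))`, so a secret whose value was changed by hand is left alone while new secrets are still created.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes an authenticated
# Azure CLI, hypothetical names "rg-demo" / "kv-demo" / "MagicKey", and list permission
# on the vault for the deploying identity.
set -eu

# Writes a minimal template in which the secret carries a "condition" that skips it
# when its name appears in the existingSecrets array parameter. Because the secret is
# declared at top level, its name must be "<vault>/<secret>".
write_template() {
  cat > "$1" <<'EOF'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": { "type": "string" },
    "existingSecrets": { "type": "array", "defaultValue": [] }
  },
  "resources": [
    {
      "condition": "[not(contains(parameters('existingSecrets'), 'MagicKey'))]",
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/MagicKey')]",
      "properties": { "value": "defaultKey" }
    }
  ]
}
EOF
}

# Renders the names given as arguments as a JSON array literal, e.g. ["a","b"]; no names gives [].
names_to_json_array() {
  out="["
  sep=""
  for n in "$@"; do
    out="${out}${sep}\"${n}\""
    sep=","
  done
  printf '%s]' "$out"
}

# Writes an ARM parameters file: $1 output path, $2 vault name, remaining args are the
# names of secrets that already exist and must not be redeployed.
write_parameters_file() {
  path="$1"
  vault="$2"
  shift 2
  printf '{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#","contentVersion":"1.0.0.0","parameters":{"keyVaultName":{"value":"%s"},"existingSecrets":{"value":%s}}}\n' \
    "$vault" "$(names_to_json_array "$@")" > "$path"
}

# Prints the names of the secrets currently in the vault, one per line. A vault that does
# not exist yet (first deployment) yields no names, so every secret is created on that run.
# If the vault exists but listing fails (e.g. missing permission), the non-zero exit aborts
# the caller under set -e instead of silently treating the vault as empty and overwriting.
list_existing_secrets() {
  vault="$1"
  if az keyvault show --name "$vault" --query name -o tsv >/dev/null 2>&1; then
    az keyvault secret list --vault-name "$vault" --query "[].name" -o tsv
  fi
}

# Discovers existing secrets, then deploys the template with that list as a parameter.
deploy() {
  rg="$1"
  vault="$2"
  tmpl=$(mktemp)
  params=$(mktemp)
  names=$(mktemp)
  write_template "$tmpl"
  list_existing_secrets "$vault" > "$names"
  # Key Vault secret names are alphanumeric plus '-', so word splitting here is safe.
  set -- $(cat "$names")
  write_parameters_file "$params" "$vault" "$@"
  az deployment group create --resource-group "$rg" --template-file "$tmpl" --parameters "@$params"
}

# Example invocation with the hypothetical names (runs az, so commented out here):
# deploy rg-demo kv-demo
```

Two caveats worth knowing before copying this into a pipeline: a resource skipped by `condition` cannot be read with `reference()` elsewhere in the same template, so keep other resources from depending on the secret's output; and the list step is the security boundary, so it is written to fail the job rather than fall back to an empty list, because an empty list would reproduce exactly the overwrite the question describes.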