I want to do the following by using bicep:

  • Create a keyvault
  • Create a keyvault secret
  • Use this secret as the input for the creation of a Synapse Workspace (admin password)

I am using modules for creating all of the resources.

```bicep
module keyVault 'modules/keyVault.bicep' = {
  scope: resourceGroup
  name: 'keyVault'
  params: {
    keyVaultName: keyVaultName
    location: location
    tenantID: subscription().tenantId
  }
}

module keyVaultSecret 'modules/keyVaultSecret.bicep' = {
  scope: resourceGroup
  name: 'keyVaultSecretSynapseSQLAdminPassword'
  params: {
    secretName: 'synapseSQLAdministratorLoginPassword'
    secretValue: synapseSqlAdministratorLoginPassword
    keyVaultName: keyVaultName
    keyVaultSecretName: '${keyVault.name}/synapseSQLAdministratorLoginPassword'
  }
}

module synapse 'modules/synapseWs.bicep' = {
  scope: resourceGroup
  name: 'synapse'
  params: {
    synapseWSName: synapseWSName
    synapseWSLocation: location
    defaultAccountUrl: storageAccount.outputs.accURL
    synapseSqlAdministratorLogin: synapseSqlAdministratorLogin
    synapseSqlAdministratorLoginPassword: keyVault.getSecret('keyVaultSecretSynapseSQLAdminPassword')
    managedResourceGroupName: '${environmentName}-cargo-${applicationName}-synapsemanaged-rg'
    sqlPoolName: sqlPoolName
    synapsePrivateLinkHubName: synapsePrivateLinkHubName
    synapsePrivateLinkHubLocation: location
  }
}
```

The getSecret function used in the line

```bicep
synapseSqlAdministratorLoginPassword: keyVault.getSecret('keyVaultSecretSynapseSQLAdminPassword')
```

gives the error: "The type "module" does not contain function "getSecret"." Apparently this function can only be used in resources. How could I do this in a different way?

Thanks

  • Because you're already passing the `synapseSqlAdministratorLoginPassword`, why are you not using it as well to populate the `synapseSqlAdministratorLoginPassword` param in the synapse module? – Thomas Oct 06 '21 at 07:20
  • Hi Thomas. Thanks for the reply. I want to be sure that for future deployments the password will not get overwritten. That's why I want to take the password directly from the key vault. – caroline101 Oct 06 '21 at 11:09

1 Answer

You have to reference the keyvault as existing in the Bicep template. You cannot use that function by referencing a module. You have to reference the resource.

  1. Create the keyvault with the module
  2. Reference existing keyvault (as you just created)
  3. Use the function on the existing keyvault reference.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/resource-declaration?tabs=azure-powershell#reference-existing-resources
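
The three steps above, sketched as an added example (not code from the question or the answer). It is a fragment of the question's main template and assumes the `resourceGroup` symbol, the parameters and the `keyVault`, `keyVaultSecret` and `storageAccount` modules are declared as in the question; the symbol name `existingKeyVault` and the API version are choices made here.

```bicep
// Step 1 is unchanged: the keyVault and keyVaultSecret modules from the question
// create the vault and store the password in it.

// Step 2: reference the vault that the keyVault module creates as an existing resource.
// Assumption: modules/keyVault.bicep sets enabledForTemplateDeployment: true on the
// vault; Resource Manager cannot read the secret during deployment without it.
resource existingKeyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  scope: resourceGroup
  name: keyVaultName
}

// Step 3: call getSecret() on the resource symbol, not on the module symbol.
module synapse 'modules/synapseWs.bicep' = {
  scope: resourceGroup
  name: 'synapse'
  // The existing reference is named from a parameter, so it carries no implicit
  // dependency on the modules. Order the deployment explicitly so that the vault
  // and the secret exist before the secret is read.
  dependsOn: [
    keyVault
    keyVaultSecret
  ]
  params: {
    synapseWSName: synapseWSName
    synapseWSLocation: location
    defaultAccountUrl: storageAccount.outputs.accURL
    synapseSqlAdministratorLogin: synapseSqlAdministratorLogin
    // getSecret() takes the secret's name in the vault (the secretName value passed
    // to the keyVaultSecret module), not the name of the module deployment.
    synapseSqlAdministratorLoginPassword: existingKeyVault.getSecret('synapseSQLAdministratorLoginPassword')
    managedResourceGroupName: '${environmentName}-cargo-${applicationName}-synapsemanaged-rg'
    sqlPoolName: sqlPoolName
    synapsePrivateLinkHubName: synapsePrivateLinkHubName
    synapsePrivateLinkHubLocation: location
  }
}

// In modules/synapseWs.bicep the receiving parameter must carry the secure
// decorator, because getSecret() is only valid as the value of such a parameter:
//
//   @secure()
//   param synapseSqlAdministratorLoginPassword string
```

With this shape the password value is resolved by Resource Manager from the vault at deployment time and is passed to the module only through a `@secure()` parameter, so it is not recorded in the deployment history.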