3

I have the Bicep file below, which returns a key vault. I would like to access the properties/functions of the key vault in the parent Bicep file, but I am not sure how to achieve this when using it as a module.

  1. I have keyvault.bicep:

         resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
           name: kvName
           scope: resourceGroup(subscriptionId, kvResourceGroup)
         }
         output kv1 object = kv

  2. I have parent.bicep (where keyvault.bicep is included as a module):

         module kv './keyvault.bicep' = {
           name: 'get Secrets'
           params: {
             subscriptionId: subscriptionId
             kvResourceGroup: resourceGroupName
             kvName: keyVaultName
           }
         }
         var pwd = kv.outputs.kv1.getSecret('key')

  3. But the getSecret method is unknown in the parent Bicep file.

Kindly suggest how to proceed?

old_timer
sub
  • Do you really need the key vault bicep file? You could just reference key vault directly in the parent bicep file? – Thomas Oct 15 '21 at 20:40
  • How are you going to use this `pwd` variable in the rest of the template? The thing is that [getSecret](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/key-vault-parameter?tabs=azure-cli#use-getsecret-function) function has some special requirements on how it can be used. – ochzhen Oct 15 '21 at 23:50
  • @Thomas Here Keyvault is just an example.. It can be storage account or resource group.. – sub Oct 17 '21 at 20:28
  • @ochzhen I agree with you, that it cannot be assigned to the variable. It can only be assigned to a secure parameter to the module. As I was saying, the key vault is an example. I understood from the below answer that this feature is currently unsupported in the bicep. – sub Oct 19 '21 at 21:11
  • 1
    I am not sure why it is downvoted. Please comment why it is downvoted? – sub Oct 19 '21 at 21:13

1 Answer

2

The short answer is that it is not supported.

In your parent.bicep file, kv is a module reference, not a resource. In order to correctly understand the parent-child resource hierarchy, Bicep requires a resource reference of the correct parent type in the parent property value.

Though there is a proposal to simplify resource referencing:

Let's say you have a keyvault.bicep module that creates a key vault:

    resource kv 'Microsoft.KeyVault/vaults@2019-09-01' = {
      name: kvName
      ...
    }

    output name string = kv.name

In parent.bicep, you could get a reference to the key vault like this:

    module kvModule './keyvault.bicep' = {
      name: 'key-vault-${keyVaultName}'
      params: {
        kvName: keyVaultName
        ...
      }
    }

    resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
      name: kvModule.outputs.name
    }

In your example, there are a few things:

  • The key vault module just gets a reference to the key vault, so you don't really need a module; you could just reference the key vault directly in the parent.bicep file.
  • The getSecret function is a really specific function; you can only use it to pass a secure parameter to another module:

    Returns a secret from an Azure Key Vault. The getSecret function can only be called on a Microsoft.KeyVault/vaults resource. Use this function to pass a secret to a secure string parameter of a Bicep module. The function can be used only with a parameter that has the @secure() decorator.

Thomas
  • 1
    Thank you... So means `getSecret` function cannot be used if the resource is present in `parent bicep`... it can only be passed as a secure param to the module. Please correct me if my understanding is wrong. – sub Oct 18 '21 at 10:22
  • 3
    This will not work: `resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = { name: kvModule.outputs.name }` This expression is being used in an assignment to the "name" property of the "Microsoft.KeyVault/vaults" type, which requires a value that can be calculated at the start of the deployment. Properties of keyVaultModule which can be calculated at the start include "name".bicep(BCP120) – Markus Meyer Jan 05 '22 at 07:56
  • @MarkusMeyer could you please elaborate ? not sure if it is related – Thomas Apr 19 '22 at 08:56
  • 1
    @sub, the secret must exist before the deployment starts. You could wrap it in its own module to make it work – Thomas Apr 19 '22 at 08:57
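
The pattern the answer describes, as an added example that is not part of the original answer or its comments: the parent references the existing vault directly and hands `getSecret('key')` to a module parameter decorated with `@secure()`. The file name `consumer.bicep`, the parameters `adminPassword`, `adminLogin` and `sqlServerName`, and the SQL server resource are hypothetical; it also assumes the vault has `enabledForTemplateDeployment` set to `true` and that the secret already exists.

```bicep
// ---- parent.bicep (added example, not the asker's or answerer's code) ----
param subscriptionId string
param kvResourceGroup string
param kvName string
param sqlServerName string // hypothetical parameter

// Reference the vault directly in the parent. A wrapper module cannot hand
// back a resource reference, so getSecret() would not be available on it.
resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: kvName
  scope: resourceGroup(subscriptionId, kvResourceGroup)
}

// getSecret() is only accepted as the value of a module parameter that is
// declared with @secure(). Assigning it to a var or an output is rejected.
module consumer './consumer.bicep' = {
  name: 'consume-secret'
  params: {
    sqlServerName: sqlServerName
    adminLogin: 'sqladmin' // constructed sample value
    adminPassword: kv.getSecret('key')
  }
}

// ---- consumer.bicep (hypothetical module that receives the secret) ----
param sqlServerName string
param adminLogin string

// @secure() keeps the value out of deployment history and logs.
@secure()
param adminPassword string

resource sql 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: resourceGroup().location
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
  }
}

// Do not echo the secret back: outputs are stored in plain text in the
// deployment record, so only non-sensitive values are returned.
output sqlServerId string = sql.id
```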