
I have Bicep files that contain a Key Vault module and a SQL Server module. In the SQL Server Bicep file, I run a deploymentScript that runs a PowerShell script to generate a password and add it as a secret in the Key Vault. This password is used as the admin password for the SQL Server.

I would like the script to generate and save the password only if the secret doesn't already exist in the Key Vault.

main.bicep

// Resource Module
module resourceKeyVaultModule './modules/kv.bicep' = {
  // Deploys the Key Vault declared in kv.bicep; its `name` output is consumed
  // by the SQL Server module below.
  name: 'resourceKeyVaultModuleDeployment'
  params: {
    application: application
    location: location
    environment: environment
    severity: severity
  }
  // NOTE(review): `resourceGroup` is a symbol declared outside this excerpt —
  // confirm it is the intended target resource group for both modules.
  scope: resourceGroup
}

module resourceSqlServerModule './modules/sql.bicep' = {
  // Deploys the SQL Server, the password-generating deployment script and the
  // admin-password secret declared in sql.bicep.
  name: 'resourceSqlServerModuleDeployment'
  params: {
    application: application
    location: location
    environment: environment
    severity: severity
    // Referencing the Key Vault module's output makes this module deploy
    // after the vault exists, so sql.bicep can resolve it as `existing`.
    nameKeyVault: resourceKeyVaultModule.outputs.name
  }
  scope: resourceGroup
}

kv.bicep

// == Key Vault
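resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: nameKeyVault
  location: location
  tags: {
    location: location
    environment: environment
    severity: severity
  }
  properties: {
    accessPolicies: [
      {
        // Empty objectId is presumably a redacted value; it must be the
        // principal that reads/writes the SQL admin secret (for example the
        // identity the deployment script in sql.bicep runs as).
        // NOTE(review): 'all' on certificates, keys, secrets and storage is far
        // broader than a secret reader/writer needs — confirm the minimum
        // permission set for that principal.
        objectId: ''
        permissions: {
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
          secrets: [
            'all'
          ]
          storage: [
            'all'
          ]
        }
        // The policy's tenant must be the vault's tenant; derive it from the
        // deploying subscription instead of an empty placeholder.
        tenantId: subscription().tenantId
      }
    ]
    sku: {
      family: 'A'
      name: 'standard'
    }
    // Fix: the original line was an unterminated string literal (`tenantId: '`),
    // which does not compile. A vault always belongs to the tenant of the
    // subscription it is deployed into.
    tenantId: subscription().tenantId
    // NOTE(review): no enablePurgeProtection / enableRbacAuthorization setting is
    // declared here — confirm the intended deletion and authorization model
    // before this vault holds a production SQL admin password.
  }
}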

// Vault name handed to sql.bicep (via main.bicep) so it can reference the vault as `existing`.
output name string = keyVault.name

sql.bicep

// == Generate Password
resource generatePassword 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  // Runs generatePassword.ps1 and exposes its result as
  // `properties.outputs.password`, which sqlServer and secretPasswordSqlAdmin read.
  // NOTE(review): deployment-script outputs are not secret — they are stored in
  // plaintext on this resource and in the deployment history, so anyone with
  // read access to the resource group can see the SQL admin password. Consider
  // having the script write the secret into the vault itself and output only
  // the secret name; that requires an `identity` on this resource, which is
  // also what the script would need to check whether the secret already exists.
  name: 'generatePassword'
  location: location
  kind: 'AzurePowerShell'
  properties: {
    // NOTE(review): 3.0 is an old Az PowerShell release — confirm it is still
    // offered by the deploymentScripts service.
    azPowerShellVersion: '3.0'
    // The script resource (including its outputs) is kept for one hour after
    // completion.
    retentionInterval: 'PT1H'
    // Character-class counts forwarded to generatePassword.ps1.
    arguments: '-lowercase 4 -uppercase 4 -numbers 4 -symbols 2'
    // The script file is embedded into the compiled template at build time.
    scriptContent: loadTextContent('../../../Scripts/generatePassword.ps1')
  }
}

// == Key Vault
// Reference to the vault deployed by kv.bicep (name passed in as nameKeyVault);
// `existing` means nothing is deployed here, it is only used as the secret's parent.
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: nameKeyVault
}

// == SQL Server
resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: nameSqlServer
  location: location
  tags: {
    location: location
    environment: environment
    severity: severity
  }
  properties: {
    // NOTE(review): reusing the server name as the admin login makes the login
    // name predictable; a separate parameter would be preferable.
    administratorLogin: nameSqlServer
    // Comes straight from the deployment script's output, so the password is
    // also visible wherever that output is stored (see generatePassword).
    administratorLoginPassword: generatePassword.properties.outputs.password
    // Rejects client connections below TLS 1.2.
    minimalTlsVersion: '1.2'
    // NOTE(review): no publicNetworkAccess setting is declared here — confirm
    // the intended network exposure of the server.
  }
}

resource secretPasswordSqlAdmin 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  // Declared unconditionally: every deployment writes whatever the script
  // produced as a new version of this secret. A resource declaration cannot
  // test whether the secret already exists, so the "only if absent" check has
  // to happen inside generatePassword.ps1 rather than here.
  name: 'password-sql-admin'
  parent: keyVault
  tags: {
    location: location
    environment: environment
    severity: severity
  }
  properties: {
    value: generatePassword.properties.outputs.password
  }
}



While this isn't possible within the Bicep file itself, you should instead have the PowerShell script check whether the secret already exists in the Key Vault before generating a new one.
