0

I'm thinking this is the best place to post this as you guys are the cream of the crop. I'm very new to azure Devops and I am playing around ARM templates and have created a relatively simple azurekeyvault. In my code I am trying to create an inline PowerShell script that will grab someone deploying the ARM templates ObjectId and storing it into the parameter, as opposed to entering it in manually or having to deploy it from the azure portal. I just cannot seem to get it to work, and it is quite frustrating. I was wondering if someone could take a quick look and maybe explain what I am doing wrong. Very Kind regards.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_azurekeyvault_vault_name": {
            "type": "String"
        },
        "tenantId": {
            "type": "String"
        },
        "objectId": {
            "type": "string"
        }
    },
    "variables": {},
    "resources": [
        {
            
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2022-07-01",
            "name": "[parameters('vaults_azurekeyvault_vault_name')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "[parameters('tenantId')]",
                "networkAcls": {
                    "bypass": "AzureServices",
                    "defaultAction": "Deny",
                    "ipRules": [],
                    "virtualNetworkRules": []
                },
                "accessPolicies": [
                    {
                        "tenantId": "[parameters('tenantId')]",
                        "objectId": "[parameters('objectId')]",
                        //"objectId": "[if(equals(parameters('objectId'), ''), reference('getUserObjectId').outputs.result.value, parameters('objectId'))]",
                        "permissions": {
                            "keys": [
                                "Get",
                                "List",
                                "Update",
                                "Create"
                            ],
                            "secrets": [
                                "Get",
                                "List",
                                "Set"
                            ],
                            "certificates": [
                                "Get",
                                "List",
                                "Update",
                                "Create"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": true,
                "enabledForDiskEncryption": true,
                "enabledForTemplateDeployment": true,
                "enableSoftDelete": false,
                //"softDeleteRetentionInDays": 7,
                "enableRbacAuthorization": false,
                "vaultUri": "[concat('https://', parameters('vaults_azurekeyvault_vault_name'), '.vault.azure.net/')]",
                "provisioningState": "Succeeded",
                "publicNetworkAccess": "Enabled"
            }
        },
        {
            "type": "Microsoft.Resources/deploymentScripts",
            "apiVersion": "2020-10-01",
            "name": "getUserObjectId",
            "location": "[resourceGroup().location]",
            "kind": "AzurePowerShell",
            "properties": {
                "azPowerShellVersion": "3.0",
                "arguments": "",
                "scriptContent": "Get-AzContext | Select-Object -ExpandProperty Account | Select-Object -ExpandProperty Id",
                "cleanupPreference": "OnSuccess",
                "timeout": "PT1H",
                "retentionInterval": "P1D"
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/keys",
            "apiVersion": "2022-07-01",
            "name": "[concat(parameters('vaults_azurekeyvault_vault_name'), '/azurekeyvault-certificate')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_azurekeyvault_vault_name'))]"
            ],
            "properties": {
                "attributes": {
                    "enabled": true,
                    "nbf": 1676439340,
                    "exp": 1707975940
                }
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/keys",
            "apiVersion": "2022-07-01",
            "name": "[concat(parameters('vaults_azurekeyvault_vault_name'), '/azurevault')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_azurekeyvault_vault_name'))]"
            ],
            "properties": {
                "attributes": {
                    "enabled": true,
                    "exportable": false
                }
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2022-07-01",
            "name": "[concat(parameters('vaults_azurekeyvault_vault_name'), '/azurekeyvault-certificate')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_azurekeyvault_vault_name'))]"
            ],
            "properties": {
                "contentType": "application/x-pkcs12"
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2022-07-01",
            "name": "[concat(parameters('vaults_azurekeyvault_vault_name'), '/azurekeyvault-secret')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_azurekeyvault_vault_name'))]"
            ],
            "properties": {
                "contentType": "text/plain"
            }
        }
    ],
    "outputs": {
        "objectId": {
            "type": "string",
            "value": "[reference('getUserObjectId').outputs.result.value]"
        }
    }
}
Daniel Mann
  • 57,011
  • 13
  • 100
  • 120
Joshua Martin
  • 3
  • 2
  • what are the errors you are getting? – 4c74356b41 Feb 18 '23 at 08:03
  • I honestly think I am doing something wrong in the Microsoft.Resources/deploymentScripts that I'm deploying. I try and deploy into my azure portal using powershell and the inline script just doesn't want to work. I'm very green so I'm not entirely sure how to troubleshoot – Joshua Martin Feb 18 '23 at 10:28
  • I don’t think this will fix anything but ```Get-AzContext | Select-Object -ExpandProperty Account | Select-Object -ExpandProperty Id``` can be simplified to ```(Get-AzContext).Account.Id``` – mclayton Feb 18 '23 at 13:19
  • Do yourself a huge favor and use Bicep instead of trying to mess around in ARM JSON directly. – Daniel Mann Feb 20 '23 at 01:48
  • I know mate, but I have to for a work project unfortunately – Joshua Martin Feb 20 '23 at 04:55

1 Answers1

0

ah okay, forgot one obvious thing you are doing wrong:

$output = (Get-AzContext).Account.Id
Write-Output $output
$DeploymentScriptOutputs = @{}
$DeploymentScriptOutputs['accountId'] = $output

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template#sample-templates

also, check you've grant all the needed permissions to run deploymentScripts

4c74356b41
  • 69,186
  • 6
  • 100
  • 141