Linked ARM templates result in Invalid Template

Question

Let's start with what I'm trying to accomplish.

What I'd like to do is create an ARM template where I'm retrieving secrets from the Azure Key Vault, without specifying too much details on the specific Key Vault. Sounds easy enough and probably something which is implemented in every production system.

Doing a quick search I discovered the syntax for such a thing is the following.

"parameters": {
  "adminPassword": {
    "reference": {
      "keyVault": {
        "id": "[resourceId(subscription().subscriptionId,  parameters('vaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
      },
      "secretName": "[parameters('secretName')]"
    }
  },

From what I gather you need to add this in an external template as the used methods can't be used in the 'main' method.

So I started creating a 'main' ARM template and a new template called appservice.json which contains all of the stuff necessary for my App Service, including the appSettings block which need the secrets from Key Vault.

In my main template I've done the following, as described in the documentation.

{
      "apiVersion": "2017-05-10",
      "name": "linkedTemplate",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[uri(deployment().properties.templateLink.uri, 'appservice.json')]",
          "contentVersion": "1.0.0.0"
        },

However, when deploying I'm confronted with the following error.

"error": {
    "code": "InvalidTemplate",
    "message": "Unable to process template language expressions for resource '/subscriptions/ba49bae7-2b37-4504-914b-441763a2bcd3/resourceGroups/cfpexchange-jan-test/providers/Microsoft.Resources/deployments/linkedTemplate' at line '1' and column '1526'. 'The language expression property 'templateLink' doesn't exist, available properties are 'name, properties'.'"
  }

I also tried the following because I noticed IntelliSense in Visual Studio told me properties doesn't exits and I should use templateLink directly.

{
      "apiVersion": "2017-05-10",
      "name": "linkedTemplate",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[uri(deployment().templateLink.uri, 'appservice.json')]",
          "contentVersion": "1.0.0.0"
        },

This of course isn't right either.

   "error": {
    "code": "InvalidTemplate",
    "message": "Unable to process template language expressions for resource '/subscriptions/ba49bae7-2b37-4504-914b-441763a2bcd3/resourceGroups/cfpexchange-jan-test/providers/Microsoft.Resources/deployments/linkedTemplate' at line '1' and column '1526'. 'The language expression property 'templateLink' doesn't exist, available properties are 'name, properties'.'"
  }

And when using it as a variable, like in the documentation

"variables": {
    "sharedTemplateUrl": "[uri(deployment().properties.templateLink.uri, 'shared-resources.json')]"
  },
...
"properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[variables('sharedTemplateUrl')]",
          "contentVersion": "1.0.0.0"
        },

I'm also getting an error.

2018-07-04T19:14:34.4204720Z ##[error]Deployment template validation failed: 'The template variable 'sharedTemplateUrl' is not valid: The language expression property 'templateLink' doesn't exist, available properties are 'template, parameters, mode, debugSetting, provisioningState'.. Please see https://aka.ms/arm-template-expressions for usage details.'.

At this time I'm a bit lost. From what I understand from the documentation it appears I'm doing everything correct. Apparently I'm not. Any ideas on how to continue with this?

For completeness, the two actual files which I'm using at this time:

• The main ARM template: https://github.com/Jandev/CfpExchange/blob/b998bb0c49cf369b2f7584e20556aefb5224ace0/Deployment/CFPExchange.json

• The linked template: https://github.com/Jandev/CfpExchange/blob/522f48aa19d19730e5474ce11ead57a48d330389/Deployment/appservice.json

There have been multiple iterations on it in order to try and fix it, but as mentioned noting appeared to be working so far.

Answer 1

First of all, this is how you are supposed to use KV in a nested template. Example with Admin password:

"adminPassword": {
    "reference": {
        "keyVault": {
            "id": "kv_resource_id"
        },
        "secretName": "[concat('secret', copyindex(1))]"
    }
},

This section supposed to be in the nested template parameters WHEN you invoke it (just look at the example link).

Your error seems to be in the variable. So the templateLink property is only available when you deploy your main template from the url, if you use local file to deploy main template it wont work.

Compare this to remote template execution:

New-AzureRmResourceGroupDeployment -ResourceGroupName xxx -TemplateUri 'https://paste.ee/d/XI1Rc/0'

As this is a remote url, it should show you the same output, but this time with a templateLink property.

Name             Type                       Value
===============  =========================  ==========
test             Object                     {

"name": "theDeploymentName",
"properties": {
  "templateLink": {
    "uri": "theRemoteTemplateUri"
  },
  "template": {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [],
    "outputs": {
      "test": {
        "type": "Object",
        "value": "[deployment()]"
      }
    }
  },
  "parameters": {},
  "mode": "Incremental",
  "provisioningState": "Accepted"
}
}