How to pass an Azure pipeline variable to an ARM template used by AzureResourceManagerTemplateDeployment@3 task?

Question

I am trying to perform the following 2 steps in my Azure pipeline scheduled for every night:

1. Put a self-signed cert into a keyvault
2. Deploy Service Fabric cluster via ARM template and use the cert thumbprint and secret id as params.

The first step of creating the certificate in the keyvault works well for me:

# import the self-signed certificate ccg-self-signed-cert into the Keyvault
- task: AzurePowerShell@5
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    ScriptType: 'InlineScript'
    azurePowerShellVersion: '3.1.0'
    Inline: |
      $Pwd = ConvertTo-SecureString -String 'MyPassword' -Force -AsPlainText
      $Base64 = 'MIIKqQ____3000_CHARS_HERE______1ICAgfQ=='
      $Cert = Import-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert -CertificateString $Base64 -Password $Pwd
      echo "##vso[task.setvariable variable=Thumbprint;isOutput=true]$Cert.Thumbprint"

And I think I set the pipeline variable by the echo line (not quite sure, how to verify that...)

But how can I pass the pipeline variable holding the cert thumbprint value to the ARM template in the next pipeline task?

# deploy SF cluster by ARM template and use the SF Cluster certificate thumbsprint as admin cert
- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    azureResourceManagerConnection: '${{ parameters.ArmConnection }}'
    subscriptionId: 'XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX'
    action: 'Create Or Update Resource Group'
    resourceGroupName: '${{ parameters.resourceGroupName }}'
    location: 'West Europe'
    templateLocation: 'Linked artifact'
    csmFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster.json'
    csmParametersFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster-params.json'
    deploymentMode: 'Incremental'

I am using the azure-quickstart-template for creating an SF cluster.

And if you look at it, it expects a certificate thumbprint as a parameter:

"certificateThumbprint": {
  "type": "string",
  "metadata": {
    "description": "Certificate Thumbprint"
  }
},

"certificateUrlValue": {
  "type": "string",
  "metadata": {
    "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://<name of the vault>.vault.azure.net:443/secrets/<exact location>"
  }
},

How to pass the value from the AzurePowerShell@5 taks to the ARM template used by the subsequent AzureResourceManagerTemplateDeployment@3 task?

UPDATE:

I have tried following Nilay's suggestion and have put 3 variables into my sfcluster.json ARM template:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "clusterName": {
            "type": "string",
            "defaultValue": "ccg-sfcluster",
            "minLength": 5,
            "metadata": {
                "description": "Name of the SF cluster"
            }
        },
        "certificateThumbprint": {
            "type": "string",
            "defaultValue": "[$env:THUMBPRINT]",
            "metadata": {
                "description": "Certificate Thumbprint"
            }
        },
        "sourceVaultResourceId": {
            "type": "string",
            "defaultValue": "[$env:KEYVAULTID]",
            "metadata": {
                "description": "Resource Id of the key vault, is should be in the format of /subscriptions/<Sub ID>/resourceGroups/<Resource group name>/providers/Microsoft.KeyVault/vaults/<vault name>"
            }
        },
        "certificateUrlValue": {
            "type": "string",
            "defaultValue": "[$env:SECRETID]",
            "metadata": {
                "description": "Refers to the location URL in your key vault where the certificate was uploaded, it is should be in the format of https://<name of the vault>.vault.azure.net:443/secrets/<exact location>"
            }
        }
    },
    "variables": {

However I get the syntax error:

2020-05-27T12:31:54.1327314Z There were errors in your deployment. Error code: InvalidTemplate.
2020-05-27T12:31:54.1354742Z ##[error]Deployment template language expression evaluation failed: 'The language expression '$env:THUMBPRINT' is not valid: the string character ':' at position '4' is not expected.'. Please see https://aka.ms/arm-template-expressions for usage details.
2020-05-27T12:31:54.1361090Z ##[debug]Processed: ##vso[task.issue type=error;]Deployment template language expression evaluation failed: 'The language expression '$env:THUMBPRINT' is not valid: the string character ':' at position '4' is not expected.'. Please see https://aka.ms/arm-template-expressions for usage details.

Similar error comes if I omit the square brackets in

"defaultValue": "$env:THUMBPRINT",

Answer 1

Below is what have worked for me, but Brian's suggestion to use overrideParameters works even better, so I have set it as accepted answer.

First thing is I was using wrong format for setting the variables.

For correct string extrapolation I have to use the $ char twice (as in $($Cert.Thumbprint)) and I don't really need ;isOutput=true because it is a single job:

# import the self-signed certificate ccg-self-signed-cert into the Keyvault
- task: AzurePowerShell@5
  inputs:
    azureSubscription: '${{ parameters.ArmConnection }}'
    ScriptType: 'InlineScript'
    azurePowerShellVersion: '3.1.0'
    Inline: |
      $Pwd = ConvertTo-SecureString -String 'MyPassword' -Force -AsPlainText
      $Base64 = 'MIIKqQ____3000_CHARS_HERE______1ICAgfQ=='
      $Cert = Import-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert -CertificateString $Base64 -Password $Pwd
      echo "##vso[task.setvariable variable=Thumbprint]$($Cert.Thumbprint)"
      echo "##vso[task.setvariable variable=SecretId]$($Cert.SecretId)"

Then I have added a task to replace the 3 values I needed:

# replace Thumbprint, SecretId and KeyvaultId in the sfcluster-params.json file
- task: replacetokens@3
  displayName: 'Replace tokens in sfcluster-params.json'
  inputs:
    rootDirectory: '$(Build.SourcesDirectory)/pipelines/templates/'
    targetFiles: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster-params.json'
    encoding: 'auto'
    writeBOM: true
    actionOnMissing: 'fail'
    keepToken: false
    tokenPrefix: '$('
    tokenSuffix: ')'

While my entire sfcluster-params.json file is below (the KEYVAULTID is coming from keyvault ARM deployment):

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "clusterName": {
            "value": "my-sfcluster"
        },
        "certificateThumbprint": {
            "value": "$(THUMBPRINT)"
        },
        "sourceVaultResourceId": {
            "value": "$(KEYVAULTID)"
        },
        "certificateUrlValue": {
            "value": "$(SECRETID)"
        }
    }
}

And finally I have deployed the SF cluster:

# deploy SF cluster by ARM template and use the SF Cluster certificate thumbsprint as admin cert
- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    azureResourceManagerConnection: '${{ parameters.ArmConnection }}'
    subscriptionId: 'XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX'
    action: 'Create Or Update Resource Group'
    resourceGroupName: '${{ parameters.resourceGroupName }}'
    location: 'West Europe'
    templateLocation: 'Linked artifact'
    csmFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster.json'
    csmParametersFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster-params.json'
    deploymentMode: 'Incremental'

Answer 2

You need to set the override parameters on the deployment task. Remove all of those defaultValues you added to the template. You task yaml will look something like:

- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    action: 'Create Or Update Resource Group'
    overrideParameters: '-certificateThumbprint $(Thumbprint) -sourceVaultResourceId $(vaultId) -certificateUrlValue $(certUrl)'

The $(paren) syntax is how you reference a variable in the task defintion - so change those to whatever you named the variable.

Answer 3

You can verify that your variable Thumbprint has the value by having another PowerShell step after it and do a Write-Host.

Write-Host $env:THUMBPRINT

You can reference the variable that you created in your ARM Template parameter using $env:THUMBPRINT

Here is a reference link: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch