Reputation: 75
ARM template dependsOn on a keyvault access policy
My issue is the following:
We have an ARM template that deploys our function app. In the template we add an access policy for the function app to our keyvault in the following way.
{
"name": "[concat(parameters('keyVaultName'), '/add')]",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2019-09-01",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('skuAPIHostingPlan'))]",
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"properties": {
"accessPolicies": [
{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(variables('functionAppResourceId'), '2021-01-15', 'Full').identity.principalId]",
"permissions": {
"secrets": "[parameters('functionSecretsPermissions')]"
}
}
]
}
}
I would like to have a dependsOn statement in another resource in the template referencing the newly created access policy but don't quite know how to construct it. I guess I can't use the resourceId function (as I do in the access policy resource) as the access policy was not created with a specific resourcename (which I would need to pass on to the resourceId function).
Any ideas on how I can reference my access policy from the dependsOn section of another resource in the template ?
Upvotes: 3
Views: 1177
Answers (1)
Reputation: 29482
You have two options:
- Use the resource id directly:
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]"
]
- As suggested by @Stringfellow, you put the access policy resource inside a nested template and the other resource will depend on this resource:
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "key-vault-access-policy",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('skuAPIHostingPlan'))]",
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"functionAppResourceId": {
"value": "[variables('functionAppResourceId')]"
},
"functionSecretsPermissions": {
"value": "[parameters('functionSecretsPermissions')]"
},
"keyVaultName": {
"value": "[parameters('keyVaultName')]"
},
"tenantId": {
"value": "[parameters('tenantId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVaultName": {
"type": "string"
},
"tenantId": {
"type": "string"
},
"functionAppResourceId": {
"type": "string"
},
"functionSecretsPermissions": {
"type": "array"
}
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2020-04-01-preview",
"name": "[format('{0}/add', parameters('keyVaultName'))]",
"properties": {
"accessPolicies": [
{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(parameters('functionAppResourceId'), '2021-01-15', 'Full').identity.principalId]",
"permissions": {
"secrets": "[parameters('functionSecretsPermissions')]"
}
}
]
}
}
]
}
}
}
Then you can use the resource id of the Microsoft.Resources/deployments:
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'key-vault-access-policy')]"
]
Upvotes: 7
Related Questions
- ARM KeyVault Access Policies Conditional Add
- How to add Access Policy to a Keyvault in different Resource Group through ARM Templates
- Azure ARM Template Keyvault Resources keeps removing other access policies
- Azure Key Vault access from ARM Template
- Azure ARM template ResourceNotFound error when referencing managed identity in key vault access policy
- referencing a KeyVault secret in an ARM template fails with 'The resource is not defined in the template'
- ARM template Key vault access policy to group instead of identity principle
- Azure ARM template - check for existing Key Vault access policies
- Azure ARM template keyvault override in Azure DevOps
- "The resource identifier of the KeyVault parameter '' is invalid" error during ARM template deployment