Kurt S

Reputation: 21357

Azure DevOps ARM Template - override linked service parameter

I'm using an Azure DevOps pipeline to deploy a Data Factory to various environments, using DevOps' ARM Template deployment task. This is where you specify a path to your ARMTemplateForFactory.json and ARMTemplateParametersForFactory.json and override template parameters accordingly.

My Data Factory has an Azure Function linked service. The Function App Url is automatically included as an ARM Template parameter such as MyFunctions_properties_typeProperties_functionAppUrl and I'm able to override it successfully. I'm also able to override the KeyVault url to my linked service KeyVault (these are both automatically included in ARMTemplateParametersForFactory.json). However, I also need to override the function key using a secret from my KeyVault, as seen in the ADF UI here:


How can I add this as an overridable ARM Template parameter, such that I can specify my secret name in DevOps as in this example below?


I've reviewed this guide for parameterizing linked services, but this makes no mention of how to set the parameter value from a DevOps ARM template task: https://learn.microsoft.com/en-us/azure/data-factory/parameterize-linked-services?tabs=data-factory I've tried adding a linked service parameter as described @(linkedservice().myParamName but this doesn't get added to the ARMTemplateParametersForFactory.json. Can I add it manually? What format would it follow?

I do know how, and am able to set an override for an ADF global parameter from the ARM template task, but it seems you can't use a global parameter in a linked service field... pipeline().globalParameters.myParamName is not a valid value to enter in the "Secret name" field.

I've also referenced https://learn.microsoft.com/en-us/azure/data-factory/continuous-integration-delivery-resource-manager-custom-parameters which suggests ways to customize the parameterization template, including this quote about parameterizing Linked Services:

The property secretAccessKey happens to be an AzureKeyVaultSecret (for example, in an Amazon S3 linked service). It's automatically parameterized as an Azure Key Vault secret and fetched from the configured key vault. You can also parameterize the key vault itself.

...but no specific example of how to actually do this.

How can I parameterize an Azure Function Linked Service's function key via KeyVault secret in my ARM Template deployment?

Upvotes: 0

Views: 1975

Answers (1)

DreadedFrost

Reputation: 2978

This desired behavior is possible leveraging the manual adding of the Key Vault URL via the secret identifier.

This URL will append the specific version of the secret; however, if you remove this after the endpoint it will get the latest version.

Here is how it is configured in my Key Vault:

Then to confirm how this is configured in the parameters this is what the ARM template is expecting:

    "AzureKeyVault1_properties_typeProperties_baseUrl": {
        "type": "string",
        "defaultValue": "https://kv-comsosfeed-dev-eus.vault.azure.net/secrets/test"
    }

Thus the parameter value passed into this, either via override or defined separately in the parameters file, would be the complete URL of the secret. This would allow for secret names to be different across environments. The caveat is that this approach will increase the number of parameters, i.e. multiple secrets in the same Key Vault would require a parameter for each Linked Service, and there is the hard limit of 256.

Upvotes: 1
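
The custom parameterization file mentioned in the question can expose the secret name itself as a template parameter. The fragment below is an added example, not from either poster; it assumes the file is `arm-template-parameters-definition.json` in the root of the factory's collaboration branch and that the linked service stores its key as a Key Vault secret reference under `typeProperties.functionKey`.

```json
{
    "Microsoft.DataFactory/factories/linkedServices": {
        "*": {
            "properties": {
                "typeProperties": {
                    "functionAppUrl": "=",
                    "baseUrl": "=",
                    "functionKey": {
                        "secretName": "="
                    }
                }
            }
        }
    }
}
```

With this in place the generated parameters file would be expected to gain an entry following the page's naming pattern, such as `MyFunctions_properties_typeProperties_functionKey_secretName` (name assumed), which the DevOps task can override per environment while the secret value stays in Key Vault. A custom definition file replaces the default one, so any default entries still needed have to be carried over into it.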
