Problem
I have a shared secret and a certificate in an Azure Key Vault (KV) that needs to be pulled into different deployments.
E.g. DEV, TEST, UAT, Production all have their own key vaults BUT need access to the shared KV for the wildcard SSL cert.
I’ve tried a few different ways, but they all have flaws. I’m doing something similar with KV in the deployment resource group, and it’s working fine.
Is it feasible to have this as a module and then use it? Something along these lines…
sharedKV.bicep
var kvResourceGroup = 'project-shared-rg'
// subscription().id is a full resource ID; resourceGroup() needs the subscription GUID
var subscriptionId = subscription().subscriptionId
var name = 'project-shared-kv'
resource project_shared_kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: name
  scope: resourceGroup(subscriptionId, kvResourceGroup)
}
Then there’s something like template.bicep.
module shared_kv './sharedKeyVault/template.bicep' = {
  name: 'sharedKeyVault'
}
resource add_secret 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
  name: '${shared_kv.name}/mySecretKey'
  properties: {
    contentType: 'string'
    value: 'secretValue'
    attributes: {
      enabled: true
    }
  }
}
Asked by user3067684
Solution #1
If you need to target a different resourceGroup (and/or sub) than the rest of the deployment, you must use the module’s scope attribute to do so.
module shared_kv './sharedKeyVault/template.bicep' = {
  scope: resourceGroup(kvSubscription, kvResourceGroupName)
  name: 'sharedKeyVault'
  params: {
    subId: kvSubscription
    rg: kvResourceGroupName
    ...
  }
}
The KV sub/rg should ideally be provided into the module rather than hardcoded (which you probably knew, but just in case…)
Answered by bmoore-msft
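A fuller version of the scoped-module pattern from the answer, added here as an illustration and not code from either poster: main.bicep is deployed into each environment's resource group, writes a secret into the shared vault through a module scoped to the vault's own subscription/resource group, and reads the wildcard certificate back with getSecret() into a module parameter marked @secure(). The file names, parameter names, secret names and the consumer.bicep module (assumed to declare a @secure() param certPfxBase64) are assumptions for the example.

```bicep
// ---- main.bicep (deployed into the DEV/TEST/UAT/PROD resource group) ----
targetScope = 'resourceGroup'

// Subscription GUID, not subscription().id (which is a full resource ID)
param kvSubscriptionId string = subscription().subscriptionId
param kvResourceGroupName string = 'project-shared-rg'
param kvName string = 'project-shared-kv'
@secure()
param mySecretValue string

// Writes into the shared vault must run at the vault's own RG/sub scope,
// so the child resource lives in a module deployed there.
module addSecret './sharedKeyVault/secret.bicep' = {
  name: 'sharedKeyVault-addSecret'
  scope: resourceGroup(kvSubscriptionId, kvResourceGroupName)
  params: {
    kvName: kvName
    secretName: 'mySecretKey'
    secretValue: mySecretValue
  }
}

// Reads: reference the vault as existing at its own scope. getSecret() is
// only permitted as a module parameter value, which keeps the secret out of
// deployment outputs and history.
resource sharedKv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: kvName
  scope: resourceGroup(kvSubscriptionId, kvResourceGroupName)
}

module useCert './consumer.bicep' = { // assumed module with @secure() param
  name: 'useWildcardCert'
  params: {
    certPfxBase64: sharedKv.getSecret('wildcard-ssl-cert') // assumed secret name
  }
}

// ---- sharedKeyVault/secret.bicep (runs in the shared vault's RG) ----
param kvName string
param secretName string
@secure()
param secretValue string

resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: kvName
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
  parent: kv // parent replaces the '${vault}/${secret}' name concatenation
  name: secretName
  properties: { value: secretValue, contentType: 'string' }
}
```

The deploying identity needs RBAC (or an access policy) on the shared vault for set/get of secrets; without it the scoped module fails at deployment time rather than silently writing into the wrong vault.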
Post is based on https://stackoverflow.com/questions/71078765/azure-bicep-use-key-vault-from-different-resource-group