When executing the New-AzureRmResourceGroupDeployment command you can pass template parameters via the TemplateParameterObject parameter. That works great for simple properties and arrays but I cannot seem to get it to work for references. So something that would look like this in an ARM template parameter file:
    "adminPassword": {
        "reference": {
            "keyVault": {
                "id": "/subscriptions/365d8c14-efa0-437e-a2c8-c3ffc8f6287a/resourceGroups/musw1-prf-jboyd-kv-rg/providers/Microsoft.KeyVault/vaults/musw1-prf-jboyd-kv"
            },
            "secretName": "adminPassword"
        }
    }
I have tried this:
    $parameters = @{
        adminPassword = @{
            reference = @{
                keyVault = @{
                    id = $KeyVaultId
                }
                secretName = 'adminPassword'
            }
        }
    }
    New-AzureRmResourceGroupDeployment `
        -ResourceGroupName $ResourceGroupName `
        -TemplateFile $TemplateFile `
        -TemplateParameterObject $parameters
But all I get is:
Deployment template validation failed: 'The provided value for the template parameter 'adminPassword' at line '13' and column '27' is not valid.'.
Currently, Key Vault references in ARM Template Parameters appear only to be supported via Parameter Files and not Parameter Objects: See here for the issue that's been raised with Microsoft
Whilst it's not as friendly as using -TemplateParameterObject, one work-around which would allow you to script without exposing your Key Vault secrets would be to programmatically create and populate your JSON Template file via PowerShell, then pass that into New-AzureRmResourceGroupDeployment. By doing this, you can continue to reference the Key Vault secret indirectly without storing it locally or exposing it as clear text in any way.
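
A sketch of the workaround described in the answer above, added here as an example and not code from the original posts: it generates a parameter file containing the Key Vault reference and passes it with -TemplateParameterFile. The placeholder values, the template path and the temporary file name are assumptions; the variable names follow the question.

```powershell
# Added example: values below are placeholders; set them for your environment.
$ResourceGroupName = '<resource-group-name>'
$TemplateFile      = '.\azuredeploy.json'      # assumed template path
$KeyVaultId        = '<key-vault-resource-id>'

# Same structure as a hand-written parameter file: the Key Vault reference
# sits directly under the parameter name, in place of a "value" property.
$parameterFile = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = [ordered]@{
        adminPassword = @{
            reference = @{
                keyVault   = @{ id = $KeyVaultId }
                secretName = 'adminPassword'
            }
        }
    }
}

# Unique temporary path (assumed location) so parallel runs do not collide.
$path = Join-Path ([System.IO.Path]::GetTempPath()) ("deploy-params-{0}.json" -f [guid]::NewGuid())

try {
    # ConvertTo-Json defaults to -Depth 2, which would flatten the nested
    # reference object into a string; raise it to cover the full structure.
    $parameterFile | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding UTF8

    New-AzureRmResourceGroupDeployment `
        -ResourceGroupName $ResourceGroupName `
        -TemplateFile $TemplateFile `
        -TemplateParameterFile $path
}
finally {
    # The file holds only the vault ID and secret name, never the secret value.
    Remove-Item -Path $path -ErrorAction SilentlyContinue
}
```

For the reference to resolve, the vault must be enabled for template deployment and the deploying identity needs access to the secret.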