Search code examples
azureazure-resource-managerazure-rm-template

Unable to pass secure values between linked ARM templates

I am trying to output a secret created in one linked template and reference this as a parameter in another. Test scenario:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "templateBaseUrl": {
      "type": "string"
    }
  },
  "variables": {
    "deployment1url": "[concat(parameters('templateBaseUrl'), '/deployment1.json')]",
    "deployment2url": "[concat(parameters('templateBaseUrl'), '/deployment2.json')]"
  },
  "resources": [
    {
      "apiVersion": "2017-08-01",
      "name": "deployment1",
      "dependsOn": [],
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[variables('deployment1url')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {}
      }
    },
    {
      "apiVersion": "2017-08-01",
      "name": "deployment2",
      "dependsOn": [],
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[variables('deployment2url')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "testInput2": {
            "value": "[reference('deployment1').outputs.testOutput1.value]"
          }
        }
      }
    }
  ],
  "outputs": {}
}

Deployment1:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
    },
    "resources": [],
    "outputs": {
        "testOutput1": {
            "type": "securestring",
            "value": "thisisapassword"
        }
    }
}

Deployment2:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "testInput2": {
            "type": "securestring"
        }
    },
    "resources": [],
    "outputs": {}
}

Running this scenario throws the error "Unable to process template language expressions for resource '/subscriptions//resourceGroups/testrg1/providers/Microsoft.Resources/deployments/deployment2' at line '34' and column '9'. 'The language expression property 'value' doesn't exist, available properties are 'type'.'"

So '.value' on the securestring output doesn't work, if I change the reference parameter to 

"testInput2": {
                "value": "[reference('deployment1').outputs.testOutput1]"
              }

the errors changes to 'Deployment template validation failed: 'The provided value for the template parameter 'testInput2' at line '5' and column '23' is not valid.'.'

Is it possible to achieve what I am doing?

Thanks in advance

Solution

  • I think the only way to pass secureStrings across deployments is using a KeyVault reference. The secureString output isn't very useful in that securestrings are masked by ARM at the deployment level.

    That help?