Tags: azure, azure-resource-manager, azure-keyvault, azure-rm-template

ARM template dependsOn on a keyvault access policy


My issue is the following:

We have an ARM template that deploys our function app. In the template we add an access policy for the function app to our keyvault in the following way.

   {
     "name": "[concat(parameters('keyVaultName'), '/add')]",
     "type": "Microsoft.KeyVault/vaults/accessPolicies",
     "apiVersion": "2019-09-01",
     "dependsOn": [
       "[resourceId('Microsoft.Web/serverfarms', variables('skuAPIHostingPlan'))]",
       "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
     ],
     "properties": {
       "accessPolicies": [
         {
           "tenantId": "[parameters('tenantId')]",
           "objectId": "[reference(variables('functionAppResourceId'), '2021-01-15', 'Full').identity.principalId]",
           "permissions": {
             "secrets": "[parameters('functionSecretsPermissions')]"
           }
         }
       ]
     }
   }

I would like to have a dependsOn statement in another resource in the template referencing the newly created access policy, but I don't quite know how to construct it. I guess I can't use the resourceId function (as I do in the access policy resource), as the access policy was not created with a specific resource name (which I would need to pass on to the resourceId function).

Any ideas on how I can reference my access policy from the dependsOn section of another resource in the template?


Solution

  • You have two options:

    1. Use the resource id directly:
    "dependsOn": [
      "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]"
    ]
    
    2. As suggested by @Stringfellow, you put the access policy resource inside a nested template and the other resource will depend on this resource:
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "key-vault-access-policy",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('skuAPIHostingPlan'))]",
        "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
      ],
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "mode": "Incremental",
        "parameters": {
          "functionAppResourceId": {
            "value": "[variables('functionAppResourceId')]"
          },
          "functionSecretsPermissions": {
            "value": "[parameters('functionSecretsPermissions')]"
          },
          "keyVaultName": {
            "value": "[parameters('keyVaultName')]"
          },
          "tenantId": {
            "value": "[parameters('tenantId')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "keyVaultName": {
              "type": "string"
            },
            "tenantId": {
              "type": "string"
            },
            "functionAppResourceId": {
              "type": "string"
            },
            "functionSecretsPermissions": {
              "type": "array"
            }
          },
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/accessPolicies",
              "apiVersion": "2020-04-01-preview",
              "name": "[format('{0}/add', parameters('keyVaultName'))]",
              "properties": {
                "accessPolicies": [
                  {
                    "tenantId": "[parameters('tenantId')]",
                    "objectId": "[reference(parameters('functionAppResourceId'), '2021-01-15', 'Full').identity.principalId]",
                    "permissions": {
                      "secrets": "[parameters('functionSecretsPermissions')]"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
    

    Then you can use the resource id of the Microsoft.Resources/deployments:

    "dependsOn": [
      "[resourceId('Microsoft.Resources/deployments', 'key-vault-access-policy')]"
    ]
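As an added illustration that is not part of the question or the answer, here is what the dependent resource from option 1 could look like: the function app's app settings pull a connection string from the vault via a Key Vault reference, so they must not be applied before the access policy exists. The `Microsoft.Web/sites/config` resource, the setting name and the secret name `DbConnectionString` are assumptions; the vault, function app and access policy names come from the templates above. ARM accepts `//` comments in template JSON.

```json
{
  // Added example (not from the original post): app settings that depend on
  // the access policy created by the "[keyVaultName]/add" resource above.
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2021-01-15",
  "name": "[concat(variables('functionAppName'), '/appsettings')]",
  "dependsOn": [
    "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",
    // Option 1 from the answer: the child resource id is <vaultName>/add.
    "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]"
  ],
  "properties": {
    // Key Vault reference resolved by the app's managed identity at runtime.
    // Secret name 'DbConnectionString' is a constructed placeholder.
    "DbConnectionString": "[concat('@Microsoft.KeyVault(VaultName=', parameters('keyVaultName'), ';SecretName=DbConnectionString)')]",
    "FUNCTIONS_EXTENSION_VERSION": "~4"
  }
}
```

Resolving such a reference only requires the `get` permission on secrets, so `functionSecretsPermissions` can be kept to `["get"]` for this consumer rather than a broader set.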