
Updating key vault secret via ARM template release from DevOps CI/CD fails


I have managed to release secrets to my Azure key vault via CI/CD from DevOps using my ARM templates. The initial release went fine and added my new, non-existing secrets to my key vault resource. But when I try to update the value of the secret in my ARM template and then push it to my Git repo, to in turn release it and update my secret in Azure, it fails, giving me:

At least one resource deployment operation failed. Please list deployment operations for 
details. Please see https://aka.ms/DeployOperations for usage details.
Details:
BadRequest: 
Check out the troubleshooting guide to see if your issue is addressed: 
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
Task failed while creating or updating the template deployment.

My template looks like this:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVault": {
      "value": "test-kv-devopstest01-d"
    },
    "TestCedential_1": {
      "value": "TestCedentialSecretValue1"
    },
    "TestCedentialName_1": {
      "value": "TestCedentialSecretName1_SecondVersion"
    }
  }
}


{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVault": {
      "type": "string"
    },
    "TestCedential_1": {
      "type": "secureString"
    },
    "TestCedentialName_1": {
      "type": "string"
    }
  },
  "variables": {
  },
  "resources": [

    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]",
      "apiVersion": "2015-06-01",
      "properties": {
        "contentType": "text/plain",
        "value": "[parameters('TestCedential_1')]"
      }
    }
  ],
  "outputs": {}
}

I've also tried granting permissions for the pipelines in access control in the key vault resource in Azure.

Am I missing something, maybe?


Solution

  • I tested the same code in my environment and it resulted in the same error:

    The issue is with the below:

    "TestCedentialName_1": {
          "value": "TestCedentialSecretName1_SecondVersion"
        }
    

    In a Key Vault secret name, '_' (underscore) is not allowed. The allowed values are alphanumeric characters and dashes.

    Changing the underscore to a dash fixes the issue:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
          "keyVault": {
            "type": "string",
            "defaultValue" :"test-kv-ansuman-d"
          },
          "TestCedential_1": {
            "type": "secureString",
            "defaultValue":"TestCedentialSecretValue1"
          },
          "TestCedentialName_1": {
            "type": "string",
            "defaultValue": "TestCedentialSecretName1-SecondVersion"
          }
        },
        "variables": {
        },
        "resources": [
          {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]",
            "apiVersion": "2015-06-01",
            "properties": {
              "contentType": "text/plain",
              "value": "[parameters('TestCedential_1')]"
            }
          }
        ],
        "outputs": {}
      }
    

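
A pre-deployment check for the naming rule described in the answer, as an added example that is not part of the original question or answer: it resolves the `name` of each `Microsoft.KeyVault/vaults/secrets` resource against the parameter values and reports secret names that Key Vault would reject, so the pipeline can fail before ARM returns a bare `BadRequest`. The 1-127 character length limit, the function names and the trimmed sample input are additions made here; only `concat()` of string literals and `parameters()` is handled.

```python
import json
import re
import sys

# Key Vault secret names: 1-127 characters, letters, digits and dashes only.
SECRET_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")
# One concat() argument: parameters('x') or a 'string literal'.
CONCAT_ARG = re.compile(r"parameters\('([^']+)'\)|'([^']*)'")

# Constructed sample input, trimmed from the template and parameter file in the question.
TEMPLATE = json.loads("""{
  "parameters": {"keyVault": {"type": "string"}, "TestCedentialName_1": {"type": "string"}},
  "resources": [{
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]"
  }]
}""")
PARAMS_BAD = {"parameters": {"keyVault": {"value": "test-kv-devopstest01-d"},
    "TestCedentialName_1": {"value": "TestCedentialSecretName1_SecondVersion"}}}
PARAMS_GOOD = {"parameters": {"keyVault": {"value": "test-kv-devopstest01-d"},
    "TestCedentialName_1": {"value": "TestCedentialSecretName1-SecondVersion"}}}

def parameter_values(template, param_file):
    """Template defaultValues, overridden by the parameter file's values."""
    values = {k: v["defaultValue"] for k, v in template.get("parameters", {}).items()
              if "defaultValue" in v}
    values.update({k: v["value"] for k, v in param_file.get("parameters", {}).items()
                   if "value" in v})
    return values

def resolve_name(expr, values):
    """Resolve a plain name, or a [concat(...)] of string literals and parameters()."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    return "".join(values[p] if p else lit for p, lit in CONCAT_ARG.findall(expr))

def invalid_secret_names(template, param_file):
    """Return the secret names in the template that Key Vault would reject."""
    values = parameter_values(template, param_file)
    bad = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults/secrets":
            continue
        secret = resolve_name(res["name"], values).split("/", 1)[-1]  # drop the vault name
        if not SECRET_NAME.fullmatch(secret):
            bad.append(secret)
    return bad

if __name__ == "__main__":
    bad = invalid_secret_names(TEMPLATE, PARAMS_BAD)
    print("invalid secret names:", bad)
    sys.exit(1 if bad else 0)
```

Run as a pipeline step ahead of the deployment task, the non-zero exit code stops the release and names the offending secret.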