Azure Key Vault Secrets -> Azure App Config: recommended pattern

[jacksorjacksor]

Hi there,

What would be the recommended way to:

• Read multiple secrets (~50) from a bicepparams file*
• Store these secrets in Azure Key Vault
• Make Key Vault References to each of these secrets in an Azure App Config

I ran into various issues looping over each secret, specifically around accessing the .properties.secretUri of each secret - this was largely resolved through iterative looping.

However when running this bicep file we're running into an "Aggregated deployment error is too large" error, which seems to imply that we're not approaching the problem correctly.

While there is this example for passing in one secret from Key Vault to Azure App Config, I'd appreciate some guidance on needing to pass multiple secrets.

Any advice would be greatly appreciated!

Rich

*please ignore the obvious any security issues with this!

[GABRIELNGBTUC]

Read multiple secrets (~50) from a bicepparams file

With that many secrets, I would create a type @secure() \n type mySecrets = { @secure() \n *: string} to pass all secrets inside a single parameter so that it can also be looped for later.

Store these secrets in Azure Key Vault

Loop over a module that creates a secret and outputs the key name and keyvault name

Make Key Vault References to each of these secrets in an Azure App Config

Loop over a module reusing the outputs of the previous module creating the secrets

Here is an example since there isn't many samples of modules doing this:

metadata name = 'Create a keyvault reference in an existing app configuration store'

@description('Name of the app configuration store')
param configuration_store_name string = replace(resourceGroup().name, '-rg-', '-cfg-')

@description('Name of the key-value that will be created')
param configuration_store_key_name string

@description('Name of the secret as found inside the keyvault')
@secure()
param keyvault_secret_name string

@description('Content type specific to the keyvault reference')
@allowed([
  'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8'
])
param configuration_store_key_content_type string = 'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8'

@description('Name of the keyvault where the secret is stored.')
param keyvault_name string

@description('Tags')
param tags object = {}

@description('Value of the keyvault reference to be inserted')
var keyvault_reference_value = '{"uri":"https://${keyvault_name}${az.environment().suffixes.keyvaultDns}/secrets/${keyvault_secret_name}"}'

resource configuration_store_resource 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
  name: configuration_store_name
  resource configuration_store_key_resource 'keyValues' = {
    name: configuration_store_key_name
    properties: {
      contentType: configuration_store_key_content_type
      tags: tags
      value: keyvault_reference_value
    }
  }
  
}

Pseudo code of the whole solution:

main.bicep

@secure()
type mySecrets = {
@secure()
*: string
}

param secrets mySecrets

param kv_name string = 'smth'
param app_config_name string = 'smth'

module kv_secrets_module 'create-secrets.bicep' = for secret in items(secrets): {
 params:
   kv_name: kv_name
  secret_name: secret.key
  secret_value: secret.value
}

module app_cfg_references_module 'create-acfg-references.bicep' = for (secret, i) in items(secrets): {
params:
  acfg_name: app_config_name
  secret_name: kv_secrets_module[i].outputs.secret_name
  kv_name: kv_secrets_module[i].outputs.kv_name
dependsOn: kv_secrets_module[i]
]

[jacksorjacksor]

Hi @GABRIELNGBTUC

Thank you so much for taking the time to give such a detailed response! As someone quite new to Bicep, your code was a great example of some concepts I hadn't come across before.

I've now created a solution I'm satisfied with, so wanted to give my own response.

1. Loved the user-defined data type for type mySecrets. Mine ended up looking like:

type mySecretArray = {
  key: string
  @secure()
  value: string
}[]

2. Hadn't realised I could get the key vault reference in this way:

keyvault_reference_value = '{"uri":"https://${keyvault_name}${az.environment().suffixes.keyvaultDns}/secrets/${keyvault_secret_name}"}'

I'd been trying to use different properties, and this was was much more straightforward.

3. I decided against the looped modules, mainly because this created a separate deployment for each individual secret I was adding. After some working I was able to create two separate modules for "Key Vault: Create key:value pairs" and "App Config: Create references to key:value pairs" which encompassed all the secrets (passed in as a mySecretArray object.

4. Unrelated but for anyone reading this - be aware you can only create key vault secrets with alphanumeric keys! This caught me out for longer than I'd like to admit...

Anyway, thank you for your input, greatly appreciated!

Rich