For this example, I’m going to provide the bare minimum code necessary to show the process. I’m going to extract a secret from Key Vault and use that secret name to build a virtual network. Ludicrous, right? What we do <\/em>with the secret doesn’t really matter though – it’s how we get that secret and leverage it in code that matters.<\/p>\n\n\n\n To start, I have a basic key vault named Be sure you’ve allowed ARM deployments to the vault – you’ll find that setting below. Failing to do this will result in your code unable to pull secrets.<\/p>\n\n\n\n That’s all the pre-requisite work. Now we’ll build two bicep files, and I’m going to describe them in reverse order from how they’re called.<\/p>\n\n\n\n The role of this file is to build a virtual network using a minimum set of parameters. Line 1 and 2 combine to create the secure parameter<\/em> called So how do we get to this file? Think of that as a separate function or module, and we’ll call it from a main bicep file that will be used in the deployment.<\/p>\n\n\n\n In the first block (lines 1 through 3), we’re simply making a reference to an existing key vault named On line 5, you can see that instead of using the It’s important to state that the If you’re not familiar with how to run the above, it’s actually quite straightforward:<\/p>\n\n\n\n The deployment name (“deployment-name” in my example) can be anything and the resource group name (“rg-tester” in my example) needs to be a pre-existing resource group. If you’re following along, and have the pre-requisites taken care of, you should get a successful deployment:<\/p>\n\n\n\nkv-vault01<\/code> with a secret named ‘networkname'<\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/www.dumpsterfirecomputing.com\/wp-content\/uploads\/2023\/03\/image-6.png\")
![\"\"](\"https:\/\/www.dumpsterfirecomputing.com\/wp-content\/uploads\/2023\/03\/image-7.png\")
![\"\"](\"https:\/\/www.dumpsterfirecomputing.com\/wp-content\/uploads\/2023\/03\/image-8.png\")
name<\/code>, the value of which will ultimately come from the key vault secret. This seems to be the only way to actually use<\/em> a secret from key vault. It must be declared as a secure parameter.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.dumpsterfirecomputing.com\/wp-content\/uploads\/2023\/03\/image-9.png\")
kv-vault01<\/code>.<\/p>\n\n\n\n 'resource' <\/code>identifier, we’re using 'module' <\/code>and calling the name of a bicep file. Lines 7 through 10 you can see the parameters that the 'vnet.bicep'<\/code> module wants, and line 8 is how we get the key vault secret.<\/p>\n\n\n\ngetSecret()<\/code> function can really only be used in this context. You can get the secret only when passing that secret as a parameter to a module. So anytime you may want to use a secret, be sure to split out your bicep code so that you’re getting the secret and passing it off to a module.<\/p>\n\n\n\nNew-AzResourceGroupDeployment -Name \"deployment-name\" -ResourceGroupName \"rg-tester\" -TemplateFile .\\main.bicep<\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/www.dumpsterfirecomputing.com\/wp-content\/uploads\/2023\/03\/image-10.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.dumpsterfirecomputing.com\/wp-content\/uploads\/2023\/03\/image-11.png\")
<\/figure>\n\n\n\n