Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Issue] Support for secret reference in parameters.json files #1474

Open
1 task done
pamelafox opened this issue Feb 1, 2023 · 4 comments
Open
1 task done

[Issue] Support for secret reference in parameters.json files #1474

pamelafox opened this issue Feb 1, 2023 · 4 comments
Labels
Bicep iac
Milestone
Backlog

Comments

@pamelafox
Copy link
Member

pamelafox commented Feb 1, 2023
edited
Loading

Output from azd version
azd version 0.5.0-beta.4-pr.2128509 (commit 8b3f34d)

Output from az version
{
"azure-cli": "2.40.0",
"azure-cli-core": "2.40.0",
"azure-cli-telemetry": "1.0.8",
"extensions": {
"containerapp": "0.3.11",
"containerapp-compose": "0.2.2"
}
}

Describe the bug

I am trying to come up with a secure way to pass secrets into the container apps module. Unfortunately, container app environment variables don't support keyvault references the way that app service does, so the secrets need to be stored in the app itself.

My first approach was in this PR where I passed it from main.parameters.json to web.parameters.json to web.bicep to the container apps module. That approach didn't work since the parameters became outputs, and we can't have secrets in outputs.

Then I tried to use the keyVault.getSecret() function in my web.bicep file. That did not work, because that function can only be used directly for passing a parameter into a module - I can't use it inside an array or object. I could conceivably add an entirely new bicep file between web.bicep and container-app.bicep to satisfy that constraint, but that adds a lot of unnecessary bicep.

Then I tried to reference keyvault secrets inside web.parameters.json. When I tried it with azd up, it did not work on the deployment step, giving this error:

Deploying services (azd deploy)   
(✓) Done: Deploying service web

ERROR: deploying service: deploying service web package: provisioning infrastructure for app deployment: error deploying infrastructure: failed deploying: starting deployment to resource group: PUT https://management.azure.com/subscriptions/32ea8a26-5b40-4838-b6cb-be5c89a57c16/resourcegroups/flasksurveys-rg/providers/Microsoft.Resources/deployments/flasksurveys-web

--------------------------------------------------------------------------------
RESPONSE 400: 400 Bad Request
ERROR CODE: InvalidDeploymentParameterValue
--------------------------------------------------------------------------------
{  "error": {    "code": "InvalidDeploymentParameterValue",    "message": "The value of deployment parameter 'postgresPassword' is null. Please specify the value or use the parameter reference. See https://aka.ms/arm-create-parameter-file for details."  }}

To figure out whether the problem was azd or Bicep, I then tried using it with the Azure CLI:

az deployment group create --resource-group flasksurveys-rg --template-file infra/web.bicep --parameters infra/web.parameters.json

That didn't work at first, but I realized I had to enable template deployment for the key vault. Once I did that, my deployment worked and I confirmed the container app secret matched the key vault secret.

I double checked with azd up again, and it still did not work.
That version of the code is in this branch:
https://github.com/pamelafox/flask-surveys-container-app/compare/secretstuff?expand=1

As a workaround, I am using the Python SDK to retrieve the Key Vault secrets in the app code itself:
https://github.com/pamelafox/flask-surveys-container-app/blob/main/backend/settings/production.py

That's fine, but some developers may need a declarative way to pass secrets in the infra files, so azd could consider supporting referencing key vault secrets in parameters.json files.

To Reproduce

  1. git clone this branch:

https://github.com/pamelafox/flask-surveys-container-app/compare/secretstuff?expand=1

  1. Change the values here back to the environment variable references:
    https://github.com/pamelafox/flask-surveys-container-app/compare/secretstuff?expand=1#diff-3828544b78949b9b207e34357d5f185cdbd6c9e7e6eeacbf261239b73452bf41

  2. Run azd up
@pamelafox pamelafox mentioned this issue Feb 1, 2023
Closed
@ghost ghost added the needs-triage For new issues label Feb 2, 2023
@rajeshkamal5050
Copy link
Contributor

@jongio can you take a look and see if we need to create any issue upstream with Bicep?

@ghost ghost removed the needs-triage For new issues label Feb 7, 2023
@rajeshkamal5050 rajeshkamal5050 added this to the On Deck milestone Feb 7, 2023
@jongio
Copy link
Member

jongio commented Feb 7, 2023

It looks like azd needs to be updated to support key value in params file.

@pamelafox
Copy link
Member Author

Update: Thanks to the new flow for container apps that doesn't require the additional *.parameters.json file, I can use the approach of specifying the secrets on the container app itself (and then secretRefs in the env variables). Here's a PR where I did that:
https://github.com/pamelafox/flask-surveys-container-app/pull/27/files#diff-2f06b0134fd9f3d722ed460c2b3425720dda2da330db115f2bb81f96382468ab

@pamelafox
Copy link
Member Author

Update: And now container apps supports fetching secrets from key vault, so that approach would work as well. I think it'd be fine to close this issue if noone else needs it. I no longer need it.

@rajeshkamal5050 rajeshkamal5050 modified the milestones: On Deck, Backlog Mar 13, 2024
@JeffreyCA JeffreyCA mentioned this issue Jan 17, 2025
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bicep iac
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@pamelafox @jongio @rajeshkamal5050