# Use a valid secret reference
Operational Excellence · All resources · Rule · 2021_09 · Awareness
Use a valid secret reference within parameter files.
## Description
When referencing secrets in a template parameter file:
- The secret reference must be a valid Azure resource ID for a Key Vault.
- A secret name must be specified.
- An optional secret version can be specified.
## Recommendation
Check that the Key Vault reference used for the secret value is valid.
## Examples
### Configure with Azure template
To define Azure template parameter files that pass this rule:
- When a secret is referenced from Key Vault, provide a valid resource ID and secret name.
For example (Azure Template snippet):

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "gatewayName": {
      "value": "gateway-A"
    },
    "sku": {
      "value": "VpnGw1"
    },
    "subnetId": {
      "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/GatewaySubnet"
    },
    "sharedKey": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001"
        },
        "secretName": "valid-secret"
      }
    }
  }
}
```
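The three conditions in the description (a Key Vault resource ID, a secret name, an optional version) can be checked before a parameter file ever reaches a deployment. The following is an added example, not PSRule's own implementation of this rule: it parses a parameter file, walks every parameter that uses a `reference`, and reports what is wrong. The `KEY_VAULT_ID` pattern is an assumption based on the standard ARM resource ID layout (`/subscriptions/<guid>/resourceGroups/<name>/providers/Microsoft.KeyVault/vaults/<name>`), the function name `check_secret_references` is invented, and the two parameter files are constructed samples (the first mirrors the snippet above, the second deliberately points at a storage account and omits `secretName`).

```python
import json
import re
from typing import List

# Assumed shape of a Key Vault resource ID (ARM resource ID convention, matched case-insensitively).
KEY_VAULT_ID = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}"
    r"/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$",
    re.IGNORECASE,
)


def check_secret_references(parameter_file: str) -> List[str]:
    """Validate every Key Vault secret reference in an ARM parameter file.

    Returns a list of findings; an empty list means all references are valid.
    Parameters that carry a plain "value" are ignored, only "reference" blocks are checked.
    """
    doc = json.loads(parameter_file)
    findings: List[str] = []
    for name, param in doc.get("parameters", {}).items():
        ref = param.get("reference")
        if ref is None:
            continue  # literal value, nothing to validate

        # 1. keyVault.id must be a Key Vault resource ID
        key_vault = ref.get("keyVault")
        kv_id = key_vault.get("id") if isinstance(key_vault, dict) else None
        if not isinstance(kv_id, str) or not KEY_VAULT_ID.match(kv_id):
            findings.append(f"{name}: keyVault.id is not a valid Key Vault resource ID")

        # 2. secretName is mandatory
        secret_name = ref.get("secretName")
        if not isinstance(secret_name, str) or not secret_name.strip():
            findings.append(f"{name}: secretName must be specified")

        # 3. secretVersion is optional, but if present it must be a non-empty string
        if "secretVersion" in ref:
            version = ref["secretVersion"]
            if not isinstance(version, str) or not version.strip():
                findings.append(f"{name}: secretVersion, when present, must be a non-empty string")
    return findings


# Constructed sample: a parameter file with a valid secret reference (same shape as the page's snippet).
VALID_PARAMS = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "gatewayName": { "value": "gateway-A" },
    "sharedKey": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001"
        },
        "secretName": "valid-secret"
      }
    }
  }
}"""

# Constructed sample: the reference points at a storage account, has no secretName and an empty version.
INVALID_PARAMS = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sharedKey": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Storage/storageAccounts/stg001"
        },
        "secretVersion": ""
      }
    }
  }
}"""

if __name__ == "__main__":
    for label, content in (("valid", VALID_PARAMS), ("invalid", INVALID_PARAMS)):
        problems = check_secret_references(content)
        print(f"{label}: {'OK' if not problems else problems}")
```

Running the check in a pre-commit hook or pipeline step gives the same signal this rule provides, with the added benefit that each finding names the offending parameter, so a reviewer can go straight to the broken reference.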
## Notes
This rule is deprecated from v1.36.0. By default, PSRule will not evaluate this rule unless explicitly enabled. See https://aka.ms/ps-rule-azure/deprecations.
## Links
- OE:05 Infrastructure as code
- Reference secrets with static ID
- Create Resource Manager parameter file