
Use a valid secret reference

Operational Excellence · All resources · Rule · 2021_09 · Awareness

Use a valid secret reference within parameter files.

Description

When referencing secrets in a template parameter file:

  • The secret reference must be a valid Azure resource ID of a Key Vault.
  • A secret name must be specified.
  • An optional secret version can be specified.

Recommendation

Check that the Key Vault reference used for the secret value is valid.

Examples

Configure with Azure template

To define Azure template parameter files that pass this rule:

  • When a secret is referenced from Key Vault, provide a valid resource ID and secret name.

For example:

Azure Template snippet

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "gatewayName": {
      "value": "gateway-A"
    },
    "sku": {
      "value": "VpnGw1"
    },
    "subnetId": {
      "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/GatewaySubnet"
    },
    "sharedKey": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001"
        },
        "secretName": "valid-secret"
      }
    }
  }
}
```
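The three conditions listed under Description can be checked before a parameter file ever reaches a deployment pipeline. The script below is an added example written for this page, not PSRule's own implementation of the rule: it parses a deployment parameter file, finds every parameter that carries a `reference` object, and reports where the `keyVault.id` is not shaped like a Key Vault resource ID, where `secretName` is absent, or where an optional `secretVersion` is present but malformed. The resource ID pattern is modelled on the snippet above; the secret-name constraint (1 to 127 alphanumerics and dashes) and the 32-hex-character version format are assumptions taken from Key Vault's naming rules and go beyond what the page itself checks. The two parameter files embedded at the bottom are constructed test inputs.

```python
import json
import re

# Shape of a Key Vault resource ID, modelled on the ID in the snippet above
# (assumption for this example; the rule's own matching may be more lenient).
KEY_VAULT_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}"
    r"/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$",
    re.IGNORECASE,
)
# Key Vault secret names: 1-127 alphanumerics and dashes (assumed constraint).
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")
# Key Vault secret versions are 32 hex characters (assumed constraint).
SECRET_VERSION_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def check_secret_reference(name, ref):
    """Return a list of findings for one parameter's 'reference' object.

    An empty list means the reference satisfies all three conditions.
    """
    if not isinstance(ref, dict):
        return [f"{name}: reference must be an object"]
    findings = []

    # Condition 1: keyVault.id must be a Key Vault resource ID.
    kv = ref.get("keyVault")
    kv_id = kv.get("id") if isinstance(kv, dict) else None
    if not isinstance(kv_id, str) or not KEY_VAULT_ID_RE.match(kv_id):
        findings.append(f"{name}: keyVault.id is not a valid Key Vault resource ID")

    # Condition 2: secretName must be present and well-formed.
    secret_name = ref.get("secretName")
    if not isinstance(secret_name, str) or not SECRET_NAME_RE.match(secret_name):
        findings.append(f"{name}: secretName is missing or not a valid secret name")

    # Condition 3: secretVersion is optional, but if given it must look like a version.
    version = ref.get("secretVersion")
    if version is not None and (
        not isinstance(version, str) or not SECRET_VERSION_RE.match(version)
    ):
        findings.append(f"{name}: secretVersion is present but is not a 32-character hex version")
    return findings


def check_parameter_file(text):
    """Parse a deployment parameter file and check every Key Vault reference in it."""
    doc = json.loads(text)
    findings = []
    parameters = doc.get("parameters", {})
    for name, param in parameters.items():
        if isinstance(param, dict) and "reference" in param:
            findings.extend(check_secret_reference(name, param["reference"]))
    return findings


# Constructed input: mirrors the passing snippet above.
VALID_PARAMETER_FILE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "gatewayName": { "value": "gateway-A" },
    "sharedKey": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001"
        },
        "secretName": "valid-secret"
      }
    }
  }
}"""

# Constructed input: one reference points at a storage account and omits the
# secret name; another has a good vault and name but a malformed version.
INVALID_PARAMETER_FILE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sharedKey": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Storage/storageAccounts/st001"
        }
      }
    },
    "apiKey": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/kv-001"
        },
        "secretName": "api-key",
        "secretVersion": "latest"
      }
    }
  }
}"""

if __name__ == "__main__":
    for label, text in (("valid", VALID_PARAMETER_FILE), ("invalid", INVALID_PARAMETER_FILE)):
        print(label, check_parameter_file(text) or "no findings")
```

Running the script as-is reports no findings for the first file and three for the second. Because the check only inspects the parameter file, it can be wired into a pre-commit hook or pull-request job without any Azure credentials; it says nothing about whether the vault or secret actually exists, which is a deployment-time concern.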

Notes

This rule is deprecated from v1.36.0. By default, PSRule will not evaluate this rule unless explicitly enabled. See https://aka.ms/ps-rule-azure/deprecations.
