What are we going to do in this post?
We are going to deploy a VM using an ARM template. The interesting part of this exercise is that the credential for this VM is stored in Azure Key Vault, and the deployment references it from there.
What is an ARM template?
ARM templates are a mechanism for declaring the objects you want to create in Azure Cloud in a JSON file. ARM templates are what give Azure its "Infrastructure as code" capability. You can keep these templates in source control and manage them like any other code file.
What is Azure Key Vault?
Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets.
What do we need?
- A working Azure Cloud account.
- Knowledge and a basic understanding of Azure Cloud and ARM template deployment.
- A VNet and subnet in which the VM will be deployed, or you can use ARM to deploy all of this at once.
- A Key Vault where the credential for this VM is stored as a secret.
Please note: when creating the Key Vault, make sure you have allowed access for ARM (Azure Resource Manager).
How are we going to do it?
Step 1:
Create a template for the VM deployment! You can use the Microsoft Library as a reference or build it yourself. I have attached an example; don't be afraid of the length of the JSON :), it's fairly simple. I have also attached a parameter file. The template builds a VM using the configuration details passed in the parameter file.
Parameter file:
If you look at the template parameter file closely, it contains the parameters that are referenced in the ARM template above. Before using this parameter file, update the values for the vault resource group name, VNet name, subscription ID, etc. as required.
** Did you see that the password is null? We cannot use this parameter file for a successful deployment, as the password is a mandatory value.
Now the fun part. As a practice, we should not keep the password in the parameter file; that's a security issue. But to create a VM we need to pass the password.
We know the password is in Key Vault. ARM templates provide a mechanism by which we can reference the Key Vault secret directly as part of the template.
Use the reference keyword and update your template accordingly.
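The check below is an added example, not code from the original post: it scans a parameter file for secure parameters that carry a null or inline value instead of a Key Vault reference, and validates the shape that reference takes in a parameter file. The parameter names, subscription ID, resource group, vault name and secret name are constructed placeholders.

```python
import re

# Constructed template excerpt: only the parameter declarations matter here.
TEMPLATE = {"parameters": {
    "adminUsername": {"type": "string"},
    "adminPassword": {"type": "securestring"},
}}

# Constructed parameter file as the post first shows it: password left null.
PARAMS_NULL = {"parameters": {
    "adminUsername": {"value": "azureuser"},
    "adminPassword": {"value": None},
}}

# Same file with the Key Vault reference; every ID and name is a placeholder.
PARAMS_VAULT = {"parameters": {
    "adminUsername": {"value": "azureuser"},
    "adminPassword": {"reference": {
        "keyVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                           "/resourceGroups/rg-vault-placeholder"
                           "/providers/Microsoft.KeyVault/vaults/kv-placeholder"},
        "secretName": "vm-admin-password",
    }},
}}

VAULT_ID = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
                      r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.I)

def check_secure_params(template, params):
    """List secure parameters that are not fed from a Key Vault reference."""
    findings = []
    supplied = params.get("parameters", {})
    for name, spec in template.get("parameters", {}).items():
        if spec.get("type", "").lower() not in ("securestring", "secureobject"):
            continue  # only secret-bearing parameters are checked
        entry = supplied.get(name, {})
        ref = entry.get("reference", {})
        if "value" in entry:
            kind = "null value" if entry["value"] is None else "inline secret"
            findings.append(f"{name}: {kind} in parameter file")
        elif not ref:
            findings.append(f"{name}: no Key Vault reference")
        elif not VAULT_ID.match(ref.get("keyVault", {}).get("id", "")):
            findings.append(f"{name}: malformed Key Vault resource ID")
        elif not ref.get("secretName"):
            findings.append(f"{name}: reference has no secretName")
    return findings
```

Run as a pre-deployment step, an empty result from `check_secure_params` means every secure parameter is sourced from Key Vault.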
You can use PowerShell, the Azure CLI or an SDK to deploy an ARM template in Azure Cloud. This flexibility makes ARM templates very powerful. We will use the az CLI for the time being.
az deployment group create --name ExampleDeployment --resource-group rg-devops --template-file arm_temp.json --parameters @arm_template_param.json
Once the deployment starts, the template uses the secret value stored in Key Vault and applies it as part of the VM deployment.
This was a very basic example of an ARM template using Key Vault as a secure data reference. I will come up with some more explanation in the next post.
That’s it for this post.
Thanks and keep learning!