Azure ARM Template - Create KeyVault Secrets in Keyvault in different Resource Group

I am deploying a Virtual Machine in Azure. The username and password are created automatically and passed as parameters at deployment. The resource group where the VM is deployed is also passed as a parameter, so it can be anything.

My Key Vault is in a specific resource group, and the username and password of the VM should be stored there.

When the Key Vault is in the same resource group as the VM, it works fine. But when it is in a different resource group, I get the following error:

"error": {
    "code": "ParentResourceNotFound",
    "message": "Can not perform requested operation on nested resource. Parent resource 'mykeyvault' not found."
  }
} undefined

This is the part of the ARM template where I am creating the secrets.

    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(variables('keyVaultName'), '/', variables('AdminUsername'))]",
      "apiVersion": "2018-02-14",
      "properties": {
        "contentType": "Secret",
        "value": "[variables('AdminUsername')]"
      },
      "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
      ]
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(variables('keyVaultName'), '/', parameters('VMName'),'-AdminPassword')]",
      "apiVersion": "2018-02-14",
      "properties": {
        "contentType": "Secret",
        "value": "[parameters('AdminPassword')]"
      },
      "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
      ]
    },

I also tried to replace the keyVaultName variable with the resource ID of the Key Vault, but this gives a different error: "Incorrect Segment Lengths".



Solution 1:[1]

That happens because ARM templates deploy resources to the specific resource group. If the KV is in a different resource group, you need to use a nested deployment and target that resource group, something like this:

{
    "apiVersion": "2017-05-10",
    "name": "nestedTemplate",
    "type": "Microsoft.Resources/deployments",
    "resourceGroup": "[parameters('kvResourceGroup')]",
    "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachines', parameters('VMName'))]"
    ],
    "properties": {
        "mode": "Incremental",
        "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "resources": [
                {
                    "type": "Microsoft.KeyVault/vaults/secrets",
                    "name": "[format('{0}/{1}', variables('keyVaultName'), variables('AdminUsername'))]",
                    "apiVersion": "2018-02-14",
                    "properties": {
                        "contentType": "Secret",
                        "value": "[variables('AdminUsername')]"
                    }
                },
                {
                    "type": "Microsoft.KeyVault/vaults/secrets",
                    "name": "[format('{0}/{1}-AdminPassword', variables('keyVaultName'), parameters('VMName'))]",
                    "apiVersion": "2018-02-14",
                    "properties": {
                        "contentType": "Secret",
                        "value": "[parameters('AdminPassword')]"
                    }
                }
            ]
        }
    }
},
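
Added example, not part of the original answer and not Microsoft's sample code: the same nested deployment with inner-scope expression evaluation, so the password enters the nested template as a `secureString` parameter instead of being evaluated in the parent scope, where ARM can record secure values in plain text in the deployment history. The deployment name, the inner parameter names (`vaultName`, `secretName`, `secretValue`) and the `2022-09-01` API version are assumptions, and the parent template is assumed to declare `AdminPassword` as `secureString`.

```json
{
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2022-09-01",
    "name": "storeVmCredentials",
    "comments": "Added example. Inner parameter names are illustrative; parent AdminPassword is assumed to be a secureString.",
    "resourceGroup": "[parameters('kvResourceGroup')]",
    "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachines', parameters('VMName'))]"
    ],
    "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
            "vaultName": { "value": "[variables('keyVaultName')]" },
            "secretName": { "value": "[format('{0}-AdminPassword', parameters('VMName'))]" },
            "secretValue": { "value": "[parameters('AdminPassword')]" }
        },
        "template": {
            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
                "vaultName": { "type": "string" },
                "secretName": { "type": "string" },
                "secretValue": { "type": "secureString" }
            },
            "resources": [
                {
                    "type": "Microsoft.KeyVault/vaults/secrets",
                    "apiVersion": "2018-02-14",
                    "name": "[format('{0}/{1}', parameters('vaultName'), parameters('secretName'))]",
                    "properties": {
                        "contentType": "Secret",
                        "value": "[parameters('secretValue')]"
                    }
                }
            ]
        }
    }
}
```

With inner scope, the nested template cannot see the parent's `variables()` or `parameters()`, so every value it needs is passed through `properties.parameters`. Only the password secret is shown; the username secret would be a second resource in the same inner template.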

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1