KeyVault ARM template overrides secrets when re-deploying
I have an ARM template that deploys a Resource Group and includes a Key Vault and secrets. This is deployed through CI/CD and everything works perfectly bar one exception.
If I deploy the template the first time, everything works as expected. However, if a secret is manually changed by adding a new value, then the next time the template is deployed, the secrets in the template override the manual updates and a new version is set. How do I make the template only deploy the secrets for the first time? I.e. only deploy each secret if it only exists already?
In the example below, I deploy the template through CI/CD and `MagicKey` is set to `defaultKey`. If I change `MagicKey` to the real key in the portal and then deploy the ARM template again, my manual entry is replaced with a new version of the secret containing `defaultKey` as the value. How can I stop this from happening without kludgey work-arounds?
```json
{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "MagicKey",
  "apiVersion": "2018-02-14",
  "properties": {
    "value": "defaultKey"
  },
  "dependsOn": [
    "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]"
  ]
},
```
Solution 1:[1]
You can use the "condition" tag to decide when it will be run: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-conditions
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | LFN |
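
One way to apply the `condition` element from Solution 1 to the secret in the question, as an added example that is not part of the original question or answer. The `seedSecrets` and `keyVaultName` parameters are assumptions: the template cannot itself test whether a secret already exists, so the pipeline has to pass `seedSecrets=true` only on the run that should write the placeholder value. The vault is assumed to exist already; if it is created in the same template, keep the `dependsOn` entry from the question.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: name of the existing Key Vault."
      }
    },
    "seedSecrets": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Assumed parameter: pass true only on the first deployment. The default of false leaves existing secret versions untouched."
      }
    }
  },
  "resources": [
    {
      "condition": "[parameters('seedSecrets')]",
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('keyVaultName'), '/MagicKey')]",
      "apiVersion": "2018-02-14",
      "properties": {
        "value": "defaultKey"
      }
    }
  ]
}
```

With the default of `false`, a routine redeployment skips the secret resource entirely, so a value set by hand in the portal is not replaced by a new `defaultKey` version.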