Open Tapanila opened 4 years ago
Interesting idea that we will discuss. If we schedule the work, it will be done at the ARM JSON level so you can use it in either Bicep or ARM templates.
That could be an ARM function similar to guid(), or maybe, if PowerShell support inside Bicep files is allowed, something that is run on bicep build?
This would be amazing
PowerShell support inside bicep files
This would be truly a game changer. You could write any logic you want in your PowerShell file/function and just import it into the Bicep file. Great idea!
Proposed that here #417 if you want to vote and discuss.
We discussed this today. This is not something we would like to take on as generating a cryptographically secure password, with a variety of restrictions based on the resource type is better handled in a deployment script or by using a key vault to generate the password.
@alex-frankel Do you know if this is something being considered by the key vault team?
Their ARM templates could perhaps support a syntax specifying that a secret is to be created, populated by a secure random value of some sort (which characters, how long).
I don't know if this is something the Key Vault team is working on. It would be great if someone could open up this request through one of the Key Vault team's feedback channels (I don't think it is UserVoice anymore).
Added a request here: https://feedback.azure.com/d365community/idea/48f64fff-4f51-ec11-a819-0022484e8090
Since you can use PowerShell inline, why not just use PowerShell to generate the password?

resource runPowerShellInline

```powershell
# Requires the AzureAD module for the PasswordProfile type
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
# Build a pool of ASCII 33-95, 97-126 and the digits 0-9, shuffle it, take the first 14
$PasswordProfile.Password = ([char[]]([char]33..[char]95) + ([char[]]([char]97..[char]126)) + 0..9 | sort {Get-Random})[0..13] -join ''
```

Just FYI, that's the PS used for generating Key Vault secrets and the MS cryptography module/API. Maybe Bicep can just build off of this, @alex-frankel?
Generating the password via script is a viable option with the deploymentScripts resource type. You will need to make sure the code is idempotent though, otherwise you will generate a new password and, if you update that in a key vault, you are effectively rotating passwords. If the code was reliable and the team approved, we could even create a module in the public registry for password generation.
Even still, it would be more optimal if the KeyVault RP provided (and maintained) the API for this as they are experts in this space.
Mildly related to #2806 where, per @alex-frankel's above reply, life would be easier (and more secure) if the corresponding RP would provide a way to generate the cryptographic value (password, SAS token).
That would certainly make it easier; it would make sense if KV had an API to just call. Either way, I've created a module that I can call to generate a password.

```bicep
// Parameters the pasted resource references but did not declare
param location string = resourceGroup().location
param utcValue string = utcNow()

resource runPowerShellInlineWithOutput 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'runPowerShellInlineWithOutput'
  location: location
  kind: 'AzurePowerShell'
  properties: {
    forceUpdateTag: utcValue // new tag on every deployment, so the script re-runs and regenerates each time
    azPowerShellVersion: '6.4'
    scriptContent: '''
      $charlist = [char]94..[char]126 + [char]65..[char]90 + [char]47..[char]57
      $PasswordProfile = ($charlist | Get-Random -count 66) -join ''
      Write-Output $PasswordProfile   # goes to the deployment script log in plain text
      $DeploymentScriptOutputs = @{}
      $DeploymentScriptOutputs["text"] = $PasswordProfile
    '''
    arguments: '-name'
    timeout: 'PT1H'
    retentionInterval: 'PT1H' // ISO 8601 duration; the original 'P1H' is not valid (hours need the T designator)
  }
}

// Plain string output: the generated value is visible in the deployment history
output result string = runPowerShellInlineWithOutput.properties.outputs.text
```
My issue with having to make use of a deployment script to do this is that you are just pushing the compute that could be done prior to the deployment to another costing resource. It makes more sense for this to be part of pre-deployment actions run either locally or in your pipeline than to do it in this manner.
Also, that's outputting in plain text, so it isn't viable for any organisation that requires secure development processes to be followed, and it definitely should not be used in production.
Well, I can secure the output, plus the output only lasts for about an hour and then disappears, and I can inject and secure the output into Key Vault. I just wanted to prove that it could be done through Bicep; I would use a different process of just managing the password rotation after the fact with LAPS or CyberArk. But some people want to handle this through the DSL. If Terraform has the ability to do this, then Bicep should offer it too. I mean, honestly, all you really need is an extensible random string generator; you can model the formula I pasted. Bicep already has a newGuid and uniqueString function, why not a strong random string function? I'd use Pulumi first before Terraform though.
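The random string generator asked for above, written so that it also addresses the two concerns raised earlier in the thread (idempotency, and not emitting the password in plain text). This is an added example, not code from the issue thread or from the Bicep project. It assumes PowerShell 7 (which the Az deployment-script images run, and which provides `RandomNumberGenerator.GetInt32`), the Az.KeyVault module, a managed identity with get/set secret permissions on the vault, and placeholder `-VaultName`/`-SecretName` arguments supplied by the caller; the "3 of 4 character classes" rule is the Windows VM requirement. The same script body runs unchanged as a pipeline pre-deployment step, which is the alternative suggested above.

```powershell
# Script parameters. A deploymentScripts resource passes them via, for example,
#   arguments: '-VaultName myVault -SecretName vmAdminPassword'
# (placeholder values; supply your own).
param(
    [Parameter(Mandatory)][string]$VaultName,
    [Parameter(Mandatory)][string]$SecretName
)

function New-RandomPassword {
    param([int]$Length = 24, [int]$MaxAttempts = 100)

    # Upper, lower, digit and symbol classes. Visually ambiguous characters
    # (I, l, O, 0, 1) and quote characters are omitted so the value survives
    # copy/paste and shell quoting; adjust per the target resource's rules.
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZ' +
                         'abcdefghijkmnopqrstuvwxyz' +
                         '23456789' +
                         '!@#$%^&*()-_=+[]{}:,.?')

    for ($attempt = 0; $attempt -lt $MaxAttempts; $attempt++) {
        # RandomNumberGenerator.GetInt32 draws from the OS CSPRNG and returns a
        # uniform value in [0, n), so there is no modulo bias and the result does
        # not depend on how Get-Random happens to be implemented.
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            $idx = [System.Security.Cryptography.RandomNumberGenerator]::GetInt32($alphabet.Length)
            $alphabet[$idx]
        }
        $candidate = -join $chars

        # Windows VMs need at least 3 of the 4 classes. Requiring all 4 and
        # rejecting otherwise keeps the result uniform over the accepted set.
        if ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
            $candidate -match '[0-9]' -and $candidate -match '[^A-Za-z0-9]') {
            return $candidate
        }
    }
    throw "No compliant password after $MaxAttempts attempts"
}

function Set-PasswordSecretIfMissing {
    param([string]$VaultName, [string]$SecretName)

    # Idempotency guard: a re-run of the deployment must not rotate a secret that
    # already exists. -ErrorAction Stop means a failed lookup (permissions, network)
    # aborts the script instead of silently generating a replacement.
    $existing = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
    if ($null -ne $existing) {
        Write-Host "Secret '$SecretName' already present; not rotating."
        return $existing.Id
    }

    $value = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    $created = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $value -ErrorAction Stop
    return $created.Id
}

# Only the secret identifier (a URI) leaves the script; the password itself is
# never written to the deployment-script log or to a template output.
$DeploymentScriptOutputs = @{}
$DeploymentScriptOutputs['secretId'] = Set-PasswordSecretIfMissing -VaultName $VaultName -SecretName $SecretName
```

The calling template then reads `outputs.secretId` and hands the VM module a Key Vault reference to that secret rather than the value, so the password never appears in deployment history. Because the existence check happens before generation, `forceUpdateTag` can stay set to `utcNow()` without rotating anything on redeploy.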
This would be a very useful addition for when keys are unavoidable.
Please implement a password generator +++
This would be very useful, as Windows VMs currently require a password and do not support Entra ID only. It would only make sense to be able to automatically generate a password on the initial run, save it to KV, and then reference it when trying to deploy a VM. I'm unsure why there hasn't been any movement on this ticket.
I think my search is around this case. I need to create an Azure pipeline that generates a random password and saves this password into KV. The pipeline is triggered every time the generation function is called by a Bicep file which includes a resource deployment file, for example a new VM. I'd appreciate any help with my issue.
Is your feature request related to a problem? Please describe.
Generating a random password for a VM is cumbersome when doing deployments.

Describe the solution you'd like
I would like to see a Bicep feature that would generate a random password.