Azure / deployment-stacks

Contains Deployment Stacks CLI scripts and releases
MIT License

Stack updates fail with "The | deployment parameter 'paramName' has specified both Value and | Reference. Please specify either the value or the reference instead." when creating a new deployment and passing a parameter that was previously passed by `SecuredString` as a `keyvault secure parameter` #177

Closed GABRIELNGBTUC closed 1 week ago

GABRIELNGBTUC commented 1 month ago

Describe the bug

We recently updated our pipelines to pass some secure parameters as keyvault references (https://aka.ms/arm-keyvault-secure-parameter). On one of our stacks, we repeatedly received the error `The | deployment parameter 'parameterName' has specified both Value and | Reference. Please specify either the value or the reference. See | https://aka.ms/arm-keyvault-secure-parameter for details.`

After some troubleshooting, we found that non-stack deployments using the same parameter and template file worked as expected and that only deployments through `Set-AzResourceGroupDeploymentStack` would fail. The issue was only fixed after deleting and recreating the stack.

We also noticed that when going to the "Deployment" tab of the stack, the page would never load instead of showing the latest successful deployment linked to the stack.

To Reproduce

Not sure if it is possible to recreate consistently since only 1 of our stacks out of dozens had issues.

But you could try a Bicep file like this:

main.bicep:

```bicep
// Secure parameter; a type is required for the declaration to compile.
@secure()
param mySecureParam string
// ...
```

param.json:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mySecureParam": {
      "value": "value"
    }
  }
}
```

Then deploy the stack with `Set-AzResourceGroupDeploymentStack -Name "test" -ResourceGroupName "rgName" -TemplateFile "main.bicep" -TemplateParameterFile "param.json" ...`

From there, modify the parameter file to:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mySecureParam": {
      "reference": {
        "secretName": "SecretName",
        "keyVault": {
          "id": "/subscriptions/id/resourceGroups/rg-name/providers/Microsoft.KeyVault/vaults/kv-name"
        }
      }
    }
  }
}
```

And update the stack with the same command.

Expected behavior

Stack successfully updates and deploys.

Repro Environment

- Host OS: Linux
- Powershell Version: 7.4.2

Server Debugging Information

- Correlation ID: 0fcfc22c-61eb-4ee8-82eb-dadf211a8faf
- Tenant ID: f661a5c5-d1f9-4034-950d-39a1392e8c24
- Timestamp of issue (please include time zone): 15:22:05 Central European Summer Time
- Data Center (eg, West Central US, West Europe): West Europe

Additional Information

If necessary, we also have another 3-4 correlation ids with timestamps of some of our attempts.
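
A pre-update check a pipeline could run to list parameters whose source switches between an inline `value` and a Key Vault `reference`, which is the change made in the repro steps above before the stack update failed. This is an added example, not code from the issue or from the deployment-stacks project; `Get-ParameterSource` and `Compare-ParameterSource` are hypothetical helper names, and the two JSON documents are trimmed copies of the parameter files in the report.

```powershell
# Added example: helper names are hypothetical, not part of Az PowerShell.
function Get-ParameterSource {
    param([Parameter(Mandatory)][string]$Json)
    $sources = [ordered]@{}
    $doc = $Json | ConvertFrom-Json
    foreach ($p in $doc.parameters.PSObject.Properties) {
        $hasValue = $null -ne $p.Value.PSObject.Properties['value']
        $hasRef   = $null -ne $p.Value.PSObject.Properties['reference']
        if ($hasValue -and $hasRef) {
            # A file that sets both is rejected with the error quoted in this issue.
            throw "Parameter '$($p.Name)' specifies both value and reference."
        }
        $sources[$p.Name] = if ($hasRef) { 'reference' } elseif ($hasValue) { 'value' } else { 'none' }
    }
    $sources
}

function Compare-ParameterSource {
    param([Parameter(Mandatory)][string]$OldJson, [Parameter(Mandatory)][string]$NewJson)
    $old = Get-ParameterSource -Json $OldJson
    $new = Get-ParameterSource -Json $NewJson
    foreach ($name in $new.Keys) {
        $before = if ($old.Contains($name)) { $old[$name] } else { 'absent' }
        [pscustomobject]@{
            Name          = $name
            Before        = $before
            After         = $new[$name]
            SourceChanged = ($before -ne 'absent' -and $before -ne $new[$name])
        }
    }
}

# Constructed sample input: the two parameter files from the report, trimmed.
$oldFile = @'
{ "parameters": { "mySecureParam": { "value": "value" } } }
'@
$newFile = @'
{ "parameters": { "mySecureParam": { "reference": {
    "secretName": "SecretName",
    "keyVault": { "id": "/subscriptions/id/resourceGroups/rg-name/providers/Microsoft.KeyVault/vaults/kv-name" } } } } }
'@

# List only the parameters whose source differs between the two files.
Compare-ParameterSource -OldJson $oldFile -NewJson $newFile |
    Where-Object SourceChanged |
    Format-Table Name, Before, After
```

The check only inspects the local parameter files; it does not read what the existing stack has stored for the parameter.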

dantedallag commented 1 month ago

Hey @GABRIELNGBTUC, any chance you have a correlation id for this?

dantedallag commented 1 month ago

@GABRIELNGBTUC Sorry, completely missed your inclusion of a correlation id in the original post. I will look into this.

dantedallag commented 1 month ago

@GABRIELNGBTUC We seem to have found the issue here and are working on the fix. Will ping this thread when it's fixed and you can try it out. Thanks!

azcloudfarmer commented 3 weeks ago

Hello @GABRIELNGBTUC this issue has been fixed and it is now awaiting deployment. Thanks again for reporting it!

snarkywolverine commented 1 week ago

Hi @GABRIELNGBTUC - the fix for this issue has now been released to all public Azure regions. Let us know if you have any further issues!