microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

Import certificate from Key Vault (preview API) fails with ARM/Bicep #1192

Open prutsert opened 2 weeks ago

prutsert commented 2 weeks ago

Issue description

I am trying to use the preview feature for importing a certificate from Azure Key Vault with Bicep. I wish to dynamically pass the URI to the Key Vault Secret as a property (keyVaultUrl: certsecret.properties.secretUriWithVersion):

param containerAppEnvName string
param keyvaultName string
param certificateName string
// Declared so that `location` below resolves (it was referenced but never declared)
param location string = resourceGroup().location

resource containerAppEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' existing = {
  name: containerAppEnvName
}

resource managedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: '${containerAppEnvName}-uai'
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyvaultName
}

// Existing Key Vault secret that holds the certificate; only its URI is read
resource certSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' existing = {
  name: certificateName
  parent: keyVault
}

// Add Certificate
@description('Certificate')
resource cert 'Microsoft.App/managedEnvironments/certificates@2023-11-02-preview' = {
  parent: containerAppEnv
  location: location
  name: certificateName
  properties: {
    certificateKeyVaultProperties: {
      identity: managedId.id
      // Bicep symbols are case-sensitive: must match `certSecret` declared above
      keyVaultUrl: certSecret.properties.secretUriWithVersion
    }
  }
}

When I try to deploy the Certificate this way, the deployment fails with the following error:

{
  "code": "InvalidTemplateDeployment",
  "message": "The template deployment 'Deploy-ContainerAppEnv-20240605T111846Z' is not valid according to the validation procedure. The tracking id is 'fbd225e2-cd87-4b85-863b-5b11ad8ba5c6'. See inner errors for details.",
  "details": [
    {
      "code": "ValidationForResourceFailed",
      "message": "Validation failed for a resource. Check 'Error.Details[0]' for more information.",
      "details": [
        {
          "code": "CertificateKeyVaultUrlInvalid",
          "message": "Certificate key vault url '[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyvaultName'), parameters('certificateName')), '2023-07-01').secretUriWithVersion]' is invalid. Should be a valid URL pointing to the Azure Key Vault secret that holds the certificate."
        }
      ]
    }
  ]
}

When I pass the actual value of the Secret URI, instead of certsecret.properties.secretUriWithVersion, the deployment works. Another workaround is to put the Certificate deployment in a module with the keyVaultUrl as a parameter, and do the evaluation of certsecret.properties.secretUriWithVersion in the parent bicep file.

Steps to reproduce

  1. Use the Bicep content above to deploy a Container Apps Env Certificate with Key Vault reference.

Expected behavior [What you expected to happen.] The dynamic property (ARM: [reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyvaultName'), parameters('certificateName')), '2023-07-01').secretUriWithVersion]) gets evaluated by the API, like everywhere else in ARM/Bicep deployments.

Actual behavior [What actually happened.] The dynamic property (ARM: [reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyvaultName'), parameters('certificateName')), '2023-07-01').secretUriWithVersion]) is taken as a literal value by the API.

Additional context

I'm using Azure DevOps pipelines for deployment, which use az-cli as the underlying tool for deployment.
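The module workaround mentioned in the report, written out as an added example (not the reporter's code): the parent template evaluates `certSecret.properties.secretUriWithVersion` and hands the resulting string to a module, so the preview certificates API never sees the unevaluated `reference()` expression. The file name `cert.bicep`, the module deployment name and the `identityId` parameter are assumptions.

```bicep
// main.bicep: evaluates the secret URI in the parent so the module receives a plain string
param containerAppEnvName string
param keyvaultName string
param certificateName string
param location string = resourceGroup().location

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyvaultName
}
resource certSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' existing = {
  name: certificateName
  parent: keyVault
}
resource managedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: '${containerAppEnvName}-uai'
}

module cert 'cert.bicep' = {
  name: 'deploy-cert-${certificateName}' // assumed deployment name
  params: {
    containerAppEnvName: containerAppEnvName
    certificateName: certificateName
    location: location
    identityId: managedId.id
    // Evaluated here, in the parent, before the module deployment is submitted
    keyVaultUrl: certSecret.properties.secretUriWithVersion
  }
}

// cert.bicep (separate file): receives keyVaultUrl as an already-evaluated string
param containerAppEnvName string
param certificateName string
param location string
param identityId string
param keyVaultUrl string

resource containerAppEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' existing = {
  name: containerAppEnvName
}

resource cert 'Microsoft.App/managedEnvironments/certificates@2023-11-02-preview' = {
  parent: containerAppEnv
  name: certificateName
  location: location
  properties: {
    certificateKeyVaultProperties: {
      identity: identityId // user-assigned identity granted read access to the secret
      keyVaultUrl: keyVaultUrl // plain URL string, accepted by the API
    }
  }
}
```

The same split also keeps the certificate module reusable with a literal URL passed from a pipeline variable, the other workaround the report describes.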

howang-ms commented 1 week ago

Thank you for reporting this. We have identified the root cause and will fix this ASAP.