Closed dirkslab closed 3 years ago
@dirkslab I am unable to repro; can you provide the logs? Please hide your secrets before sharing the log and send them to anchauh@microsoft.com
@dirkslab any update?
@anuragc617 Apologies, I did not see the notification in my mail on your response. What does it mean when you say you could not repro? Are you saying a securestring parameter in a subscription level deployment is not visible in the Azure deployment logs from your testing? I will create an example with the logs I have and send it to you as requested.
subscriptiondeployment-vaults.zip ExportedTemplate-demo01-dev-vault-core-we.zip @anuragc617 I have attached an example subscription deployment template with basic vault and 1 secret. Also included exported template from azure portal deployment logs.
When deploying at subscription level (New-AzSubscriptionDeployment) the secret is visible in the Azure deployment logs. If you take the same example and convert it to a plain resource group deployment (New-AzResourceGroupDeployment), it will be hidden in the Azure deployment logs.
Please let me know if this is sufficient detail. It would be great to resolve this, as it is causing a problem with my automation flow.
@dirkslab I think you are trying to deploy from Azure PowerShell and not from the Azure ARM pipeline task. Could you reach out to https://github.com/Azure/azure-powershell for this.
@ddivanshu PowerShell and ARM template pipeline: same result. Easily testable by using the supplied templates above.
@dirkslab tested the above template with the AzureResourceManagerTemplateDeployment task, could not reproduce it.
```yaml
steps:
- task: AzureResourceManagerTemplateDeployment@3
  displayName: 'ARM Template deployment: Subscription scope'
  inputs:
    deploymentScope: Subscription
    azureResourceManagerConnection: 'xxxxxxx'
    subscriptionId: 'xxxxxx'
    location: 'Central US'
    csmFile: 'subscriptiondeployment-vaults.json'
    csmParametersFile: 'subscriptioneployment-vaults.parameters.json'
```
Could you share your pipeline as well.
Please can you clarify what you mean when you say you cannot reproduce the issue? Are you saying that if you go to the deployment output in the portal the secrets are not visible? I want to make sure we are aligned on what we are looking at. Please be as specific as possible.
my pipeline: steps:
I will also double check my deployment and give more detailed feedback
Please find attached: screenshot of the pipeline task, JSON output from the portal. Secret values all visible. This does not happen with resource group deployment, only subscription deployment. ExportedTemplate-demo01-dev-vault-core-we (1).zip
When deploying as Resource Group, expected behavior. Doing a good job at masking secrets.
@ddivanshu please advise on your results.
Hey @dirkslab , thank you for the details. Looking into it.
@dirkslab this is an ARM deployment behavior and not pipeline task issue. You are using nested templates. When doing nested template deployment, ARM does not treat parent secure strings as secure in child templates. That's the reason it appears in plain text.
I could not find a good doc, but this doc talks about that. Essentially, you will need to define the parameters explicitly in the child template and set the expression scope.
I made changes in your template and now it works fine:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "condition": "[parameters('vaults_demo01-dev-vault-core-we_condition')]",
      "name": "kptestvault",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "resourceGroup": "bishal-test-secret",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          "vaults_demo01-dev-vault-core-we_condition": {
            "value": true
          },
          "mytestsecret": {
            "value": "[parameters('mytestsecret')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "vaults_demo01-dev-vault-core-we_condition": {
              "type": "bool"
            },
            "mytestsecret": {
              "type": "SecureString"
            }
          },
          "resources": [
            {
              "name": "bishal-kv",
              "type": "Microsoft.KeyVault/vaults",
              "apiVersion": "2019-09-01",
              "location": "westeurope",
              "properties": {
                "tenantId": "[subscription().tenantId]",
                "sku": {
                  "family": "A",
                  "name": "standard"
                },
                "accessPolicies": [],
                "enableSoftDelete": false,
                "networkAcls": {
                  "defaultAction": "Allow",
                  "ipRules": []
                }
              },
              "condition": true,
              "resources": [
                {
                  "name": "mytestsecret",
                  "type": "secrets",
                  "apiVersion": "2019-09-01",
                  "tags": {
                    "projectKey": "demo01",
                    "environment": "dev",
                    "alias": "demo"
                  },
                  "properties": {
                    "value": "[parameters('mytestsecret')]",
                    "contentType": "SecureString",
                    "attributes": {
                      "enabled": true
                    }
                  },
                  "condition": true,
                  "resources": [],
                  "dependsOn": [
                    "bishal-kv"
                  ]
                }
              ]
            }
          ]
        },
        "mode": "Incremental",
        "debugSetting": {
          "detailLevel": "none"
        }
      }
    }
  ],
  "parameters": {
    "vaults_demo01-dev-vault-core-we_condition": {
      "allowedValues": [],
      "metadata": {
        "description": "add a description"
      },
      "defaultValue": false,
      "type": "bool"
    },
    "mytestsecret": {
      "allowedValues": [],
      "metadata": {
        "description": "add a description"
      },
      "defaultValue": "test value 9",
      "type": "SecureString"
    }
  }
}
```
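An added lint check, not code from this thread, the issue's attachments or the Azure pipeline task, that flags the leaky shape bishal describes: a nested `Microsoft.Resources/deployments` whose child template references a parent SecureString/SecureObject under the default outer scope, and, for inner scope, values passed in that the child template does not itself declare as secure. The sample template is constructed; names such as `kptestvault` and `mytestsecret` only mirror the example above.

```python
import json
import re

SECURE_TYPES = {"securestring", "secureobject"}
DEPLOYMENT_TYPE = "microsoft.resources/deployments"

def secure_parameter_names(template):
    """Names of parameters a template declares as SecureString/SecureObject."""
    return {n for n, d in template.get("parameters", {}).items()
            if str(d.get("type", "")).lower() in SECURE_TYPES}

def _references(text, names):
    """True if serialized ARM expression text references any parameter in names."""
    return any(re.search(rf"parameters\('{re.escape(n)}'\)", text) for n in names)

def find_secure_leaks(template, path="$"):
    """Flag nested deployments that would log a secure parameter unmasked.
    Default ('outer') scope inlines the parent's parameters('...') into the child
    template, which ARM then logs in plain text (the behaviour in this issue).
    With 'inner' scope the child must itself declare the value it receives as
    SecureString/SecureObject, or it is plain text there instead."""
    findings, secure = [], secure_parameter_names(template)
    for i, res in enumerate(template.get("resources", [])):
        if str(res.get("type", "")).lower() != DEPLOYMENT_TYPE:
            continue
        props = res.get("properties", {})
        child = props.get("template", {})
        here = f"{path}.resources[{i}]({res.get('name', '?')})"
        scope = str(props.get("expressionEvaluationOptions", {}).get("scope", "outer"))
        if scope.lower() != "inner":
            for name in sorted(secure):
                if _references(json.dumps(child), {name}):
                    findings.append(f"{here}: outer scope inlines secure parameter '{name}'")
        else:
            child_secure = secure_parameter_names(child)
            for name, spec in props.get("parameters", {}).items():
                if _references(json.dumps(spec), secure) and name not in child_secure:
                    findings.append(f"{here}: '{name}' receives a secure value "
                                    f"but child declares it non-secure")
            findings.extend(find_secure_leaks(child, here))  # child may nest further
    return findings

# Constructed sample (not the issue's attachment): the leaky shape, default outer scope.
LEAKY = {"parameters": {"mytestsecret": {"type": "SecureString"}},
         "resources": [{"type": "Microsoft.Resources/deployments", "name": "kptestvault",
                        "properties": {"template": {"resources": [
                            {"type": "Microsoft.KeyVault/vaults/secrets", "name": "kv/mytestsecret",
                             "properties": {"value": "[parameters('mytestsecret')]"}}]}}}]}
```

Run it over every template in a pipeline before deployment; a template in the corrected shape above (inner scope plus a child-side SecureString declaration) yields no findings.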
Thanks @bishal-pdMSFT I will have a look at the feedback.
@bishal-pdMSFT cannot thank you enough. I have updated my template builder to action as per your suggestion and it now works as expected. Really thought this was a bug, happy to confirm it's working as expected.
This makes me wonder about my other big issue. I had 2 issues stopping me from reaching Subscription level template Nirvana and this resolves one of them. The existing issue: if there is a reference in the resource template, it gets evaluated and fails (if the resource does not yet exist) even though dependsOn is set at "Microsoft.Resources/deployments" level and the resource exists in the template. Could this be related? Any suggestions where to start on this? I am hoping this is also a config issue and not by design or a bug.
Again, thank you very much!
Hi team, the same issue is affecting resource group deployments as well.
As a result, everyone with just Reader access at resource group level can see the SQL admin password (for example) in deployment logs.
See ticket 121011226000082 for detailed steps to reproduce the issue and screenshots.
A proper fix of the issue would be much appreciated.
@rshariy this issue is already hotfixed.
Azure ARM Template deployments. Subscription level deployments do not respect SecureString. SecureStrings are visible in azure deployment logs. Resource group level arm deployments work as expected and SecureStrings are hidden.
Will this be fixed, or please send me instruction documentation on how to achieve this. Alternatively, explicitly highlight in the documentation that subscription level deployments are for unsecure use only?