3

I am using Terraform to provision my Azure resources, which works great; however, for some resources such as Logic Apps, doing this natively doesn't really work, so I am using the Logic Apps ARM template and doing a Terraform "azurerm_resource_group_template_deployment" in order to provision. I know doing an ARM template deployment within Terraform is a bit of a last resort. It works OK though and deploys fine, but I have a Service Bus connection defined and that is of type "securestring". By default, these are not saved as part of the ARM deployment, so every time Terraform runs in my pipeline, even if the Logic App ARM template has not changed, it still does the deployment, as the top-level deployment state Terraform knows about previously did not have the value saved, so it will always see it as new. Is there any way around this other than changing the "securestring" to "string", which I obviously do not want to do given the endpoint contains the SAS key etc.?

Steve
  • We are facing this issue. Did you find any way around this? Or is there a GitHub issue somewhere? – Suraj N Aug 11 '21 at 16:38
  • no I didn't find a decent way around this. I have currently chosen to change the SecureString to String. My thought being we can only see the SAS key in the "Deployment" resource within the resource group and access to the resource group is controlled through Azure RBAC so the same people that can see the terraform pipeline (and the SAS key anyway) are the same people that could access the resource group and see it through deployment also. – Steve Aug 13 '21 at 12:22
  • Ah yes, underneath it's about RBAC, who can see what, but since we have Jenkins and a CI/CD pipeline it shows up for everyone in the plan, which is not something that everyone should see :) – Suraj N Aug 25 '21 at 15:49

1 Answer

0

Hit the same issues today - really limits what is viable. Managed to work around my two scenarios.

For things like keys and connection strings you can use the listKeys function inside of the ARM template - some examples here. I had this exact issue trying to get a Log Analytics workspace key into the template - https://github.com/Azure/azure-quickstart-templates/blob/master/demos/arm-template-retrieve-azure-storage-access-keys/azuredeploy.json - Get connection strings in ARM

Another scenario I had was wanting to pass a service principal secret from TF to template as securestring, to get around this I ended up getting the secret from keyvault inside of the ARM template instead.

  • Thanks James... I'll take a look at these for reference. I have since switched my attention to Azure Bicep given I am only using Azure and it is the cloud provider of choice where I work. It seems very similar in declarative form to Terraform, just without having to worry about the state file management, which is a nice change. – Steve Dec 03 '21 at 15:58
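The listKeys approach from the answer, applied to the Service Bus connection in the question, as an added example that is not code from the question, the answer, or Microsoft's quickstart repository. The SAS connection string is resolved by Resource Manager inside the template at deployment time, so it is never a Terraform input, never appears in `terraform plan` output or state, and is never stored in the Deployment resource's parameters. Only non-secret values (namespace name, authorization rule name) are passed through `parameters_content`, so Terraform sees an unchanged template and parameters on the next run and does not redeploy. The resource group, namespace name (`sb-demo`, which must be globally unique), rule name and API versions are assumptions for the example:

```hcl
# Added example: resolve the Service Bus connection string with listKeys()
# inside the ARM template instead of passing it in as a securestring
# parameter from Terraform. Names below are assumptions for the example.

resource "azurerm_resource_group" "demo" {
  name     = "rg-demo"
  location = "westeurope"
}

resource "azurerm_servicebus_namespace" "demo" {
  name                = "sb-demo" # assumed; must be globally unique
  location            = azurerm_resource_group.demo.location
  resource_group_name = azurerm_resource_group.demo.name
  sku                 = "Standard"
}

resource "azurerm_resource_group_template_deployment" "sb_connection" {
  name                = "logicapp-servicebus-connection"
  resource_group_name = azurerm_resource_group.demo.name
  deployment_mode     = "Incremental"

  # Only non-secret inputs are parameters, so neither the plan diff nor the
  # Deployment resource's parameter history ever contains the SAS key.
  parameters_content = jsonencode({
    namespaceName = { value = azurerm_servicebus_namespace.demo.name }
    ruleName      = { value = "RootManageSharedAccessKey" }
  })

  template_content = <<-TEMPLATE
  {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "namespaceName": { "type": "string" },
      "ruleName":      { "type": "string", "defaultValue": "RootManageSharedAccessKey" }
    },
    "variables": {
      "ruleId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('namespaceName'), parameters('ruleName'))]"
    },
    "resources": [
      {
        "type": "Microsoft.Web/connections",
        "apiVersion": "2016-06-01",
        "name": "servicebus",
        "location": "[resourceGroup().location]",
        "properties": {
          "displayName": "servicebus",
          "api": {
            "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'servicebus')]"
          },
          "parameterValues": {
            "connectionString": "[listKeys(variables('ruleId'), '2021-11-01').primaryConnectionString]"
          }
        }
      }
    ]
  }
  TEMPLATE
}
```

The identity running the deployment needs `Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action` on the namespace; listKeys is evaluated at deploy time, so the template text stays constant across runs while the key itself is only ever handled server-side. The same template-side resolution is what the answer describes for its Key Vault scenario: fetch the secret inside the template rather than handing it to Terraform as a securestring parameter.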