azure-devops-cli-extension
[Feature Request] Variable group linked to Azure Key Vault keys
Variable group linked to Azure Key Vault keys would be a great addition as well
Originally posted by @LaurentLesle in https://github.com/Azure/azure-devops-cli-extension/issues/639#issuecomment-498039169
For clarification - there are no documented APIs to support this and we are working with the stakeholder to get an estimate on timeline. Will keep this thread posted.
Those blocked on this can use the `az devops invoke` command to automate this if required, using the undocumented API (API signature can change in future).
Here is the sample command with JSON request:

```
az devops invoke --http-method post --area distributedtask --resource variablegroups --debug --in-file .\vgroup_azure_rm.json --encoding ascii --route-parameters project=atbagga --api-version 5.0-preview
```

```json
{
  "description": "vgroup description",
  "name": "vgroup1",
  "providerData": {
    "serviceEndpointId": "5763599f-0a8b-403a-a4ca-dsdsdsd4b6",
    "vault": "MyAzureKeyvaultName"
  },
  "type": "AzureKeyVault",
  "variables": {
    "VARIABLE_NAME": {
      "isSecret": true,
      "value": "",
      "enabled": true,
      "contentType": "",
      "expires": null
    }
  }
}
```

ServiceEndpoint Id is the AzureRm service endpoint id, which can be created using the `az devops service-endpoint` command.
This worked for me, however it doesn't allow you to associate a service connection with the variable group to access the key vault. Looks like there hasn't been an update to the CLI yet, does anyone know if this is possible?
Any updates on this feature?
@geverghe
> For clarification - there are no documented APIs to support this and we are working with the stakeholder to get an estimate on timeline. Will keep this thread posted.
Any updates?
Any update on this feature?
+1
please give us this. would be incredibly useful for CRM solution/portal deployment
plus one
+1
+1 Do you have any information about a future implementation?
bump +4
+1
+1
We definitely need this, as it's just about the last thing we can't automate for our pipeline creation. To have secrets in the keyvault, we have to manually go in and link the variable group to the keyvaults.
+1 Thank you!
And what about updating an already existing VG that is linked with Key Vault, adding existing secrets to the variable group in particular? While this article says that the PUT method should be used, modifying your command returns the following:

```
cli.azure.cli.core.azclierror: The requested resource does not support http method 'PUT'.
az_command_data_logger: The requested resource does not support http method 'PUT'.
```

Full CLI command:

```
az devops invoke --http-method put --area distributedtask --resource variablegroups --debug --in-file ./body3.json --encoding ascii --route-parameters project=redacted --api-version 7.1-preview
```
body3.json:

```json
{
  "name": "redacted",
  "providerData": {
    "serviceEndpointId": "redacted",
    "vault": "redacted"
  },
  "type": "AzureKeyVault",
  "variableGroupProjectReferences": [
    {
      "projectReference": {
        "id": "redacted",
        "name": "redacted"
      },
      "name": "redacted",
      "description": ""
    }
  ],
  "variables": {
    "redacted": {
      "isSecret": true,
      "value": "",
      "enabled": true,
      "contentType": "",
      "expires": null
    }
  }
}
```
Invoking the POST method on an existing Key Vault-linked variable group results in:

```
cli.azure.cli.core.azclierror: Variable group 'vgsecretlookup-secret2' already exists.
az_command_data_logger: Variable group 'vgsecretlookup-secret2' already exists.
```

Please advise :)
I do this with POST, exactly as the suggested `az devops invoke` comment states, and I add

```json
"authorized": true,
"variableGroupProjectReferences": [
  {
    "projectReference": {
      "id": "redacted",
      "name": "redacted"
    },
    "name": "redacted",
    "description": ""
  }
],
```
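Putting the earlier POST body together with the `authorized` / `variableGroupProjectReferences` fields from the comment above, as an added example that is not from this thread or from the extension's own code; the helper names are mine, the endpoint and project ids are placeholders, and it only builds the body file and the `az devops invoke` argv rather than calling Azure DevOps.

```python
import json
import re
import shlex
from pathlib import Path

# Key Vault secret names are alphanumeric plus hyphens; reject anything else early.
_SECRET_NAME = re.compile(r"^[0-9A-Za-z-]+$")


def build_keyvault_variable_group(name, service_endpoint_id, vault,
                                  project_id, project_name, secret_names, description=""):
    """Request body for POST distributedtask/variablegroups (Key Vault-linked group).

    Every value stays empty on purpose: the secret material lives in Key Vault and is
    resolved through the service connection at run time, never stored in the group.
    """
    if not secret_names:
        raise ValueError("a Key Vault-linked group needs at least one secret name")
    variables = {}
    for secret in secret_names:
        if not _SECRET_NAME.match(secret):
            raise ValueError(f"invalid Key Vault secret name: {secret!r}")
        variables[secret] = {"isSecret": True, "value": "", "enabled": True,
                             "contentType": "", "expires": None}
    return {
        "name": name,
        "description": description,
        "type": "AzureKeyVault",
        "authorized": True,  # from the comment above: lets pipelines use the group
        "providerData": {"serviceEndpointId": service_endpoint_id, "vault": vault},
        "variableGroupProjectReferences": [
            {"projectReference": {"id": project_id, "name": project_name},
             "name": name, "description": description}
        ],
        "variables": variables,
    }


def invoke_argv(project, body_file, api_version="5.0-preview"):
    """argv for the az devops invoke call used in the thread (POST only; PUT is rejected)."""
    return ["az", "devops", "invoke", "--http-method", "post",
            "--area", "distributedtask", "--resource", "variablegroups",
            "--in-file", str(body_file), "--encoding", "ascii",
            "--route-parameters", f"project={project}", "--api-version", api_version]


if __name__ == "__main__":
    body = build_keyvault_variable_group(
        "vgroup1", "00000000-0000-0000-0000-000000000000", "MyAzureKeyvaultName",
        "11111111-1111-1111-1111-111111111111", "MyProject", ["DB-PASSWORD", "API-KEY"])
    path = Path("vgroup_azure_rm.json")
    path.write_text(json.dumps(body, indent=2), encoding="ascii")
    print(shlex.join(invoke_argv("MyProject", path)))
```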
And you are then able to create/update/link variable groups to Key Vault without manual intervention?