Howto secure a string or a object inside an array of objects parameter file

[klausgh4836]

I deploy severale alert action groups with a bicep module. I run a for loop over an array of objects to deploy the alert groups.
For the webhooks I want to secure the webhookurl.

Is there a way to do this with azure key vault or via bicep?
What part of my bicpe code had to be changed?

1. This is the bicep module which is generating the alert action group.

// 
// Build Resources
//
resource ag 'microsoft.insights/actionGroups@2019-06-01' = {
  name: agName
  location: agLocation
  tags: varTags
  properties: {
    enabled: agEnable
    groupShortName: agGroupShortName
    emailReceivers: ((!empty(agEmailReceivers)) ? agEmailReceivers : json('null'))
    webhookReceivers: ((!empty(agWebhookReceivers)) ? agWebhookReceivers : json('null'))
  }
}

2. This is the main.bicep which is looping over the array of objects ActionGroups.

// Create the action group

module mActionGroup '../modules/action_group/main.bicep' = [ for a in ActionGroups: {
  name: 'mActionGroup-${uniqueString(a.agName)}'
  params: {
    agName: a.agName
    agEnable: a.agEnable
    agGroupShortName: a.agGroupShortName
    agWebhookReceivers: a.agWebhookReceivers
  }
}]

3. This is an example json file, I use as the input parameters.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "ActionGroups": { 
        "value": [ 
        {
          "agName": "action-webhook-1",
          "agEnable": true,
          "agGroupShortName": "Webhook-1",
          "agWebhookReceivers": [
              {
              "name": "webhook-1.org",
              "serviceUri": "https://user1:password1@webhook-1.org/",
              "useCommonAlertSchema": true
             }
          ]
        },
        {
            "agName": "action-webhook-2",
            "agEnable": true,
            "agGroupShortName": "Webhook-2",
            "agWebhookReceivers": [
                {
                "name": "webhook-2.org",
                "serviceUri": "https://user2:password2@webhook-2.org/",
                "useCommonAlertSchema": true
               }
            ]
          }
      ]
    }
  }
}

Thanks for your time.

[brwilkinson]

The only way to secure strings is via the secure string parameter, in which case it can be pulled from a keyvault.

• You will have to add these as individual parameters on your template.

@secure()
param serviceURI1 string

unless you are able to read it from somewhere in Azure via listkeys etc.

below is a sample of one way to achieve this via a secret lookup. You will need to pre-create the secret values in the KV.

var actionGroups = [
  {
    'name': 'AG01'
    'secretName': 'webHook1'
  }
]

var kvName = 'mykv1'

resource KV 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: kvName
}

module actionGroup 'actionGroup.bicep' = [ for (ag,index) in actionGroups : {
  name: 'dp-ag-${ag.name}'
  params: {
    serviceURI1: KV.getSecret(ag.secretName)
    actionGroup: ag
  }
}]

[brwilkinson]

Hi @klausgh4836 please let us know if this option is helpful or if you have some further queries?

[klausgh4836]

Hi @brwilkinson , the option was helpful for me. Thanks for your support.