Create vm create linux with secret from keyvault (#409)

* Create azuredeploy.json Making a version to use with linux * Create azuredeploy.parameters.json * Create metadata.json * Create README.md * Update azuredeploy.json * Update README.md * Update azuredeploy.json * Update azuredeploy.json * Update azuredeploy.json
2019-06-13 15:20:53 -06:00 · 2019-06-13 15:20:53 -06:00 · a3b903769c
--- a/101-vm-linux-create-passwordfromkv/README.md
+++ b/101-vm-linux-create-passwordfromkv/README.md
@ -0,0 +1,36 @@
+# Very simple deployment of a Linux VM
+
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%101-vm-linux-create-passwordfromkv%2Fazuredeploy.json" target="_blank">
+    <img src="http://azuredeploy.net/deploybutton.png"/>
+</a>
+<a href="http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2101-vm-linux-create-passwordfromkv%2Fazuredeploy.json" target="_blank">
+    <img src="http://armviz.io/visualizebutton.png"/>
+</a>
+
+This template allows you to deploy a simple Linux VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file.
+
+## Add Secret to the Key Vault
+You can add the password to the Key Vault using the below commands:
+
+#### PowerShell
+```
+$Secret = ConvertTo-SecureString -String 'Password' -AsPlainText -Force
+Set-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -SecretValue $Secret
+```
+#### CLI
+```
+azure keyvault secret set --vault-name Contoso --secret-name ITSecret --value azurepass
+```
+
+## Enable Key Vault for VM and Template secret access
+After this you'll need to enable the Key Vault for template deployment. You can do this using the following commands:
+
+## PowerShell
+```
+Set-AzureRmKeyVaultAccessPolicy -VaultName Contoso -EnabledForTemplateDeployment
+```
+
+### CLI
+```
+azure keyvault set-policy --vault-name Contoso --enabled-for-template-deployment true
+```
--- a/101-vm-linux-create-passwordfromkv/azuredeploy.json
+++ b/101-vm-linux-create-passwordfromkv/azuredeploy.json
@ -0,0 +1,203 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "apiProfile": "2018-03-01-hybrid",
+  "parameters": {
+    "adminUsername": {
+      "type": "string",
+      "metadata": {
+        "description": "Username for the Virtual Machine."
+      },
+      "defaultValue": "vmadmin1"
+    },
+    "authentication-type": {
+      "type": "securestring",
+      "metadata": {
+        "description": "Using password or ssh."
+      },
+      "allowedValues": [
+        "ssh",
+        "password"
+      ],
+    },
+    "adminPassword": {
+      "type": "securestring",
+      "metadata": {
+        "description": "Password for the Virtual Machine."
+      },
+      "defaultValue": "[concat('Subscription#',substring(resourcegroup().id,15,36))]"
+    },    
+    "sshPassword": {
+      "type": "securestring",
+      "metadata": {
+        "description": "Password for the Virtual Machine."
+      },
+      "defaultValue": "[cat ~/.ssh/id_rsa.pub]"
+    },
+    "dnsLabelPrefix": {
+      "type": "string",
+      "metadata": {
+        "description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
+      },
+      "defaultValue": "mydns882017"
+    },
+    "osImageSku": {
+      "type": "string",
+      "defaultValue": "2-0",
+      "allowedValues": [
+        "2-0"
+      ],
+      "metadata": {
+        "description": "The linux version for the VM. This will pick a fully patched image of this given linux version. Allowed values: 2-0"
+      }
+    },
+    "osImagePublisher": {
+      "type": "string",
+      "defaultValue": "Bitnami",
+      "metadata": {
+        "description": "Maps to the publisher in the Azure Stack Platform Image Repository manifest file."
+      }
+    },
+    "osImageOffer": {
+      "type": "string",
+      "defaultValue": "simplemachinesforum",
+      "metadata": {
+        "description": "Maps to the Offer in the Azure Stack Platform Image Repository manifest file."
+      }
+    }
+  },
+  "variables": {
+    "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'sawinvm')]",
+    "vmStorageAccountContainerName": "vhds",
+    "OSDiskName": "osdisk",
+    "nicName": "myVMNic",
+    "addressPrefix": "10.0.0.0/16",
+    "subnetName": "Subnet",
+    "subnetPrefix": "10.0.0.0/24",
+    "storageAccountType": "Standard_LRS",
+    "publicIPAddressName": "myPublicIP",
+    "publicIPAddressType": "Dynamic",
+    "vmName": "VMInstance",
+    "vmSize": "Standard_DS1_v2",
+    "virtualNetworkName": "MyVNET",
+    "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
+    "subnetRef": "[concat(variables('vnetID'),'/subnets/',variables('subnetName'))]"
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Storage/storageAccounts",
+      "name": "[variables('storageAccountName')]",
+      "location": "[resourceGroup().location]",
+      "properties": {
+        "accountType": "[variables('storageAccountType')]"
+      }
+    },
+    {
+      "type": "Microsoft.Network/publicIPAddresses",
+      "name": "[variables('publicIPAddressName')]",
+      "location": "[resourceGroup().location]",
+      "properties": {
+        "publicIPAllocationMethod": "[variables('publicIPAddressType')]",
+        "dnsSettings": {
+          "domainNameLabel": "[parameters('dnsLabelPrefix')]"
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Network/virtualNetworks",
+      "name": "[variables('virtualNetworkName')]",
+      "location": "[resourceGroup().location]",
+      "properties": {
+        "addressSpace": {
+          "addressPrefixes": [
+            "[variables('addressPrefix')]"
+          ]
+        },
+        "subnets": [
+          {
+            "name": "[variables('subnetName')]",
+            "properties": {
+              "addressPrefix": "[variables('subnetPrefix')]"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type": "Microsoft.Network/networkInterfaces",
+      "name": "[variables('nicName')]",
+      "location": "[resourceGroup().location]",
+      "dependsOn": [
+        "[concat('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",
+        "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
+      ],
+      "properties": {
+        "ipConfigurations": [
+          {
+            "name": "ipconfig1",
+            "properties": {
+              "privateIPAllocationMethod": "Dynamic",
+              "publicIPAddress": {
+                "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]"
+              },
+              "subnet": {
+                "id": "[variables('subnetRef')]"
+              }
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type": "Microsoft.Compute/virtualMachines",
+      "name": "[variables('vmName')]",
+      "location": "[resourceGroup().location]",
+      "dependsOn": [
+        "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
+        "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]"
+      ],
+      "properties": {
+        "hardwareProfile": {
+          "vmSize": "[variables('vmSize')]"
+        },
+        "osProfile": {
+          "computerName": "[variables('vmName')]",
+          "adminUsername": "[parameters('adminUsername')]",
+          "if" : [
+          {"==": [{"var":"authentication-type"}, "ssh"] }, 
+          "ssh-key-value": "[parameters('sshPassword')]",
+          "adminPassword": "[parameters('adminPassword')]"
+          ]
+        },
+        "storageProfile": {
+          "imageReference": {
+            "publisher": "[parameters('osImagePublisher')]",
+            "offer": "[parameters('osImageOffer')]",
+            "sku": "[parameters('osImageSku')]",
+            "version": "latest"
+          },
+          "osDisk": {
+            "createOption": "FromImage",
+            "name": "osdisk",
+            "vhd": {
+              "uri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob, variables('vmStorageAccountContainerName'),'/',variables('OSDiskName'),'.vhd')]"
+            }
+          }
+        },
+        "networkProfile": {
+          "networkInterfaces": [
+            {
+              "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
+            }
+          ]
+        },
+        "diagnosticsProfile": {
+          "bootDiagnostics": {
+            "enabled": "true",
+            "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob)]"
+          }
+        }
+      }
+    }
+  ]
+}
--- a/101-vm-linux-create-passwordfromkv/azuredeploy.parameters.json
+++ b/101-vm-linux-create-passwordfromkv/azuredeploy.parameters.json
@ -0,0 +1,20 @@
+{
+    "$schema":  "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion":  "1.0.0.0",
+    "parameters":  {
+                       "adminUsername":  {
+                                             "value":  "vmadmin1"
+                                         },
+                       "adminPassword":  {
+                                             "reference":  {
+                                                               "keyVault":  {
+                                                                                "id":  "/subscriptions/XXXXXXX/resourceGroups/resourceGroupName/providers/Microsoft.KeyVault/vaults/vaultName"
+                                                                            },
+                                                               "secretName":  "secretName"
+                                                           }
+                                         },
+                       "dnsLabelPrefix":  {
+                                              "value":  "mydns882017"
+                                          }
+                   }
+}
--- a/101-vm-linux-create-passwordfromkv/metadata.json
+++ b/101-vm-linux-create-passwordfromkv/metadata.json
@ -0,0 +1,7 @@
+{
+  "itemDisplayName": "Secure VM password with Key Vault",
+  "description": "This template allows you to deploy a simple linux VM by retrieving the password that is stored in a Key Vault. Therefore the password is never put in plain text in the template parameter file",
+  "summary": "This template deploys a VM by retrieving the password securely from a Key Vault",
+  "githubUsername": "WiseMack",
+  "dateUpdated": "2019-01-04"
+}