0

I'm deploying a Key Vault via bicep file with some standard rules, then after the initial configuration of some other resources I want to harden that Key Vault with advanced properties. For instance, I deploy the Key Vault with this bicep file:

// keyVault_1.bicep 
resource stdKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv-test-01'
  location: resourceGroup().location
  properties: {
    ...
  }
}

Then I apply this second template (in incremental mode):

// keyVault_2.bicep 
resource stdKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: 'kv-test-01'
}

resource secKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv-test-01'
  location: resourceGroup().location
  // join the current properties with the new property to preserve them
  properties: union(stdKeyVault.properties, {
    publicNetworkAccess: 'Disabled'
  })
}

Would there be any other way to do this easily by extending the first bicep file instead of using two different standalone deployments?

These questions are similar but I can't see a definitive answer on this topic.

1
  • You don't need to use incremental mode to fetch the key vault's information, or a separate file to update the properties; you can also use the existing Bicep file in which you created the configuration and update the property by specifying publicNetworkAccess: 'Disabled'. @DanielM
    – Vinay B
    Commented yesterday

1 Answer 1

1

Updating properties of an existing Bicep template resource without using incremental mode

In this case, to avoid using two plugins in the configuration, you can use the same Bicep script that you used to create the key vault to update the network settings as expected.

Using the same file again will not let Bicep recreate the resource before it updates the network configuration as per the suggested change. If the resource already exists, since we already created one and are reusing the same file, Bicep will check for any existing resource before it creates one.

If the resource already exists and the configuration matches the existing resource properties, then it just fetches the information of the resource but doesn't recreate it.

I tried a configuration where I created the key vault in the first place and updated the network properties using the same file by changing the Bicep configuration.

Demo configuration:

param keyVaultName string = 'bhaggi-test-01'

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: resourceGroup().location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
    accessPolicies: []
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    publicNetworkAccess: 'Disabled' 
  }
}

Deployment: [two screenshots]

Refer:

https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?pivots=deployment-language-bicep#bicep-resource-definition
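
A single-file variant of the approach in the answer above, as an added example that is not part of the original post: the same template is deployed twice and a parameter switches the vault from its initial state to the hardened one. The parameter name `hardened`, the file name `keyVault.bicep`, the resource group placeholder and the use of RBAC authorization are assumptions made for this example.

```bicep
// Added example (not from the original question or answer).
// Stage 1: az deployment group create -g <resource-group> -f keyVault.bicep
// Stage 2: az deployment group create -g <resource-group> -f keyVault.bicep -p hardened=true

@description('Vault name (sample value taken from the question).')
param keyVaultName string = 'kv-test-01'

@description('false for the initial deployment, true for the hardening pass (hypothetical parameter).')
param hardened bool = false

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: resourceGroup().location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
    // Assumption: RBAC authorization, so data-plane permissions live in role
    // assignments and are not rewritten through accessPolicies on redeploy.
    enableRbacAuthorization: true
    enabledForTemplateDeployment: true
    // The only values that differ between the two stages.
    publicNetworkAccess: hardened ? 'Disabled' : 'Enabled'
    networkAcls: {
      defaultAction: hardened ? 'Deny' : 'Allow'
      bypass: 'AzureServices'
    }
  }
}

// Lets the pipeline confirm which stage was applied.
output publicNetworkAccess string = keyVault.properties.publicNetworkAccess
```

Because a redeployment reapplies the whole `properties` block, every setting the vault needs has to be declared in this one file; a vault that relies on access policies would need them listed here as well, since an empty `accessPolicies` array replaces the existing ones.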
