How-To: Series Deploy Secure ASF with ARM – Step 05 – Create the Key Vaults with ARM

This is step 5 of 10 in the post series “How-To: How to install a secure Azure Service Fabric Cluster (ASF) with an Azure Resource Manager (ARM) Template”. We need Key Vault to store the certificates and secrets. In this step we will create the build and release definitions in VSTS and then run the ARM templates that create the Key Vaults. We need two Key Vaults:

  • Key Vault – AppSecrets: in this Key Vault we store application secrets, like the IoT Hub connection string. This Key Vault is used at run time by the deployed applications.
  • Key Vault – InstallCert: in this Key Vault we store the certificates; it is only used during installation of the Service Fabric cluster. Keeping the two separate lets you give each principal access to only the vault it needs: the running applications never need to read the cluster certificates.

The ARM templates that create the Key Vaults can be found here.

Overview of the steps
01. Create and import the certificates
02. Register SF Application in AAD and create AppKey
03. Generate encrypted AppKey
04. Look up the service principals
05. [CURRENT] Create the Key Vaults with ARM
06. Adjust the SF Application settings
07. Upload certificates to Key Vault
08. Register the Service Fabric System Applications
09. Install SF Cluster with ARM
10. Coming soon!
Step 05: Create the Key Vaults from the CI/CD pipeline

The values you wrote down in the previous steps are needed in this step. I assume you have downloaded the ARM templates from my GitHub and placed them in a Git repository in your own VSTS account.

Create the build definition in VSTS

Go to Builds for your repository.

Click on Process under Tasks. Give the build definition a name and select the agent queue ‘Hosted VS2017’.

Click on Get Sources and select the code repository that contains your Key Vault ARM templates.

Click on the PLUS sign next to “Phase 1”, search for “copy” and select the Copy Files task. Fill in the correct values, see screenshot.

Do the same, but now select the Publish Build Artifacts task.

Repeat adding the copy and publish tasks and fill in the correct properties for the second Key Vault. Click on Save & queue, and again in the popup. Click on the link in the green box.

When the build is done, it should look like the screenshot below.

Create the release definition in VSTS

Go to Releases for your repository. Click on the PLUS sign and select ‘Create release definition’.

Click on Empty process.

Enter a name for the environment, e.g. Develop, and close the popup.

Give the release definition a proper name.

Click on Add next to “Artifacts”, select the build definition you made earlier in this step and click Add.

Click the “Tasks” tab and click on the PLUS sign in the Agent phase block. Add the Azure Resource Group Deployment task; the fields used below (Azure Subscription, Template, Template parameters, Override template parameters) belong to that task.

Click on the added task and fill in the appropriate values. For Template and Template parameters, select the files from the Key Vault artifact “Install Cert (ic)”.

If your subscription is not available in the Azure Subscription field, try adding it via the Manage link. If you still cannot select your subscription, take a look at this link, section “Create an Azure Active Directory Service Principal Name” and the paragraph after it. This is how I was able to add the Azure subscription I wanted to deploy to.

For the field Override template parameters you can use the following:

-environment $(environment) -organization $(organization) -project $(project) -AADKeyVaultObjectId $(AADKeyVaultObjectId) -AADGroupObjectId $(AADGroupObjectId) -vaultSku Standard -enabledForDeployment true -enabledForTemplateDeployment true -enableVaultForVolumeEncryption false

Add the same task type again, but now select the other Key Vault (App Secrets) for Template and Template parameters.

For Override template parameters use:
-environment $(environment) -organization $(organization) -project $(project) -AADKeyVaultObjectId $(AADKeyVaultObjectId) -AADGroupObjectId $(AADGroupObjectId) -vaultSku Standard -enabledForDeployment true -enabledForTemplateDeployment true -enableVaultForVolumeEncryption false -ASdeviceRegistrationObjectId $(ObjectIdDeviceRegistrationApp) -JWTSecretKey $(JWTSecretKey) -AADdmaURI $(AADdmaURI) -AADInstance $(AADInstance)
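
The override string above only makes sense next to the template it feeds. The following is an added example template for the AppSecrets vault, written for this post and not the template from the author's GitHub repository. It accepts exactly the parameters in the override string above, declares JWTSecretKey as securestring so the value does not show up in the resource group's deployment history, turns the three Object IDs into the three access policies you will see in the portal, and stores the JWT secret under the name JWTSecret. The vault name convention, the permissions granted per policy, and storing AADdmaURI and AADInstance as plain secrets are assumptions for this example (the post does not show what the original template does with those two parameters); Key Vault names must be 3-24 characters, so check the concatenated name against your organization and project values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "environment":  { "type": "string" },
    "organization": { "type": "string" },
    "project":      { "type": "string" },
    "AADKeyVaultObjectId": {
      "type": "string",
      "metadata": { "description": "Object ID of the SF application's service principal (step 04); read-only on secrets" }
    },
    "AADGroupObjectId": {
      "type": "string",
      "metadata": { "description": "Object ID of the AAD group that manages the vault contents (step 04)" }
    },
    "ASdeviceRegistrationObjectId": {
      "type": "string",
      "metadata": { "description": "Object ID of the device registration application; read-only on secrets" }
    },
    "vaultSku": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Premium" ] },
    "enabledForDeployment":           { "type": "bool", "defaultValue": false },
    "enabledForTemplateDeployment":   { "type": "bool", "defaultValue": false },
    "enableVaultForVolumeEncryption": { "type": "bool", "defaultValue": false },
    "JWTSecretKey": {
      "type": "securestring",
      "metadata": { "description": "securestring: not echoed in deployment history; pair it with a secret release variable" }
    },
    "AADdmaURI":   { "type": "string", "metadata": { "description": "Example assumption: stored as a plain secret" } },
    "AADInstance": { "type": "string", "metadata": { "description": "Example assumption: stored as a plain secret" } }
  },
  "variables": {
    "vaultName": "[concat(parameters('organization'), '-', parameters('project'), '-', parameters('environment'), '-as')]",
    "vaultId": "[resourceId('Microsoft.KeyVault/vaults', variables('vaultName'))]",
    "secretsReadOnly": { "secrets": [ "get" ] },
    "secretsManage":   { "secrets": [ "get", "list", "set", "delete" ] }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[variables('vaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "[parameters('vaultSku')]" },
        "enabledForDeployment": "[parameters('enabledForDeployment')]",
        "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
        "enabledForDiskEncryption": "[parameters('enableVaultForVolumeEncryption')]",
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('AADKeyVaultObjectId')]",
            "permissions": "[variables('secretsReadOnly')]"
          },
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('AADGroupObjectId')]",
            "permissions": "[variables('secretsManage')]"
          },
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('ASdeviceRegistrationObjectId')]",
            "permissions": "[variables('secretsReadOnly')]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2016-10-01",
      "name": "[concat(variables('vaultName'), '/JWTSecret')]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "value": "[parameters('JWTSecretKey')]" }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2016-10-01",
      "name": "[concat(variables('vaultName'), '/AADdmaURI')]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "value": "[parameters('AADdmaURI')]" }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2016-10-01",
      "name": "[concat(variables('vaultName'), '/AADInstance')]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "value": "[parameters('AADInstance')]" }
    }
  ],
  "outputs": {
    "vaultUri": { "type": "string", "value": "[reference(variables('vaultId'), '2016-10-01').vaultUri]" }
  }
}
```

Two things worth checking when you adapt this to your own template: the parameter named enableVaultForVolumeEncryption maps to the resource property enabledForDiskEncryption, and enabledForDeployment only matters for a vault from which Azure VMs pull certificates, i.e. the InstallCert vault used by the cluster nodes; the AppSecrets vault works with it left false.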

Set the variables of the release definition

In the “Override template parameters” field we used release variables, which you recognize by the $(<variable name>) syntax. The variables are maintained per environment. Go to the VARIABLES tab and set the variables, see the screenshot below. Mark JWTSecretKey as a secret variable (the padlock icon) so its value is masked in the UI and in the release logs, and make sure the matching parameter in the ARM template is of type securestring; otherwise the value is stored in plain text in the deployment history of the resource group.

If needed you can add more environments, each with its own variables. When variables are the same across environments you can use Variable Groups. When you use a variable group, give the variable a prefix or suffix so that, when you use it in the release tasks, you can tell it is managed by a variable group.

Manual Deploy
If you want to deploy immediately, do the following:

  • Create a new release: in the popup select the DEVELOP environment and click CREATE.
  • A link appears in the green box; click on that link.
  • Under ACTIONS, click on the dashes for the environment you want to deploy to and click DEPLOY.
  • In the next screen click DEPLOY. The screen closes and you return to the previous screen.
  • You see that the release is in progress. You can follow it by clicking on the LOG link. When everything went OK, you see green check marks.

Verify in the Azure Portal

  • When you go to the Azure portal and open the resource group where you deployed the Key Vaults, you will see this:
  • When you click on the Key Vault AppSecrets and then on Access Policies, you will see the three access policies that we also defined in our ARM template, one for each Object ID passed in the override parameters.
  • When you click on Secrets, then on JWTSecret, then on the current version and then on Show Secret Value, you will see the value you entered in the release variables in VSTS. Anyone covered by an access policy with the Get permission on secrets can read the value the same way, so keep those policies limited to the principals that need them.

Next step: Step 06 – Adjust the SF Application settings