[Do not merge] Allow expressions in getSecret function#19204

Open
levimatheri wants to merge 4 commits into main from levi/get-secret

Conversation

@levimatheri levimatheri commented Mar 16, 2026

This change is pending backend rollout.

Description

This pull request introduces enhanced support for the az.getSecret function in Bicep parameter files, allowing both compile-time constant and expression-based arguments for Key Vault secret retrieval. The changes update the function overloads, expression handling, and test coverage to ensure that parameter files correctly generate Key Vault references, including scenarios with external inputs. The most important changes are grouped below by theme.

Important:
If string literal types are used for the getSecret function, then emit the KV reference as before (i.e. not using the resourceId() function). This prevents breaking people, since the Deployments API will reject expressions in secret references below api-version 2025-04-01.

Key Vault Secret Retrieval Improvements

  • Updated the az.getSecret function overload to accept both string literals and expressions for parameters, removing the compile-time constant restriction and supporting dynamic external inputs.
  • Changed the ParameterKeyVaultReferenceExpression to use Expression objects for KeyVaultId, SecretName, and SecretVersion, allowing more flexible and dynamic expression handling.

JSON Emission and Transformation

  • Updated the ParametersJsonWriter to emit Key Vault references using EmitPropertyWithTransform, enabling transformation of expressions (such as external inputs) when generating parameter files.

Example Usage

param vmPassword = getSecret(
  externalInput('subId'),
  externalInput('rgName'),
  externalInput('kvName'),
  externalInput('secretName'),
  externalInput('secretVersion'))

Checklist

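Added example, not part of this PR or the Bicep code base: a small checker for emitted parameter-file entries that tells the literal Key Vault reference shape apart from an expression-valued one and flags the latter when the target Deployments api-version is below 2025-04-01. The sample resource ids are constructed, and the exact expression strings Bicep emits for externalInput() arguments are assumed.

```python
import re

# Constructed sample: literal reference, the shape the PR keeps for string-literal arguments.
LITERAL_PARAM = {"reference": {
    "keyVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                       "/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/kv-example"},
    "secretName": "vmPassword",
    "secretVersion": "0123456789abcdef",
}}

# Constructed sample: expression-valued reference. The exact strings Bicep emits for
# externalInput() arguments are assumed here, not taken from the PR.
EXPRESSION_PARAM = {"reference": {
    "keyVault": {"id": "[resourceId(externalInputs('subId'), externalInputs('rgName'), "
                       "'Microsoft.KeyVault/vaults', externalInputs('kvName'))]"},
    "secretName": "[externalInputs('secretName')]",
    "secretVersion": "[externalInputs('secretVersion')]",
}}

MIN_EXPR_API_VERSION = "2025-04-01"  # from the PR: older Deployments api-versions reject expressions
KV_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$")


def is_expression(value):
    """ARM treats a string in single square brackets as an expression; '[[' is an escaped literal."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))


def uses_expressions(param):
    ref = param.get("reference", {})
    fields = (ref.get("keyVault", {}).get("id"), ref.get("secretName"), ref.get("secretVersion"))
    return any(is_expression(f) for f in fields)


def check_reference(param, api_version):
    """Return a list of problems for one Key Vault parameter reference against a target api-version.

    api_version is compared on its YYYY-MM-DD prefix, so a '-preview' suffix is ignored.
    """
    ref = param.get("reference")
    if not ref or "id" not in ref.get("keyVault", {}) or "secretName" not in ref:
        return ["missing reference.keyVault.id or reference.secretName"]
    if uses_expressions(param):
        if api_version[:10] < MIN_EXPR_API_VERSION:
            return [f"expression-valued secret reference needs api-version >= "
                    f"{MIN_EXPR_API_VERSION}, target is {api_version}"]
        return []
    if not KV_ID_RE.match(ref["keyVault"]["id"]):
        return ["keyVault.id is neither an expression nor a literal Key Vault resource id"]
    return []
```

Running check_reference over every entry of a generated parameters JSON before deployment catches the api-version mismatch the PR description warns about, instead of discovering it as a Deployments API rejection.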

@levimatheri levimatheri changed the title Allow expressions in getSecret function [Do not merge] Allow expressions in getSecret function Mar 16, 2026
github-actions bot commented Mar 16, 2026

Test this change out locally with the following install scripts (Action run 23161978702)

VSCode
  • Mac/Linux
    bash <(curl -Ls https://aka.ms/bicep/nightly-vsix.sh) --run-id 23161978702
  • Windows
    iex "& { $(irm https://aka.ms/bicep/nightly-vsix.ps1) } -RunId 23161978702"
Azure CLI
  • Mac/Linux
    bash <(curl -Ls https://aka.ms/bicep/nightly-cli.sh) --run-id 23161978702
  • Windows
    iex "& { $(irm https://aka.ms/bicep/nightly-cli.ps1) } -RunId 23161978702"

@levimatheri levimatheri added do not merge Do not merge this pull request yet. 📘 Docs Not Needed labels Mar 16, 2026