
Allow expressions in getSecret function #19204

Merged
levimatheri merged 4 commits into main from levi/get-secret
Apr 10, 2026


@levimatheri levimatheri commented Mar 16, 2026

Description

This pull request introduces enhanced support for the az.getSecret function in Bicep parameter files, allowing both compile-time constant and expression-based arguments for Key Vault secret retrieval. The changes update the function overloads, expression handling, and test coverage to ensure that parameter files correctly generate Key Vault references, including scenarios with external inputs. The most important changes are grouped below by theme.

Important:
If string literal types are used for the getSecret function, then emit KV reference as before (i.e. not using resourceId() function). This prevents breaking people since the Deployments API will reject expressions in secret references below api-version 2025-04-01.

Key Vault Secret Retrieval Improvements

  • Updated the az.getSecret function overload to accept both string literals and expressions for parameters, removing the compile-time constant restriction and supporting dynamic external inputs.
  • Changed the ParameterKeyVaultReferenceExpression to use Expression objects for KeyVaultId, SecretName, and SecretVersion, allowing more flexible and dynamic expression handling.

JSON Emission and Transformation

  • Updated the ParametersJsonWriter to emit Key Vault references using EmitPropertyWithTransform, enabling transformation of expressions (such as external inputs) when generating parameter files.

Example Usage

param vmPassword = getSecret(
  externalInput('subId'), 
  externalInput('rgName'), 
  externalInput('kvName'), 
  externalInput('secretName'), 
  externalInput('secretVersion'))


@levimatheri levimatheri changed the title Allow expressions in getSecret function [Do not merge] Allow expressions in getSecret function Mar 16, 2026
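
The api-version constraint called out in the PR description can be checked before a deployment is submitted. The following is an added example, not code from this PR or the Bicep project: it scans a compiled parameters JSON file for Key Vault references whose fields are template expressions and reports them when the target api-version is older than 2025-04-01. The function names and the sample file are assumptions constructed for illustration, and the sample expressions are not the exact text Bicep emits.

```python
import json

MIN_API_VERSION = "2025-04-01"  # threshold stated in the PR description


def is_expression(value):
    """True for an ARM template expression "[...]", not the "[[" literal escape."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))


def expression_secret_refs(parameters_json):
    """Map parameter name -> Key Vault reference fields that hold expressions."""
    doc = json.loads(parameters_json)
    findings = {}
    for name, body in doc.get("parameters", {}).items():
        ref = body.get("reference") if isinstance(body, dict) else None
        if not isinstance(ref, dict):
            continue  # plain value, not a Key Vault reference
        vault = ref.get("keyVault")
        fields = {
            "keyVault.id": vault.get("id") if isinstance(vault, dict) else None,
            "secretName": ref.get("secretName"),
            "secretVersion": ref.get("secretVersion"),
        }
        dynamic = [k for k, v in fields.items() if is_expression(v)]
        if dynamic:
            findings[name] = dynamic
    return findings


def check(parameters_json, api_version):
    """Problems to fix before deploying this file with the given api-version."""
    # Assumption: api-versions are YYYY-MM-DD with an optional "-preview"
    # suffix, so the first ten characters compare correctly as strings.
    if api_version[:10] >= MIN_API_VERSION:
        return []
    return [f"{name}: expression in {', '.join(fields)} "
            f"requires api-version >= {MIN_API_VERSION}"
            for name, fields in expression_secret_refs(parameters_json).items()]


# Constructed sample: one literal reference, one expression-based reference.
SAMPLE = json.dumps({"parameters": {
    "literalSecret": {"reference": {
        "keyVault": {"id": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv"},
        "secretName": "vmPassword"}},
    "dynamicSecret": {"reference": {
        "keyVault": {"id": "[resourceId('0000', 'rg', 'Microsoft.KeyVault/vaults', 'kv')]"},
        "secretName": "[concat('vm', 'Password')]", "secretVersion": "1"}},
}})
```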

github-actions Bot commented Mar 16, 2026

Test this change out locally with the following install scripts (Action run 24260318214)

VSCode
  • Mac/Linux
    bash <(curl -Ls https://aka.ms/bicep/nightly-vsix.sh) --run-id 24260318214
  • Windows
    iex "& { $(irm https://aka.ms/bicep/nightly-vsix.ps1) } -RunId 24260318214"
Azure CLI
  • Mac/Linux
    bash <(curl -Ls https://aka.ms/bicep/nightly-cli.sh) --run-id 24260318214
  • Windows
    iex "& { $(irm https://aka.ms/bicep/nightly-cli.ps1) } -RunId 24260318214"

@levimatheri levimatheri added the "do not merge" and "📘 Docs Not Needed" labels Mar 16, 2026
@levimatheri levimatheri changed the title [Do not merge] Allow expressions in getSecret function Allow expressions in getSecret function Apr 10, 2026
@levimatheri levimatheri removed the "do not merge" label Apr 10, 2026
@levimatheri levimatheri merged commit fdf3f31 into main Apr 10, 2026
42 checks passed
@levimatheri levimatheri deleted the levi/get-secret branch April 10, 2026 19:26