[AVM Module Issue]: Key Vault Secret Reference for Domain Join Extension

[Rembrandtastic]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Issue Type?

Security Bug

Module Name

avm/res/compute/virtual-machine

(Optional) Module Version

No response

Description

Currently when trying to pass key vault secret references for the domain join extension into the Virtual Machine module I am given the error that this parameter is not using a secure decorator which is required for the getSecret function. This means I cannot use the domain join extension as my sensitive domain account needs to be referenced from a key vault.

(Optional) Correlation Id

No response

[avm-team-linter]

@Rembrandtastic, thanks for submitting this issue for the avm/res/compute/virtual-machine module!

Important

A member of the @Azure/avm-res-compute-virtualmachine-module-owners-bicep or @Azure/avm-res-compute-virtualmachine-module-contributors-bicep team will review it soon!

[AlexanderSehr]

Hey @Rembrandtastic,
isn't the module expecting set password via the @secure extensionDomainJoinPassword parameter?

bicep-registry-modules/avm/res/compute/virtual-machine/main.bicep

Lines 149 to 155 in 6221280

	@description('Optional. Required if name is specified. Password of the user specified in user parameter.')
	@secure()
	param extensionDomainJoinPassword string = ''
	@description('Optional. The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed.')
	@secure()
	param extensionDomainJoinConfig object = {}

being used here:

bicep-registry-modules/avm/res/compute/virtual-machine/main.bicep

Lines 713 to 734 in 6221280

	module vm_domainJoinExtension 'extension/main.bicep' = if (contains(extensionDomainJoinConfig, 'enabled') && extensionDomainJoinConfig.enabled) {
	name: '${uniqueString(deployment().name, location)}-VM-DomainJoin'
	params: {
	virtualMachineName: vm.name
	name: 'DomainJoin'
	location: location
	publisher: 'Microsoft.Compute'
	type: 'JsonADDomainExtension'
	typeHandlerVersion: extensionDomainJoinConfig.?typeHandlerVersion ?? '1.3'
	autoUpgradeMinorVersion: extensionDomainJoinConfig.?autoUpgradeMinorVersion ?? true
	enableAutomaticUpgrade: extensionDomainJoinConfig.?enableAutomaticUpgrade ?? false
	settings: extensionDomainJoinConfig.settings
	supressFailures: extensionDomainJoinConfig.?supressFailures ?? false
	tags: extensionDomainJoinConfig.?tags ?? tags
	protectedSettings: {
	Password: extensionDomainJoinPassword
	}
	}
	dependsOn: [
	vm_aadJoinExtension
	]
	}

[AlexanderSehr]

I think part of the challenge is that there is no User-defined type for the extension - and to make matters worse also not example in the max tests as there is no domain we could 'test join' the deployed VM to.
Any ideas how we could maybe work around this limitation @rahalan?

At least a UDT 'should' be possible.

[rahalan]

@Rembrandtastic thanks, will look into it

[Rembrandtastic]

I think part of the challenge is that there is no User-defined type for the extension - and to make matters worse also not example in the max tests as there is no domain we could 'test join' the deployed VM to. Any ideas how we could maybe work around this limitation @rahalan?

At least a UDT 'should' be possible.

Okay yeah I am a little new to AVM and did not think to go look at the actual module code to see the parameters. You are right though, UDT, or just an example usage in the documentation would probably help avoid this issue for AVM new comers like me.

Thanks!

[AlexanderSehr]

I think part of the challenge is that there is no User-defined type for the extension - and to make matters worse also not example in the max tests as there is no domain we could 'test join' the deployed VM to. Any ideas how we could maybe work around this limitation @rahalan?
At least a UDT 'should' be possible.

Okay yeah I am a little new to AVM and did not think to go look at the actual module code to see the parameters. You are right though, UDT, or just an example usage in the documentation would probably help avoid this issue for AVM new comers like me.

Thanks!

Hey @Rembrandtastic,
going to the code certainly would be an option - but - the readme would've already provided some insights without needing you to screen the code :)