Use your private linked ARM templates with ease

Everyone that worked with ARM templates knows that they are error prone. More often than not it’s a struggle get them right. So, if you don’t want your team to wonder if that 6th floor window isn’t an easier way out, you provide them reusable templates. One problem with linked templates is that they must be publicly available. As not all companies want their resources be publicly exposed, you need to find another way.

As you want to use ARM templates, I assume you’re already working with Azure. It’s kind of logical you want to store your ARM templates in Azure as well.

Put your ARM templates in Azure storage

Create an Azure storage account. Create a blob container and make sure you set the “Public access level” to “Private (no anonymous access)

private blob

Once the container is created you can upload all your reusable ARM templates. In a previous post you can verify how I set up reusable and linked templates.

Inject a SAS token in your Azure DevOps pipeline

To access the private blob files, you can use a SAS token. A SAS token can be generated for your CD pipeline by adding a simple Azure Powershell script:

Set-AzCurrentStorageAccount -ResourceGroupName "<name-of-your-resource-group>" -Name "<name-of-your-storage-account>"
$token = New-AzStorageContainerSASToken -Name "<name-of-the-private-blob-container>" -Permission r -ExpiryTime (Get-Date).AddMinutes(30.0)
Write-Host ("##vso[task.setvariable variable=infra_armTemplateToken;issecret=true;]$token")

The script generates a token and inject the variable $(infra_armTemplateToken) in your DevOps pipeline so you can use it in your ARM deployment task. Notice that the token is only valid for 30 minutes. Please note that your Service Principle (used by your Azure DevOps) needs to have access on the resource group where the storage account lives.

If you get the error [error]The term ‘Set-AzCurrentStorageAccount’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. You can solve it by using the Azure Powershell Task version 4 (currently in preview)