[AVM Module Issue]: Key Vault Secret Reference for Domain Join Extension

[Rembrandtastic]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Issue Type?

Security Bug

Module Name

avm/res/compute/virtual-machine

(Optional) Module Version

No response

Description

Currently when trying to pass key vault secret references for the domain join extension into the Virtual Machine module I am given the error that this parameter is not using a secure decorator which is required for the getSecret function. This means I cannot use the domain join extension as my sensitive domain account needs to be referenced from a key vault.

(Optional) Correlation Id

No response

[microsoft-github-policy-service]

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

[avm-team-linter]

@Rembrandtastic, thanks for submitting this issue for the avm/res/compute/virtual-machine module!

Important

A member of the @Azure/avm-res-compute-virtualmachine-module-owners-bicep or @Azure/avm-res-compute-virtualmachine-module-contributors-bicep team will review it soon!

[AlexanderSehr]

Hey @Rembrandtastic,
isn't the module expecting set password via the @secure extensionDomainJoinPassword parameter?

bicep-registry-modules/avm/res/compute/virtual-machine/main.bicep

Lines 149 to 155 in 6221280

	@description('Optional. Required if name is specified. Password of the user specified in user parameter.')
	@secure()
	param extensionDomainJoinPassword string = ''
	@description('Optional. The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed.')
	@secure()
	param extensionDomainJoinConfig object = {}

being used here:

bicep-registry-modules/avm/res/compute/virtual-machine/main.bicep

Lines 713 to 734 in 6221280

	module vm_domainJoinExtension 'extension/main.bicep' = if (contains(extensionDomainJoinConfig, 'enabled') && extensionDomainJoinConfig.enabled) {
	name: '${uniqueString(deployment().name, location)}-VM-DomainJoin'
	params: {
	virtualMachineName: vm.name
	name: 'DomainJoin'
	location: location
	publisher: 'Microsoft.Compute'
	type: 'JsonADDomainExtension'
	typeHandlerVersion: extensionDomainJoinConfig.?typeHandlerVersion ?? '1.3'
	autoUpgradeMinorVersion: extensionDomainJoinConfig.?autoUpgradeMinorVersion ?? true
	enableAutomaticUpgrade: extensionDomainJoinConfig.?enableAutomaticUpgrade ?? false
	settings: extensionDomainJoinConfig.settings
	supressFailures: extensionDomainJoinConfig.?supressFailures ?? false
	tags: extensionDomainJoinConfig.?tags ?? tags
	protectedSettings: {
	Password: extensionDomainJoinPassword
	}
	}
	dependsOn: [
	vm_aadJoinExtension
	]
	}

[AlexanderSehr]

I think part of the challenge is that there is no User-defined type for the extension - and to make matters worse also not example in the max tests as there is no domain we could 'test join' the deployed VM to.
Any ideas how we could maybe work around this limitation @rahalan?

At least a UDT 'should' be possible.

[microsoft-github-policy-service]

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

• To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
• To avoid this rule being (re)triggered, the ""Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

[rahalan]

@Rembrandtastic thanks, will look into it