Azure ARM Resource provisioning with secrets:
Introduction: Secrets are passwords,
certificates, symmetric keys, managed service identities and other such closely
guarded and sensitive information that must be both generated and renewed for
accessing resources and services on Azure. One of the requirements for using a
secret store is the automation of these routines. Some secrets must be deployed
together with their own resources. For example, virtual machines and virtual
machine scale sets can be designated to use certain secrets. Similarly, storage
accounts can be provisioned with secrets that can then be requested over
encrypted web traffic. These must be deployed as part of the PaaS V2 offering
for these scenarios. PaaS V2 is the term used for managed applications involving
infrastructure such as Virtual Machines, Virtual Machine Scale Sets (VMSS),
Service Fabric, Elastic-AP, Azure Container Service, etc. Integration of the
secret management routines with the Compute Resource Provider is necessary to
enable this PaaS integration. A use case for using secrets with compute is a
PaaS deployment that requires a VMSS to span one or more fabric controllers,
with each fabric controller managing a fabric tenant. Secrets for such use cases
are serviced by a service that is available regionally.
The workflow involves an application deployment
using ARM Templates, which in turn creates VMs and VMSS through a regional
Compute resource provider that relies on, say, Fabric controllers. The regional
secret provider service pushes secrets to the fabric's secret cache, which
improves scale-up and scale-down of resources without depending on the service
that provides the secrets at that time. Once the resources are created, they can
individually poll for updates to their secrets using the endpoint of the service
that generates and renews them.
The following components are involved in
implementing this workflow.
• A configuration layer which provides the
implementation for registered-feature usage. Use of the secrets provided by
the secret management service is supported only for subscriptions that have been
registered with a specified feature flag. Customers must use the approval
workflow to register their subscriptions with this feature flag.
• VM and VMSS controllers, which implement the
various APIs that are invoked by ARM. The VM/VMSS validations also happen in
this layer. The provisioning of resources with secrets must conform to the
provisioning of regular resources; only their ARM Templates differ, because they
carry the reference to the provisioning of a secret. Deployments can be
parallelized across locations.
• State reconciliation, which creates the async
operations and persists the goal state for a given definition of a VM/VMSS
involving the secrets.
• The state reconciliation may involve a
composition of states, such as for the VM pipeline and the VMSS pipeline. Each
pipeline is further subdivided into multiple blocks responsible for driving
the pipeline to its desired state. Blocks can be executed in parallel and
synchronized when required. State reconciliation requires a state-seeking
engine that implements a graph traversal and a state machine workflow.
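As an added example (not code from this post or from any Azure component), here is the kind of check a VM/VMSS controller layer could run over an ARM template before provisioning: it verifies that secrets are referenced from a vault rather than written into the template. It assumes the Key Vault style `osProfile.secrets` reference (`sourceVault.id` plus `vaultCertificates[].certificateUrl`) and a constructed sample template; the regional secret service described above may use a different reference format.

```python
import json

# Constructed sample (not the page's own template): a VMSS fragment whose admin
# password is a securestring parameter with no default and whose certificate is
# referenced from a vault instead of being embedded in the template.
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {"adminPassword": {"type": "securestring"},
                 "vaultId": {"type": "string"}},
  "resources": [{
    "type": "Microsoft.Compute/virtualMachineScaleSets",
    "name": "app-vmss",
    "properties": {"virtualMachineProfile": {"osProfile": {
      "adminPassword": "[parameters('adminPassword')]",
      "secrets": [{"sourceVault": {"id": "[parameters('vaultId')]"},
                   "vaultCertificates": [{"certificateUrl":
          "https://example-vault.vault.azure.net/secrets/app-cert/VERSION-PLACEHOLDER"}]}]
    }}}
  }]
}
""")

COMPUTE_TYPES = {"microsoft.compute/virtualmachines",
                 "microsoft.compute/virtualmachinescalesets"}

def validate_secret_references(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    # A securestring with a default value stores the secret in the template itself.
    for name, param in template.get("parameters", {}).items():
        if param.get("type", "").lower() == "securestring" and "defaultValue" in param:
            findings.append(f"parameter {name}: securestring has a defaultValue")
    for res in template.get("resources", []):
        if res.get("type", "").lower() not in COMPUTE_TYPES:
            continue
        props = res.get("properties", {})
        # VMSS nests osProfile under virtualMachineProfile; a VM has it at the top level.
        os_profile = props.get("virtualMachineProfile", props).get("osProfile", {})
        password = os_profile.get("adminPassword")
        # The password must be an ARM expression such as [parameters('x')], not a literal.
        if password is not None and not (password.startswith("[") and password.endswith("]")):
            findings.append(f"{res.get('name')}: adminPassword is a literal value")
        for secret in os_profile.get("secrets", []):
            if not secret.get("sourceVault", {}).get("id"):
                findings.append(f"{res.get('name')}: secret entry lacks sourceVault.id")
            for cert in secret.get("vaultCertificates", []):
                if not cert.get("certificateUrl", "").startswith("https://"):
                    findings.append(f"{res.get('name')}: certificateUrl is not https")
    return findings
```

Running `validate_secret_references(SAMPLE_TEMPLATE)` returns an empty list; a template with an inline password, a securestring default, a missing `sourceVault.id` or a plain-http certificate URL returns one finding per defect.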