We have a generic cloud template that deploys our Windows servers into our cloud deployment zones. Domain join is being done via a local netdom ps1 command defined in cloud-config, which requires the secret to be available at build time. We have multiple AD domains at play and a customer requirement that account passwords must be different across domains (we use an account with same name however), hence the requirement for seperate secrets and the need to select them at the request.
Is there any restriction in referencing secrets such they may be passed as objects into cloud-config? Statically setting the secret as "${secret.[named_secret]}" in cloud-config has no issue.
To date we've attempted to add secret selection automatically via workflow algorithm based on input domain, ABX actions via local VRA ABX via same, as well as input menu item, none of which seem update the cloud-config variable with a secret. Every attempt to update the field fails with a "null".
Any advice would be most appreciated.