Add new ip to existing CosmosDB account via ARM template - azure-resource-manager

I halve arm template that is overwriting existing iprules of cosmosDb account, is it possible to modify arm template so it will only add new ip and not to clean already existing rules.
My template:
{
"type": "Microsoft.DocumentDB/databaseAccounts",
"apiVersion": "2021-10-15",
"name": "cosmosdbaccountname",
"location": "East US",
"properties": {
"ipRules": {
"ipAddressOrRange": "some ip"
}
}
}


If configuring IP Firewall to an already deployed Cosmos account, ensure the locations array matches what is currently deployed. You cannot simultaneously modify the locations array and other properties.
Below example shows how the ipRules property is exposed in API version 2020-04-01 or later:
{
"type": "Microsoft.DocumentDB/databaseAccounts",
"name": "[variables('accountName')]",
"apiVersion": "2020-04-01",
"location": "[parameters('location')]",
"kind": "GlobalDocumentDB",
"properties": {
"consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
"locations": "[variables('locations')]",
"databaseAccountOfferType": "Standard",
"enableAutomaticFailover": "[parameters('automaticFailover')]",
"ipRules": [
{
"ipAddressOrRange": "40.76.54.131"
},
{
"ipAddressOrRange": "52.176.6.30"
},
{
"ipAddressOrRange": "52.169.50.45"
},
{
"ipAddressOrRange": "52.187.184.26"
}
]
}
}
Here's the same example for any API version prior to 2020-04-01:
{
"type": "Microsoft.DocumentDB/databaseAccounts",
"name": "[variables('accountName')]",
"apiVersion": "2019-08-01",
"location": "[parameters('location')]",
"kind": "GlobalDocumentDB",
"properties": {
"consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
"locations": "[variables('locations')]",
"databaseAccountOfferType": "Standard",
"enableAutomaticFailover": "[parameters('automaticFailover')]",
"ipRangeFilter":"40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26"
}
}
Refer this configure IP to Cosmos account using ARM

Related

Azure ARM and SQL Database size

Here is the portion of my ARM file about the database:
{
"type": "Microsoft.Sql/servers/databases",
"name": "[concat(variables('SqlServerName'), '/', variables('dbName'))]",
"tags": {
"displayName": "Database"
},
"location": "[resourceGroup().location]",
"apiVersion": "2020-02-02-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', variables('SqlServerName'))]"
],
"properties": {
"collation": "[parameters('dbCollation')]",
"edition": "[parameters('dbEdition')]",
"maxSizeBytes": "53687091200",
"requestedServiceObjectiveName": "[parameters('dbRequestedServiceObjectiveName')]"
}
}
And here my parameters:
"dbEdition": {
"value": "Standard"
},
"dbRequestedServiceObjectiveName": {
"value": "S2"
}
But these database properties are ignored and the deployed database doesn't respect them.
What's wrong?
UPDATE
As #SwathiDhanwada pointed out in comments, the edition property may not exist as per the doc.
I should use sku defined like:
Yet the powershell script to get a list of available skus for a given location returns something like:
The headers of the table are not the same as the properties of the sku object 🤦‍♂️

Landing Zone Automation - Disable Owner requirement from ESLZ ARM template

I am trying to deploy ESLZ Arm template in this link "https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/adventureworks/README.md" and it requires owner permission to do that. Is it possible to remove the Global Admin and/or Owner requirement and run the template using contributor role
I created a management group under tenant root and assigned contributor role. Now I'm trying to create additional management groups using below ARM template
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide prefix for the management group structure."
}
},
"platformMgs": {
"type": "array",
"defaultValue": [
"management",
"connectivity",
"identity"
],
"metadata": {
"description": "Management groups for platform specific purposes, such as management, networking, identity etc."
}
},
"landingZoneMgs": {
"type": "array",
"defaultValue": [
"online",
"corp"
],
"metadata": {
"description": "These are the landing zone management groups."
}
}
},
"variables": {
"enterpriseScaleManagementGroups": {
"ESLZ": "[concat(parameters('topLevelManagementGroupPrefix'))]",
"platform": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'platform')]"
}
},
"resources": [
{
// Create management group for platform management groups
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"scope": "/",
"name": "[variables('enterpriseScaleManagementGroups').platform]",
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').platform]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
}
],
"outputs": {}
}
While deploying the template i'm getting permission error, however able to create management group manually. Am I missing something in this template. Any help is really appreciated

You should be able to be able to deploy the template with contributor permissions at the tenant level... You need an owner/userAccessAdmin/global admin to grant those permissions.

Does Azure portal using undocumented ARM features to deploy App Services?

I'm looking at template generated for adding Web App which is generated by Azure portal. I chose .NET core as runtime and it's passed to metadata field in generated ARM template below with a value of dotnetcore. The end result is resource created in Azure with all the stuff you expect from web app. I don't see this field being documented and or explanation how it's being used. Is it some internal know-how or how this process works?
"resources": [
{
"apiVersion": "2018-11-01",
"name": "[parameters('name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('location')]",
"tags": {},
"dependsOn": [],
"properties": {
"name": "[parameters('name')]",
"siteConfig": {
"appSettings": [
{
"name": "ANCM_ADDITIONAL_ERROR_PAGE_LINK",
"value": "[parameters('errorLink')]"
}
],
"metadata": [
{
"name": "CURRENT_STACK",
"value": "[parameters('currentStack')]"
}
],
"phpVersion": "[parameters('phpVersion')]",
"alwaysOn": "[parameters('alwaysOn')]"
},
"serverFarmId": "[concat('/subscriptions/', parameters('subscriptionId'),'/resourcegroups/', parameters('serverFarmResourceGroup'), '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]",
"hostingEnvironment": "[parameters('hostingEnvironment')]",
"clientAffinityEnabled": true
}
}
]

Internal server error when deploying ARM Template

I am deploying an arm template that contains the following resources
Microsoft.Storage/storageAccount
Microsoft.Sql/servers
Microsoft.Sql/servers/auditPolicies
Now everything worked until I started changing the values for the auditPolicies object. Here are the steps I took until the InternalServerError occurred.
Added the auditState property and set its value to Disabled. Deployment Successful.
Changed the auditState property to Enabled. Deployment failed. Error states that the storageAccountName is required.
Added storageAccountName and set its value to the name of the storage account. Deployment failed. Error states that storageAccountKey.
Added storageAccountKey and set its value to key1 of the storage account's keys object. Deployment failed. Internal Server Error - "An Error has occurred while saving Auditing settings, please try again later". Additionally, the errors cause the deployment to run indefinitely. Though I am not concerned about that aspect.
The following is the complete template.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"app-name-prefix": {
"type": "string",
"minLength": 1
},
"app-locations": {
"type": "array",
"minLength": 1
},
"app-friendly-names": {
"type": "array",
"minLength": 1
},
"db-user-admin-username": {
"type": "securestring"
},
"db-user-admin-password": {
"type": "securestring"
},
"database-audit-enabled": {
"defaultValue": "Enabled",
"allowedValues": [
"Enabled",
"Disabled"
],
"type": "string"
},
"storage-kind": {
"defaultValue": "BlobStorage",
"allowedValues": [
"StorageV2",
"BlobStorage"
],
"type": "string"
},
"storage-sku": {
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_ZRS",
"Standard_GRS",
"Standard_RAGRS",
"Premium_LRS"
],
"type": "string"
}
},
"variables": {
"db-service-name": "[concat(parameters('app-name-prefix'), '-database-service-')]",
"storage-name": "[concat(toLower(parameters('app-name-prefix')), 'auditstorage')]"
},
"resources": [
{
"name": "[concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()])]",
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "[parameters('storage-sku')]"
},
"kind": "[parameters('storage-kind')]",
"apiVersion": "2018-02-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"copy": {
"count": "[length(parameters('app-locations'))]",
"name": "storageCopy"
},
"properties": {
"supportsHttpsTrafficOnly": true,
"accessTier": "Hot",
"encryption": {
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Sql/servers",
"name": "[concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()])]",
"apiVersion": "2014-04-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"copy": {
"name": "databaseServiceCopy",
"count": "[length(parameters('app-locations'))]"
},
"properties": {
"administratorLogin": "[parameters('db-user-admin-username')]",
"administratorLoginPassword": "[parameters('db-user-admin-password')]",
"version": "12.0"
},
"resources": [
{
"type": "auditingPolicies",
"name": "Default",
"apiVersion": "2014-04-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"properties": {
"auditingState": "[parameters('database-audit-enabled')]",
"storageAccountName": "[concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()])]",
"storageAccountKey": "[listKeys(concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').keys[0].value]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()]))]",
"storageCopy"
]
}
]
}
]
}
What am I missing that will help resolve this issue? What do I need to do to stop this internal server error?
I have added the complete template as was requested by #Pete

I have found the answer after connecting with Azure Support.
The resource type: Microsoft.Sql/servers/auditingPolicies is no longer supported and in the next few weeks Azure Resource Manager will no longer support this completely.
This resource type refers directly to table auditing, which has been reported as being deprecated for blob auditing. Though the documentation at this time does not directly report it. The docs will be updated in the coming days after this post, by the owners.
To enable the auditing you need to use the Microsoft.Sql/servers/auditingSettings object. The documentation on this is coming and until it does you will be directed to documentation for the database version of this resource type Microsoft.Sql/servers/databases/auditingSettings.
Auditing settings work much like the Auto-Tuning advisors. You can set either server or database level settings. The server settings will be inherited by the database if the database has not been configured directly.
This is a sample of the auditingSettings object that I use instead of the auditingPolicies object above. It is nested just the same.
{
"apiVersion": "2017-03-01-preview",
"type": "auditingSettings",
"name": "DefaultAuditingSettings",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()]))]",
"storageCopy"
],
"properties": {
"state": "Enabled",
"storageEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts', '/', variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').primaryEndpoints.blob]",
"storageAccountAccessKey": "[listKeys(concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').keys[0].value]",
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"isStorageSecondaryKeyInUse": false,
"retentionDays": "30"
}
}

How do I secure data in ARM template to pass to DSC compilation resource?

My DSC resource currently accept string as input parameter and when I do compilation via ARM template all this information is available in clear text all over the place.
What would be the appropriate method to securely compile MOF resource in Azure Automation via ARM template? Information is stored in Azure KeyVault.
{
"name": "[guid(resourceGroup().id, deployment().name)]",
"type": "Compilationjobs",
"apiVersion": "2015-10-31",
"tags": {},
"dependsOn": [
"[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]",
"[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'),'/Configurations/swarmmanager')]"
],
"properties": {
"configuration": {
"name": "swarmmanager"
},
"parameters": {
"privateKey": "[parameters('privatekey')]",
"serverCert": "[parameters('serverCert')]",
"CACert": "[parameters('CACert')]"
}
}
}
"parameters": {
"privateKey": { "type": "securestring" },
"serverCert": { "type": "securestring" },

Resources