I have two nested deployments:
One for resource group A which deploys a managed identity.
Second for resource group B which deploys a Keyvault and sets an access policy to the ManagedIdentity in resource group A.
I would like to have the nested deployment of the resource group B to be dependent on the nested deployment of resource group A.
(My main template is deploying to resource group C)
I have tried:
"dependsOn": [
"[variables('resourceGroupADeploymentName')]"
],
But I keep failing on:
The Resource 'Microsoft.ManagedIdentity/userAssignedIdentities/managedIdentityA' under resource group 'A' was not found.
After a while I see the ManagedIdentityA created in resource group A - so it means the dependsOn did not work and the resourceGroupB deployment did not wait for ResourceGroupA deployment.
I also tried using dependsOn resourceId but it did not work. (and also adding the dependsOn to the actual KeyVault resource deployment within ResourceGroupB)
Any idea how can I have a resource from resource group B dependent on resource from resource group A?
This is my ARM Template for resourceGroupB:
{
"name": "resourceGroupBDeploymentName",
"type": "Microsoft.Resources/deployments",
"apiVersion": "[variables('resourceDeploymentApiVersion')]",
"resourceGroup": "[parameters('B')]",
"subscriptionId": "[parameters('S')]",
"dependsOn": [
"[variables('resourceGroupADeploymentName')]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('deploymentKvName'), '/add')]",
"apiVersion": "[variables('kvApiVersion')]",
"properties": {
"accessPolicies": [
{
"tenantId": "[parameters('S')]",
"objectId": "[reference(variables('ManagedIdentityResourceGroupA'), '2018-11-30').principalId]",
"permissions": {
"keys": [],
"secrets": [],
"certificates": [
"Get"
]
}
}
]
}
}
}
]
}
}
}
This is my ARM Template for resourceGroupA:
{
"name": "[variables('ManagedIdentityResourceGroupA')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "[variables('resourceDeploymentApiVersion')]",
"resourceGroup": "[parameters('A')]",
"subscriptionId": "[parameters('S')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "[variables('ManagedIdentityResourceGroupA')]",
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2018-11-30",
"tags": {},
"location": "[resourceGroup().location]"
}
]
}
}
},
I dont think there is a way around that yet. Dependencies only work in the same resource gruop. you can use deployment script resource to run a script that would check the status and that can act as a dependsOn
Related
I'm looking at template generated for adding Web App which is generated by Azure portal. I chose .NET core as runtime and it's passed to metadata field in generated ARM template below with a value of dotnetcore. The end result is resource created in Azure with all the stuff you expect from web app. I don't see this field being documented and or explanation how it's being used. Is it some internal know-how or how this process works?
"resources": [
{
"apiVersion": "2018-11-01",
"name": "[parameters('name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('location')]",
"tags": {},
"dependsOn": [],
"properties": {
"name": "[parameters('name')]",
"siteConfig": {
"appSettings": [
{
"name": "ANCM_ADDITIONAL_ERROR_PAGE_LINK",
"value": "[parameters('errorLink')]"
}
],
"metadata": [
{
"name": "CURRENT_STACK",
"value": "[parameters('currentStack')]"
}
],
"phpVersion": "[parameters('phpVersion')]",
"alwaysOn": "[parameters('alwaysOn')]"
},
"serverFarmId": "[concat('/subscriptions/', parameters('subscriptionId'),'/resourcegroups/', parameters('serverFarmResourceGroup'), '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]",
"hostingEnvironment": "[parameters('hostingEnvironment')]",
"clientAffinityEnabled": true
}
}
]
I am deploying an arm template that contains the following resources
Microsoft.Storage/storageAccount
Microsoft.Sql/servers
Microsoft.Sql/servers/auditPolicies
Now everything worked until I started changing the values for the auditPolicies object. Here are the steps I took until the InternalServerError occurred.
Added the auditState property and set its value to Disabled. Deployment Successful.
Changed the auditState property to Enabled. Deployment failed. Error states that the storageAccountName is required.
Added storageAccountName and set its value to the name of the storage account. Deployment failed. Error states that storageAccountKey.
Added storageAccountKey and set its value to key1 of the storage account's keys object. Deployment failed. Internal Server Error - "An Error has occurred while saving Auditing settings, please try again later". Additionally, the errors cause the deployment to run indefinitely. Though I am not concerned about that aspect.
The following is the complete template.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"app-name-prefix": {
"type": "string",
"minLength": 1
},
"app-locations": {
"type": "array",
"minLength": 1
},
"app-friendly-names": {
"type": "array",
"minLength": 1
},
"db-user-admin-username": {
"type": "securestring"
},
"db-user-admin-password": {
"type": "securestring"
},
"database-audit-enabled": {
"defaultValue": "Enabled",
"allowedValues": [
"Enabled",
"Disabled"
],
"type": "string"
},
"storage-kind": {
"defaultValue": "BlobStorage",
"allowedValues": [
"StorageV2",
"BlobStorage"
],
"type": "string"
},
"storage-sku": {
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_ZRS",
"Standard_GRS",
"Standard_RAGRS",
"Premium_LRS"
],
"type": "string"
}
},
"variables": {
"db-service-name": "[concat(parameters('app-name-prefix'), '-database-service-')]",
"storage-name": "[concat(toLower(parameters('app-name-prefix')), 'auditstorage')]"
},
"resources": [
{
"name": "[concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()])]",
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "[parameters('storage-sku')]"
},
"kind": "[parameters('storage-kind')]",
"apiVersion": "2018-02-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"copy": {
"count": "[length(parameters('app-locations'))]",
"name": "storageCopy"
},
"properties": {
"supportsHttpsTrafficOnly": true,
"accessTier": "Hot",
"encryption": {
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Sql/servers",
"name": "[concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()])]",
"apiVersion": "2014-04-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"copy": {
"name": "databaseServiceCopy",
"count": "[length(parameters('app-locations'))]"
},
"properties": {
"administratorLogin": "[parameters('db-user-admin-username')]",
"administratorLoginPassword": "[parameters('db-user-admin-password')]",
"version": "12.0"
},
"resources": [
{
"type": "auditingPolicies",
"name": "Default",
"apiVersion": "2014-04-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"properties": {
"auditingState": "[parameters('database-audit-enabled')]",
"storageAccountName": "[concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()])]",
"storageAccountKey": "[listKeys(concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').keys[0].value]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()]))]",
"storageCopy"
]
}
]
}
]
}
What am I missing that will help resolve this issue? What do I need to do to stop this internal server error?
I have added the complete template as was requested by #Pete
I have found the answer after connecting with Azure Support.
The resource type: Microsoft.Sql/servers/auditingPolicies is no longer supported and in the next few weeks Azure Resource Manager will no longer support this completely.
This resource type refers directly to table auditing, which has been reported as being deprecated for blob auditing. Though the documentation at this time does not directly report it. The docs will be updated in the coming days after this post, by the owners.
To enable the auditing you need to use the Microsoft.Sql/servers/auditingSettings object. The documentation on this is coming and until it does you will be directed to documentation for the database version of this resource type Microsoft.Sql/servers/databases/auditingSettings.
Auditing settings work much like the Auto-Tuning advisors. You can set either server or database level settings. The server settings will be inherited by the database if the database has not been configured directly.
This is a sample of the auditingSettings object that I use instead of the auditingPolicies object above. It is nested just the same.
{
"apiVersion": "2017-03-01-preview",
"type": "auditingSettings",
"name": "DefaultAuditingSettings",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()]))]",
"storageCopy"
],
"properties": {
"state": "Enabled",
"storageEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts', '/', variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').primaryEndpoints.blob]",
"storageAccountAccessKey": "[listKeys(concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').keys[0].value]",
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"isStorageSecondaryKeyInUse": false,
"retentionDays": "30"
}
}
I'm using the following to apply a policy definition. How do I add a Resource Group exclusion to the assignment?
{
"type": "Microsoft.Authorization/policyAssignments",
"name": "[variables('policyAssignmentAllowedLocations')]",
"apiVersion": "[variables('deploymentsApiVersion')]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/policyDefinitions/', variables('policyDefinitionAllowedLocations'))]"
],
"properties": {
"scope": "[subscription().id]",
"policyDefinitionId": "[resourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionAllowedLocations'))]"
}
}
Exclusions can be added to a policy assignment via the notScopes property.
The following resource definition describes a policy assignment which excludes a resource group named excludedResourceGroupName:
{
"type": "Microsoft.Authorization/policyAssignments",
"name": "[variables('policyAssignmentAllowedLocations')]",
"apiVersion": "[variables('deploymentsApiVersion')]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/policyDefinitions/', variables('policyDefinitionAllowedLocations'))]"
],
"properties": {
"scope": "[subscription().id]",
"policyDefinitionId": "[resourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionAllowedLocations'))]"[resourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionAllowedLocations'))]"[resourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionAllowedLocations'))]",
"notScopes" : [
"[concat(subscription().id,'/resourcegroups/',variables('excludedResourceGroupName'))]"
]
}
}
My DSC resource currently accept string as input parameter and when I do compilation via ARM template all this information is available in clear text all over the place.
What would be the appropriate method to securely compile MOF resource in Azure Automation via ARM template? Information is stored in Azure KeyVault.
{
"name": "[guid(resourceGroup().id, deployment().name)]",
"type": "Compilationjobs",
"apiVersion": "2015-10-31",
"tags": {},
"dependsOn": [
"[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]",
"[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'),'/Configurations/swarmmanager')]"
],
"properties": {
"configuration": {
"name": "swarmmanager"
},
"parameters": {
"privateKey": "[parameters('privatekey')]",
"serverCert": "[parameters('serverCert')]",
"CACert": "[parameters('CACert')]"
}
}
}
"parameters": {
"privateKey": { "type": "securestring" },
"serverCert": { "type": "securestring" },
When deploying the resources for my Function App with an ARM template like this
{
"type": "Microsoft.Web/sites",
"kind": "functionapp",
"name": "[parameters('appNameFunctions')]",
"apiVersion": "2015-08-01",
"location": "West Europe",
"tags": {},
"properties": {
"name": "[parameters('appNameFunctions')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('aspNameFunctions'))]"
},
"resources": [
{
"name": "appsettings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[concat('Microsoft.Web/sites/', parameters('appNameFunctions'))]"
],
"tags": {
"displayName": "fnAppSettings"
},
"properties": {
"AzureWebJobsStorage":"[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountNameFunctions'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
"AzureWebJobsDashboard":"[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountNameFunctions'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING":"[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountNameFunctions'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
"WEBSITE_CONTENTSHARE":"[parameters('appNameFunctions')]",
"FUNCTIONS_EXTENSION_VERSION":"~0.8",
"AZUREJOBS_EXTENSION_VERSION":"beta",
"WEBSITE_NODE_DEFAULT_VERSION":"6.5.0"
}
}
],
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('aspNameFunctions'))]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions'))]"
]
}
is it sufficient to just set FUNCTIONS_EXTENSION_VERSION to the desired version and App Service automatically adjusts / loads the correct runtime or is there something else that needs to be adjusted or executed?
Yes, it is sufficient, and is exactly what the Portal does when you click the button to upgrade your app.
Another option is to set it to "latest", which means it will always use the very latest. Though the risk in doing that is to be affected by breaking changes.