How to add RBAC in Azure Databricks using ARM - azure-resource-manager

I am trying to add RBAC in Azure Databricks using ARM. I have managed to add RBAC using ARM in App Insights with the following code:
"resources": [
  {
    // Role assignment written as an extension resource nested under the App Insights component
    "type": "Microsoft.Insights/components/providers/roleAssignments",
    "apiVersion": "2017-05-01",
    // Name is "<component>/Microsoft.Authorization/<guid>". Seed the GUID from the scope,
    // principal and role so each assignment gets its own stable, unique name.
    "name": "[concat(parameters('AppInsightName'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Insights/components', parameters('AppInsightName')), parameters('principalId'), parameters('builtInRoleType')))]",
    "properties": {
      // builtInRoleType names a template variable that holds the full role definition resource ID
      "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
      "principalId": "[parameters('principalId')]"
    }
  }
]
Looking for some input on creating RBAC in Databricks using ARM.

You'd use the exact same approach:
{
  // Same pattern, nested under the Databricks workspace instead of the App Insights component
  "type": "Microsoft.Databricks/workspaces/providers/roleAssignments",
  "apiVersion": "2017-05-01",
  // Seed the GUID from workspace, principal and role rather than a fixed string,
  // so the name is stable across redeployments and unique per assignment
  "name": "[concat(parameters('databricks_name'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Databricks/workspaces', parameters('databricks_name')), parameters('principalId'), parameters('builtInRoleType')))]",
  "properties": {
    "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
    "principalId": "[parameters('principalId')]"
  }
}
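A pre-deployment check for role-assignment resources like the ones above, as an added example (my code, not from the question or the answer). It walks a template's resources and flags a guid() name seeded only with string literals (the same GUID for every scope and principal), a grant of the built-in Owner role, and a missing principalType. The template it scans is constructed for the example: the first resource copies the shape of the answer's snippet with a literal guid() seed, the second is the same grant written as Microsoft.Authorization/roleAssignments with a scope property. The role-definition GUIDs are the well-known built-in Owner and Reader IDs; the apiVersion threshold for principalType is an assumption stated in the code.

```python
"""Pre-deployment lint for role-assignment resources in an ARM template.

Added example, not code from the question or answer above. Flags:
  * a name whose guid() is seeded only with string literals, so every
    deployment of the template produces the same GUID regardless of scope
    or principal;
  * a grant of the built-in Owner role (Owner can create further role
    assignments);
  * a missing principalType (without it, assigning to a freshly created
    service principal can fail on replication delay; assumption: the
    property needs apiVersion 2018-09-01-preview or later).
"""
import json
import re
from typing import Dict, Iterator, List

# Well-known built-in role definition IDs (identical in every tenant).
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
PRINCIPAL_TYPE_MIN_API = "2018-09-01-preview"

_GUID_CALL = re.compile(r"guid\(([^)]*)\)")
# Any of these inside guid(...) means the seed varies with the deployment.
_DYNAMIC_ARG = re.compile(
    r"\b(parameters|variables|resourceId|resourceGroup|subscription|deployment"
    r"|tenantResourceId|subscriptionResourceId)\s*\("
)


def role_assignments(template: dict) -> Iterator[dict]:
    """Yield every role-assignment resource, whether written as
    Microsoft.Authorization/roleAssignments or as the nested
    <provider>/providers/roleAssignments form."""
    for res in template.get("resources", []):
        if res.get("type", "").lower().endswith("roleassignments"):
            yield res


def lint_role_assignment(res: dict) -> List[str]:
    findings = []
    for call in _GUID_CALL.finditer(res.get("name", "")):
        if not _DYNAMIC_ARG.search(call.group(1)):
            findings.append(f"guid() seeded only with literals: guid({call.group(1)})")
    props = res.get("properties", {})
    if OWNER_ROLE_ID in str(props.get("roleDefinitionId", "")).lower():
        findings.append("grants the built-in Owner role")
    if "principalType" not in props:
        api = res.get("apiVersion", "")
        hint = "" if api >= PRINCIPAL_TYPE_MIN_API else (
            f" (apiVersion {api} predates the property; use {PRINCIPAL_TYPE_MIN_API} or later)")
        findings.append("principalType not set" + hint)
    return findings


def lint_template(template: dict) -> Dict[str, List[str]]:
    """Resource name expression -> findings, for resources that have any."""
    report = {}
    for res in role_assignments(template):
        findings = lint_role_assignment(res)
        if findings:
            report[res.get("name", "<unnamed>")] = findings
    return report


# Constructed sample template: resource 0 mirrors the answer's snippet with a
# literal guid() seed, resource 1 is the scope-property form with a Reader grant.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Databricks/workspaces/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[concat(parameters('databricks_name'),'/Microsoft.Authorization/',guid('something'))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "principalId": "[parameters('principalId')]"
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[resourceId('Microsoft.Databricks/workspaces', parameters('databricks_name'))]",
      "name": "[guid(resourceId('Microsoft.Databricks/workspaces', parameters('databricks_name')), parameters('principalId'), 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(lint_template(SAMPLE_TEMPLATE), indent=2))
```

Run it against the real template file (json.load it in place of SAMPLE_TEMPLATE) before `az deployment group create`; the second resource in the sample shows the form that passes all three checks.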

Related

Landing Zone Automation - Disable Owner requirement from ESLZ ARM template

I am trying to deploy the ESLZ ARM template from this link "https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/adventureworks/README.md" and it requires Owner permission to do that. Is it possible to remove the Global Admin and/or Owner requirement and run the template using the Contributor role?
I created a management group under the tenant root and assigned the Contributor role. Now I'm trying to create additional management groups using the ARM template below:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "topLevelManagementGroupPrefix": {
      "type": "string",
      "metadata": {
        "description": "Provide prefix for the management group structure."
      }
    },
    "platformMgs": {
      "type": "array",
      "defaultValue": [
        "management",
        "connectivity",
        "identity"
      ],
      "metadata": {
        "description": "Management groups for platform specific purposes, such as management, networking, identity etc."
      }
    },
    "landingZoneMgs": {
      "type": "array",
      "defaultValue": [
        "online",
        "corp"
      ],
      "metadata": {
        "description": "These are the landing zone management groups."
      }
    }
  },
  "variables": {
    "enterpriseScaleManagementGroups": {
      "ESLZ": "[concat(parameters('topLevelManagementGroupPrefix'))]",
      "platform": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'platform')]"
    }
  },
  "resources": [
    {
      // Create management group for platform management groups
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2020-05-01",
      // Tenant-scope resource: the deployment itself runs at tenant root ("/")
      "scope": "/",
      "name": "[variables('enterpriseScaleManagementGroups').platform]",
      "properties": {
        "displayName": "[variables('enterpriseScaleManagementGroups').platform]",
        "details": {
          "parent": {
            // Existing top-level management group the new group is placed under
            "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
          }
        }
      }
    }
  ],
  "outputs": {}
}
While deploying the template I'm getting a permission error; however, I am able to create the management group manually. Am I missing something in this template? Any help is really appreciated.
You should be able to deploy the template with Contributor permissions at the tenant level... You need an Owner/User Access Administrator/Global Admin to grant those permissions.
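The answer turns on where a role assignment applies. Below is an added example (my code, not part of the question or the answer) that models Azure RBAC scope inheritance: an assignment applies at its own scope and at every scope beneath it, never above. The template in the question is a tenant-level deployment ("$schema" ends in tenantDeploymentTemplate.json and the resource carries "scope": "/"), so the deployment is authorised at "/", even though the new management group lands under the poster's top-level group. The management-group hierarchy, principals and assignments are constructed; treating Owner and Contributor as the roles that permit a deployment is a simplification, since Azure evaluates individual actions rather than role names.

```python
"""Scope inheritance model for Azure RBAC (added example, not from the page).

Assignment scopes and the hierarchy are constructed. Management groups are
not path-nested in their resource IDs, so parent links are explicit; below a
subscription the scope is a plain path and the parent is derived from it.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple


def mg(name: str) -> str:
    return f"/providers/Microsoft.Management/managementGroups/{name}"


SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # constructed ID

# Constructed hierarchy: scope -> parent scope. "/" is the Tenant Root Group.
HIERARCHY: Dict[str, str] = {
    mg("contoso"): "/",
    mg("contoso-platform"): mg("contoso"),
    SUB: mg("contoso-platform"),
}

_SUB_PATH = re.compile(r"^(/subscriptions/[^/]+)(/resourceGroups/[^/]+)?(/.+)?$", re.IGNORECASE)


def parent_of(scope: str) -> Optional[str]:
    """Parent scope, or None at the tenant root or for an unregistered scope."""
    if scope in HIERARCHY:
        return HIERARCHY[scope]
    m = _SUB_PATH.match(scope)
    if not m:
        return None
    sub, rg, rest = m.groups()
    if rest:            # a resource: its parent is the resource group (or the subscription)
        return sub + (rg or "")
    if rg:              # a resource group: its parent is the subscription
        return sub
    return None         # subscription not registered in HIERARCHY


def scope_chain(scope: str) -> List[str]:
    """The scope itself followed by each ancestor up to the tenant root."""
    chain = [scope]
    while (parent := parent_of(chain[-1])) is not None:
        chain.append(parent)
    return chain


Assignment = Tuple[str, str, str]   # (principal, role, scope)


def effective_roles(assignments: Iterable[Assignment], principal: str, target: str) -> Set[str]:
    """Roles the principal holds at `target`, directly or inherited from an ancestor scope."""
    inherited_from = set(scope_chain(target))
    return {role for p, role, scope in assignments if p == principal and scope in inherited_from}


# Simplification: built-in roles that include Microsoft.Resources/deployments/write.
DEPLOYMENT_ROLES = {"Owner", "Contributor"}


def can_run_deployment(assignments: Iterable[Assignment], principal: str, deployment_scope: str) -> bool:
    """Can the principal create a deployment at this scope? (role-name level model)"""
    return bool(effective_roles(assignments, principal, deployment_scope) & DEPLOYMENT_ROLES)


# Constructed assignments: alice mirrors the question (Contributor on the top-level
# management group); bob was given Owner at tenant root by a User Access Administrator.
ASSIGNMENTS: List[Assignment] = [
    ("alice", "Contributor", mg("contoso")),
    ("bob", "Owner", "/"),
]

if __name__ == "__main__":
    for who in ("alice", "bob"):
        for target in ("/", mg("contoso-platform"), SUB + "/resourceGroups/rg-platform"):
            print(who, target, sorted(effective_roles(ASSIGNMENTS, who, target)),
                  "deploy:", can_run_deployment(ASSIGNMENTS, who, target))
```

alice can deploy at her management group and everything under it but not at "/", which is the combination the question describes; the fix is an assignment whose scope is "/" (or an ancestor of the deployment scope), which only someone with Microsoft.Authorization write rights at that scope can create.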

Add new ip to existing CosmosDB account via ARM template

I have an ARM template that is overwriting the existing ipRules of a Cosmos DB account. Is it possible to modify the ARM template so it only adds the new IP and does not clear the already existing rules?
My template:
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2021-10-15",
  "name": "cosmosdbaccountname",
  "location": "East US",
  "properties": {
    // ipRules is an array of objects; the list sent here replaces the rules on the account
    "ipRules": [
      {
        "ipAddressOrRange": "some ip"
      }
    ]
  }
}
If configuring the IP firewall on an already deployed Cosmos account, ensure the locations array matches what is currently deployed. You cannot simultaneously modify the locations array and other properties.
The example below shows how the ipRules property is exposed in API version 2020-04-01 or later:
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "name": "[variables('accountName')]",
  "apiVersion": "2020-04-01",
  "location": "[parameters('location')]",
  "kind": "GlobalDocumentDB",
  "properties": {
    "consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
    // Must match the locations already on the account when updating an existing account
    "locations": "[variables('locations')]",
    "databaseAccountOfferType": "Standard",
    "enableAutomaticFailover": "[parameters('automaticFailover')]",
    // Complete allow-list: one object per address or CIDR range
    "ipRules": [
      {
        "ipAddressOrRange": "40.76.54.131"
      },
      {
        "ipAddressOrRange": "52.176.6.30"
      },
      {
        "ipAddressOrRange": "52.169.50.45"
      },
      {
        "ipAddressOrRange": "52.187.184.26"
      }
    ]
  }
}
Here's the same example for any API version prior to 2020-04-01:
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "name": "[variables('accountName')]",
  "apiVersion": "2019-08-01",
  "location": "[parameters('location')]",
  "kind": "GlobalDocumentDB",
  "properties": {
    "consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
    "locations": "[variables('locations')]",
    "databaseAccountOfferType": "Standard",
    "enableAutomaticFailover": "[parameters('automaticFailover')]",
    // Older form: the same allow-list as a single comma-separated string
    "ipRangeFilter": "40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26"
  }
}
Refer to the docs on configuring IP access to a Cosmos account using ARM.
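Since both forms above are the complete allow-list, the way to add an address without losing the existing ones is read-modify-write: fetch the current rules, merge, then deploy the merged list. The script below is an added example (my code, not from the question or the answer). CURRENT_RULES is a constructed stand-in for the output of `az cosmosdb show -n <account> -g <rg> --query ipRules`, and NEW_ENTRIES is the constructed input to add; it validates each entry as IPv4 (the Cosmos DB firewall does not accept IPv6), rejects CIDR entries with host bits set, de-duplicates, and emits both the ipRules array and the older ipRangeFilter string.

```python
"""Read-modify-write for Cosmos DB IP firewall rules (added example, not from the page).

ipRules (and the older ipRangeFilter string) is the whole allow-list, so the
template must carry existing rules plus the additions. CURRENT_RULES and
NEW_ENTRIES below are constructed sample data.
"""
import ipaddress
from typing import Dict, Iterable, List

Rule = Dict[str, str]   # {"ipAddressOrRange": "..."} as in the ARM ipRules array


def canonical(entry: str) -> str:
    """Validate one IPv4 address or CIDR block and return its canonical form.
    Rejects IPv6 and CIDR entries with host bits set, so a typo fails here
    rather than at deployment time."""
    net = ipaddress.ip_network(entry.strip())     # strict by default: "10.0.0.5/24" raises
    if net.version != 4:
        raise ValueError(f"IPv4 only, got {entry!r}")
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def merge_ip_rules(current: Iterable[Rule], additions: Iterable[str]) -> List[Rule]:
    """Existing rules first, then new entries, de-duplicated after canonicalisation
    (so "52.176.6.30" and "52.176.6.30/32" count as the same rule)."""
    merged: List[str] = []
    for entry in [rule["ipAddressOrRange"] for rule in current] + list(additions):
        value = canonical(entry)
        if value not in merged:
            merged.append(value)
    return [{"ipAddressOrRange": value} for value in merged]


def to_ip_range_filter(rules: Iterable[Rule]) -> str:
    """The same allow-list in the comma-separated ipRangeFilter form used by
    apiVersions before 2020-04-01."""
    return ",".join(rule["ipAddressOrRange"] for rule in rules)


# Constructed sample of what is already on the account.
CURRENT_RULES: List[Rule] = [
    {"ipAddressOrRange": "40.76.54.131"},
    {"ipAddressOrRange": "52.176.6.30"},
]
# Constructed entries to add; the first is already present and must not be duplicated.
NEW_ENTRIES = ["52.176.6.30/32", "203.0.113.7", "198.51.100.0/24"]

if __name__ == "__main__":
    import json
    rules = merge_ip_rules(CURRENT_RULES, NEW_ENTRIES)
    # Drop this into properties.ipRules; leave locations and the other properties as deployed.
    print(json.dumps({"ipRules": rules}, indent=2))
    print("ipRangeFilter:", to_ip_range_filter(rules))
```

Feed the merged list into the template's ipRules (or the string into ipRangeFilter for an older apiVersion) as a parameter value, keeping the locations array and the other account properties exactly as currently deployed, per the answer above.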

Does the Azure portal use undocumented ARM features to deploy App Services?

I'm looking at the template generated for adding a Web App, which is generated by the Azure portal. I chose .NET Core as the runtime and it's passed to the metadata field in the generated ARM template below with a value of dotnetcore. The end result is a resource created in Azure with all the stuff you expect from a web app. I don't see this field documented, nor any explanation of how it's used. Is it some internal know-how, or how does this process work?
"resources": [
  {
    "apiVersion": "2018-11-01",
    "name": "[parameters('name')]",
    "type": "Microsoft.Web/sites",
    "location": "[parameters('location')]",
    "tags": {},
    "dependsOn": [],
    "properties": {
      "name": "[parameters('name')]",
      "siteConfig": {
        "appSettings": [
          {
            "name": "ANCM_ADDITIONAL_ERROR_PAGE_LINK",
            "value": "[parameters('errorLink')]"
          }
        ],
        // Portal-generated: carries the runtime chosen in the portal (here "dotnetcore")
        "metadata": [
          {
            "name": "CURRENT_STACK",
            "value": "[parameters('currentStack')]"
          }
        ],
        "phpVersion": "[parameters('phpVersion')]",
        "alwaysOn": "[parameters('alwaysOn')]"
      },
      "serverFarmId": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourcegroups/', parameters('serverFarmResourceGroup'), '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]",
      "hostingEnvironment": "[parameters('hostingEnvironment')]",
      "clientAffinityEnabled": true
    }
  }
]

How do I secure data in ARM template to pass to DSC compilation resource?

My DSC resource currently accepts strings as input parameters, and when I do the compilation via an ARM template all this information is available in clear text all over the place.
What would be the appropriate method to securely compile the MOF resource in Azure Automation via an ARM template? The information is stored in Azure Key Vault.
{
  // Compilation jobs are named by GUID; this one is derived from the resource group and deployment name
  "name": "[guid(resourceGroup().id, deployment().name)]",
  "type": "Compilationjobs",
  "apiVersion": "2015-10-31",
  "tags": {},
  "dependsOn": [
    "[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]",
    "[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'), '/Configurations/swarmmanager')]"
  ],
  "properties": {
    "configuration": {
      "name": "swarmmanager"
    },
    // The template parameters are passed straight through as configuration parameters
    "parameters": {
      "privateKey": "[parameters('privatekey')]",
      "serverCert": "[parameters('serverCert')]",
      "CACert": "[parameters('CACert')]"
    }
  }
}
"parameters": {
  "privateKey": { "type": "securestring" },
  "serverCert": { "type": "securestring" },
  "CACert": { "type": "securestring" }
}

Is setting FUNCTIONS_EXTENSION_VERSION sufficient when updating Azure Function App with ARM template?

When deploying the resources for my Function App with an ARM template like this
{
  "type": "Microsoft.Web/sites",
  "kind": "functionapp",
  "name": "[parameters('appNameFunctions')]",
  "apiVersion": "2015-08-01",
  "location": "West Europe",
  "tags": {},
  "properties": {
    "name": "[parameters('appNameFunctions')]",
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('aspNameFunctions'))]"
  },
  "resources": [
    {
      "name": "appsettings",
      "type": "config",
      "apiVersion": "2015-08-01",
      "dependsOn": [
        "[concat('Microsoft.Web/sites/', parameters('appNameFunctions'))]"
      ],
      "tags": {
        "displayName": "fnAppSettings"
      },
      "properties": {
        // listKeys(...).key1 is the shape returned by the 2015-05-01-preview storage API
        "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountNameFunctions'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
        "AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountNameFunctions'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
        "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountNameFunctions'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
        "WEBSITE_CONTENTSHARE": "[parameters('appNameFunctions')]",
        // Selects the Functions runtime version loaded for the app
        "FUNCTIONS_EXTENSION_VERSION": "~0.8",
        "AZUREJOBS_EXTENSION_VERSION": "beta",
        "WEBSITE_NODE_DEFAULT_VERSION": "6.5.0"
      }
    }
  ],
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', parameters('aspNameFunctions'))]",
    "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions'))]"
  ]
}
is it sufficient to just set FUNCTIONS_EXTENSION_VERSION to the desired version and App Service automatically adjusts / loads the correct runtime or is there something else that needs to be adjusted or executed?
Yes, it is sufficient, and is exactly what the Portal does when you click the button to upgrade your app.
Another option is to set it to "latest", which means it will always use the very latest. Though the risk in doing that is to be affected by breaking changes.
