I'm using the following to apply a policy definition. How do I add a Resource Group exclusion to the assignment?
{
"type": "Microsoft.Authorization/policyAssignments",
"name": "[variables('policyAssignmentAllowedLocations')]",
"apiVersion": "[variables('deploymentsApiVersion')]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/policyDefinitions/', variables('policyDefinitionAllowedLocations'))]"
],
"properties": {
"scope": "[subscription().id]",
"policyDefinitionId": "[resourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionAllowedLocations'))]"
}
}
Exclusions can be added to a policy assignment via the notScopes property.
The following resource definition describes a policy assignment which excludes a resource group named excludedResourceGroupName:
{
"type": "Microsoft.Authorization/policyAssignments",
"name": "[variables('policyAssignmentAllowedLocations')]",
"apiVersion": "[variables('deploymentsApiVersion')]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/policyDefinitions/', variables('policyDefinitionAllowedLocations'))]"
],
"properties": {
"scope": "[subscription().id]",
"policyDefinitionId": "[resourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionAllowedLocations'))]"[resourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionAllowedLocations'))]"[resourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionAllowedLocations'))]",
"notScopes" : [
"[concat(subscription().id,'/resourcegroups/',variables('excludedResourceGroupName'))]"
]
}
}
Related
I have two nested deployments:
One for resource group A which deploys a managed identity.
Second for resource group B which deploys a Keyvault and sets an access policy to the ManagedIdentity in resource group A.
I would like to have the nested deployment of the resource group B to be dependent on the nested deployment of resource group A.
(My main template is deploying to resource group C)
I have tried:
"dependsOn": [
"[variables('resourceGroupADeploymentName')]"
],
But I keep failing on:
The Resource 'Microsoft.ManagedIdentity/userAssignedIdentities/managedIdentityA' under resource group 'A' was not found.
After a while I see the ManagedIdentityA created in resource group A - so it means the dependsOn did not work and the resourceGroupB deployment did not wait for ResourceGroupA deployment.
I also tried using dependsOn resourceId but it did not work. (and also adding the dependsOn to the actual KeyVault resource deployment within ResourceGroupB)
Any idea how can I have a resource from resource group B dependent on resource from resource group A?
This is my ARM Template for resourceGroupB:
{
"name": "resourceGroupBDeploymentName",
"type": "Microsoft.Resources/deployments",
"apiVersion": "[variables('resourceDeploymentApiVersion')]",
"resourceGroup": "[parameters('B')]",
"subscriptionId": "[parameters('S')]",
"dependsOn": [
"[variables('resourceGroupADeploymentName')]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('deploymentKvName'), '/add')]",
"apiVersion": "[variables('kvApiVersion')]",
"properties": {
"accessPolicies": [
{
"tenantId": "[parameters('S')]",
"objectId": "[reference(variables('ManagedIdentityResourceGroupA'), '2018-11-30').principalId]",
"permissions": {
"keys": [],
"secrets": [],
"certificates": [
"Get"
]
}
}
]
}
}
}
]
}
}
}
This is my ARM Template for resourceGroupA:
{
"name": "[variables('ManagedIdentityResourceGroupA')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "[variables('resourceDeploymentApiVersion')]",
"resourceGroup": "[parameters('A')]",
"subscriptionId": "[parameters('S')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "[variables('ManagedIdentityResourceGroupA')]",
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2018-11-30",
"tags": {},
"location": "[resourceGroup().location]"
}
]
}
}
},
I dont think there is a way around that yet. Dependencies only work in the same resource gruop. you can use deployment script resource to run a script that would check the status and that can act as a dependsOn
I've been working on an issue and seem to be stuck, so asking on so in case anyone can help.
To describe the issue, I've got an existing Azure Key Vault setup, and wish to add a number of access policies to this resource group. It needs to be conditional as if the function name is "false" then that function should not be added to key vault access policy.
variable section:
"variables": {
"functionAccess": {
"value": [
{
"name": "[parameters('Function_1')]"
},
{
"name": "[parameters('Function_2')]"
},
{
"name": "[parameters('Function_3')]"
}
]
}
}
My Template :
{
"apiVersion": "2016-10-01",
"condition": "[not(equals(variables('functionAccess')[CopyIndex()].name, 'false'))]",
"copy": {
"batchSize": 1,
"count": "[length(variables('functionAccess'))]",
"mode": "Serial",
"name": "accessPolicies"
},
"name": "[concat(parameters('KeyVault_Name'), '/add')]",
"properties": {
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[if(not(equals(variables('functionAccess')[CopyIndex()].name, 'false')), reference(concat('Microsoft.Web/sites/', variables('functionAccess')[CopyIndex()].name), '2016-08-01', 'Full').identity.principalId, json('null'))]",
"permissions": {
"keys": [
"get",
"list"
],
"secrets": [
"get",
"list"
],
"certificates": [
"get",
"list"
]
}
}
]
},
"type": "Microsoft.KeyVault/vaults/accessPolicies"
}
When I deploy my ARM template for the azure key vault I got this error message:
The language expression property '0' can't be evaluated, property name must be a string.
also tried below, but same error:
{
"apiVersion": "2018-02-14",
"name": "[concat(parameters('KeyVault_Name'), '/add')]",
"properties": {
"copy": [
{
"batchSize": 1,
"count": "[length(variables('functionAccess'))]",
"mode": "serial",
"name": "accessPolicies",
"input": {
"condition": "[not(equals(variables('functionAccess')[copyIndex('accessPolicies')].name, 'false'))]",
"tenantId": "[subscription().tenantId]",
"objectId": "[if(not(equals(variables('functionAccess')[copyIndex('accessPolicies')].name, 'false')), reference(concat('Microsoft.Web/sites/', variables('functionAccess')[copyIndex('accessPolicies')].name), '2016-08-01', 'Full').identity.principalId, json('null'))]",
"permissions": {
"keys": [
"get",
"list"
],
"secrets": [
"get",
"list"
],
"certificates": [
"get",
"list"
]
}
}
}
]
},
"type": "Microsoft.KeyVault/vaults/accessPolicies"
}
There are a few options for dealing with filtering an array for copy operation. I deploy my ARM templates from PowerShell scripts and use PowerShell to setup parameter values. When I need special logic handle different inputs for different environments, I let PowerShell handle it.
If you must handle the filtering in ARM and you have the option to input a CSV list of functions, then perhaps the following will work. You can then use the functionAccessArray to iterate over in the copy operation.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"variables": {
"functionAccessCsv": "Function-0,Function-1,false,Function-4,false,Function-6,Function-7",
"functionAccessFiltered": "[replace(replace(variables('functionAccessCsv'), 'false', ''), ',,', ',')]",
"functionAccessArray": "[split(variables('functionAccessFiltered'), ',')]"
},
"resources": [
],
"outputs": {
"functionAccessCsvFiltered": {
"type": "string",
"value": "[variables('functionAccessFiltered')]"
},
"functionAccessArray": {
"type": "array",
"value": "[variables('functionAccessArray')]"
}
}
}
The result:
I just had the same issue. By using an array parameter with a default value instead of a variable, I got it to work.
"parameters": {
"functionAccess": {
"type": "array",
"defaultValue": [
"value1",
"value2",
"value3"
]
}
}
I am deploying a function using MSDeploy extensions and then deploying event grid subscription with this function as endpoint. Event grid deployment fails with message -
"details": [
{
"code": "Endpoint validation",
"message": "The attempt to validate the provided azure endpoint resource:/subscriptions/XXXXX/resourceGroups/ResourceGroupName/providers/Microsoft.Web/sites/FunctionAppName/functions/EndpointName failed."
}
]
I believe this is because event grid subscription tried to get created before the function endpoint deployed with MSDeploy is up and running.
How can i avoid this race condition?
Note: Deploying the same template again creates the event grid fine.
Template being used-
//function app
{
"apiVersion": "2018-11-01",
"type": "Microsoft.Web/sites",
"name": "[parameters('functionAppName')]",
"location": "[resourceGroup().location]",
"kind": "functionapp",
"dependsOn": [
"[variables('azureFunction_serverFarmResourceId')]"
],
"properties": {
"serverFarmId": "[variables('azureFunction_serverFarmResourceId')]",
"siteConfig": {
"appSettings": [
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),variables('storageAccountApiVersion')).keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),variables('storageAccountApiVersion')).keys[0].value)]"//"[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[toLower(parameters('functionAppName'))]"
},
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~3"
},
{
"name": "WEBSITE_NODE_DEFAULT_VERSION",
"value": "~10"
},
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(resourceId('microsoft.insights/components/', parameters('functionApp_applicationInsightsName')), '2015-05-01').InstrumentationKey]"
},
{
"name": "FUNCTIONS_WORKER_RUNTIME",
"value": "dotnet"
}
]
}
},
"resources": [
{
"apiVersion": "2018-11-01",
"name": "MSDeploy",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
],
"properties": {
"packageUri": "[parameters('functionAppDeployPackageUri')]"
},
"type": "extensions"
}
]
},
//event grid
{
"type": "Microsoft.Storage/storageAccounts/providers/eventSubscriptions",
"name": "[concat(parameters('storageAccountName'), '/Microsoft.EventGrid/', parameters('blobcreate_eventsubscription_name'))]",
"apiVersion": "2020-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Web/sites/', parameters('functionAppName'), '/extensions/MSDeploy')]",
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"properties": {
"destination": {
"endpointType": "AzureFunction",
"properties": {
"resourceId": "[concat(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '/functions/', variables('egressDataProcessorFunctionName'))]"
}
},
"filter": {
"subjectBeginsWith": "[concat('/blobServices/default/containers/', parameters('storageAccounts_mainblob_name'))]",
"subjectEndsWith": ".xml",
"includedEventTypes": [
"Microsoft.Storage.BlobCreated"
],
"advancedFilters": []
},
"retryPolicy": {
"maxDeliveryAttempts": "[parameters('eventgrid_maxDeliveryAttemps')]",
"eventTimeToLiveInMinutes": "[parameters('eventgrid_eventTimeToLiveInMinutes')]"
},
"deadLetterDestination": {
"endpointType": "StorageBlob",
"properties": {
"resourceId": "[variables('storageAccountResourceId')]",
"blobContainerName": "[parameters('storageAccounts_deadletterblob_name')]"
}
}
}
}
One way is to deploy your function app as a linked template, and then have your root template:
Deploy the function app template with the function url as an output.
Deploy an Event Grid subscription that depends on the function app deployment and references its output.
Another possibility is to spit appsettings into a childresource, and have that depend on your MSDeploy resource, then the Event Grid depend on appsettings.
I am deploying an arm template that contains the following resources
Microsoft.Storage/storageAccount
Microsoft.Sql/servers
Microsoft.Sql/servers/auditPolicies
Now everything worked until I started changing the values for the auditPolicies object. Here are the steps I took until the InternalServerError occurred.
Added the auditState property and set its value to Disabled. Deployment Successful.
Changed the auditState property to Enabled. Deployment failed. Error states that the storageAccountName is required.
Added storageAccountName and set its value to the name of the storage account. Deployment failed. Error states that storageAccountKey.
Added storageAccountKey and set its value to key1 of the storage account's keys object. Deployment failed. Internal Server Error - "An Error has occurred while saving Auditing settings, please try again later". Additionally, the errors cause the deployment to run indefinitely. Though I am not concerned about that aspect.
The following is the complete template.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"app-name-prefix": {
"type": "string",
"minLength": 1
},
"app-locations": {
"type": "array",
"minLength": 1
},
"app-friendly-names": {
"type": "array",
"minLength": 1
},
"db-user-admin-username": {
"type": "securestring"
},
"db-user-admin-password": {
"type": "securestring"
},
"database-audit-enabled": {
"defaultValue": "Enabled",
"allowedValues": [
"Enabled",
"Disabled"
],
"type": "string"
},
"storage-kind": {
"defaultValue": "BlobStorage",
"allowedValues": [
"StorageV2",
"BlobStorage"
],
"type": "string"
},
"storage-sku": {
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_ZRS",
"Standard_GRS",
"Standard_RAGRS",
"Premium_LRS"
],
"type": "string"
}
},
"variables": {
"db-service-name": "[concat(parameters('app-name-prefix'), '-database-service-')]",
"storage-name": "[concat(toLower(parameters('app-name-prefix')), 'auditstorage')]"
},
"resources": [
{
"name": "[concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()])]",
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "[parameters('storage-sku')]"
},
"kind": "[parameters('storage-kind')]",
"apiVersion": "2018-02-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"copy": {
"count": "[length(parameters('app-locations'))]",
"name": "storageCopy"
},
"properties": {
"supportsHttpsTrafficOnly": true,
"accessTier": "Hot",
"encryption": {
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Sql/servers",
"name": "[concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()])]",
"apiVersion": "2014-04-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"copy": {
"name": "databaseServiceCopy",
"count": "[length(parameters('app-locations'))]"
},
"properties": {
"administratorLogin": "[parameters('db-user-admin-username')]",
"administratorLoginPassword": "[parameters('db-user-admin-password')]",
"version": "12.0"
},
"resources": [
{
"type": "auditingPolicies",
"name": "Default",
"apiVersion": "2014-04-01",
"location": "[parameters('app-locations')[copyIndex()]]",
"properties": {
"auditingState": "[parameters('database-audit-enabled')]",
"storageAccountName": "[concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()])]",
"storageAccountKey": "[listKeys(concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').keys[0].value]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()]))]",
"storageCopy"
]
}
]
}
]
}
What am I missing that will help resolve this issue? What do I need to do to stop this internal server error?
I have added the complete template as was requested by #Pete
I have found the answer after connecting with Azure Support.
The resource type: Microsoft.Sql/servers/auditingPolicies is no longer supported and in the next few weeks Azure Resource Manager will no longer support this completely.
This resource type refers directly to table auditing, which has been reported as being deprecated for blob auditing. Though the documentation at this time does not directly report it. The docs will be updated in the coming days after this post, by the owners.
To enable the auditing you need to use the Microsoft.Sql/servers/auditingSettings object. The documentation on this is coming and until it does you will be directed to documentation for the database version of this resource type Microsoft.Sql/servers/databases/auditingSettings.
Auditing settings work much like the Auto-Tuning advisors. You can set either server or database level settings. The server settings will be inherited by the database if the database has not been configured directly.
This is a sample of the auditingSettings object that I use instead of the auditingPolicies object above. It is nested just the same.
{
"apiVersion": "2017-03-01-preview",
"type": "auditingSettings",
"name": "DefaultAuditingSettings",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', concat(variables('db-service-name'), parameters('app-friendly-names')[copyIndex()]))]",
"storageCopy"
],
"properties": {
"state": "Enabled",
"storageEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts', '/', variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').primaryEndpoints.blob]",
"storageAccountAccessKey": "[listKeys(concat(variables('storage-name'), parameters('app-friendly-names')[copyIndex()]), '2018-02-01').keys[0].value]",
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"isStorageSecondaryKeyInUse": false,
"retentionDays": "30"
}
}
My DSC resource currently accept string as input parameter and when I do compilation via ARM template all this information is available in clear text all over the place.
What would be the appropriate method to securely compile MOF resource in Azure Automation via ARM template? Information is stored in Azure KeyVault.
{
"name": "[guid(resourceGroup().id, deployment().name)]",
"type": "Compilationjobs",
"apiVersion": "2015-10-31",
"tags": {},
"dependsOn": [
"[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]",
"[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'),'/Configurations/swarmmanager')]"
],
"properties": {
"configuration": {
"name": "swarmmanager"
},
"parameters": {
"privateKey": "[parameters('privatekey')]",
"serverCert": "[parameters('serverCert')]",
"CACert": "[parameters('CACert')]"
}
}
}
"parameters": {
"privateKey": { "type": "securestring" },
"serverCert": { "type": "securestring" },