How do I troubleshoot "InternalServerError" returned by ARM deployment - azure-resource-manager

Trying to deploy custom module to Azure Automation account and getting error during deployment.
So there are 2 issues:
1. Deployment instead of failing ending up indefinetely stack with InternalServerError
2. Failure itself is non-descriptive and impossible to troubleshoot
Error
{
"code": "InternalServerError",
"message": "{\"Message\":\"An error has occurred.\"}"
}
Template
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Automation Account Name": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2015-10-31",
"location": "southcentralus",
"name": "[parameters('Automation Account Name')]",
"type": "Microsoft.Automation/automationAccounts",
"properties": {
"sku": {
"name": "Basic"
}
},
"tags": {},
"resources": [
{
"name": "cdscdockerswarm",
"type": "modules",
"apiVersion": "2015-10-31",
"properties": {
"contentLink": {
"uri": "https://github.com/artisticcheese/dockerswarmarm/raw/master/modules/cdscdockerswarm.zip"
}
},
"dependsOn": [
"[concat('Microsoft.Automation/automationAccounts/', parameters('Automation Account Name'))]"
]
}
]
}
],
"outputs": {}
}

Related

I was trying to deploy a Storage Account using ARM template. However, an error has been thrown. Can someone help me on this issue

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "North Europe"
},
"storageaccountname": {
"defaultValue": "storageforarm1910",
"type": "string"
},
"storageaccounttype": {
"type": "string",
"defaultValue": "Standard_GRS"
}
},
"functions": [],
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-01-01",
"location": "[parameters('location')]",
"name": "[parameters('storageaccountname')]",
"kind": "FileStorage",
"sku": "[parameters('storageaccounttype')]",
"properties": {}
}
],
"outputs": {}
}
Error:
{"code":"InvalidTemplate","message":"Deployment template parse failed: 'Error converting value \"Standard_GRS\" to type 'Microsoft.WindowsAzure.ResourceStack.Common.Core.Definitions.Resources.ResourceSku'. Path ''.'."}

If we want to create Azure FileStorage account, the sku must be Premium_LRS or Premium_ZRS. For more details, please refer to the official document.
Besides,please note that if we use Premium_ZRS, we just can create the storage account in some regions. Regarding the region, please refer to here.

How to deploy ARM template with user managed identity and assign a subscription level role?

The ARM template below is supposed to create the following resources:
resource group
- user managed identity
- subscription level Contributor role assignment
Currently the deployment is failing with the error "error": { "code": "ResourceGroupNotFound", "message": "Resource group 'rg-myproject-deploy' could not be found." } apparently because the role assignment step seem to not be respecting the dependsOn statements that should enforce that it should only happen after the resource group is created. Is there a way to deploy all these resources in a single ARM template?
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"projectName": {
"type": "string",
"defaultValue": "myproject",
"maxLength": 11,
"metadata": {
"description": "The name of the project"
}
},
"location": {
"type": "string",
"defaultValue": "westus2",
"metadata": {
"description": "The region were to deploy assets"
}
}
},
"variables": {
"resourceGroupName": "[concat('rg-', parameters('projectName'), '-deploy')]",
"managedIdentityName": "[concat('msi-', parameters('projectName'), '-deploy')]",
"bootstrapRoleAssignmentId": "[guid(subscription().id, 'contributor')]",
"contributorRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"managedIdentityId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2019-10-01",
"name": "[variables('resourceGroupName')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "deployment-assets-except-role-assignment",
"resourceGroup": "[variables('resourceGroupName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', variables('resourceGroupName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[variables('managedIdentityName')]",
"apiVersion": "2018-11-30",
"location": "[parameters('location')]"
}
],
"outputs": {}
}
}
}
,
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2017-09-01",
"name": "[variables('bootstrapRoleAssignmentId')]",
"dependsOn": [
"[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]",
"deployment-assets-except-role-assignment"
],
"properties": {
"roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
"principalId": "[reference(variables('managedIdentityId'), '2018-11-30').principalId]",
"principalType": "ServicePrincipal",
"scope": "[subscription().id]"
}
}
],
"outputs": {}
}

I think you're running into this:
https://bmoore-msft.blog/2020/07/26/resource-not-found-dependson-is-not-working/
The fix was a little more involved than I thought, but to summarize:
the nested deployment that provisions the MI must be set to inner scope evaluation
output the principalId from that deployment and use that in your reference (i.e. don't directly reference)
Due to #1 I moved some stuff around (params/vars)
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"projectName": {
"type": "string",
"defaultValue": "myproject",
"maxLength": 11,
"metadata": {
"description": "The name of the project"
}
},
"location": {
"type": "string",
"defaultValue": "westus2",
"metadata": {
"description": "The region were to deploy assets"
}
}
},
"variables": {
"identityDeploymentName": "deployment-assets-except-role-assignment",
"resourceGroupName": "[concat('rg-', parameters('projectName'), '-deploy')]",
"managedIdentityName": "[concat('msi-', parameters('projectName'), '-deploy')]",
"managedIdentityId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]",
"bootstrapRoleAssignmentId": "[guid(subscription().id, variables('contributorRoleDefinitionId'),variables('managedIdentityId'))]",
"contributorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2019-10-01",
"name": "[variables('resourceGroupName')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[variables('identityDeploymentName')]",
"resourceGroup": "[variables('resourceGroupName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions":{
"scope": "inner"
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"managedIdentityName": {
"value": "[variables('managedIdentityName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"managedIdentityName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('managedIdentityName')]",
"apiVersion": "2018-11-30",
"location": "[parameters('location')]"
}
],
"outputs": {
"principalId": {
"type": "string",
"value": "[reference(parameters('managedIdentityName')).principalId]"
}
}
}
}
}
,
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[variables('bootstrapRoleAssignmentId')]",
"dependsOn": [
"[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]",
"[variables('identityDeploymentName')]"
],
"properties": {
"roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
"principalId": "[reference(variables('identityDeploymentName')).outputs.principalId.value]",
"principalType": "ServicePrincipal",
"scope": "[subscription().id]"
}
}
]
}

Function MSDeploy and Event Grid Subscription Race Condition in ARM Template

I am deploying a function using MSDeploy extensions and then deploying event grid subscription with this function as endpoint. Event grid deployment fails with message -
"details": [
{
"code": "Endpoint validation",
"message": "The attempt to validate the provided azure endpoint resource:/subscriptions/XXXXX/resourceGroups/ResourceGroupName/providers/Microsoft.Web/sites/FunctionAppName/functions/EndpointName failed."
}
]
I believe this is because event grid subscription tried to get created before the function endpoint deployed with MSDeploy is up and running.
How can i avoid this race condition?
Note: Deploying the same template again creates the event grid fine.
Template being used-
//function app
{
"apiVersion": "2018-11-01",
"type": "Microsoft.Web/sites",
"name": "[parameters('functionAppName')]",
"location": "[resourceGroup().location]",
"kind": "functionapp",
"dependsOn": [
"[variables('azureFunction_serverFarmResourceId')]"
],
"properties": {
"serverFarmId": "[variables('azureFunction_serverFarmResourceId')]",
"siteConfig": {
"appSettings": [
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),variables('storageAccountApiVersion')).keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),variables('storageAccountApiVersion')).keys[0].value)]"//"[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[toLower(parameters('functionAppName'))]"
},
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~3"
},
{
"name": "WEBSITE_NODE_DEFAULT_VERSION",
"value": "~10"
},
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(resourceId('microsoft.insights/components/', parameters('functionApp_applicationInsightsName')), '2015-05-01').InstrumentationKey]"
},
{
"name": "FUNCTIONS_WORKER_RUNTIME",
"value": "dotnet"
}
]
}
},
"resources": [
{
"apiVersion": "2018-11-01",
"name": "MSDeploy",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
],
"properties": {
"packageUri": "[parameters('functionAppDeployPackageUri')]"
},
"type": "extensions"
}
]
},
//event grid
{
"type": "Microsoft.Storage/storageAccounts/providers/eventSubscriptions",
"name": "[concat(parameters('storageAccountName'), '/Microsoft.EventGrid/', parameters('blobcreate_eventsubscription_name'))]",
"apiVersion": "2020-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Web/sites/', parameters('functionAppName'), '/extensions/MSDeploy')]",
"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"properties": {
"destination": {
"endpointType": "AzureFunction",
"properties": {
"resourceId": "[concat(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '/functions/', variables('egressDataProcessorFunctionName'))]"
}
},
"filter": {
"subjectBeginsWith": "[concat('/blobServices/default/containers/', parameters('storageAccounts_mainblob_name'))]",
"subjectEndsWith": ".xml",
"includedEventTypes": [
"Microsoft.Storage.BlobCreated"
],
"advancedFilters": []
},
"retryPolicy": {
"maxDeliveryAttempts": "[parameters('eventgrid_maxDeliveryAttemps')]",
"eventTimeToLiveInMinutes": "[parameters('eventgrid_eventTimeToLiveInMinutes')]"
},
"deadLetterDestination": {
"endpointType": "StorageBlob",
"properties": {
"resourceId": "[variables('storageAccountResourceId')]",
"blobContainerName": "[parameters('storageAccounts_deadletterblob_name')]"
}
}
}
}

One way is to deploy your function app as a linked template, and then have your root template:
Deploy the function app template with the function url as an output.
Deploy an Event Grid subscription that depends on the function app deployment and references its output.
Another possibility is to spit appsettings into a childresource, and have that depend on your MSDeploy resource, then the Event Grid depend on appsettings.

Linked ARM Templates failing

Linked ARM Template for API management failing
I deployed each template individually in sequence in the same sequence as they are deployed successfully.
"resources": [
{
"apiVersion": "2017-05-10",
"name": "instanceTemplate",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "url for template",
"contentVersion": "1.0.0.0"
},
"parameters": {
"sku": { "value": "[parameters('APIManagementSku')]" },
"skuCount": { "value": "[parameters('APIManagementSkuCapacity')]" },
"publisherName": { "value": "[parameters('publisherName')]" },
"publisherEmail": { "value": "[parameters('publisherEmail')]" }
}
}
},
{
"apiVersion": "2017-05-10",
"name": "productsUsersTemplate",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "url for template",
"contentVersion": "1.0.0.0"
},
"parameters": {
"apiManagementServiceName": { "value": "[parameters('APIManagementInstanceName')]" }
}
},
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'instanceTemplate')]"
]
},
{
"apiVersion": "2017-05-10",
"name": "seviceTagsTemplate",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "url for template",
"contentVersion": "1.0.0.0"
},
"parameters": {
"apiManagementServiceName": { "value": "[parameters('APIManagementInstanceName')]" }
}
},
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'instanceTemplate')]"
]
}
]
I expect the template to be correctly deployed (As they do when deploying them individually).
However, I get the following error message:
Conflict: {
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.",
"details": [
{
"code": "PreconditionFailed",
"message": "{\r\n \"error\": {\r\n \"code\": \"PreconditionFailed\",\r\n \"message\": \"Exception of type 'Microsoft.WindowsAzure.ApiManagement.Management.Core.Exceptions.PreconditionFailedException' was thrown.\",\r\n \"details\": null\r\n }\r\n}"
}
]
}
]
}
}
I also tried adding additional dependencies but I still get the same error

ARM Template.json Dynamic connectionstring

I have taken a deployment template from azure and added this to a deployment project in Visual Studio 2015. When the Resource Group is made and deployed, everything works well except for the Web Site connectionstrings.
I have TableStorage, DocumentDb, and Redis instances all being created by this and cannot figure out how to get the Primary Connection String and Primary Key of these items so that I don't have to go in by hand and add them.
looking at the ARM Template Functions ListKeys should do the trick, but after deployment the value is empty. Furthermore, trying a simple string (TestConnectionString) also adds the name, but not the value.
{
"type": "Microsoft.Web/sites",
"kind": "app",
"name": "[parameters('WebAppName')]",
"apiVersion": "2015-08-01",
"properties": {
"name": "[parameters('WebAppName')]",
"resources": [],
"siteConfig": {
"connectionstrings": [
{
"name": "DocumentDbKey",
"value": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('docDbName')), '2015-11-06').primaryMasterKey]",
"type": "Custom"
},
{
"name": "TestConnectionString",
"value": "dummystring:pleaseignore;",
"type": "Custom"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('docDbName'))]",
]
}

As your description we can use ARM Template Functions ListKeys to get the Keys. And we could use the following template code to set the connection string. I test Azure storage connection string and Document DB key, It works correctly for me , please have a try. The following is my detail steps:
1.Create Basic Azure Resource Group project with template WebApp
2.From demo remove the unnecessary resource.
3.Add the connection string setting
"resources": [
{
"name": "connectionstrings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webSiteName'))]"
],
"tags": {
"displayName": "tomConnectionString"
},
"properties": {
"documentDB": {
"value": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', variables('docDbName')), '2015-11-06').primaryMasterKey]",
"type": "Custom"
},
"storage": {
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountName'),';AccountKey=',concat(listKeys(variables('storageAccountId'),'2015-05-01-preview').key1))]",
"type": "Custom"
}
}
}
]
Add the corresponding parameters or variables such as storage info or docDbName
Deploy the Website
Check the result from the portal
Full template code:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"hostingPlanName": {
"type": "string",
"minLength": 1
},
"skuName": {
"type": "string",
"defaultValue": "S1",
"allowedValues": [
"F1",
"D1",
"B1",
"B2",
"B3",
"S1",
"S2",
"S3",
"P1",
"P2",
"P3",
"P4"
],
"metadata": {
"description": "Describes plan's pricing tier and instance size. Check details at https://azure.microsoft.com/en-us/pricing/details/app-service/"
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Storage Account to access blob storage."
}
},
"skuCapacity": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"metadata": {
"description": "Describes plan's instance count"
}
}
},
"variables": {
"webSiteName": "[concat('webSite', uniqueString(resourceGroup().id))]",
"docDbName": "tomdocumentdb",
"storageAccountId": "[concat(resourceGroup().id,'/providers/Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "[parameters('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "HostingPlan"
},
"sku": {
"name": "[parameters('skuName')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"name": "[parameters('hostingPlanName')]"
}
},
{
"apiVersion": "2015-08-01",
"name": "[variables('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "Resource",
"displayName": "Website"
},
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]"
],
"properties": {
"name": "[variables('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
},
"resources": [
{
"name": "connectionstrings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webSiteName'))]"
],
"tags": {
"displayName": "tomConnectionString"
},
"properties": {
"documentDB": {
"value": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', variables('docDbName')), '2015-11-06').primaryMasterKey]",
"type": "Custom"
},
"storage": {
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountName'),';AccountKey=',concat(listKeys(variables('storageAccountId'),'2015-05-01-preview').key1))]",
"type": "Custom"
}
}
}
]
}
]
}
Update:
We could get more useful info about ARM template from the azure resource.

I just had same problem, and it turns out the name of the property that holds the connection string should be named connectionString, so your siteConfig object should look like this:
"siteConfig": {
"connectionstrings": [
{
"name": "DocumentDbKey",
"connectionString": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('docDbName')), '2015-11-06').primaryMasterKey]",
"type": "Custom"
},
{
"name": "TestConnectionString",
"connectionString": "dummystring:pleaseignore;",
"type": "Custom"
}
]
}

Resources