DependsOn Failing in ARM Template - azure-resource-manager

Im trying to connect our website to a Application Insights component via ARM but havning troubles in setting the Intstrumentation Key as an website application setting. This works sometimes and sometimes not.
My guess is that im having incorrect dependsOn settings. Can anyone have a look on my template and see if im doing something wrong? Have a look on the resource called "appSettings" of type "config" in the website resource. Here I am supposed to wait for completion of the Application Insight and then read the Instrumentation Key.
{
"name": "[variables('webAppNameFinal')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('appServicePlanLocation')]",
"apiVersion": "2015-04-01",
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', variables('appServicePlanNameFinal'))]"
],
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', variables('appServicePlanNameFinal'))]": "Resource",
"displayName": "webApp"
},
"properties": {
"name": "[variables('webAppNameFinal')]",
"serverFarmId": "[variables('appServicePlanNameFinal')]"
},
"resources": [
{
"apiVersion": "2015-04-01",
"name": "connectionstrings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('webAppNameFinal'))]",
"[resourceId('Microsoft.Sql/servers', variables('sqlServerNameFinal'))]"
],
"properties": {
"Watches": {
"value": "[concat('Server=tcp:', reference(concat('Microsoft.Sql/servers/', variables('sqlServerNameFinal'))).fullyQualifiedDomainName, ',1433;Database=', variables('sqlDatabaseNameFinal'), ';User ID=', parameters('sqlServerAdminLogin'), ';Password=', parameters('sqlServerAdminLoginPassword'), ';Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;')]",
"type": "SQLAzure"
}
}
},
{
"apiVersion": "2015-08-01",
"name": "appsettings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('webAppNameFinal'))]",
"[concat('Microsoft.Insights/components/', variables('applicationInsightsNameFinal'))]"
],
"properties": {
"Watches.Webjobs.VitecConnect.WatchersExport.Run": "false",
"ApplicationInsights.InstrumentationKey": "[reference(concat('Microsoft.Insights/components/', variables('applicationInsightsNameFinal'))).InstrumentationKey]"
}
},
{
"apiVersion": "2015-04-01",
"name": "web",
"type": "sourcecontrols",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('webAppNameFinal'))]"
],
"properties": {
"RepoUrl": "[parameters('gitUrl')]",
"branch": "[parameters('gitBranch')]"
}
},
{
"apiVersion": "2015-08-01",
"name": "web",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('webAppNameFinal'))]"
],
"properties": "[variables('siteProperties')]"
}
]
},
{
"name": "[variables('applicationInsightsNameFinal')]",
"type": "Microsoft.Insights/components",
"location": "Central US",
"apiVersion": "2014-04-01",
"dependsOn": [ ],
"tags": {
"displayName": "Application Insights"
},
"properties": {
"applicationId": "[variables('webAppNameFinal')]"
}
},
Best reagards
Niclas

Have you tried to place the dependsOn inside the insight resource declaration?
Have a look at the Quickstart template for a web+sql here: https://github.com/Azure/azure-quickstart-templates/blob/master/201-web-app-sql-database/azuredeploy.json
They placed the dependsOn on the Insight declaration and nothing on the website declaration. Would that work for you?
{
"apiVersion": "2015-05-01",
"name": "[concat('AppInsights', variables('webSiteName'))]",
"type": "Microsoft.Insights/components",
"location": "centralus",
"dependsOn": [
"[variables('webSiteName')]"
],
"tags": {
"[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('webSiteName')))]": "Resource",
"displayName": "AppInsightsComponent"
},
"properties": {
"ApplicationId": "[variables('webSiteName')]"
}
}

Related

Change web app .NET framework version with ARM template

I'm updating an existing web app to .NET 5. There is an ARM template that describes the web app configuration.
In the ARM template I have added
"netFrameworkVersion": "v5.0",
inside the Microsoft.Web/sites/config properties object.
The ARM template deployment succeeds, but the web app configuration is not changed from .NET Core 3.1 to .NET 5.
Oddly, when I look at the Azure Resource manager, it does contain the net netFrameworkVersion value.
This configuration is what I'm trying to change to .NET 5:
Am I missing a setting, or is it not possible to update the .NET version using an ARM template?
The answer for me was setting the property netFrameworkVersion to v6.0. No other change was necessary.
This is the partial ARM template, the section changed:
{
"name": "[parameters('webSiteName')]",
"type": "Microsoft.Web/sites",
"apiVersion": "2019-08-01",
"location": "[parameters('location')]",
"tags": {
"[concat('hidden-related:', resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName')))]": "empty"
},
"dependsOn": [
"[variables('hostingPlanName')]",
"[variables('appInsightsName')]"
],
"properties": {
"name": "[parameters('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
"siteConfig": {
"appSettings": [
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(resourceId('Microsoft.Insights/components/', variables('appInsightsName')), '2020-02-02-preview').InstrumentationKey]"
},
{
"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
"value": "[reference(resourceId('Microsoft.Insights/components', variables('appInsightsName')), '2020-02-02-preview').ConnectionString]"
}
],
"connectionStrings": [
{
"name": "DefaultConnection",
"connectionString": "[concat('Data Source=tcp:', reference(resourceId('Microsoft.Sql/servers/', variables('sqlServerName'))).fullyQualifiedDomainName, ',1433;Initial Catalog=', parameters('databaseName'), ';User Id=', parameters('databaseUserLogin'), '#', reference(resourceId('Microsoft.Sql/servers/', variables('sqlServerName'))).fullyQualifiedDomainName, ';Password=', parameters('databaseUserPassword'), ';')]",
"type": "SQLAzure"
}
],
"ftpsState": "FtpsOnly",
"netFrameworkVersion": "v6.0"
},
"httpsOnly": true
}
}
You can find the full resource and ARM template at: https://github.com/feliperomero3/MoneySmart/blob/e2210eb6217eb6e06a299870acaf115d2e50c6a5/AzureResourceGroup/azuredeploy.json
Except for the netFrameworkVersion you need to change, also you need to add another resource to the resources in your template, just add it like below, it works fine on my side.
Note: It is for the web app whose OS is Windows.
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2018-11-01",
"name": "[concat(parameters('webapp_name'), '/metadata')]",
"location": "Central US",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('webapp_name'))]"
],
"properties": {
"CURRENT_STACK": "dotnet"
}
}
My complete sample:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"webapp_name": {
"defaultValue": "joyweb11",
"type": "String"
},
"serviceplan_resourceid": {
"defaultValue": "/subscriptions/xxxxx/resourceGroups/xxxx/providers/Microsoft.Web/serverfarms/joyplan",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('webapp_name')]",
"location": "Central US",
"tags": {},
"kind": "app",
"properties": {
"enabled": true,
"hostNameSslStates": [
{
"name": "[concat(parameters('webapp_name'), '.azurewebsites.net')]",
"sslState": "Disabled",
"hostType": "Standard"
},
{
"name": "[concat(parameters('webapp_name'), '.scm.azurewebsites.net')]",
"sslState": "Disabled",
"hostType": "Repository"
}
],
"serverFarmId": "[parameters('serviceplan_resourceid')]",
"reserved": false,
"isXenon": false,
"hyperV": false,
"siteConfig": {},
"scmSiteAlsoStopped": false,
"clientAffinityEnabled": true,
"clientCertEnabled": false,
"hostNamesDisabled": false,
"containerSize": 0,
"dailyMemoryTimeQuota": 0,
"httpsOnly": false,
"redundancyMode": "None"
}
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2018-11-01",
"name": "[concat(parameters('webapp_name'), '/web')]",
"location": "Central US",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('webapp_name'))]"
],
"tags": {
},
"properties": {
"numberOfWorkers": 1,
"defaultDocuments": [
"Default.htm",
"Default.html",
"Default.asp",
"index.htm",
"index.html",
"iisstart.htm",
"default.aspx",
"index.php",
"hostingstart.html"
],
"netFrameworkVersion": "v5.0",
"requestTracingEnabled": false,
"remoteDebuggingEnabled": false,
"remoteDebuggingVersion": "VS2019",
"httpLoggingEnabled": false,
"logsDirectorySizeLimit": 35,
"detailedErrorLoggingEnabled": false,
"publishingUsername": "$joyweb11",
"azureStorageAccounts": {},
"scmType": "None",
"use32BitWorkerProcess": true,
"webSocketsEnabled": false,
"alwaysOn": true,
"managedPipelineMode": "Integrated",
"virtualApplications": [
{
"virtualPath": "/",
"physicalPath": "site\\wwwroot",
"preloadEnabled": true
}
],
"loadBalancing": "LeastRequests",
"experiments": {
"rampUpRules": []
},
"autoHealEnabled": false,
"localMySqlEnabled": false,
"ipSecurityRestrictions": [
{
"ipAddress": "Any",
"action": "Allow",
"priority": 1,
"name": "Allow all",
"description": "Allow all access"
}
],
"scmIpSecurityRestrictions": [
{
"ipAddress": "Any",
"action": "Allow",
"priority": 1,
"name": "Allow all",
"description": "Allow all access"
}
],
"scmIpSecurityRestrictionsUseMain": false,
"http20Enabled": false,
"minTlsVersion": "1.2",
"ftpsState": "AllAllowed",
"reservedInstanceCount": 0
}
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(parameters('webapp_name'), '/', parameters('webapp_name'), '.azurewebsites.net')]",
"location": "Central US",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('webapp_name'))]"
],
"properties": {
"siteName": "[parameters('webapp_name')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2018-11-01",
"name": "[concat(parameters('webapp_name'), '/metadata')]",
"location": "Central US",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('webapp_name'))]"
],
"properties": {
"CURRENT_STACK": "dotnet"
}
}
]
}

Not able to apply CMK encryption to Azure Storage Account through ARM Template

I am trying to attach CMK Encryption with Azure Storage Account through ARM Template but I am getting error as below. Need quick help with it. Able to apply it through portal after Storage Account is created but not able to do via ARM Template while creating Storage Account.
Error- [error]FeatureNotSupportedForAccount: Missing pre-requisites to enable EncryptionAtRest/Customer Managed Key for this storage account.
ARM:-
"resources": [
{​​​​​​​
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-04-01",
"name": "[variables('storageaccountname')]",
"location": "[resourceGroup().location]",
"sku": {​​​​​​​
"name": "[parameters('storageaccountype')]"
}​​​​​​​,
"kind": "[parameters('storagekind')]",
"properties": {​​​​​​​
"supportsHttpsTrafficOnly": true,
"accesstier": "[parameters('accesstier')]",
"largeFileSharesState": "[parameters('largefilesharesstate')]",
"allowBlobPublicAccess": false,
"encryption": {​​​​​​​
"services": {​​​​​​​
"file": {​​​​​​​
"enabled": true
}​​​​​​​,
"blob": {​​​​​​​
"enabled": true
}​​​​​​​
}​​​​​​​,
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {​​​​​​​
"keyvaulturi": "[parameters('kvuri')]",
"keyname": "[parameters('keyname')]",
"keyversion": "[parameters('keyversion')]"
}​​​​​​​
}​​​​​​​
}​​​​​​​,
"tags": {​​​​​​​
"abcid": "[parameters('abcid')]"
}​​​​​​​
}​​​​​​​
According to the document, if you want to configure encryption with customer-managed keys stored in Azure key valt, we need to do the following steps
Create storage account and Enable Identity
Update Azure Key vault. Enable soft delete and purge protection.
Configure access policy for the storage account's Identity
Configure customer-managed keys for the storage account.
Regarding how to configure these with arm template, please refer to the following template
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyName": {
"type": "string",
"defaultValue": ""
},
"keyVersion": {
"type": "string",
"defaultValue": ""
},
"vaultName": {
"defaultValue": "",
"type": "String"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"accountNmae": {
"type": "string",
"defaultValue": "tetsdfgfgdffd"
},
},
"variables": {},
"resources": [{
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"name": "[ parameters('accountNmae')]",
"apiVersion": "2019-06-01",
"location": "[ parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"supportsHttpsTrafficOnly": true
},
"dependsOn": []
}, {
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[parameters('vaultName')]",
"location": "eastasia",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('accountNmae'))]"
],
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantid]",
"accessPolicies": [],
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true
}
}, {
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-07-01",
"name": "updateStorageAccount",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "0.1.0.0",
"resources": [{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('vaultName'), '/add')]",
"apiVersion": "2019-09-01",
"properties": {
"accessPolicies": [{
"tenantId": "[subscription().tenantid]",
"objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('accountNmae')),'2019-06-01', 'full').identity.principalId]",
"permissions": {
"keys": [
"wrapkey",
"unwrapkey",
"get"
],
"secrets": [],
"certificates": []
}
}
]
}
}, {
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"name": "[parameters('accountNmae')]",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"encryption": {
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
},
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
"keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults',parameters('vaultName')),'2016-10-01', 'full').properties.vaultUri]",
"keyname": "[parameters('keyName')]",
"keyversion": "[parameters('keyversion')]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('vaultName'), 'add')]"
]
}
]
}
}
}
]
}
For more details, please refer to the blog

How to deploy ARM template with user managed identity and assign a subscription level role?

The ARM template below is supposed to create the following resources:
resource group
- user managed identity
- subscription level Contributor role assignment
Currently the deployment is failing with the error "error": { "code": "ResourceGroupNotFound", "message": "Resource group 'rg-myproject-deploy' could not be found." } apparently because the role assignment step seem to not be respecting the dependsOn statements that should enforce that it should only happen after the resource group is created. Is there a way to deploy all these resources in a single ARM template?
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"projectName": {
"type": "string",
"defaultValue": "myproject",
"maxLength": 11,
"metadata": {
"description": "The name of the project"
}
},
"location": {
"type": "string",
"defaultValue": "westus2",
"metadata": {
"description": "The region were to deploy assets"
}
}
},
"variables": {
"resourceGroupName": "[concat('rg-', parameters('projectName'), '-deploy')]",
"managedIdentityName": "[concat('msi-', parameters('projectName'), '-deploy')]",
"bootstrapRoleAssignmentId": "[guid(subscription().id, 'contributor')]",
"contributorRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"managedIdentityId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2019-10-01",
"name": "[variables('resourceGroupName')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "deployment-assets-except-role-assignment",
"resourceGroup": "[variables('resourceGroupName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', variables('resourceGroupName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[variables('managedIdentityName')]",
"apiVersion": "2018-11-30",
"location": "[parameters('location')]"
}
],
"outputs": {}
}
}
}
,
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2017-09-01",
"name": "[variables('bootstrapRoleAssignmentId')]",
"dependsOn": [
"[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]",
"deployment-assets-except-role-assignment"
],
"properties": {
"roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
"principalId": "[reference(variables('managedIdentityId'), '2018-11-30').principalId]",
"principalType": "ServicePrincipal",
"scope": "[subscription().id]"
}
}
],
"outputs": {}
}
I think you're running into this:
https://bmoore-msft.blog/2020/07/26/resource-not-found-dependson-is-not-working/
The fix was a little more involved than I thought, but to summarize:
the nested deployment that provisions the MI must be set to inner scope evaluation
output the principalId from that deployment and use that in your reference (i.e. don't directly reference)
Due to #1 I moved some stuff around (params/vars)
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"projectName": {
"type": "string",
"defaultValue": "myproject",
"maxLength": 11,
"metadata": {
"description": "The name of the project"
}
},
"location": {
"type": "string",
"defaultValue": "westus2",
"metadata": {
"description": "The region were to deploy assets"
}
}
},
"variables": {
"identityDeploymentName": "deployment-assets-except-role-assignment",
"resourceGroupName": "[concat('rg-', parameters('projectName'), '-deploy')]",
"managedIdentityName": "[concat('msi-', parameters('projectName'), '-deploy')]",
"managedIdentityId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]",
"bootstrapRoleAssignmentId": "[guid(subscription().id, variables('contributorRoleDefinitionId'),variables('managedIdentityId'))]",
"contributorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2019-10-01",
"name": "[variables('resourceGroupName')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[variables('identityDeploymentName')]",
"resourceGroup": "[variables('resourceGroupName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions":{
"scope": "inner"
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"managedIdentityName": {
"value": "[variables('managedIdentityName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"managedIdentityName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('managedIdentityName')]",
"apiVersion": "2018-11-30",
"location": "[parameters('location')]"
}
],
"outputs": {
"principalId": {
"type": "string",
"value": "[reference(parameters('managedIdentityName')).principalId]"
}
}
}
}
}
,
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[variables('bootstrapRoleAssignmentId')]",
"dependsOn": [
"[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]",
"[variables('identityDeploymentName')]"
],
"properties": {
"roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
"principalId": "[reference(variables('identityDeploymentName')).outputs.principalId.value]",
"principalType": "ServicePrincipal",
"scope": "[subscription().id]"
}
}
]
}

how can I create user assigned identity and system assign identity with arm template on a app service

Is it possible to assign both userAssigned identity and system assigned identity to app service with ARM template. if so, how can it be done.
5 seconds in google:
{
"apiVersion": "2016-08-01",
"type": "Microsoft.Web/sites",
"name": "[variables('appName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('appName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
"hostingEnvironment": "",
"clientAffinityEnabled": false,
"alwaysOn": true
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"
]
}
{
"apiVersion": "2016-08-01",
"type": "Microsoft.Web/sites",
"name": "[variables('appName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {}
}
},
"properties": {
"name": "[variables('appName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
"hostingEnvironment": "",
"clientAffinityEnabled": false,
"alwaysOn": true
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
]
}
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#add-a-system-assigned-identity
ps. if you are asking to have both at the same time - its not possible

ARM Template.json Dynamic connectionstring

I have taken a deployment template from azure and added this to a deployment project in Visual Studio 2015. When the Resource Group is made and deployed, everything works well except for the Web Site connectionstrings.
I have TableStorage, DocumentDb, and Redis instances all being created by this and cannot figure out how to get the Primary Connection String and Primary Key of these items so that I don't have to go in by hand and add them.
looking at the ARM Template Functions ListKeys should do the trick, but after deployment the value is empty. Furthermore, trying a simple string (TestConnectionString) also adds the name, but not the value.
{
"type": "Microsoft.Web/sites",
"kind": "app",
"name": "[parameters('WebAppName')]",
"apiVersion": "2015-08-01",
"properties": {
"name": "[parameters('WebAppName')]",
"resources": [],
"siteConfig": {
"connectionstrings": [
{
"name": "DocumentDbKey",
"value": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('docDbName')), '2015-11-06').primaryMasterKey]",
"type": "Custom"
},
{
"name": "TestConnectionString",
"value": "dummystring:pleaseignore;",
"type": "Custom"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('docDbName'))]",
]
}
As your description we can use ARM Template Functions ListKeys to get the Keys. And we could use the following template code to set the connection string. I test Azure storage connection string and Document DB key, It works correctly for me , please have a try. The following is my detail steps:
1.Create Basic Azure Resource Group project with template WebApp
2.From demo remove the unnecessary resource.
3.Add the connection string setting
"resources": [
{
"name": "connectionstrings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webSiteName'))]"
],
"tags": {
"displayName": "tomConnectionString"
},
"properties": {
"documentDB": {
"value": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', variables('docDbName')), '2015-11-06').primaryMasterKey]",
"type": "Custom"
},
"storage": {
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountName'),';AccountKey=',concat(listKeys(variables('storageAccountId'),'2015-05-01-preview').key1))]",
"type": "Custom"
}
}
}
]
Add the corresponding parameters or variables such as storage info or docDbName
Deploy the Website
Check the result from the portal
Full template code:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"hostingPlanName": {
"type": "string",
"minLength": 1
},
"skuName": {
"type": "string",
"defaultValue": "S1",
"allowedValues": [
"F1",
"D1",
"B1",
"B2",
"B3",
"S1",
"S2",
"S3",
"P1",
"P2",
"P3",
"P4"
],
"metadata": {
"description": "Describes plan's pricing tier and instance size. Check details at https://azure.microsoft.com/en-us/pricing/details/app-service/"
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Storage Account to access blob storage."
}
},
"skuCapacity": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"metadata": {
"description": "Describes plan's instance count"
}
}
},
"variables": {
"webSiteName": "[concat('webSite', uniqueString(resourceGroup().id))]",
"docDbName": "tomdocumentdb",
"storageAccountId": "[concat(resourceGroup().id,'/providers/Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "[parameters('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "HostingPlan"
},
"sku": {
"name": "[parameters('skuName')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"name": "[parameters('hostingPlanName')]"
}
},
{
"apiVersion": "2015-08-01",
"name": "[variables('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "Resource",
"displayName": "Website"
},
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]"
],
"properties": {
"name": "[variables('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
},
"resources": [
{
"name": "connectionstrings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webSiteName'))]"
],
"tags": {
"displayName": "tomConnectionString"
},
"properties": {
"documentDB": {
"value": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', variables('docDbName')), '2015-11-06').primaryMasterKey]",
"type": "Custom"
},
"storage": {
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountName'),';AccountKey=',concat(listKeys(variables('storageAccountId'),'2015-05-01-preview').key1))]",
"type": "Custom"
}
}
}
]
}
]
}
Update:
We could get more useful info about ARM template from the azure resource.
I just had same problem, and it turns out the name of the property that holds the connection string should be named connectionString, so your siteConfig object should look like this:
"siteConfig": {
"connectionstrings": [
{
"name": "DocumentDbKey",
"connectionString": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('docDbName')), '2015-11-06').primaryMasterKey]",
"type": "Custom"
},
{
"name": "TestConnectionString",
"connectionString": "dummystring:pleaseignore;",
"type": "Custom"
}
]
}

Resources