I am trying to deploy my ARM template to the QA environment and I have a secret that is being referenced in a keyvault (see below):
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"value": "myworksapce"
},
"QA_password": {
"reference": {
"keyVault": {
"id": "/subscriptions/xxx/resourceGroups/mytest-qa-group/providers/Microsoft.KeyVault/vaults/mytest-qa-kv"
},
"secretName": "pipeline"
}
}
}
}
However, when I do the deployment I encounter the following error:
{"error":{"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}}
Can anyone point me in the right direction for getting my secret in the keyvault and use it in the template?
I have tried to reproduce the issue by deploying a keyvault with a secret using Azure portal and used that secret as a password for the VM which will be deployed by using the ARM template.
While creating the keyvault, we should enable the ARM template deployment and also enable the access policies in the Access policy to access the secret from the ARM template and deployed successfully as shown in the below screenshot:
Then created a project in Visual Studio and added the above created keyvault secret by clicking on edit parameters--> add the keyvault and save it, then you will see the keyvault has been referenced successfully as shown in below images:
To confirm whether our keyvault is successfully linked to our template, you can open the windowsVMSSparameters.json file and check the secret name same as created in the keyvault as shown in the below screenshot:
windowsVMSSparameters.json:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmssName": {
"value": "rkvmss"
},
"instanceCount": {
"value": 2
},
"adminUsername": {
"value": "rajkumarun"
},
"adminPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/*****-***-*****/resourceGroups/********-Mindtree/providers/Microsoft.KeyVault/vaults/Rktestkeyvault1"
},
"secretName": "rksecretkv"
}
}
}
Related
I create a Diagnostic Settings for a KeyVault resource in Azure portal. DS properties are Metrics = AllMetrics and Destination is a predefined Log Analytics Workspace.
When I do an export (Automation - Export Template) from Portal, nothing from the diagnostic setting is included in the generated ARM json. I've noticed the same behavior when resource is an App Service.
Is this by design? A bug? Any other way to get the ARM json for the diagnostic setting I've defined?
I tried the same in my environment and seems we cannot export the diagnostics settings for any service like key vault, app service , storage account etc when we try to export the template for automation . But there are some sample Diagnostics settings Templates for few resources provided in Microsoft Documentation.
So , as per your settings it will something like below which I have tested by deploying :
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"settingName": {
"type": "String",
"defaultValue": "testdsansuman"
},
"vaultName": {
"type": "String",
"defaultValue": "ansumantestkv1234"
},
"workspaceName": {
"type": "String",
"defaultValue": "ansumantestlog"
}
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('vaultName'), '/Microsoft.Insights/', parameters('settingName'))]",
"dependsOn": [],
"properties": {
"workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('WorkspaceName'))]",
"metrics": [
{
"category": "AllMetrics",
"enabled": true
}
]
}
}
]
}
Output:
Can we retrieve the connection string for an Application Insights instance in an Azure Resource Group template ?
I can retrieve instrumentation key by below code but when I try to get connectionString with same or Listkey than it's giving error.
"outputs": {
"MyAppInsightsInstrumentationKey": {
"value": "[reference(resourceId('Microsoft.Insights/components', variables('myAppInsightsInstanceName')), '2014-04-01').connectionString]",
"type": "string"
}
}
Error :
{"error":{"code":"InvalidTemplate","message":"Deployment template validation failed: 'The template variable 'myAppInsightsInstanceName' is not found. Please see https://aka.ms/arm-template/#variables for usage details.'.","additionalInfo":[{"type":"TemplateViolation","info":{"lineNumber":95,"linePosition":40,"path":"properties.template.outputs.MyAppInsightsInstrumentationKey"}}]}}
As commented by #ZakiMa, you need to use a newer API version.
Something like that should work:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"MyAppInsightsInstanceName": "<My App Insights Instance Name>"
},
"outputs": {
"MyAppInsightsConnectionString": {
"value": "[reference(resourceId('Microsoft.Insights/components', variables('MyAppInsightsInstanceName')), '2020-02-02').ConnectionString]",
"type": "string"
}
},
"resources": []
}
Please help me understand what is wrong with my Azure ARM template here, Which is very basic, takes some input arguments and prints out resourceId.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualNetworkName": {
"type": "string"
},
"virtualNetworkResourceGroupName": {
"type": "string"
},
"subnetName": {
"type": "string"
},
"location": {
"type": "string",
"metadata": {
"description": "Location to Deploy Azure Resources"
}
}
},
"resources": [],
"outputs": {
"subnetRef": {
"type": "string",
"value": "[resourceId(parameters('virtualNetworkResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]"
}
}
}
Providing the required parameters, it fails with the following Error Message.
Parameter File
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualNetworkName": {
"value": "core-services-vnet"
},
"virtualNetworkResourceGroupName": {
"value": "core-networking-rg"
},
"subnetName": {
"value": "private"
},
"location": {
"value": "westus"
}
}
}
$ az deployment create -n core-deploy --template-file azuredeploy.json --parameters #params.json --location westus
Deployment failed. Correlation ID: b97a7544-2814-40c0-88c9-fbaaea2bf645. The template output 'subnetRef' is not valid: The provided value 'core-networking-rg' is not valid subscription identifier. Please see https://aka.ms/arm-template-expressions/#resourceid for usage details.
What Am I missing here ?
Thanks, Nag
The problem is the deployment scope. You can target your deployment to either an Azure subscription or a resource group within a subscription.
In your template, the $schema https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json# is used for resource group deployments, while the commands az deployment create you use is for subscription-level deployments. The schema https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json# for subscription-level deployments is different than the schema for resource group deployments. You could get references from creating resource groups and resources at the subscription level.
In this case, you can use the commands az group deployment create -n core-deploy --template-file azuredeploy.json --parameters #params.json --location westus instead of az deployment create xxx to fix this issue.
Is there a way to access the linked template on a private blob storage using 'listkeys'. That way I don't need to generate a SAS token each time I deploy. Something along the lines of:
"Concat('DefaultEndpointsProtocol=https;AccountName=',variables('StorageAccountName'),';AccountKey=',listKeys(resourceId('otherResourceGroup', 'Microsoft.Storage/storageAccounts', variables('StorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value)]"
To go in:
"parameters": {
"sasToken": { "type": "securestring" }
},
"resources": [
{
"apiVersion": "2017-05-10",
"name": "linkedTemplate",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "incremental",
"templateLink": {
"uri": "[concat('https://storagecontosotemplates.blob.core.windows.net/templates/helloworld.json', parameters('sasToken'))]",
"contentVersion": "1.0.0.0"
}
}
}
],
MS document doesn't mention it, but it would be easy to deploy without having to generate a token.
In response to Tom as to why I can't use the keyVault, because it still requires it to be input. Here is the code for the token which needs to be inside parameters:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminUsername": {
"value": "cmdbAdmin"
},
"adminPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/c8727b53-932a-4f48-9fa1-00765c554992/resourceGroups/AnsibleTest1/providers/Microsoft.KeyVault/vaults/ansibletest"
},
"secretName": "adminPassword"
}
},
...and it appears like this in Azure templates. As you can see, you will still need to put in some credentials :(
it would be easy to deploy without having to generate a token
"Concat('DefaultEndpointsProtocol=https;AccountName=',variables('StorageAccountName'),';AccountKey=',listKeys(resourceId('otherResourceGroup', 'Microsoft.Storage/storageAccounts', variables('StorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value)]"
The code you mentioned that is get the conection string from the storage account. Azure storage supplies the primary and secondary keys, so we could use the list key API to get the account keys.
But for SAS token we need to generate it, we need to supply start time ,expiry Time, access permission etc. Based on my experience, there is no the same way as listkey to generated sas token.
That way I don't need to generate a SAS token each time I deplo
But we could store the SAS token in Key Vault, then we could get the value dynamically in the ARM template. Detail info we could refer to this blog.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"sasToken": {
"reference": {
"keyVault": {
"id": "/subscriptions/{subscriptionId}/resourceGroups/{resource group name}/providers/Microsoft.KeyVault/vaults/MyUniqueKeyVaultName"
},
"secretName": "secretName"
}
}
}
}
We have successfully configured a On Premise data gateway on an Azure VM, using this gateway as trigger in a logic app works. All this is done manually.
Is there a way to achieve this with ARM? Is there a sample ARM template available for this?
If you want to create on-premise data gateway with ARM template. Please have a try to use the following ARM template, it works correctly on my side.
Deploy.json
{
"$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"gatewayApiVersion": {
"type": "String"
},
"gatewayName": {
"type": "String"
},
"gatewayLocation": {
"type": "String"
},
"gatewayInstallationId": {
"type": "String"
}
},
"resources": [
{
"type": "Microsoft.Web/connectionGateways",
"name": "[parameters('gatewayName')]",
"apiVersion": "[parameters('gatewayApiVersion')]",
"location": "[parameters('gatewayLocation')]",
"properties": {
"connectionGatewayInstallation": {
"Id": "[parameters('gatewayInstallationId')]"
}
}
}
]
}
Parameters.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"gatewayApiVersion": {
"value": "2015-08-01-preview"
},
"gatewayName": {
"value": "gatewayName"
},
"gatewayLocation": {
"value": "location"
},
"gatewayInstallationId": {
"value": "/subscriptions/{subscriotionId}/providers/Microsoft.Web/locations/{location}/connectionGatewayInstallations/xxxxxxxxxx"
}
}
}
Before that we need to Install the on-premises data gateway manually on the machine, more details about how install on-premises data gateway please refer to the azure document.
For gatewayLocation value, please make sure that the same with on-premises
data gateway.
For gatewayInstallationId value, if we try to create it from azure we could get value from the portal.
Test result: