I am working with ARM Templates in a Visual Studio project and each time I use a function, I get the error: Unrecognized function name 'xxxxx'
Example Code:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters":
{
...
"sasExpirationPeriod":
{
"type": "string",
"defaultValue": "[dateTimeToEpoch(dateTimeAdd(utcNow(), 'P1Y'))]",
"metadata":
{
"description": "The SAS expiration period, DD.HH:MM:SS."
}
},
...
},
"variables":
{
"name": "[concat('<resource name>', utcNow('yyyyMMddhhmmssZ'))]", --> This one doesn't throw an error
"expiration": "[dateTimeToEpoch(dateTimeAdd(utcNow(), 'P1Y'))]",
"notBefore": "[dateTimeToEpoch(utcNow())]",
},
"resources":
[
],
"outputs":
{
}
}
As I am preparing several ARM templates to deploy several resources, this error appears a lot and doesn't let me see the actual errors which I should be focused on.
Do you know how I can fix it? Is there any workaround or a way to tell VS to ignore specific errors?
Related
I've set up the problem in these two files. The template is simply POSTing the parameter to a fake URL to check the value.
read_secret_params.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ftpPrivateKey": {
"reference": {
"keyVault": {
"id": "/subscriptions/dummyid/resourceGroups/dummyrg/providers/Microsoft.KeyVault/vaults/myvault"
},
"secretName": "mysecret"
}
}
}
}
read_secret_template.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ftpPrivateKey": {
"type": "securestring"
}
},
"resources": [
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2019-05-01",
"name": "read-secret",
"location": "East US",
"properties": {
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Week",
"interval": 1
},
"type": "Recurrence"
}
},
"actions": {
"HTTP": {
"inputs": {
"body": "[parameters('ftpPrivateKey')]",
"method": "POST",
"uri": "https://dummysite.com"
},
"runAfter": {},
"type": "Http"
}
},
"outputs": {}
},
"parameters": {}
}
}
]
}
The first issue is, when I try to deploy via the portal, no value comes through for the parameter so it can't create it due to the validation error "Validation failed. Required information is missing or not valid.". Is this because it's not able to read the secret, a permissions thing? NOTE: the key vault is also created by myself so I am the owner.
I can get around the validation error and successfully deploy by adding a default value as follows:-
"parameters": {
"ftpPrivateKey": {
"type": "securestring",
"defaultValue": "privateKeyDefault"
}
},
But when I run the logic app, it's using the default value in the POST command so it seems like it's not pulling the secret out of the key vault.
So in summary I have 2 questions:-
Has this test proved that the logic app is not reading the secret OR might it have successfully read the secret but is for some reason displaying the default value in the POST command?
If it is not reading the secret, can anyone suggest a cause + fix?
If I deploy using the Azure CLI then it works i.e. gets the secret from Azure Key Vault. If deployed in the portal then it always uses the default value.
I have managed to release secrets to my Azure key vault via CI/CD from DevOps using my ARM templates. The initial release went fine and added my new, non-existing secrets to my key vault resource. However, when I try to update the value of the secret in my ARM template and then push it to my Git repo, to in turn release it and update my secret in Azure, it fails, giving me:
At least one resource deployment operation failed. Please list deployment operations for
details. Please see https://aka.ms/DeployOperations for usage details.
Details:
BadRequest:
Check out the troubleshooting guide to see if your issue is addressed:
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
Task failed while creating or updating the template deployment.
My template looks like this:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"value": "test-kv-devopstest01-d"
},
"TestCedential_1": {
"value": "TestCedentialSecretValue1"
},
"TestCedentialName_1": {
"value": "TestCedentialSecretName1_SecondVersion"
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"type": "string"
},
"TestCedential_1": {
"type": "secureString"
},
"TestCedentialName_1": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[parameters('TestCedential_1')]"
}
}
],
"outputs": {}
}
I've also tried granting permissions for the pipelines in access control in the key vault resource in Azure.
Am I missing something maybe?
I tested the same code in my environment and it resulted in the same error:
The issue is with the below:
"TestCedentialName_1": {
"value": "TestCedentialSecretName1_SecondVersion"
}
In a Key Vault secret, '_' (underscore) is not allowed in the name. The allowed values are alphanumeric characters and dashes.
Changing the underscore to a dash fixes the issue:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"type": "string",
"defaultValue" :"test-kv-ansuman-d"
},
"TestCedential_1": {
"type": "secureString",
"defaultValue":"TestCedentialSecretValue1"
},
"TestCedentialName_1": {
"type": "string",
"defaultValue": "TestCedentialSecretName1-SecondVersion"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[parameters('TestCedential_1')]"
}
}
],
"outputs": {}
}
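The naming rule from the answer above can be checked before the pipeline runs. The following is an added example, not code from the original posts or from Azure tooling: a small Python pre-deployment check that resolves the secret's name expression from the parameter values and reports names Key Vault would reject. The function names are hypothetical, the 1-127 length bound comes from Key Vault's naming rules rather than this page, and only top-level secret resources whose name is a literal or a concat() of literals and parameters() are resolved.

```python
import re

# Key Vault secret names: 1-127 characters; letters, digits and dashes only.
SECRET_NAME_RE = re.compile(r"^[0-9A-Za-z-]{1,127}$")
CONCAT_RE = re.compile(r"^\[concat\((.*)\)\]$", re.S)
# One concat() argument: parameters('x') or a quoted literal, then ',' or end.
ARG_RE = re.compile(r"\s*(?:parameters\('([^']+)'\)|'([^']*)')\s*(?:,|$)")

def effective_parameters(template, param_file=None):
    """Parameter-file values override the template's defaultValue entries."""
    values = {k: v["defaultValue"]
              for k, v in template.get("parameters", {}).items() if "defaultValue" in v}
    values.update({k: v["value"] for k, v in (param_file or {}).get("parameters", {}).items()
                   if "value" in v})
    return values

def resolve_name(expr, values):
    """Resolve a plain name or a concat() of literals and parameters(); else None."""
    m = CONCAT_RE.match(expr)
    if not m:
        return None if expr.startswith("[") else expr
    parts, pos, body = [], 0, m.group(1)
    while pos < len(body):
        arg = ARG_RE.match(body, pos)
        if not arg or (arg.group(1) and arg.group(1) not in values):
            return None  # unknown function or unset parameter: do not guess
        parts.append(str(values[arg.group(1)]) if arg.group(1) else arg.group(2))
        pos = arg.end()
    return "".join(parts)

def check_secret_names(template, param_file=None):
    """Return (name expression, resolved secret name, problem) per finding."""
    values, findings = effective_parameters(template, param_file), []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults/secrets":
            continue
        full = resolve_name(res.get("name", ""), values)
        if full is None:
            findings.append((res.get("name"), None, "name not resolvable offline"))
        elif not SECRET_NAME_RE.match(full.split("/")[-1]):
            findings.append((res["name"], full.split("/")[-1],
                             "only letters, digits and dashes are allowed"))
    return findings

# Constructed sample mirroring the question's template and parameter file.
NAME_EXPR = "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]"
TEMPLATE = {"parameters": {"keyVault": {"type": "string"},
                           "TestCedentialName_1": {"type": "string"}},
            "resources": [{"type": "Microsoft.KeyVault/vaults/secrets", "name": NAME_EXPR}]}
PARAMS = {"parameters": {"keyVault": {"value": "test-kv-devopstest01-d"},
          "TestCedentialName_1": {"value": "TestCedentialSecretName1_SecondVersion"}}}
```

Calling check_secret_names(TEMPLATE, PARAMS) reports the underscore name from the question; with the dash variant from the answer it returns an empty list.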
Using ARM templates I am trying to set "slotSetting: true" in my app service config - this seems to have been an option (see link below) in previous versions of the ARM template, but I am not able to find how to do it with the latest version.
Link to how this was solved previously: How to use sticky staging slots in Azure Arm Templates
I solved it by using a nested template with the older API to lock the settings but please add the correct solution if you have it!
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appServiceName": {
"type": "string"
},
"appSettingsToLock": {
"type": "array"
},
"conncetionStringsToLock": {
"type": "array"
}
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "[concat(parameters('appServiceName'),'/slotconfignames')]",
"type": "Microsoft.Web/sites/config",
"properties": {
"connectionStringNames": "[parameters('conncetionStringsToLock')]",
"appSettingNames": "[parameters('appSettingsToLock')]"
}
}
]
}
I am trying to use the built-in allowed locations Azure policy.
Below is my ARM template definition:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"listOfAllowedLocations": {
"type": "Array"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "Test",
"apiVersion": "2018-03-01",
"properties": {
"displayName": "Test allowed locations",
"policyType": "BuiltIn",
"description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.",
"parameters": {
"listOfAllowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of locations that can be specified when deploying resources.",
"strongType": "location",
"displayName": "Allowed locations"
}
}
},
"policyRule": {
"if": {
"not": {
"field": "location",
"in": "[parameters('listOfAllowedLocations')]"
}
},
"then": {
"effect": "Deny"
}
}
}
}],
"outputs": {}
}
I am getting the below error when I try to deploy this using the Visual Studio deploy option:
{
"error": {
"code": "InvalidPolicyUri",
"message": "The policy request scope '/subscriptions/xxx/resourcegroups/Test' should be '/', '/subscriptions/id' or '/providers/Microsoft.Management/managementGroups/id'."
}
}
I would really appreciate it if someone could guide me to the right way of deploying policies using Visual Studio. This template will go into a DevOps release pipeline later, once it is successful in VS deploy testing.
I figured it out. By default Visual Studio uses resource group deployment; that is the reason this is not working. We need to use New-AzureRmDeployment instead of New-AzureRmResourceGroupDeployment.
I am building a Web Application and deploying it into Azure using ARM Templates. I am creating and deploying them without any problem. I am trying to access contentVersion in output session. But, I am receiving a message
Unable to evaluate template outputs
I tried it in following ways:
"outputs": {
"Contentoutput": {
"type": "string",
"value": "[reference('contentVersion')]" //First case
"value": "[reference('contentVersion').value]" //Second case
"value": "['contentVersion']" //Third case
"value": "[contains('contentVersion','contentVersion')]" //Fourth case
}
}
How to access the contentVersion in output session?
A better way of outputting the content version would be to use the deployment function (see documentation).
Your workaround solution would then translate to:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [],
"outputs": {
"contentVersion": {
"type": "string",
"value": "[deployment().properties.template.contentVersion]"
}
}
}
I also can't find a way to get it in the outputs. According to the Azure official document, we can see that contentVersion could be any value you supply.
contentVersion: Version of the template (such as 1.0.0.0). You can provide any value for this element. When deploying resources using the template, this value can be used to make sure that the right template is being used.
So my workaround is that you could define it as a parameter, then you could get it from outputs. The following is the demo code. You could also give your idea to the Azure team.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"contentVersion": {
"type": "string",
"defaultValue": "1.0.0.0",
"metadata": {
"description": "contentVersion"
}
}
},
"variables": {
},
"resources": [
],
"outputs": {
"contentVersion": {
"type": "string",
"value": "[parameters('contentVersion')]"
}
}
}