New-AzResourceGroupDeployment - Error: Code=ApplicationGatewaySslCertificateDataMustBeSpecified; Message=Data must be specified for Certificate - arm-template

New-AzResourceGroupDeployment : 11:50:41 PM - Error: Code=ApplicationGatewaySslCertificateDataMustBeSpecified; Message=Data must be specified for Certificate
Getting the above error, even after specifying data in the sslCertificates and authenticationCertificates arrays in the ARM templates.

Related

Is it possible to connect a DeploymentScript to a VNET?

When running a bicep resource of type Microsoft.Resources/deploymentScripts that runs a script that needs access to a key vault which only allows selected networks, how can we make the following script work?
resource exampleScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'KeyVaultSecretFromProduct'
  location: resourceGroup().location
  kind: 'AzurePowerShell'
  // the script runs under this user-assigned identity
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '/subscriptions/${subscription().subscriptionId}/resourcegroups/${managedIdentity.scope}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${managedIdentity.name}': {}
    }
  }
  properties: {
    // \\" yields a literal \" so the quoted values survive PowerShell argument parsing
    arguments: '-ResourceGroupName \\"${keyVaultSecretFromProduct.scope}\\" -SubscriptionKey \\"${subscriptionKey}\\" -KeyVault \\"${keyVaultSecretFromProduct.keyVault}\\"'
    azPowerShellVersion: '3.0'
    scriptContent: loadTextContent('../../membership-optimization/create-secret-for-product-key.ps1')
    retentionInterval: 'P1D'
  }
}
After running it fails with the error:
New-AzResourceGroupDeployment: 15:37:50 - The deployment 'test_keyvault' failed with error(s). Showing 1 out of 1 error(s).
Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details. (Code: DeploymentFailed)
- {
"status": "failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'failed'.",
"details": [
{
"code": "DeploymentScriptError",
"message": "The provided script failed with the following error:\r\nMicrosoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'\n at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.SetSecret(String vaultName, String secretName, SecureString secretValue, PSKeyVaultSecretAttributes secretAttributes)\n at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret.ExecuteCmdlet()\n at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)\n at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)\n at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)\n at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()\r\nat <ScriptBlock>, /mnt/azscripts/azscriptinput/userscript.ps1: line 46\r\nat <ScriptBlock>, <No file>: line 1\r\nat <ScriptBlock>, /mnt/azscripts/azscriptinput/DeploymentScript.ps1: line 264. Please refer to https://aka.ms/DeploymentScriptsTroubleshoot for more deployment script information."
}
]
}
} (Code:Conflict)
CorrelationId: xxxxxxxxxxxxxxxxxxxx
A VNet with some subnets used for app services was configured so that those app services can have access to key vault secrets.
Is there a way to solve this problem? Any workaround? Maybe a command that we can run that allows us to connect to the vnet?
A work-around could be to change the VNET settings on the vault, then run the script, and then re-set the VNET settings to their original state. It kinda sucks but it is the only thing I got working for me when handling this situation (though in my case it was a PowerShell script).
Or, you could run the script on a VM that is in an authorised subnet.

azure-data-factory-utilities validation fails

The node module @microsoft/azure-data-factory-utilities systematically fails to validate Data Factories.
Here is the command line I use: npm run start validate ../etl-dataplatform subscriptions/xxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxx/resourceGroups/DataPlatform-STAG/providers/Microsoft.DataFactory/factories/etl-dataplatform-stag
Error logs:
ERROR === CmdApiApp: Failed to run resource validation. Error: {"stack":"TypeError: Cannot read property 'concept' of undefined\n at Function.<anonymous> (/Users/gt/Local/azure-datafactory-deploy/downloads/main.js:1271:27040)\n at /Users/gt/Local/azure-datafactory-deploy/downloads/main.js:16:2243\n at Object.next (/Users/gt/Local/azure-datafactory-deploy/downloads/main.js:16:2348)\n at o (/Users/gt/Local/azure-datafactory-deploy/downloads/main.js:16:1087)","message":"Cannot read property 'concept' of undefined"}
=====ERROR=====
Error: Command failed: node /Users/gt/Local/azure-datafactory-deploy/downloads/main.js validate ../etl-dataplatform subscriptions/xxxxx-xxxxxx-xxxx/resourceGroups/DataPlatform-STAG/providers/Microsoft.DataFactory/factories/etl-dataplatform-stag
Execution finished....
However, when I click on the "validate" button in the Azure Data Factory interface, the validation is successful.
This error is due to the ADF resource ID being incorrect. You seem to be missing a / at the beginning of your resource ID, before 'subscriptions'.
The correct command would be npm run start validate ../etl-dataplatform /subscriptions/xxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxx/resourceGroups/DataPlatform-STAG/providers/Microsoft.DataFactory/factories/etl-dataplatform-stag
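A pre-flight check for the resource ID before it reaches npm run start validate, added here as an example (not part of the answer or of the utilities package); it parses the full ARM ID and reports the missing leading slash from the question. The subscription GUID used in the test is constructed.

```python
import re

# Full ARM resource ID of a Data Factory. The leading "/" is required; when it is
# missing, the utilities package fails with the unhelpful
# "Cannot read property 'concept' of undefined" error quoted above.
_ADF_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.DataFactory/factories/(?P<factory>[^/]+)$",
    re.IGNORECASE,
)


def check_adf_resource_id(resource_id: str) -> dict:
    """Pre-flight check for the resource ID passed to `npm run start validate`.

    Returns {"ok": True, "fixed": <id>, ...parsed segments...} for a well-formed
    ID, otherwise {"ok": False, "problem": <why>, "fixed": <corrected ID or None>}.
    """
    candidate = resource_id.strip()
    match = _ADF_ID.match(candidate)
    if match:
        return {"ok": True, "fixed": candidate, **match.groupdict()}
    # The mistake from the question: everything is right except the leading slash.
    if not candidate.startswith("/") and _ADF_ID.match("/" + candidate):
        return {
            "ok": False,
            "problem": "missing leading '/' before 'subscriptions'",
            "fixed": "/" + candidate,
        }
    if "/providers/microsoft.datafactory/factories/" not in candidate.lower():
        return {"ok": False, "problem": "not a Microsoft.DataFactory/factories resource ID", "fixed": None}
    return {"ok": False, "problem": "subscription ID is not a GUID or the segment layout is wrong", "fixed": None}
```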

Azure VM Scaleset custom script extension not working - possibly failing to get VM identity?

I'm attempting to deploy to my Virtual machine scale set using the custom script extension as below.
az vmss extension set --debug --name 'CustomScriptExtension' `
--resource-group 'my-rg' `
--publisher 'Microsoft.Compute' `
--version '1.9.5' `
--vmss-name 'myvmss' `
--settings '{\"commandToExecute\": \"powershell.exe ./download-package.ps1\", \"fileUris\": [\"https://[REDACTED].blob.core.windows.net/upload/download-package.ps1\"]}' `
--protected-settings '{\"managedIdentity\": {\"objectId\": \"[REDACTED]\"}}'
When running I get the following error:
cli.azure.cli.core.azclierror : Deployment failed. Correlation ID: 73f4d16b-afe0-4373-8773-1d7dd7d26940. VM has reported a failure when processing extension 'CustomScriptExtension'. Error message: "Failed to download all specified files. Exiting. Error Message: Exception of type 'Microsoft.WindowsAzure.GuestAgent.Plugins.CustomScriptHandler.Downloader.MsiNotFoundException' was thrown."
More information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot
Deployment failed. Correlation ID: 73f4d16b-afe0-4373-8773-1d7dd7d26940. VM has reported a failure when processing extension 'CustomScriptExtension'. Error message: "Failed to download all specified files. Exiting. Error Message: Exception of type 'Microsoft.WindowsAzure.GuestAgent.Plugins.CustomScriptHandler.Downloader.MsiNotFoundException' was thrown."
The file to be downloaded requires authentication, so I have given the scale set a system-assigned identity and granted it the Storage Blob Data Reader role on the storage account hosting the PowerShell file.
The custom extension logs on the VM suggest that it was unable to get the identity of the VM:
[7108+00000001] [11/20/2020 09:12:28.79] [INFO] Handler successfully enabled
[7108+00000001] [11/20/2020 09:12:28.80] [INFO] Loading configuration for sequence number 1
[7108+00000001] [11/20/2020 09:12:28.84] [INFO] HandlerSettings = ProtectedSettingsCertThumbprint: [REDACTED], ProtectedSettings: {[REDACTED]}, PublicSettings: {FileUris: [https://[REDACTED].blob.core.windows.net/upload/download-package.ps1], CommandToExecute: powershell.exe ./download-package.ps1}
[7108+00000001] [11/20/2020 09:12:29.26] [INFO] Downloading files specified in configuration...
[7108+00000001] [11/20/2020 09:12:30.90] [INFO] Attempting to get MSI from IMDS
[7108+00000001] [11/20/2020 09:12:31.04] [WARN] WebClient: non retryable error occurred System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadString(Uri address)
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClient.<>c__DisplayClass3_0.<DownloadStringWithRetries>b__0()
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClientWithRetryAbstract.ActionWithRetries(Action action)
[7108+00000001] [11/20/2020 09:12:31.14] [ERROR] Unknown exception occurred while attempting to get MSI token System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadString(Uri address)
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClient.<>c__DisplayClass3_0.<DownloadStringWithRetries>b__0()
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClientWithRetryAbstract.ActionWithRetries(Action action)
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClient.DownloadStringWithRetries(Uri address)
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.MsiProvider.GetMsiHelper(NameValueCollection queries)
[7108+00000001] [11/20/2020 09:12:31.14] [INFO] Msi was not obtained
I can retrieve the identity token from the metadata endpoint via Invoke-WebRequest -Method Get -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' so that appears to be set up correctly.
Any advice on what the problem could be or how to further diagnose this issue would be greatly appreciated.
Here are a few fixes you can try:
The object ID of the managed identity might be incorrect.
Please also move commandToExecute and fileUris into protected settings with managed identities.
If you want to use a system-assigned managed identity, you don't need to pass a clientId or objectId; more info here https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#property-managedidentity
edit: please explicitly pass an empty json object as settings when you add commandToExecute and fileUris to protected settings. Extensions would fail otherwise due to duplicated settings.
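The settings layout the answer recommends, as an added example (not code from the answer or from Azure): a builder that puts commandToExecute and fileUris into the protected settings with managedIdentity {} for the system-assigned identity, and a lint that flags the question's original layout and any key duplicated across the two settings objects. The command and blob URI are constructed placeholders.

```python
import json

# Constructed sample values (not the question's real storage account).
EXAMPLE_COMMAND = "powershell.exe ./download-package.ps1"
EXAMPLE_URIS = ["https://examplestorage.blob.core.windows.net/upload/download-package.ps1"]


def build_cse_settings(command, file_uris, identity_object_id=None):
    """Return (settings, protected_settings) for CustomScriptExtension.

    Following the answer: commandToExecute and fileUris live in the protected
    settings (encrypted, not visible in the VM model or extension status), the
    public settings are an explicit empty object so no key is duplicated, and
    managedIdentity is {} for the system-assigned identity or {"objectId": ...}
    for a user-assigned one.
    """
    identity = {} if identity_object_id is None else {"objectId": identity_object_id}
    protected = {
        "commandToExecute": command,
        "fileUris": list(file_uris),
        "managedIdentity": identity,
    }
    return {}, protected


def lint_cse_settings(settings, protected_settings):
    """Return the problems the answer warns about, as a list of strings."""
    problems = []
    duplicated = sorted(set(settings) & set(protected_settings))
    if duplicated:
        problems.append(f"keys present in both settings and protectedSettings: {duplicated}")
    if "managedIdentity" in protected_settings:
        for key in ("commandToExecute", "fileUris"):
            if key in settings and key not in protected_settings:
                problems.append(f"{key} must move to protectedSettings when managedIdentity is used")
    if "managedIdentity" in settings:
        problems.append("managedIdentity belongs in protectedSettings")
    for uri in list(settings.get("fileUris", [])) + list(protected_settings.get("fileUris", [])):
        if not uri.lower().startswith("https://"):
            problems.append(f"fileUris entry is not https: {uri}")
    return problems


def cse_cli_arguments(settings, protected_settings):
    """Render the two JSON arguments for `az vmss extension set`."""
    return (f"--settings '{json.dumps(settings)}' "
            f"--protected-settings '{json.dumps(protected_settings)}'")
```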

Alibaba Cloud Terraform Apply - ErrorCode: RISK.RISK_CONTROL_REJECTION & ErrorCode: Forbidden.RiskControl

I want to create 2 instances (one instance in Zone A and one in Zone B) with private IPs, and an SLB (public IP) whose VServer is both instances, with HTTP frontend and backend ports. My terraform scripts are here: https://github.com/gablooge/alibaba-terraform-challenge
But I have a problem when applying my scripts: it turned out like this when creating the instances and the SLB. Here are the error messages:
Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_instance.go:423: Resource alicloud_instance RunInstances Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: Forbidden.RiskControl
Recommend:
RequestId: 09B3E699-BC3E-457B-B266-54AC66325BE7
Message: This operation is forbidden by Aliyun RiskControl system.
on main.tf line 1, in resource "alicloud_instance" "instance_a":
1: resource "alicloud_instance" "instance_a" {
Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_instance.go:423: Resource alicloud_instance RunInstances Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: Forbidden.RiskControl
Recommend:
RequestId: 5520BCA6-6A03-4E3A-A87E-1794AC38AB11
Message: This operation is forbidden by Aliyun RiskControl system.
on main.tf line 15, in resource "alicloud_instance" "instance_b":
15: resource "alicloud_instance" "instance_b" {
Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_slb.go:244: Resource alicloud_slb CreateLoadBalancer Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: RISK.RISK_CONTROL_REJECTION
Recommend:
RequestId: D677A5EB-F3A7-48A2-98D1-91988BAF6B53
Message: The Account is rejected by risk control system.
on main.tf line 30, in resource "alicloud_slb" "default":
30: resource "alicloud_slb" "default" {
Anybody know how to resolve this problem?
This looks like an access-related issue. You might want to raise a ticket with the Alibaba Cloud support team to confirm all the required access is enabled.

What is the proper way to export Azure SQL DB to Blob using SAS?

When I repeat the steps from here:
https://learn.microsoft.com/en-us/cli/azure/sql/db?view=azure-cli-latest#az-sql-db-export
StorageAccessKey works fine.
SharedAccessKey is failing with:
Operation failed with status: 'Bad Request'. Details: There was an error that occurred during this operation : 'Error encountered during the service operation. ; Exception Microsoft.SqlServer.Management.Dac.Services.ServiceException:Unexpected exception encountered while retrieving metadata for blob 'https://satest.blob.core.windows.net/backup/mydb-2019-5-13-10-1.bacpac'.; Inner exception Microsoft.WindowsAzure.Storage.StorageException:The remote server returned an error: (403) Forbidden.; Inner exception System.Net.WebException:The remote server returned an error: (403) Forbidden.; '
What am I missing?
Microsoft.SqlServer.Management.Dac.Services.ServiceException:Unexpected exception encountered while retrieving metadata for blob
From the error message, it looks like you need read permission as well in your Shared Access Signature (SAS). Please regenerate SAS with both read and write permission.
az storage blob generate-sas --account-name myAccountName -c myContainer -n myBacpac.bacpac --permissions rw --expiry 2020-01-01T00:00:00Z
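A check of the SAS the export is handed, added here as an example (not part of the answer): it parses the token's query parameters and reports a missing 'r' in sp, the cause of the 403 above, along with a missing signature or an expired se. The sample URL is constructed with a placeholder signature.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a SAS URL of the shape the export error quotes, with a
# placeholder signature (not a real token).
SAMPLE_WRITE_ONLY_SAS = (
    "https://satest.blob.core.windows.net/backup/mydb-2019-5-13-10-1.bacpac"
    "?sp=w&st=2019-05-13T00:00:00Z&se=2099-01-01T00:00:00Z&sv=2018-11-09"
    "&sr=b&sig=PLACEHOLDER_SIGNATURE"
)


def check_export_sas(blob_sas_url, now=None):
    """Return the problems that would make `az sql db export` fail on this SAS.

    The export service reads the target blob's metadata before writing the
    bacpac, so the sp (signed permissions) field needs 'r' as well as 'w';
    a write-only token yields the 403 in the question.
    """
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(blob_sas_url)
    query = parse_qs(parts.query)
    problems = []
    if parts.scheme != "https":
        problems.append("SAS URL must use https")
    if "sig" not in query:
        problems.append("no sig parameter: this is not a SAS URL")
    permissions = query.get("sp", [""])[0]
    for needed in "rw":
        if needed not in permissions:
            problems.append(f"sp={permissions!r} lacks {needed!r}")
    expiry = query.get("se", [None])[0]
    if expiry is None:
        problems.append("no se (expiry) parameter")
    else:
        try:
            # se is either a full UTC timestamp or a bare date
            fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in expiry else "%Y-%m-%d"
            expires_at = datetime.strptime(expiry, fmt).replace(tzinfo=timezone.utc)
            if expires_at <= now:
                problems.append(f"token expired at {expiry}")
        except ValueError:
            problems.append(f"unparseable se value {expiry!r}")
    return problems
```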
