ARM template - bad request failed when deploying a linked service - azure

I am trying to deploy a synapse instance via an ARM template and the deployment is successful via the Azure DevOps portal, but when I try to deploy the same template with an Azure Keyvault linked service I encounter the following error:
##[error]At least one resource deployment operation failed. Please list deployment
operations for details. Please see https://aka.ms/DeployOperations for usage details.
##[error]Details:
##[error]BadRequest:
After inspecting the activity logs from the Synapse instance I found out the following:
"resourceGroupName": "platform-test-group",
"resourceProviderName": {
"value": "Microsoft.Synapse",
"localizedValue": "Microsoft.Synapse"
},
"resourceType": {
"value": "Microsoft.Synapse/workspaces/linkedservices",
"localizedValue": "Microsoft.Synapse/workspaces/linkedservices"
},
"resourceId": "/subscriptions/xxxx-xxxx-xxxx-xxxx/resourcegroups/platform-test-group/providers/Microsoft.Synapse/workspaces/synapsedataapp/linkedservices/AzureKeyVault",
"status": {
"value": "Failed",
"localizedValue": "Failed"
},
"subStatus": {
"value": "NotFound",
"localizedValue": "Not Found (HTTP Status Code: 404)"
},
"submissionTimestamp": "2022-02-01T02:30:31.1471914Z",
"subscriptionId": "xxxx-xxxx-xxxx-xxxx",
"tenantId": "0f44c5d4-xxxx-xxxx-xxxxx",
"properties": {
"statusCode": "NotFound",
"serviceRequestId": null,
"statusMessage": "{\"error\":{\"code\":\"BadRequest\",\"message\":\"\"}}",
"eventCategory": "Administrative",
"entity": "/subscriptions/xxxx-xxxx-xxxx-xxxx/resourcegroups/platform-test-group/providers/Microsoft.Synapse/workspaces/synapsedataapp/linkedservices/AzureKeyVault",
"message": "Microsoft.Synapse/workspaces/linkedservices/write",
"hierarchy": "xxxx-xxxx-xxxx-xxxx/Enterprise/Group/Group-Test/xxxx-xxxx-xxxx-xxxx"
},
"relatedEvents": []
}
As you can see, the 404 error appears when the template tries to deploy to the tenant id which is not found, however, when I deploy the keyvault via the synapse UI I encounter no error.
Below is the code snippet that I use in my ARM template to deploy the keyvault to the synapse instance:
{
"name": "[concat(variables('workspaceName'), '/AzureKeyVault')]",
"type": "Microsoft.Synapse/workspaces/linkedservices",
"apiVersion": "2021-06-01-preview",
"properties": {
"annotations": [],
"type": "AzureKeyVault",
"typeProperties": {
"baseUrl": "https://data-test-kv.vault.azure.net/"
}
},
"dependsOn": [
"[variables('workspaceName')]"
]
}
Am I missing some kind of permission or connection that I need to enable? Why am I able to deploy successfully through the UI but not through the ARM template? Any comment or suggestion is greatly valued, so please feel free to comment or improve this question.

I had to contact Microsoft support and their reply was the following:
ARM templates cannot be used to create a linked service. This is due to the fact that linked services are not ARM resources, for examples, synapse workspaces, storage account, virtual networks, etc. Instead, a linked service is classified as an artifact. To still complete the task at hand, you will need to use the Synapse REST API or PowerShell. Below is the link that provides guidance on how to use the API. https://learn.microsoft.com/en-us/powershell/module/az.synapse/set-azsynapselinkedservice?view=azps-7.1.0
This limitation in ARM is applied only to Synapse and they might fix this in the future.
Additional references:
https://feedback.azure.com/d365community/idea/05e41bf1-0925-ec11-b6e6-000d3a4f07b8
https://feedback.azure.com/d365community/idea/48f1bf78-2985-ec11-a81b-6045bd7956bb

In Synapse unlike ADF, linked-services are not part of arm-templates. They are called artifacts and it comprises: Note Books, Spark Definitions, Linked Services, Pipelines etc.
You can find the full article here: https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/how-to-use-ci-cd-integration-to-automate-the-deploy-of-a-synapse/ba-p/2248060
In short, first, deploy Synapse using arm templates. And then set up the linked services:
- task: Synapse workspace deployment#1
displayName: 'Setup:Synapse KeyVault Linked Service'
inputs:
TemplateFile: '$(Build.Repository.LocalPath)/TemplateForWorkspace.json'
ParametersFile: '$(Build.Repository.LocalPath)/TemplateParametersForWorkspace.json'
azureSubscription: '${{ parameters.environments.serviceConnectionId }}'
ResourceGroupName: '$(computeResourceGroupName)'
TargetWorkspaceName: '$(synapseWorkspaceName)'
DeleteArtifactsNotInTemplate: true
OverrideArmParameters: |
synapseLinkedServiceKV: $(synapseLinkedServiceKV)
workspaceName: $(synapseWorkspaceName)
Environment: 'prod'
TemplateForWorkspace.json:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
},
"synapseLinkedServiceKV": {
"type": "string"
}
},
"variables": {
"workspaceId": "[concat('Microsoft.Synapse/workspaces/', parameters('workspaceName'))]"
},
"resources": [
{
"name": "[concat(parameters('workspaceName'), '/' , parameters('synapseLinkedServiceKV'))]",
"type": "Microsoft.Synapse/workspaces/linkedServices",
"apiVersion": "2019-06-01-preview",
"properties": {
"type": "AzureKeyVault",
"typeProperties": {
"baseUrl": "[concat('https://', parameters('synapseLinkedServiceKV'), '.vault.azure.net/')]"
},
"annotations": [],
"description": "Linked Service to Azure KeyVault. KeyVault is used to primarily fetch secrets"
},
"dependsOn": []
}
]
}
TemplateParametersForWorkspace.json:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"value": ""
},
"synapseLinkedServiceKV": {
"value": ""
}
}
}
It deletes the existing artifacts and deploys the one above. You would first need to install the task extension on your Azure Devops for Synapse workspace deployment#1
Note above template was auto-generated. In synapse studio, goto Git Configuration and point it to your repo. It will submit the changes to the branch workspace_publish. You can copy and build on top of the specific artifact code.

Related

Re-deploy Azure Web App Service and Plan using ARM Templates

I'm new to Azure and newer to using ARM templates.
I've got an App Service and Service Plan supporting Windows OS that needs to be changed to Linux. From what I can tell, there is no direct modification to achieve this result, I'm going to need to delete and redeploy.
I was looking at steps for manual deletion and re-build, but I'm thinking that using ARM templates would likely be more effective. I'm researching using ARM templates but not getting much information about using them for removal/modify/replacement. I'd guess that I can download the existing ARM templates and re-deploy, but there have to be a handful of gotchas, but I don't know what to look for.
My expectation is that the ARM template would not be able to deploy the custom domain and its certificate ready to go. Also, the existing template has references to snapshots that would likely be gone after deletion, so I'd expect to have to remove those references from the template prior to re-deploy.
Any guidance I can get would be greatly appreciated!
Per
One of the workaround you can follow ;
I'm researching using ARM templates but not getting much information
about using them for removal/modify/replacement
AFAIK, There is no direct command to delete the resources through which are deployed to Azure using ARM.
Instead of that you can use Azure cli as suggested in this SO THREAD,
Because after deployment there is still you can see in the deployment logs your resource are there you can delete from the portal itself.
After remove the app service from portal you can redeploy the same with adding your modifications.
We have tried after deploy the application and then remove/delete from portal as mentioned above and then re-deploy the app service with linux environment and its work fine.
You can make it use of below template(e.g):-
template.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"webAppName": {
"type": "string",
"defaultValue": "AzureLinuxApp",
"metadata": {
"description": "Base name of the resource such as web app name and app service plan "
},
"minLength": 2
},
"sku": {
"type": "string",
"defaultValue": "S1",
"metadata": {
"description": "The SKU of App Service Plan "
}
},
"linuxFxVersion": {
"type": "string",
"defaultValue": "php|7.4",
"metadata": {
"description": "The Runtime stack of current web app"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]",
"appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2020-06-01",
"name": "[variables('appServicePlanName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('sku')]"
},
"kind": "linux",
"properties": {
"reserved": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-06-01",
"name": "[variables('webAppPortalName')]",
"location": "[parameters('location')]",
"kind": "app",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
],
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"siteConfig": {
"linuxFxVersion": "[parameters('linuxFxVersion')]"
}
}
}
]
}
app.parameter.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"webAppName": {
"value": "mylinuxappp"
}
}
}
OUTPUT DETAILS FOR REFERENCE:-
To deploy webapp with custom domain and ssl certificate need to make sure that its already verified and also need to use existing keyvault for the SSL binding . Please find this arm template for more information.
Please refer the below links for get started with Azure App service using arm template with different scenarios(step by step guidance). It should be help more to understand .
MICROSOFT DOCUMENTATIONS| Azure Resource Manager templates for App Service & Quickstart: Create App Service app using an ARM template

Azure Logic App - Update Blob API Connection through powershell

I've searched online and browsed the available powershell cmdlets to try and find a solution for this problem but have been unsuccessful. Essentially, I have a few Data Factory pipelines that copy/archive incoming files and will use a web http post component that will invoke a Logic App that connects to a Blob container and will delete the incoming file. The issue I'm facing is that we have several automation runbooks that will rest Blob access keys every X days. When the Blob keys get reset the Logic App will fail whenever this happens because the connection is manually created in the designer itself and I can't specify a connection string that could pull from the Keyvault, as an example. Inside of the {Logic App > API Connections > Edit API Connection} we can manually update the connection string/key but obviously for an automated process we should be able to do this programmatically.
Is there a powershell cmdlet or other method I'm not seeing that would allow me to update/edit the API Connections that get created when using and Blob component inside a Logic App?
Any insights is appreciated!
Once you've rotated your key in the storage account, you can use an ARM template to update your connection API. In this ARM template, the connection api is created referencing the storage account internally so you don't have to provide the key:
azuredeploy.json file:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"azureBlobConnectionAPIName": {
"type": "string",
"metadata": {
"description": "The name of the connection api to access the azure blob storage."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "The Storage Account Name."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/connections",
"name": "[parameters('azureBlobConnectionAPIName')]",
"apiVersion": "2016-06-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {
"displayName": "[parameters('azureBlobConnectionAPIName')]",
"parameterValues": {
"accountName": "[parameters('storageAccountName')]",
"accessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')),'2015-05-01-preview').key1]"
},
"api": {
"id": "[concat('subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
}
},
"dependsOn": []
}
]
}
azuredeploy.parameters.json file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"azureBlobConnectionAPIName": {
"value": "myblobConnectionApiName"
},
"storageAccountName": {
"value": "myStorageAccountName"
}
}
}
You can them execute the arm template like that:
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName <yourSubscriptionName>
New-AzureRmResourceGroupDeployment -Name "ExampleDeployment" -ResourceGroupName "MyResourceGroupName" `
-TemplateFile "D:\Azure\Templates\azuredeploy.json" `
-TemplateParameterFile "D:\Azure\Templates\azuredeploy.parameters.json"
to get started with ARM template and powerhsell, you cam have a look at this article:
Deploy resources with Resource Manager templates and Azure PowerShell

ARM template Office 365 connection for logic apps

I have a logic app that I am trying to automate through an ARM Template.
The logic app requires a connection to Office 365. Below I have the template for the connection generated from the automation pane of the Azure Portal.
When I run the script it fails - there is an authentication issue between the Azure subscription and the Office 365 subscription.
LinkedAuthorizationFailed
The client has permission to perform action 'Microsoft.Web/locations/managedApis/join/action' on scope ... however the current tenant 'curr-tenant-guid' is not authorized
to access linked subscription 'linked-sub-guid' ...
I wont be able to create this trust to automate the provisioning, but I would like to create the connection as placeholder so that the logic app can be deployed and I can go back to the portal to authorise the connection. Is this possible? Are there any other alternatives?
{
"comments": "Office 365 user for file monitoring",
"type": "Microsoft.Web/connections",
"name": "MyOffice365User",
"apiVersion": "2016-06-01",
"location": "northeurope",
"scale": null,
"properties": {
"displayName": "readuser#example.com",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/a6720ff8-f7cb-4bc8-a542-e7868767686/providers/Microsoft.Web/locations/northeurope/managedApis/', 'MyOffice365User')]"
}
},
"dependsOn": []
}
I found three post related to the same problem:
Deploying a logic app using ARM templates/powershell
Azure Logic Apps - ARM template to deploy filesystem API connection
How to set the connection string for a Service Bus Logic App action in an ARM template?
The problem is the same for all API Connection.
Connection parameters to access the specific service are stored on Azure and when you try to export the ARM Template there is nothing regarding these specific parameters (which make sens as Azure will not expose your secret, password...).
The trick is to query Azure Resource Management API to return the parameters needed for any connection in a Logic App.
Just follow the instructions on this article:
Deploying in the Logic Apps Preview Refresh
Use the below link to install logic app tool which can help to design workflow
https://marketplace.visualstudio.com/items?itemName=VinaySinghMSFT.AzureLogicAppsToolsforVisualStudio-18551
once done you can create office 365 connector and when you open ARM template you can see o365 component in the ARM template.
My template looks like :-
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2016-06-01",
"name": "[parameters('office365_1_Connection_Name')]",
"location": "[parameters('location')]",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/', 'office365')]"
},
"displayName": "[parameters('office36`enter code here`5_1_Connection_DisplayName')]"
}
}
and inside workflow
"triggers": {
"When_a_new_event_is_created_(V2)": {
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "#parameters('$connections')['office365']['connectionId']"
}
},
"method": "get",
"path": "/datasets/calendars/v2/tables/#{encodeURIComponent(encodeURIComponent('AAMkNbPwESLK3F8s5n1Q3BwAhXXXXXXXXXXXXXXXXXXXXXXXXXXX'))}/onnewitems"
},
"recurrence": {
"frequency": "Minute",
"interval": 1
},
"splitOn": "#triggerBody()?['value']"
}
}
================================================================
And the parameters for workflow
"parameters": {
"$connections": {
"value": {
"office365": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/', 'office365')]",
"connectionId": "[resourceId('Microsoft.Web/connections', parameters('office365_1_Connection_Name'))]",
"connectionName": "[parameters('office365_1_Connection_Name')]"
}
================================================================

Executing custom activity on Azure Data Factory Pipeline

I am creating simple pipeline in the data factory that should only run a custom activity. The deployment template for the pipeline looks like this:
{
"type": "pipelines",
"name": "MyCustomActivityPipeline",
"dependsOn": [
"DataFactoryName",
"AzureBatchLinkedService"
],
"apiVersion": "[variables('api-version')]",
"properties": {
"description": "Custom activity sample",
"activities": [
{
"type": "Custom",
"name": "MyCustomActivity",
"linkedServiceName": {
"referenceName": "AzureBatchLinkedService",
"type": "LinkedServiceReference"
},
"typeProperties": {
"command": "cmd /c echo hello world"
}
}
]
}
}
Additionally I have created all the resources needed- the batch account with pools and the storage account. All the resources are in the same resource group and subscription. I try to trigger the pipeline using console command
Invoke-AzureRmDataFactoryV2Pipeline -DataFactory "DataFactory" -PipelineName "PipelineName" -ResourceGroupName "ResourceGroupName"
I am getting this error:
Activity MyCustomActivity failed: Can not access user batch account, please check batch account setiings.
Has anyone ever experienced such an error from ADF execution of a pipeline? The weird part is that all the resources have access to each other and are within the same resource group and subscription.
Please check the settings for the storage linked service used by batch linked service. Make sure the connection string type is SecureString

Configure programmatic deployment for Azure Bing maps

I'm trying to add BingMaps to our resource template.
this is the template so far:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mapsName": {
"type": "string"
}
},
"variables": {
"location": "[resourceGroup().location]"
},
"resources": [
{
"apiVersion": "2015-07-02",
"type": "Microsoft.BingMaps/mapApis",
"name": "[parameters('mapsName')]",
"location": "westus",
"plan": {
"publisher": "bingmaps",
"product": "mapapis",
"name": "myMapsTest",
"promotionCode": null
},
"properties": {
"provisioningState": "Succeeded"
}
}
],
"outputs": {
}
}
It gives this error message:
New-AzureRmResourceGroupDeployment : 14:22:50 - Resource
Microsoft.BingMaps/mapApis 'myMapsName' failed with message 'User
failed validation to purchase resources. Error message: 'Legal terms
have not been accepted for this item on this subscription. To accept
legal terms, please go to the Azure portal
(http://go.microsoft.com/fwlink/?LinkId=534873) and configure
programmatic deployment for the Marketplace item or create it there
for the first time''
How can I configure programmatic deployment for Azure Bing maps?
The current workaround is: create the marketplace item once under the very same subscription you are going to use for the programmatic deployment. It worked me like charm.. (although I am not happy this interactive hocus pocus at all)
The supposed correct solution is not working yet (issue), but hopefully will. See below:
Seems to be an Azure Subscription issue - what type of subscription do you have (pay as you go, free, EA?).
What location did you try to deploy to?
Also - are you able to provision "Bing Maps API for Enterprise" offering for the marketplace?

Resources