ARM Template: Firewall rule is not being created for database server - azure

I'm deploying an Azure database server with an ARM template which includes a firewall rule to allow all IP addresses. The deployment finishes without errors; however, the firewall rule doesn't seem to be created when I check the Portal.
"resources": {
"name": "mydbserver",
"type": "Microsoft.Sql/servers",
"apiVersion": "2014-04-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "mydbserver"
},
"properties": {
"administratorLogin": "[parameters('dbserverUsername')]",
"administratorLoginPassword": "[parameters('dbserverPassword')]"
},
"resources": [
{
"type": "firewallRules",
"apiVersion": "2014-04-01",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', 'mydbserver')]"
],
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"startIpAddress": "0.0.0.0",
"endIpAddress": "0.0.0.0"
}
}
]
},

Adding this rule (AllowAllWindowsAzureIps) manually in the portal resulted in an error stating "This rule name is already in use for 'Allow Azure services and resources to access this server' setting.".
So, it is clear that the rule name is reserved for the below outlined setting. Everything was working as intended after all.
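A check for the behaviour described above, as an added example that is not part of the original post: the script walks an ARM template and classifies each SQL server firewall rule by its range. The range 0.0.0.0 to 0.0.0.0 is the reserved "Allow Azure services and resources to access this server" setting, while 0.0.0.0 to 255.255.255.255 admits every IPv4 address; the function names, the two extra rules and the 256-address review threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the rule from the question plus two hypothetical rules.
SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Sql/servers",
    "name": "mydbserver",
    "resources": [
        {"type": "firewallRules", "name": "AllowAllWindowsAzureIps",
         "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
        {"type": "firewallRules", "name": "example-open",
         "properties": {"startIpAddress": "0.0.0.0",
                        "endIpAddress": "255.255.255.255"}},
        {"type": "firewallRules", "name": "example-office",
         "properties": {"startIpAddress": "203.0.113.10",
                        "endIpAddress": "203.0.113.20"}},
    ],
}]}

def classify(start, end):
    """Label a firewall range by how much it exposes."""
    if not (start and end) or "[" in start + end:
        return "unresolved"          # template expression or missing value
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if lo == 0 and hi == 0:
        return "azure-services"      # reserved 'Allow Azure services' setting
    if lo == 0 and hi == 2**32 - 1:
        return "entire-internet"     # every IPv4 address may connect
    # 256 addresses is an arbitrary review threshold (assumption).
    return "wide-range" if hi - lo + 1 > 256 else "scoped"

def audit_firewall_rules(template):
    """Return (server, rule, verdict) for every SQL firewall rule found."""
    findings = []
    def walk(resources, server):
        for res in resources:
            rtype = res.get("type", "").lower()
            if rtype.endswith("firewallrules"):
                props = res.get("properties", {})
                verdict = classify(props.get("startIpAddress", ""),
                                   props.get("endIpAddress", ""))
                findings.append((server, res.get("name"), verdict))
            is_server = rtype == "microsoft.sql/servers"
            walk(res.get("resources", []), res.get("name") if is_server else server)
    walk(template.get("resources", []), None)
    return findings

if __name__ == "__main__":
    for finding in audit_firewall_rules(SAMPLE_TEMPLATE):
        print(*finding, sep="\t")
```

Rules reported as "unresolved" take their range from a parameter or variable and need to be checked against the parameter file used for the deployment.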

Related

Add slots using ARM templates

I would like to create same named slots on two different environments. The difference is that on Integration I want to have autoswap enabled. I tried doing this using condition like below but this does not pass validation because I have two resources with same name.
"resources": [
{
"condition": "[equals(parameters('env'), 'Integration')]",
"apiVersion": "2018-11-01",
"name": "staging", <----------------- HERE
"type": "slots",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[variables('webApiWebSiteName')]"
],
"properties": {
"siteConfig": {
"autoSwapSlotName": "production" <----------------- only difference
}
}
},
{
"condition": "[equals(parameters('env'), 'Production')]",
"apiVersion": "2018-11-01",
"name": "staging", <----------------- HERE
"type": "slots",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[variables('webApiWebSiteName')]"
],
"properties": {
}
}
]
You could only create a web app with a name that's unique across all of Azure, because it would generate an endpoint to your website.
About slots, you could also check the table in the link. They could hold the same name between different sites (app services), but could not hold the same name under one site. Not sure about the environment you said, if it means the develop and staging environment, the two slots are still under one app service.

Nested ARM template and dependsOn in another Resource Group

I am trying to create a Function App with VNET Integration in ARM. I have made all that work just fine in one main template.
Now I have a new requirement where the VNET needs to be in another RG and thus separate from the Func App RG, but the Func App still needs to have VNET integration to the VNET in the other RG.
I'm struggling with how to define the ARM template, so that I deploy the Func App in one RG and VNET in another. The hard part is how to define this so that the Func App integrates into a VNET in another RG in the same ARM template using nested template.
Here is my ARM template:
"resources": [{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "nestedTemplate",
"resourceGroup": "[parameters('VNETPeered_RG_Name')]",
"subscriptionId": "0a2009c0-e2ae-4991-aa0e-5c34c141e4cb",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [{
"comments": "Virtual Network for VNET integration feature in the Premium Plan for the Function App",
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-11-01",
"name": "[variables('virtual_network_name')]",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('vnetAddressPrefix')]"
]
},
"subnets": [{
"name": "[variables('subnet_name')]",
"properties": {
"addressPrefix": "[parameters('subnet1Prefix')]",
"serviceEndpoints": [{
"service": "Microsoft.Storage",
"locations": [
"[resourceGroup().location]"
]
}]
}
}]
}
}]
}
}
},
{
"comments": "Function App to host the functions themselves. Integrates into a VNET and makes use of Azure DNS Private Zones.",
"type": "Microsoft.Web/sites",
"apiVersion": "2019-08-01",
"name": "[variables('function_app_name')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"nestedTemplate",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storage_account_name'))]",
"[resourceId('Microsoft.Web/serverfarms', variables('app_service_plan_name'))]"
],
"kind": "functionapp",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('app_service_plan_name'))]",
"siteConfig": {
"appSettings": [{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(variables('application_insights_resourceId'), '2018-05-01-preview').InstrumentationKey]"
}]
},
"clientAffinityEnabled": true
},
"resources": [{
"type": "networkConfig",
"apiVersion": "2019-08-01",
"name": "virtualNetwork",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('function_app_name'))]"
],
"properties": {
"subnetResourceId": "[reference(resourceId('RG-FunctionsGroup','Microsoft.Network/virtualNetworks/subnets', 'vn-MY-VNET', 'sn-MY-SUBNET'),'2020-05-01')]",
"isSwift": true
}
}]
}
]
}
On this I get the following error when I try to deploy it with az deployment group command from az cli:
Deployment failed. Correlation ID: 39b0173b-8a51-42c5-a796-1d3427556194. {
"error": {
"code": "InternalServerError",
"message": "There was an unexpected InternalServerError. Please try again later. x-ms-correlation-request-id: 844e9f35-2e9c-411a-817d-9045511558cb"
}
}
reference() will work but TLDR; it's a little heavyweight
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#resourceid
is all you need in this case. To "reference" any resource in ARM you'll use the resourceId - there are a handful of functions to help but it really helps if you understand the basics of the resourceId, which is summarized here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#return-value-6
When you want a resourceId to a resource in the same deployment (which is not the same as the same template) you can use the shorthand version
resourceId({namespace/resourceType}, {resourceName})
If it's in a different RG, you need to add the RG param, and if it's in a different sub you need to add that too. I can't tell for certain with your snippet, but it looks like all you need in your case is this (assuming the vnet and fn app are in the same subscription):
"subnetResourceId": "[resourceId(parameters('VNETPeered_RG_Name'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtual_network_name'), variables('subnet_name'))]"
That help?
Your problem is in this part of code:
"properties": {
"subnetResourceId": "[reference(resourceId('RG-FunctionsGroup','Microsoft.Network/virtualNetworks/subnets', 'vn-MY-VNET', 'sn-MY-SUBNET'),'2020-05-01')]",
"isSwift": true
}
You are pointing the subnet with the wrong resource group. Change it to the resource group where the vnet and the subnet are deployed.
"properties": {
"subnetResourceId": "[reference(resourceId(parameters('VNETPeered_RG_Name'),'Microsoft.Network/virtualNetworks/subnets', variables('virtual_network_name'), variables('subnet_name')),'2020-05-01')]",
"isSwift": true
}
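What the resourceId() calls in the two answers above evaluate to, as an added example that is not part of the original answers: a simplified Python model of the function for resource-group deployments. The subscription ID placeholder and the value rg-network-example standing in for VNETPeered_RG_Name are assumptions; the other names come from the question.

```python
# Placeholder subscription and constructed RG value (assumptions).
DEPLOYMENT_SUB = "00000000-0000-0000-0000-000000000000"
VNET_RG = "rg-network-example"   # stands in for parameters('VNETPeered_RG_Name')
SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets"

def resource_id(*args, deployment_sub, deployment_rg):
    """Simplified model of ARM's resourceId() in a resource-group deployment.

    Modelled signature: resourceId([subscriptionId], [resourceGroupName],
    resourceType, resourceName1, [resourceName2], ...).
    """
    # The resource type is the first of the leading three arguments whose
    # type segments (after the namespace) match the number of names after it.
    for i, arg in enumerate(args[:3]):
        segments = arg.split("/")
        if len(segments) >= 2 and len(segments) - 1 == len(args) - i - 1:
            break
    else:
        raise ValueError("number of names does not match the resource type")
    scope, names = args[:i], args[i + 1:]
    # Omitted scope arguments default to the current deployment's scope.
    sub = scope[0] if len(scope) == 2 else deployment_sub
    rg = scope[-1] if scope else deployment_rg
    path = f"/subscriptions/{sub}/resourceGroups/{rg}/providers/{segments[0]}"
    for type_segment, name in zip(segments[1:], names):
        path += f"/{type_segment}/{name}"
    return path

def subnet_ids():
    """Shorthand form versus the form with an explicit resource group."""
    ctx = {"deployment_sub": DEPLOYMENT_SUB, "deployment_rg": "RG-FunctionsGroup"}
    shorthand = resource_id(SUBNET_TYPE, "vn-MY-VNET", "sn-MY-SUBNET", **ctx)
    cross_rg = resource_id(VNET_RG, SUBNET_TYPE, "vn-MY-VNET", "sn-MY-SUBNET", **ctx)
    return shorthand, cross_rg

if __name__ == "__main__":
    for rid in subnet_ids():
        print(rid)
```

The shorthand form resolves inside the deployment's own resource group, so a subnet created by a nested deployment into another group is only addressed correctly by the second form.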

How to configure an App Service Managed Certificate for an Azure Function in an Azure Resource Manager Template?

I have an ARM template in which I am configuring a Function App.
Here is a sample of my ARM template that deals with the Function App:
{
"apiVersion": "2015-08-01",
"type": "Microsoft.Web/sites",
"name": "MyAzureFunctionName",
"location": "[resourceGroup().location]",
"kind": "functionapp",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('nameWithDashes'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]"
],
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'MyAzureFunctionName')]",
"httpsOnly": true,
"siteConfig": {
"appSettings": [
{
...
}]
}
}
}
I have successfully configured a custom domain 'mydomain.ca' in my Function App using the following configuration:
{
"apiVersion": "2020-06-01",
"type": "Microsoft.Web/sites/hostNameBindings",
"name": "[concat('MyFunctionApp', '/', 'mydomain.ca')]",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('nameWithDashes'))]"
]
}
The next step in securing my Function App is to bind the custom domain to an SSL certificate. I am trying to find a way to use the App Service Managed Certificate so that Azure will create and manage the certificate itself (See the option Create App Service Managed Certificate below).
Question
How can I configure an App Service Managed Certificate for the custom domain of my Function App in an Azure Resource Manager Template?
The comment Alex made helped a lot; it had all the important pieces. However, I was not able to make it work using the linked template.
Instead of using a linked template, I fell back to using a nested template and it worked immediately.
{
"apiVersion": "2020-06-01",
"name": "nestedTemplate",
"type": "Microsoft.Resources/deployments",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('siteName'))]",
"[resourceId('Microsoft.Web/certificates', variables('certificateName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [{
"apiVersion": "2019-08-01",
"type": "Microsoft.Web/sites/hostnameBindings",
"name": "[variables('hostNameBindingsName')]",
"location": "[resourceGroup().location]",
"properties": {
"sslState": "SniEnabled",
"thumbprint": "[reference(resourceId('Microsoft.Web/certificates', variables('certificateName'))).Thumbprint]"
}
}]
}
}
}

ARM nested template ‘Invalid Template could not find template resource’

I'm deploying an ARM template to create an SSL certificate to existing traffic managers and to bind the certificates to the app services.
Since the app services are in one resource group and the traffic manager and certificate are in a different resource group, I use a nested template.
I got an error with my SSL certificate:
Deployment template validation failed: 'The template reference
'blabla-ssl1' is not valid: could not find template resource or
resource copy with this name
"comments": "Get the Traffic Manager SSL cert that will be binded to the app",
"copy": {
"name": "loop",
"count": "[length(variables('locations'))]"
},
"type": "Microsoft.Web/certificates",
"name": "[concat(variables('tmsslcert')['secretname'], copyIndex())]",
"apiVersion": "2016-03-01",
"location": "[variables('locations')[copyIndex()]]",
"dependsOn": [
"[variables('TMName')]"
],
"properties": {
"keyVaultId": "[variables('tmsslcert')['KeyVaultId']]",
"secretname": "[variables('tmsslcert')['secretname']]"
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"resourceGroup": "[variables('webappResourceGroup')]",
"name": "[concat('AddTMSSLCert_',variables('locations')[copyIndex()],'_nestedTemplate')]",
"copy": {
"name": "endpointloop",
"count": "[length(variables('locations'))]"
},
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"comments": "app hostname binding of TM CNAME",
"type": "Microsoft.Web/sites/hostNameBindings",
"name": "[concat(variables('webappDNSNamePrefix'), '-', variables('locations')[copyIndex()], '/', variables('tmcname'))]",
"apiVersion": "2016-08-01",
"location": "[variables('locations')[copyIndex()]]",
"scale": null,
"properties": {
"siteName": "variables('webappDNSNamePrefix'), '-', variables('locations')[copyIndex()]",
"sslState": "SniEnabled",
"thumbprint": "[reference(resourceId(variables('webappResourceGroup'),'Microsoft.Web/certificates', concat(variables('tmsslcert')['secretname'], copyIndex())),'2016-03-01').Thumbprint]"
},
"dependsOn": [
"[concat(variables('tmsslcert')['secretname'], copyIndex())]",
//"[concat('Microsoft.Web/certificates/', variables('tmsslcert')['secretname'], copyIndex())]"
]
}
]
}
}
}
It's impossible to tell where the error is exactly (given the data you provided), but this means either your references or dependsOn are trying to reach a resource that's either not created or in a different resource group. One thing that looks specifically wrong is this:
"dependsOn": [
"[concat(variables('tmsslcert')['secretname'], copyIndex())]",
//"[concat('Microsoft.Web/certificates/', variables('tmsslcert')['secretname'], copyIndex())]"
]
This would not work, because it will work in the context of the nested deployment, so in a different resource group.

Create Azure web app slot from ARM template without copying original web app configuration

I am trying to create web app slots through ARM template.
I was able to create those but it looks like the default behavior is to create them as a copy of the current web app state. This results in my slot inheriting app settings, connection strings, virtual directories, ....
Here is a reproduction sample which demonstrates the behavior: https://github.com/ggirard07/ARMSlotWebConfig.
I want my slot clean and fresh instead, which is the Azure portal default behavior. The portal is able to allow a user to select the behavior by specifying the "configSource": "", value it posts when creating the slot.
Is there any way to achieve the same from inside an ARM template?
To prevent the copying of settings from the production app, just add an empty siteConfig object in the slot properties. e.g.
{
"apiVersion": "2015-08-01",
"type": "slots",
"name": "maintenance",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites/', variables('webSiteName'))]"
],
"properties": {
"siteConfig": { }
}
}
I sent a PR to illustrate on your repo.
Is there any way to achieve the same from inside an ARM template?
If I use the template you mentioned, I also can reproduce it on my side. I also can't find a way to select the behavior by specifying the "configSource": "" directly. You could give feedback to the Azure team.
I worked it out by overriding the config while deploying the slot. It works correctly on my side. You could use the following code to replace the WebApp slot creation code in your template.
{
"apiVersion": "2015-08-01",
"name": "maintenance",
"type": "slots",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('webSiteName'))]"
],
"properties": {
},
"resources": [
{
"apiVersion": "2015-08-01",
"type": "config",
"name": "connectionstrings",
"location": "East US",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites/Slots', variables('webSiteName'), 'maintenance')]"
],
"properties": {}
},
{
"apiVersion": "2015-08-01",
"type": "config",
"name": "web",
"tags": {
"displayName": "Website configuration"
},
"dependsOn": [
"[resourceId('Microsoft.Web/Sites/Slots', variables('webSiteName'),'maintenance')]"
],
"properties": {
"virtualApplications": [
{
"virtualPath": "/",
"physicalPath": "site\\wwwroot",
"preloadEnabled": true,
"virtualDirectories": null
}
]
}
}
]
}
