How to manage Azure Api Management CA Certificates through ARM templates - azure

I'm trying to manage CA certificates in Azure APIM through ARM but everything I tried gave no positive result.
For visualization, this is what I'm talking about:
When I look at the schema Microsoft.ApiManagement/service, there's a section for certificates where I can set the storeName variable but without results.
For sanity, I tried to upload it though Powershell plus manually and both option worked but that CA Certificate got wiped from the APIM at each deployment of my ARM template even if I used the "Incremental" option.
First I tried to modify the APIM ARM template by adding that block to the "properties" section:
"certificates": [
{
"encodedCertificate": "[parameters('RootCertificateBase64Content')]",
"certificatePassword": "[parameters('RootCertificatePassword')]",
"storeName": "Root"
}]
Here's my first test snippet for complete traceability:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"apimName": {
"type": "string",
"metadata": {
"description": "Name of the apimanagement"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"sku": {
"type": "string",
"allowedValues": [
"Developer",
"Standard",
"Premium"
],
"defaultValue": "Developer",
"metadata": {
"description": "The pricing tier of this API Management service"
}
},
"skuCapacity": {
"type": "string",
"allowedValues": [
"1",
"2"
],
"defaultValue": "1",
"metadata": {
"description": "The instance size of this API Management service."
}
},
"subnetResourceId": {
"type": "string",
"metadata": {
"description": ""
}
},
"RootCertificateBase64Content": {
"type": "string",
"metadata": {
"description": "The Root certificate content"
}
},
"RootCertificatePassword": {
"type": "string",
"metadata": {
"description": "The Root certificate password"
}
}
},
"variables": {
"publisherEmail": "whatever#heyho.com",
"publisherName": "Whatever Team",
"notificationSenderEmail": "whatever#heygo.com"
},
"resources": [
{
"apiVersion": "2019-12-01",
"name": "[parameters('apimName')]",
"type": "Microsoft.ApiManagement/service",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('sku')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"notificationSenderEmail": "[variables('notificationSenderEmail')]",
"publisherEmail": "[variables('publisherEmail')]",
"publisherName": "[variables('publisherName')]",
"virtualNetworkConfiguration": {
"subnetResourceId": "[parameters('subnetResourceId')]"
},
"virtualNetworkType": "Internal",
"certificates": [
{
"encodedCertificate": "[parameters('RootCertificateBase64Content')]",
"certificatePassword": "[parameters('RootCertificatePassword')]",
"storeName": "Root"
}]
},
"identity": {
"type": "SystemAssigned"
}
}
],
"outputs": {
"apiManagementPrivateHostIp": {
"type": "string",
"value": "[reference(concat(resourceId('Microsoft.ApiManagement/service', parameters('apimName')))).privateIPAddresses[0]]"
}
}
}
Second alternative I tried was to use the Microsoft.ApiManagement/service/certificates schema. There is no option there to specify the StoreName so I assumed it wasn't the right schema but I tried anyway. All attempts generated a certificate in the built-in Certificates store instead of the CA Certificates store.
Here's my second attempt's snippet:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"apimName": {
"type": "string",
"metadata": {
"description": "The parent APIM name"
}
},
"certificateName": {
"type": "string",
"metadata": {
"description": "The certificate name"
}
},
"CertificateBase64Content": {
"type": "string",
"metadata": {
"description": "The content of the certificate"
}
},
"CertificatePassword": {
"type": "string",
"metadata": {
"description": "The certificate password"
}
}
},
"resources": [
{
"name": "[concat(parameters('apimName'), '/Root/', parameters('certificateName'))]",
"type": "Microsoft.ApiManagement/service/certificates",
"apiVersion": "2019-01-01",
"properties": {
"data": "[parameters('CertificateBase64Content')]",
"password": "[parameters('CertificatePassword')]"
}
}
],
"outputs": {}
}
While looking at terraform documentation, it seems that it's possible to manage these certificates through the base schema and I confirmed that through the terraform azurerm provider source code (Unfortunately I cannot use Terraform and I MUST use ARM in that scenario).
Any clues on how to manage CA certificates in Azure APIM through ARM?

I assume you want to update CA certificate authority sections of already existing APIM? If yes then just provide all required properties for Microsoft.ApiManagement/service but for name use already existing APIM name that you want to update and choose the same resource group.
Thanks to this, it will just update existing APIM with properties you provided, instead of creating new APIM. The required properties are name, type, apiVersion, location, sku, properties. For properties you need to provide publisherEmail and publisherName, and of course certificates - this is what you want to update after all. So the absolute minimum for update will look like this:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters":{
"base64EncodedCertificate":{
"defaultValue":"base64 encoded certificate",
"type":"String"
},
"certificatePassword":{
"defaultValue":"certificate password",
"type":"String"
}
},
"variables": {},
"resources": [
{
"name": "existing-apim-name",
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2021-01-01-preview",
"location": "West Europe",
"sku": {
"name": "Developer",
"capacity": 1
},
"properties": {
"publisherEmail": "publisher#gmail.com",
"publisherName": "Publisher Name",
"certificates": [
{
"encodedCertificate": "[parameters('base64EncodedCertificate')]",
"certificatePassword": "[parameters('certificatePassword')]",
"storeName": "Root"
}
]
}
}
]
}
Watch out. certificates array must contain all certificates that you want to have on this APIM. All existing CA certs that are not in this array will be deleted.

Related

Trying to set up diagnostic settings for an API arm template

I am new to ARM templates and I have the following issue:
I have an ARM template which creates an API Management service and I want this API Management service to use Log Analytics workspace in order to store it's logs there.
I have already created a log analytics workspace resource.
So, according to Microsoft documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-manager-diagnostic-settings
the only thing I need to do is to edit the API management ARM template and include a new resource:
"type": "Microsoft.Insights/diagnosticSettings"
but when I do that, I get the following error:
"Values must be one of the following values......" getting a long long list.
Am I doing something wrong here?
thank you for your time!
If we want to create a diagnostic setting for an Azure API Management resource, we can add a resource of type Microsoft.ApiManagement/service/providers/diagnosticSettings to the template.
For example
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"publisherEmail": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "The email address of the owner of the service"
},
"defaultValue": "test#gmail.com"
},
"publisherName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "The name of the owner of the service"
},
"defaultValue": "test",
},
"sku": {
"type": "string",
"defaultValue": "Developer",
"allowedValues": [
"Developer",
"Standard",
"Premium"
],
"metadata": {
"description": "The pricing tier of this API Management service"
}
},
"skuCount": {
"type": "string",
"defaultValue": "1",
"allowedValues": [
"1",
"2"
],
"metadata": {
"description": "The instance size of this API Management service."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"apiManagementServiceName": "[concat('myapiservice', uniqueString(resourceGroup().id))]"
},
"resources": [{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2019-12-01",
"name": "[variables('apiManagementServiceName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('sku')]",
"capacity": "[parameters('skuCount')]"
},
"properties": {
"publisherEmail": "[parameters('publisherEmail')]",
"publisherName": "[parameters('publisherName')]"
}
}, {
"type": "Microsoft.ApiManagement/service/providers/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(variables('apiManagementServiceName'), '/Microsoft.Insights/', 'mytest')]",
"dependsOn": ["[resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName'))]"],
"properties": {
"logs": [{
"category": "GatewayLogs",
"enabled": true,
}
],
"metrics": [{
"enabled": true,
"category": "AllMetrics"
}
],
"workspaceId": "<the resource id of workspace>",
}
}
]
}

Assign Roles via ARM Template to cosmos db

I'm trying to assign the role to 'Cosmos Db account' by using following template.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"defaultValue": "gb9e32f1-678f-4552-ae0a-0000f765aaaa",
"metadata": {
"description": ""
}
},
"CosmosDbAccountName": {
"type": "string",
"defaultValue": "cosmosdbaccount",
"metadata": {
"description": "Cosmos Db Account name"
}
},
"RoleType": {
"defaultValue" : "Contributor",
"type": "string",
"metadata": {
"description": "Built-in role to assign"
},
"allowedValues" : [
"Contributor"
]
}
},
"variables": {
"Scope": "[concat(parameters('CosmosDbAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
},
"resources": [
{
"type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
"name": "[variables('Scope')]",
"apiVersion":"2020-04-01-preview",
"properties": {
"RoleDefinitionId":"/subscriptions/[subscription().subscriptionId]/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "[parameters('principalId')]"
}
}
]
}
I am currently getting error as
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n "error": {\r\n "code": "RoleAssignmentUpdateNotPermitted",\r\n "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."\r\n }\r\n}"}]}
I think there is existing role assignment with the same name that you are trying to create through this template and it ends up giving the error for "RoleAssignmentUpdateNotPermitted".
Few changes to your template can solve your problem like generating a unique GUID and then concat it with cosmos DB account name, Please try the below updated template:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"defaultValue": "gb9e32f1-678f-4552-ae0a-0000f765aaaa",
"metadata": {
"description": ""
}
},
"CosmosDbAccountName": {
"type": "string",
"defaultValue": "cosmosdbaccount",
"metadata": {
"description": "Cosmos Db Account name"
}
},
"RoleType": {
"defaultValue" : "Contributor",
"type": "string",
"metadata": {
"description": "Built-in role to assign"
},
"allowedValues" : [
"Contributor"
]
},
"guid": {
"defaultValue": "[newGuid()]",
"type": "String"
}
},
"variables": {
"Scope": "[concat(parameters('CosmosDbAccountName'),'/Microsoft.Authorization/', parameters('guid'))]"
},
"resources": [
{
"type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
"name": "[variables('Scope')]",
"apiVersion":"2020-04-01-preview",
"properties": {
"RoleDefinitionId":"/subscriptions/[subscription().subscriptionId]/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "[parameters('principalId')]"
}
}
]
}

How to add AzureFunction as Event Subscription Endpoint in ARM Template?

I have written an ARM template to create an event subscription on an existing storage account, where I need to listen to a particular blob container's blob.created and blob.deleted events, and send them to an Azure eventgrid trigger function app.
The functionapp is already deployed in Azure https://myfunctionapp.azurewebsites.net, and I am having a hard time trying to create the event subscription through the ARM template. Please note that I have used API version 2020-01-01-preview in order to have AzureFunction as the endpoint. The template is as follows:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appName": {
"type": "string",
"metadata": {
"description": "Name of the function app"
}
},
"functionName": {
"type": "string",
"defaultValue": "MyFunction",
"metadata": {
"description": "Name of the function"
}
},
"eventSubName": {
"type": "string",
"defaultValue": "myfunctionappsub",
"metadata": {
"description": "The name of the event subscription to create."
}
},
"storageName": {
"type": "string",
"metadata": {
"description": "Storage account name"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Storage account location"
}
},
"containerNamefilter": {
"type": "string",
"defaultValue": "-inputblob",
"metadata": {
"description": "Container name filter"
}
}
},
"variables": {
"functionAppName": "[resourceId('Microsoft.Web/sites/functions/', parameters('appName'), parameters('functionName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/eventSubscriptions",
"name": "[concat(parameters('storageName'), '/Microsoft.EventGrid/', parameters('eventSubName'))]",
"apiVersion": "2020-01-01-preview",
"dependsOn": [
"[parameters('storageName')]"
],
"properties": {
"destination": {
"endpointType": "AzureFunction",
"properties": {
"resourceId": "[variables('functionAppName')]"
}
},
"filter": {
"subjectBeginsWith": "",
"subjectEndsWith": "",
"isSubjectCaseSensitive": false,
"includedEventTypes": [
"Microsoft.Storage.BlobCreated",
"Microsoft.Storage.BlobDeleted"
],
"advancedFilters": [
{
"key": "subject",
"operatorType": "StringContains",
"value": "[parameters('containerfilter')]"
}
]
}
}
}
]
}
This is the error I get when I try to run it on the pipeline:
2020-04-15T11:09:11.5347864Z Starting template validation.
2020-04-15T11:09:11.5368215Z Deployment name is azuredeploy-xxxxxxx-xxxxxx-xxxx
2020-04-15T11:09:13.1700166Z Template deployment validation was completed successfully.
2020-04-15T11:09:13.1700897Z Starting Deployment.
2020-04-15T11:09:13.1703528Z Deployment name is azuredeploy-xxxxxxx-xxxxxx-xxxx
2020-04-15T11:10:02.5842880Z There were errors in your deployment. Error code: DeploymentFailed.
2020-04-15T11:10:02.5893091Z ##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2020-04-15T11:10:02.5910677Z ##[error]Details:
2020-04-15T11:10:02.5915877Z ##[error]Conflict: {
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "Internal error",
"message": "The operation failed due to an internal server error. The initial state of the impacted resources (if any) are restored. Please try again in few minutes. If error still persists, report 72c636d4-6d09-4c50-8886-7153ddf2a4ee:4/15/2020 11:09:50 AM (UTC) to our forums for assistance or raise a support ticket ."
}
]
}
}
2020-04-15T11:10:02.5918976Z ##[error]Task failed while creating or updating the template deployment.
2020-04-15T11:10:02.5953000Z ##[section]Finishing: Create or update eventsubscription in RG
Am I doing anything wrong here? I'm very new to ARM templates.
If you want to create event grid subscription for the existing storage account, please refer to the following template
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"functionGroup": {
"type": "string",
"defaultValue" : "jimtest",
"metadata": {
"description": "he group name of function app"
}
},
"appName": {
"type": "string",
"defaultValue" : "testfunjs",
"metadata": {
"description": "Name of the function app"
}
},
"functionName": {
"type": "string",
"defaultValue": "EventGridTrigger1",
"metadata": {
"description": "Name of the function"
}
},
"eventSubName": {
"type": "string",
"defaultValue": "myfunctionappsub",
"metadata": {
"description": "The name of the event subscription to create."
}
},
"storageName": {
"type": "string",
"defaultValue" : "andyprivate",
"metadata": {
"description": "Storage account name"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Storage account location"
}
},
"containerNamefilter": {
"type": "string",
"defaultValue": "test",
"metadata": {
"description": "Container name filter"
}
}
},
"variables": {
"functionId" :"[resourceId(parameters('functionGroup'),'Microsoft.Web/sites/functions/', parameters('appName'), parameters('functionName'))]",
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/eventSubscriptions",
"name": "[concat(parameters('storageName'), '/Microsoft.EventGrid/', parameters('eventSubName'))]",
"apiVersion": "2020-01-01-preview",
"properties": {
"destination": {
"endpointType": "AzureFunction",
"properties": {
"resourceId": "[variables('functionId')]"
}
},
"filter": {
"subjectBeginsWith": "",
"subjectEndsWith": "",
"isSubjectCaseSensitive": false,
"includedEventTypes": [
"Microsoft.Storage.BlobCreated",
"Microsoft.Storage.BlobDeleted"
],
"advancedFilters": [
{
"key": "subject",
"operatorType": "StringContains",
"value": "[parameters('containerNamefilter')]"
}
]
}
}
}
]
}

Applying cert to ASE ILB via ARM template fails

I am using an ARM template to deploy an ILB ASE which works fine but I am now trying to put a self-signed certificate on the ILB ASE as part of that deployment and it keeps failing with the error The specified network password is not correct.
I am actually applying the ARM template via Terraform. I store the certificate and the password in Key Vault. I pull the certificate from Key Vault using the PowerShell line below and then pass it into Terraform as a variable. This is the cert in Base64 encoded format:
$aseCertBase64 = (Get-AzureKeyVaultSecret -VaultName $kvName -Name $kvASECertName).SecretValueText
I first tried obtaining the Cert password using a Terraform data resource but that deployment failed with the The specified network password is not correct error. In an attempt to troubleshoot the password issue, I put the clear text password into the ARM template directly and re-ran the deployment. The deployment failed again with the same error so now I am not sure what it is looking for.
I validated that the password was correct by pulling the cert and password from Key Vault with PowerShell, converting the cert and then importing it into my local store successfully.
Below is the ARM Template I am using:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ilbase_name": {
"type": "string",
"metadata": {
"description": "The name of the ILBASE"
}
},
"ilbase_domain_name": {
"type": "string",
"metadata": {
"description": "The prviate domain name inside ILBASE"
}
},
"ilbase_subnet_name": {
"type": "string",
"metadata": {
"description": "The name of the subnet assigned to the ILBASE"
}
},
"ilbase_rglocation": {
"defaultValue": "East US",
"type": "string",
"metadata": {
"description": "The region where the ILBASE will be deployed"
}
},
"vnet_name": {
"type": "string",
"metadata": {
"description": "The name of the vnet the ILBASE subnet is part of"
}
},
"vnet_rg": {
"type": "string",
"metadata": {
"description": "The name of the resource group the ILBASE vnet is in"
}
},
"vnet_id": {
"type": "string",
"metadata": {
"description": "The resource id of the ILBASE vnet"
}
},
"aseCert": {
"type": "string",
"metadata": {
"description": "The Base64 encoded string containing the cert to be applied to the ILBASE"
}
},
"aseCertPwd": {
"defaultValue": "XNKVTzCell637BNl",
"type": "string",
"metadata": {
"description": "The password for the ILBASE certificate"
}
},
"aseCertName": {
"defaultValue": "aseCert",
"type": "string",
"metadata": {
"description": "The password for the ILBASE certificate"
}
}
},
"resources": [
{
"apiVersion": "2015-08-01",
"type": "Microsoft.Web/certificates",
"name": "[parameters('aseCertName')]",
"location": "[parameters('ilbase_rglocation')]",
"properties": {
"pfxBlob": "[parameters('aseCert')]",
"password": "[parameters('aseCertPwd')]",
"hostingEnvironmentProfile": {
"id": "[resourceId('Microsoft.Web/hostingEnvironments',parameters('ilbase_name'))]"
}
},
"dependsOn": [
"[concat('Microsoft.Web/hostingEnvironments/',parameters('ilbase_name'))]"
]
},
{
"apiVersion": "2018-02-01",
"type": "Microsoft.Web/hostingEnvironments",
"name": "[parameters('ilbase_name')]",
"kind": "ASEV2",
"location": "[parameters('ilbase_rglocation')]",
"properties": {
"name": "[parameters('ilbase_name')]",
"location": "[parameters('ilbase_rglocation')]",
"vnetName": "[parameters('vnet_name')]",
"vnetResourceGroup": "[parameters('vnet_rg')]",
"vnetSubnetName": "[parameters('ilbase_subnet_name')]",
"virtualNetwork": {
"Id": "[parameters('vnet_id')]",
"Subnet": "[parameters('ilbase_subnet_name')]"
},
"dnsSuffix": "[parameters('ilbase_domain_name')]",
"internalLoadBalancingMode": "Web, Publishing",
"multiSize": "Medium",
"multiRoleCount": 2,
"ipsslAddressCount": 0,
"networkAccessControlList": [],
"frontEndScaleFactor": 15,
"suspended": false
}
}
]
}
Consider looking at calling the thumbPrint parameter for the cert. I believe that's required based on the default ARM template Microsoft have on GitHub here. Some further reference here at learn.microsoft.com.

Cannot change agent VM count

I have an ACS Kubernetes cluster that was created with an agent count of 1. I went to the portal to increase the agent count to 2 and received a generic error saying the provisioning of resource(s) for container service failed.
Looking at the activity logs, there is a bit more information.
Write ContainerServices - PreconditionFailed - Provisioning of resource(s) for container service 'xxxxxxx' in
resource group 'xxxxxxxx' failed.
Validate - InvalidTemplate - Deployment template validation failed: 'The resource 'Microsoft.Network/networkSecurityGroups/k8s-master-3E4D5818-nsg' is not defined in the template. Please see https://aka.ms/arm-template for usage details.'.
Trying to change it via the Azure CLI 2.0 also returns the same error.
Update: The cluster was stood up using an ARM template with a single container service resource based on the sample in the quickstart templates repo.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"dnsNamePrefix": {
"type": "string",
"metadata": {
"description": "Sets the Domain name prefix for the cluster. The concatenation of the domain name and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address."
}
},
"agentCount": {
"type": "int",
"defaultValue": 1,
"metadata": {
"description": "The number of agents for the cluster. This value can be from 1 to 100 (note, for Kubernetes clusters you will also get 1 or 2 public agents in addition to these seleted masters)"
},
"minValue":1,
"maxValue":100
},
"agentVMSize": {
"type": "string",
"defaultValue": "Standard_D2_v2",
"allowedValues": [
"Standard_A0", "Standard_A1", "Standard_A2", "Standard_A3", "Standard_A4", "Standard_A5",
"Standard_A6", "Standard_A7", "Standard_A8", "Standard_A9", "Standard_A10", "Standard_A11",
"Standard_D1", "Standard_D2", "Standard_D3", "Standard_D4",
"Standard_D11", "Standard_D12", "Standard_D13", "Standard_D14",
"Standard_D1_v2", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2",
"Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2",
"Standard_G1", "Standard_G2", "Standard_G3", "Standard_G4", "Standard_G5",
"Standard_DS1", "Standard_DS2", "Standard_DS3", "Standard_DS4",
"Standard_DS11", "Standard_DS12", "Standard_DS13", "Standard_DS14",
"Standard_GS1", "Standard_GS2", "Standard_GS3", "Standard_GS4", "Standard_GS5"
],
"metadata": {
"description": "The size of the Virtual Machine."
}
},
"linuxAdminUsername": {
"type": "string",
"defaultValue": "azureuser",
"metadata": {
"description": "User name for the Linux Virtual Machines."
}
},
"orchestratorType": {
"type": "string",
"defaultValue": "Kubernetes",
"allowedValues": [
"Kubernetes",
"DCOS",
"Swarm"
],
"metadata": {
"description": "The type of orchestrator used to manage the applications on the cluster."
}
},
"masterCount": {
"type": "int",
"defaultValue": 1,
"allowedValues": [
1
],
"metadata": {
"description": "The number of Kubernetes masters for the cluster."
}
},
"sshRSAPublicKey": {
"type": "string",
"metadata": {
"description": "Configure all linux machines with the SSH RSA public key string. Your key should include three parts, for example 'ssh-rsa AAAAB...snip...UcyupgH azureuser#linuxvm'"
}
},
"servicePrincipalClientId": {
"metadata": {
"description": "Client ID (used by cloudprovider)"
},
"type": "securestring",
"defaultValue": "n/a"
},
"servicePrincipalClientSecret": {
"metadata": {
"description": "The Service Principal Client Secret."
},
"type": "securestring",
"defaultValue": "n/a"
}
},
"variables": {
"adminUsername":"[parameters('linuxAdminUsername')]",
"agentCount":"[parameters('agentCount')]",
"agentsEndpointDNSNamePrefix":"[concat(parameters('dnsNamePrefix'),'agents')]",
"agentVMSize":"[parameters('agentVMSize')]",
"masterCount":"[parameters('masterCount')]",
"mastersEndpointDNSNamePrefix":"[concat(parameters('dnsNamePrefix'),'mgmt')]",
"orchestratorType":"[parameters('orchestratorType')]",
"sshRSAPublicKey":"[parameters('sshRSAPublicKey')]",
"servicePrincipalClientId": "[parameters('servicePrincipalClientId')]",
"servicePrincipalClientSecret": "[parameters('servicePrincipalClientSecret')]",
"useServicePrincipalDictionary": {
"DCOS": 0,
"Swarm": 0,
"Kubernetes": 1
},
"useServicePrincipal": "[variables('useServicePrincipalDictionary')[variables('orchestratorType')]]",
"servicePrincipalFields": [
null,
{
"ClientId": "[parameters('servicePrincipalClientId')]",
"Secret": "[parameters('servicePrincipalClientSecret')]"
}
]
},
"resources": [
{
"apiVersion": "2016-09-30",
"type": "Microsoft.ContainerService/containerServices",
"location": "[resourceGroup().location]",
"name":"[resourceGroup().name]",
"properties": {
"orchestratorProfile": {
"orchestratorType": "[variables('orchestratorType')]"
},
"masterProfile": {
"count": "[variables('masterCount')]",
"dnsPrefix": "[variables('mastersEndpointDNSNamePrefix')]"
},
"agentPoolProfiles": [
{
"name": "agentpools",
"count": "[variables('agentCount')]",
"vmSize": "[variables('agentVMSize')]",
"dnsPrefix": "[variables('agentsEndpointDNSNamePrefix')]"
}
],
"linuxProfile": {
"adminUsername": "[variables('adminUsername')]",
"ssh": {
"publicKeys": [
{
"keyData": "[variables('sshRSAPublicKey')]"
}
]
}
},
"servicePrincipalProfile": "[variables('servicePrincipalFields')[variables('useServicePrincipal')]]"
}
}
],
"outputs": {
"masterFQDN": {
"type": "string",
"value": "[reference(concat('Microsoft.ContainerService/containerServices/', resourceGroup().name)).masterProfile.fqdn]"
},
"sshMaster0": {
"type": "string",
"value": "[concat('ssh ', variables('adminUsername'), '#', reference(concat('Microsoft.ContainerService/containerServices/', resourceGroup().name)).masterProfile.fqdn, ' -A -p 22')]"
},
"agentFQDN": {
"type": "string",
"value": "[reference(concat('Microsoft.ContainerService/containerServices/', resourceGroup().name)).agentPoolProfiles[0].fqdn]"
}
}
}
This is a known service issue for old clusters. A fix is currently rolling out and is being tracked in this github issue, https://github.com/Azure/ACS/issues/16
Jack (a dev on the ACS team)
I had test in my lab with this template, but I can't reproduce your error.
please try to use azure resource explorer to edit the count of agent pool:

Resources