Azure resource manager template deployments - deletes the existing resources - azure

When trying to add additional routes to route table in Azure using ARM template, the existing routes are getting removed/deleted. The same behavior is observed when adding new service endpoints for a subnet, post deployment the Route table and NSG are disassociated and the existing serviceend point association is removed.
Should all the resources be explicitly reference in ARM template to avoid this behavior. Is there a way this can achieve without listing/referring all the resources associated.
Below template format ----
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": { },
"functions": [],
"variables": {
"testroutetable1": "rtable1",
"testroutetable2": "rtable2",
"Subnet1": "subnet1",
"Subnet2": "subnet2",
"testvnet": "vnet1"
},
"resources": [
{
"name": "[concat(variables('testvnet'),'/',variables('Subnet1'))]",
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2018-10-01",
"location": "East US",
"properties": {
"addressPrefix": "10.0.0.0/24",
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables',variables('testroutetable1'))]"
}
}
},
{
"name": "[variables('testroutetable1')]",
"type": "Microsoft.Network/routeTables",
"location": "West Europe",
"apiVersion": "2019-11-01",
"properties": {
"routes": [
{
"name": "rtable1-to-xxx01",
"properties": {
"addressPrefix": "xxxxx",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "xxxxx"
}
},
{
"name": "rtable1-to-xxx02",
"properties": {
"addressPrefix": "xxxxx",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "xxxx"
}
}
]
}
},
{
"name": "[concat(variables('testvnet'),'/',variables('Subnet2'))]",
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2018-10-01",
"location": "West Europe",
"properties": {
"addressPrefix": "10.0.2.0/24",
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables',variables('testroutetable2'))]"
}
}
},
{
"name": "[variables('testroutetable2')]",
"type": "Microsoft.Network/routeTables",
"location": "east us",
"apiVersion": "2019-11-01",
"properties": {
"routes": [
{
"name": "rtable2-to-yyy01",
"properties": {
"addressPrefix": "xxxxxx",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "xxxxx"
}
},
{
"name": "rtable2-to-yyy02",
"properties": {
"addressPrefix": "xxxxx",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "xxxxxx"
}
}
]
}
}
],
"outputs": {}
}

If the object's property is of type array then you must provide all of its target value. This applies to security rules on the NSG, routes on the route table, etc.

This is covered by this github issue. For certain resources within a virtual network, if you declare them as either child resources of the virtual network, or as independent resources, when the ARM template is deployed, any existing resources are deleted and then the resources are created again.
However, the ARM template for virtual networks also supports deploying these resources as properties. When deploying using this method, any existing resources will not be deleted on each deployment.
Unfortunately this is a long running issue and shows no sign of being resolved in the near future.

You can add/delete a route in an existent route-table without having to reference the other routes. Simply add the route-table name to the route path like in this example:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/routeTables/routes",
"apiVersion": "2019-06-01",
"name": "RouteTableName/RouteName",
"properties": {
"addressPrefix": "10.0.0.0/8",
"nextHopType": "VnetLocal"
}
}
]
}

Related

How can I set dependencies on child resources in nested ARM template?

I am trying to use nested templates to deploy a resource group and multiple resources within it on subscription level.
Microsoft documentation has an example of deploying resource group and storage account that I'm trying to follow. I am trying to create another inner level of dependency between a Storage Account resource and a Container resource. That is, the container should only be deployed after the deployment of the storage account is finished. Here is simplified version of my template:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"rgName": {
"type": "string"
},
"rgLocation": {
"type": "string"
},
"storagePrefix": {
"type": "string",
"maxLength": 11
},
"containerName": {
"type": "string"
}
},
"variables": {
"storageName": "[concat(parameters('storagePrefix'), uniqueString(subscription().id, parameters('rgName')))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"name": "[parameters('rgName')]",
"location": "[parameters('rgLocation')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "storageDeployment",
"resourceGroup": "[parameters('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[variables('storageName')]",
"location": "[parameters('rgLocation')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2"
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-06-01",
"name": "[format('{0}/default/{1}', variables('storageName'), parameters('containerName'))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]"
]
}
],
"outputs": {}
}
}
}
],
"outputs": {}
}
When I try to deploy this template using PowerShell script New-AzSubscriptionDeployment, I get the following error:
| InvalidTemplate - Long running operation failed with status 'Failed'. Additional Info:'Deployment template validation failed: 'The resource 'Microsoft.Storage/storageAccounts/myStorageAccount' is not defined in the template. Please see https://aka.ms/arm-template for usage details.'.'
I kind of know it has to do with the dependsOn part of the container resource. But how can I resolve this problem?
EDIT: The selected answer solves the problem with dependencies, however the issue still persists in cases where a value needs to be called using concat or listKeys expressions. Here's an example where setting the value for AzureWebJobsStorage throws an error in a nested template:
{
"type": "Microsoft.Web/sites",
[ ... ]
"dependsOn": [
"[variables('hostingPlanName')]",
"[variables('functionAppStorageAccountName')]"
],
"properties": {
"serverFarmId": "[variables('hostingPlanName')]",
"siteConfig": {
"appSettings": [
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('functionAppstorageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('functionAppstorageAccountName')), '2021-04-01').keys[0].value)]"
}
[ ... ]
]
}
The value for AzureWebJobsStorage causes the deployment to fail with the following error:
`Status Message: The Resource 'Microsoft.Storage/storageAccounts/stfuncaedotestfeb16g' under resource group '<null>' was not found. For more details
| please go to https://aka.ms/ARMResourceNotFoundFix (Code:ResourceNotFound) CorrelationId: 55942377-6d0f-40ec-9733-33b9c3ea13de
I tried being more verbose by using resource group name (and then subscription ID), but that didn't solve the problem.
You should be able to use:
"dependsOn": [
"[variables('storageName')]"
]
Note that will only work if there is no other resource in the template with the same name - otherwise you have to manually construct the full resourceId, like:
[format('{0}/resourceGroups/{1}/providers/Microsoft.Storage/storageAccounts/{2}', subscription().id, parameters('rgName'), variables('storageName'))]
The latter form will always work, just a bit more verbose.
A bit more detail is that the resourceId function doesn't work as you would expect at subscription scope.

Can't reference principalId of user assigned identity for key vault in same arm template

I'm having trouble referencing a user assigned identity that I create alongside a KeyVault instance within the same template. I've searched through documentation on how to reference managed identities in general and I believe it looks like the following:
reference(resourceId('resource-type', 'resource-name'), 'api-version', 'Full)).identity.principalId
However, this doesn't work for me and I'm not sure if it has something to do with deploying my templates at the subscription scope. I'm currently using linkedTemplates so that I can organize my code better and have a main template like the following:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {},
"resources": [
{
"apiVersion": "2020-06-01",
"location": "[variables('location')]",
"name": "key-vault-test”,
"properties": {
"mode": "Incremental",
"parameters": { },
"templateLink": {
"relativePath": “vault.json"
}
},
"type": "Microsoft.Resources/deployments"
}
],
}
Next, vault.json is as follows:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
…
},
"resources": [
{
"apiVersion": "2018-05-01",
"location": “[…..]”,
"name": "key-vault",
"type": "Microsoft.Resources/resourceGroups"
},
{
"apiVersion": "2020-06-01",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', 'key-vault')]"
],
"name": “user-assigned-identity-dep”,
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-11-30",
"location": “[…]”,
"name": “myIdentity”,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
},
{
"apiVersion": "2020-06-01",
"name": "key-vault-dep”,
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-02-14",
"location": “[…]”,
"name": "[concat('key-vault-', uniqueString(subscription().id))]",
"properties": {
"accessPolicies": [
{
"objectId": "[reference(variables('keyVaultIdentityId'), '2018-11-30', 'Full').identity.principalId]",
"permissions": {
"secrets": [
"get",
"list"
]
},
"tenantId": "[subscription().tenantId]"
}
],
"enableSoftDelete": true,
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]"
},
"type": "Microsoft.KeyVault/vaults"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
}
],
"variables": {
"keyVaultIdentityId": "/subscriptions/…/resourceGroups/key-vault/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity”
}
}
When I deploy the main template, the reference function that I've crafted returns me the deployment of the keyVault and not the managed identity at all.
'The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, properties, deploymentResourceLineInfo, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, condition, isConditionTrue, isTemplateResource, isAction, provisioningOperation
I'm not sure if I'm doing something wrong or if there's a better way to do this. In summary, I'm attempting to create a user assigned identity and create a key vault with access policies for that identity in the same template.
If you want to get the principalId of the user assigned identity, you need to use the following expression. For more details, please refer to here
[reference(resourceId('<subscriptionId>','<resourceGroupName>','Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]
for example
my template
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"defaultValue": "mytest",
"type": "String"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('name')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
}
],
"outputs": {
"principalId": {
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]",
"type": "string"
}
}
}
I got the same error but I had forgotten to assign a managed identity to my resource in the ARM template like:
"identity": {
"type": "SystemAssigned"
},
Example:
{
"type": "Microsoft.Web/sites",
"kind": "functionapp",
"name": "[variables('uniqueResourceNameBase')]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": { ... }
}
After doing this I could use .identity.principalId.
Source:
https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/
You can also manually set it in Azure Portal under your service -> Identity.
A system assigned managed identity is restricted to one per resource
and is tied to the lifecycle of this resource. You can grant
permissions to the managed identity by using Azure role-based access
control (Azure RBAC). The managed identity is authenticated with Azure
AD, so you don’t have to store any credentials in code. Learn more
about Managed identities.

How to use copyIndex in a nested template resource?

Big picture: I want to use the ARM template to create multiple topics on a service bus.
Known fact: The app service that deploys the template is in a different resource group than the service bus.
Pain point: I'm using a nested template because I'm trying to create resources (topics) that are external to the targeted resource group. Within this nested template, I'm not sure how to get copy to work correctly.
From this MS doc , I believe my syntax is correct.
This is how my parameters are listed:
"sharedResourcesResourceGroupName": {
"type": "string",
"defaultValue": "sharedResourceGroupName",
"metadata": {
"description": "Resource Group in which platform shared resources live"
}
},
"serviceBusNamespaceName": {
"type": "string",
"defaultValue": "serviceBusName",
"metadata": {
"description": "Name of the Service Bus namespace"
}
},
"topics": {
"type": "array",
"metadata": {
"description": "List of topics"
},
"defaultValue": [
"topic1",
"topic2"
]
}
This is my resource object for creating the topics with the copyIndex() method:
{
"apiVersion": "2018-05-01",
"type": "Microsoft.Resources/deployments",
"name": "[concat(parameters('serviceBusNamespaceName'))]",
"resourceGroup": "[parameters('sharedResourcesResourceGroupName')]",
"properties": {
"mode": "Incremental",
"template":{
"$schema": "2018-05-01",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.ServiceBus/namespaces/topics",
"name": "[concat(parameters('serviceBusNamespaceName'), '/', parameters('topics')[copyIndex()])]",
"apiVersion": "2017-04-01",
"location": "[resourceGroup().location]",
"properties": {},
"copy": {
"name": "topics",
"count": "[length(parameters('topics'))]"
},
"dependsOn": [
"[parameters('serviceBusNamespaceName')]"
]
}
]
}
}
}
I am testing the arm template deployment using the Azure Powershell with these commands:
Connect-AzAccount
Set-AZContext -SubscriptionName subscriptionWhereTheAppServiceLives
New-AzResourceGroupDeployment -ResourceGroupName resourceGroupWhereAppServiceLives -TemplateFile <path to template file>\azuredeploy.json -TemplateParameterFile <path to parameters file>\azuredeploy.parameters.json
The error I'm getting from the Azure powershell console is:
The template function 'copyIndex' is not expected at this location. The function can only be used in a resource with copy specified.
If I remove the "copy" object and replace "name" with something like "[concat(parameters('serviceBusNamespaceName'), '/topicName')]", then the template is able to create ONE topic in the right service bus. But I'm looking to create multiple topics.
Any insight would be greatly appreciated!
I think you can do this:
{
"apiVersion": "2018-05-01",
"type": "Microsoft.Resources/deployments",
"name": "[concat(parameters('serviceBusNamespaceName'), copyIndex())]",
"resourceGroup": "[parameters('sharedResourcesResourceGroupName')]",
"copy": {
"name": "topics",
"count": "[length(parameters('topics'))]"
},
"dependsOn": [
"[parameters('serviceBusNamespaceName')]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "2018-05-01",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ServiceBus/namespaces/topics",
"name": "[concat(parameters('serviceBusNamespaceName'), '/', parameters('topics')[copyIndex()])]",
"apiVersion": "2017-04-01",
"location": "[resourceGroup().location]",
"properties": {}
}
]
}
}
}

How to apply a NSG to an existing subnet using ARM Template

I am creating new NSG with ARM template and updating the subnets at the same ARM template. I would like to be able to get subnets addressprefix with "reference" but when doing so I always get the circular dependency detected. Is there any way around it? My subnet arm template section looks like this:
{
"name": "[parameters('subnetName')]",
"properties": {
"addressPrefix": "[reference(resourceId(variables('ResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName')), '2018-03-01').addressPrefix]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]"
}
}
},
Here is a link on how to apply a NSG to an existing subnet:
Apply a NSG to an existing subnet
This template uses a link template to workaround the circular reference but you can also use a nested template to do the same in the same ARM template (see Using linked and nested templates when deploying Azure resources)
Here is an ARM template that do the same using a nested template:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.1",
"parameters": {
"virtualNetworkName": {
"type": "string",
"metadata": {
"description": "The name of the existing VNet"
}
},
"subnetName": {
"type": "string",
"defaultValue": "default",
"metadata": {
"description": "The name of the existing subnet."
}
},
"nsgName": {
"type": "string",
"metadata": {
"description": "The name of the new nsg."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[parameters('nsgName')]",
"location": "[resourceGroup().location]",
"apiVersion": "2018-03-01",
"properties": {
}
},
{
"apiVersion": "2017-08-01",
"name": "apply-nsg-to-subnet",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "[resourceGroup().name]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-03-01",
"type": "Microsoft.Network/virtualNetworks/subnets",
"name": "[concat(parameters('virtualNetworkName'), '/', parameters('subnetName'))]",
"location": "[resourceGroup().location]",
"properties": {
"addressPrefix": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName')), '2018-03-01').addressPrefix]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
}
}
}
]
}
}
}
],
"outputs": {}
}

Reference an existing Azure Automation Account in a different Resource Group

I need to use an existing Azure Automation Account in ARM Templates to create a new compilation job. I know how to do this when the Automation Account is in the same Resource Group where I'm deploying, but I can't figure it out when it's an existing Automation Account in a different Resource Group.
for example:
Parent Template (Resource)
{
"name": "dscCompile",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2016-09-01",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'newGuid')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('templates').dsc]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"compile-settings": {
"value": {
"configurationData": "[concat('{\"AllNodes\": [{\"NodeName\":\"*\",\"PSDscAllowPlainTextPassword\":true,\"RetryIntervalSec\":30,\"RetryCount\":20},{\"Nodename\":\"localhost\",\"domainName\":\"', parameters('extn-settings').domain, '\",\"adminCreds\":\"', parameters('adminPassword'), '\",\"Role\":\"DC\"}]}')]",
"configurationName": "createPDC",
"location": "Australia Southeast",
"name": "[reference('newGuid').outputs.guid.value)]"
}
},
"tag-values": {
"value": "[parameters('tag-values')]"
}
}
}
Child Template
$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"compile-settings": {
"type": "object",
"metadata": {
"description": "These are settings for a DSC Compile"
}
},
"tag-values": {
"type": "object",
"metadata": {
"description": "These are the Tag values"
}
}
},
"resources": [
{
"name": "[parameters('compile-settings').jobGuid]",
"type": "Microsoft.Automation/automationAccounts/compilationjobs",
"apiVersion": "2015-10-31",
"location": "[parameters('compile-settings').location]",
"tags": "[parameters('tag-values')]",
"dependsOn": [],
"properties": {
"configuration": {
"name": "[parameters('compile-settings').configurationName]"
},
"parameters": {
"ConfigurationData": "[parameters('compile-settings').ConfigurationData]"
}
},
"resources": []
}
],
"outputs": {}
}
Thanks in advance!
Okay, so this wasn't even possible until recently, you can do it with cross resource group deployment.
Basically, you create a template inside a template (aka nested\child template) and pick a different resource group (using the resourceGroup property for that template. no other way.
{
"apiVersion": "2017-05-10",
"name": "nestedTemplate",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "crossResourceGroupDeployment",
"properties": { }
}

Resources