Configure diagnostic setting for Azure SQL database via ARM Template

I am trying to set diagnostic settings for my Azure SQL database via ARM template. However, the diagnostic part (nested under the database resource) is failing because the type 'providers/diagnosticSettings' is invalid.
Error:
New-AzResourceGroupDeployment : 4:56:26 AM - Resource providers/diagnosticSettings 'monitor' failed with message '{
"error": {
"code": "InvalidResourceNamespace",
"message": "The resource namespace 'providers' is invalid."
}
}'
ARM Template snippet:
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2020-02-02-preview",
"name": "[parameters('serverName')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"type": "databases",
"apiVersion": "2020-02-02-preview",
"name": "[parameters('sqlDBName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard",
"tier": "Standard"
},
"properties": {
"collation": "SQL_Latin1_General_CP1_CI_AS"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', concat(parameters('serverName')))]"
],
"resources": [
{
"type": "transparentDataEncryption",
"apiVersion": "2017-03-01-preview",
"name": "current",
"dependsOn": [
"[parameters('sqlDBName')]"
],
"properties": {
"status": "Enabled"
}
},
{
"type": "providers/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "monitor",
"dependsOn": [
"[parameters('sqlDBName')]"
],
"properties": {
"workspaceId": "[parameters('logAnalyticsWorkspaceIdForGlobalDiagnosticSetting')]",
"logs": [
],
"metrics": [
]
}
},
{
"type": "vulnerabilityAssessments",
"apiVersion": "2020-02-02-preview",
"name": "default",
"dependsOn": [
"[parameters('sqlDBName')]"
],
"properties": {
"storageContainerPath": "[parameters('storageContainerPathForVulnerabilityAssesment')]",
"storageAccountAccessKey": "[parameters('storageAccountAccessKeyForVulnerabilityAssesment')]",
"recurringScans": {
"isEnabled": true,
"emailSubscriptionAdmins": false,
"emails": []
}
}
}
]
}
]
},
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2020-02-02-preview",
"name": "[concat(parameters('serverName'), '/AllowAzureIPs')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
},
{
"type": "Microsoft.Sql/servers/administrators",
"apiVersion": "2020-08-01-preview",
"name": "[concat(parameters('serverName'), '/ActiveDirectory')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"properties": {
"administratorType": "ActiveDirectory",
"login": "[parameters('azureActiveDirectoryAdminLogin')]",
"sid": "[parameters('azureActiveDirectoryAdminSid')]",
"tenantId": "[parameters('azureActiveDirectoryAdminTenantId')]"
}
},
{
"type": "Microsoft.Sql/servers/securityAlertPolicies",
"apiVersion": "2020-08-01-preview",
"name": "[concat(parameters('serverName'), '/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"properties": {
"state": "Enabled",
"emailAccountAdmins": false
}
},
{
"type": "Microsoft.Sql/servers/auditingSettings",
"apiVersion": "2020-08-01-preview",
"name": "[concat(parameters('serverName'), '/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"properties": {
"isDevopsAuditEnabled": false,
"retentionDays": 0,
"auditActionsAndGroups": [
"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
"FAILED_DATABASE_AUTHENTICATION_GROUP",
"BATCH_COMPLETED_GROUP"
],
"isStorageSecondaryKeyInUse": false,
"isAzureMonitorTargetEnabled": false,
"state": "Enabled",
"storageEndpoint": "[reference(resourceId(parameters('centralMonitoringResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('centralMonitoringStorageAccountName')), '2019-06-01').PrimaryEndpoints.Blob]",
"storageAccountAccessKey": "[parameters('centralMonitoringStorageAccountAccessKey')]",
"storageAccountSubscriptionId": "[parameters('centralMonitoringStorageAccountSubscriptionId')]"
}
},
{
"type": "Microsoft.Sql/servers/vulnerabilityAssessments",
"apiVersion": "2020-08-01-preview",
"name": "[concat(parameters('serverName'), '/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"
],
"properties": {
"storageContainerPath": "[parameters('storageContainerPathForVulnerabilityAssesment')]",
"storageAccountAccessKey": "[parameters('storageAccountAccessKeyForVulnerabilityAssesment')]",
"recurringScans": {
"isEnabled": true,
"emailSubscriptionAdmins": false,
"emails": []
}
}
},
{
"type": "Microsoft.Sql/servers/encryptionProtector",
"apiVersion": "2020-08-01-preview",
"name": "[concat(parameters('serverName'), '/current')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"kind": "servicemanaged",
"properties": {
"serverKeyName": "ServiceManaged",
"serverKeyType": "ServiceManaged",
"autoRotationEnabled": false
}
},
{
"type": "Microsoft.Sql/servers/connectionPolicies",
"apiVersion": "2014-04-01",
"name": "[concat(parameters('serverName'), '/ConnectionPolicies')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"properties": {
"connectionType": "[parameters('connectionType')]"
}
}
]
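One form of the diagnostic setting that ARM accepts, shown as an added example that is not part of the original post: the setting is declared as a top-level resource (a sibling of `Microsoft.Sql/servers` in the outer `resources` array) whose type spells out the full parent chain and whose name carries the `Microsoft.Insights` provider segment. Parameter names are taken from the question; the log and metric categories are a subset chosen for illustration, since the question's `logs` and `metrics` arrays are empty and an empty setting ships nothing to the workspace.

```json
{
  // Added example: place this object in the top-level "resources" array,
  // next to the Microsoft.Sql/servers resource, not inside the database.
  "type": "Microsoft.Sql/servers/databases/providers/diagnosticSettings",
  "apiVersion": "2017-05-01-preview",
  // server/database/Microsoft.Insights/<setting name>: one name segment per type segment.
  "name": "[concat(parameters('serverName'), '/', parameters('sqlDBName'), '/Microsoft.Insights/monitor')]",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', parameters('serverName'), parameters('sqlDBName'))]"
  ],
  "properties": {
    "workspaceId": "[parameters('logAnalyticsWorkspaceIdForGlobalDiagnosticSetting')]",
    "logs": [
      // Audit records arrive under this category only when auditing itself targets
      // Azure Monitor (isAzureMonitorTargetEnabled: true); the question's
      // auditingSettings has it set to false and writes to storage only.
      { "category": "SQLSecurityAuditEvents", "enabled": true },
      { "category": "Errors", "enabled": true },
      { "category": "Timeouts", "enabled": true },
      { "category": "Blocks", "enabled": true },
      { "category": "Deadlocks", "enabled": true }
    ],
    "metrics": [
      { "category": "Basic", "enabled": true }
    ]
  }
}
```

After deployment, the setting is visible under the database's Diagnostic settings blade, which is a quick way to confirm that the categories were actually enabled.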

Related

The resource is not defined in the template - Azure ARM

I am trying to create a deployment template that creates a resource group and a VM with the necessary resources within it. The resources in their own deploymentTemplate deploy just fine. But in the subscriptionDeploymentTemplate I get the following error (in validation):
{
"code": "InvalidTemplate",
"message": "Deployment template validation failed: 'The resource 'Microsoft.Network/networkInterfaces/Assessment-NetInterfacescrobp34x4564' is not defined in the template. Please see https://aka.ms/arm-template for usage details.'."
}
After a lot of googling I have not found a solution that works in my case. I would appreciate any help.
The template:
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"rgName": {
"type": "string"
}
},
"variables": {
"rgLocation": "westeurope",
"vm_id": "[concat('AssessmentVM', uniquestring(deployment().name))]",
"location": "westeurope",
"vnet_id": "[concat('Assessment-Vnet', uniquestring(deployment().name))]",
"nic_id": "[concat('Assessment-NetInterface', uniquestring(deployment().name))]",
"publicIP_id": "[concat('AssessmentVM-ip', uniquestring(deployment().name))]",
"nsg_id": "[concat('AssessmentVM-nsg', uniquestring(deployment().name))]",
"vmImage_id": "/subscriptions/x/resourceGroups/AssessmentCase_Snapshot/providers/Microsoft.Compute/galleries/AssessmentVM_Images/images/AssessmentVM/versions/0.0.1"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"name": "[parameters('rgName')]",
"location": "[variables('rgLocation')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "assessmentDeployment",
"resourceGroup": "[parameters('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2020-05-01",
"name": "[variables('nsg_id')]",
"location": "[variables('location')]",
"properties": {
"securityRules": [
{
"name": "RDP",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2020-05-01",
"name": "[variables('publicIP_id')]",
"location": "[variables('location')]",
"sku": {
"name": "Basic"
},
"properties": {
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Dynamic",
"idleTimeoutInMinutes": 4,
"ipTags": []
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-05-01",
"name": "[variables('vnet_id')]",
"location": "[variables('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.1.4.0/24"
]
},
"subnets": [
{
"name": "default",
"properties": {
"addressPrefix": "10.1.4.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
}
],
"virtualNetworkPeerings": [],
"enableDdosProtection": false
}
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2019-07-01",
"name": "[variables('vm_id')]",
"location": "[variables('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('nic_id'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "Standard_D4s_v3"
},
"storageProfile": {
"imageReference": {
"id": "[variables('vmImage_id')]"
},
"osDisk": {
"createOption": "FromImage"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic_id'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": false
}
},
"licenseType": "Windows_Client"
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2020-05-01",
"name": "[concat(variables('nsg_id'), '/RDP')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
],
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2020-05-01",
"name": "[concat(variables('vnet_id'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', variables('vnet_id'))]"
],
"properties": {
"addressPrefix": "10.1.4.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2020-05-01",
"name": "[variables('nic_id')]",
"location": "[variables('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIP_id'))]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnet_id'), 'default')]",
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAddress": "10.1.4.4",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIP_id'))]"
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnet_id'), 'default')]"
},
"primary": true,
"privateIPAddressVersion": "IPv4"
}
}
],
"dnsSettings": {
"dnsServers": []
},
"enableAcceleratedNetworking": false,
"enableIPForwarding": false,
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
}
}
}
]
}
}
}
],
"outputs": {}
}
The problem was the resourceId function, which was in the wrong scope and therefore needed to be additionally supplied with the subscription ID and resource group name to return the correct IDs. This template is now working as expected:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"rg_name": {
"type": "string"
},
"location": {
"type": "string",
"defaultValue": "westeurope"
}
},
"variables": {
"vm_id": "[concat('AssessmentVM', uniquestring(deployment().name))]",
"vnet_id": "[concat('Assessment-Vnet', uniquestring(deployment().name))]",
"nic_id": "[concat('Assessment-NetInterface', uniquestring(deployment().name))]",
"publicIP_id": "[concat('AssessmentVM-ip', uniquestring(deployment().name))]",
"nsg_id": "[concat('AssessmentVM-nsg', uniquestring(deployment().name))]",
"subscription_id": "x",
"vmImage_id": "/subscriptions/x/resourceGroups/AssessmentCase_Snapshot/providers/Microsoft.Compute/galleries/AssessmentVM_Images/images/AssessmentVM/versions/0.0.1"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"name": "[parameters('rg_name')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "assessment_vm_deployment",
"resourceGroup": "[parameters('rg_name')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rg_name'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2020-05-01",
"name": "[variables('nsg_id')]",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "RDP",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2020-05-01",
"name": "[variables('publicIP_id')]",
"location": "[parameters('location')]",
"sku": {
"name": "Basic"
},
"properties": {
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Dynamic",
"idleTimeoutInMinutes": 4,
"ipTags": []
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-05-01",
"name": "[variables('vnet_id')]",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.1.4.0/24"
]
},
"subnets": [
{
"name": "default",
"properties": {
"addressPrefix": "10.1.4.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
}
],
"virtualNetworkPeerings": [],
"enableDdosProtection": false
}
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2019-07-01",
"name": "[variables('vm_id')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/networkInterfaces', variables('nic_id'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "Standard_D4s_v3"
},
"storageProfile": {
"imageReference": {
"id": "[variables('vmImage_id')]"
},
"osDisk": {
"createOption": "FromImage"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/networkInterfaces', variables('nic_id'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": false
}
},
"licenseType": "Windows_Client"
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2020-05-01",
"name": "[concat(variables('vnet_id'), '/default')]",
"dependsOn": [
"[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/virtualNetworks', variables('vnet_id'))]"
],
"properties": {
"addressPrefix": "10.1.4.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2020-05-01",
"name": "[variables('nic_id')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/publicIPAddresses', variables('publicIP_id'))]",
"[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/virtualNetworks/subnets', variables('vnet_id'), 'default')]",
"[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAddress": "10.1.4.4",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/publicIPAddresses', variables('publicIP_id'))]"
},
"subnet": {
"id": "[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/virtualNetworks/subnets', variables('vnet_id'), 'default')]"
},
"primary": true,
"privateIPAddressVersion": "IPv4"
}
}
],
"dnsSettings": {
"dnsServers": []
},
"enableAcceleratedNetworking": false,
"enableIPForwarding": false,
"networkSecurityGroup": {
"id": "[resourceId(variables('subscription_id'), parameters('rg_name'), 'Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
}
}
}
]
}
}
}
],
"outputs": {}
}
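An alternative to passing the subscription ID and resource group name to every `resourceId` call, shown as an added example that is not from the original answer: setting `expressionEvaluationOptions.scope` to `inner` makes ARM evaluate the nested template's expressions in the target resource group, so the short `resourceId` form resolves correctly. With inner scope the nested template must declare its own parameters and variables; `allowedRdpSource` is a hypothetical parameter introduced here to show a value being passed in, and only the NSG and virtual network are included to keep the example short.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rg_name": { "type": "string" },
    "location": { "type": "string", "defaultValue": "westeurope" },
    // Hypothetical parameter (not in the original): address range allowed to reach RDP.
    "allowedRdpSource": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "name": "[parameters('rg_name')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "assessment_vm_deployment",
      "resourceGroup": "[parameters('rg_name')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rg_name'))]"
      ],
      "properties": {
        "mode": "Incremental",
        // Evaluate the nested template's expressions in the resource group scope.
        "expressionEvaluationOptions": { "scope": "inner" },
        // Outer values are no longer visible inside; pass them explicitly.
        "parameters": {
          "location": { "value": "[parameters('location')]" },
          "allowedRdpSource": { "value": "[parameters('allowedRdpSource')]" }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "location": { "type": "string" },
            "allowedRdpSource": { "type": "string" }
          },
          "variables": {
            "nsg_id": "[concat('AssessmentVM-nsg', uniquestring(resourceGroup().id))]",
            "vnet_id": "[concat('Assessment-Vnet', uniquestring(resourceGroup().id))]"
          },
          "resources": [
            {
              "type": "Microsoft.Network/networkSecurityGroups",
              "apiVersion": "2020-05-01",
              "name": "[variables('nsg_id')]",
              "location": "[parameters('location')]",
              "properties": {
                "securityRules": [
                  {
                    "name": "RDP",
                    "properties": {
                      "protocol": "TCP",
                      "sourcePortRange": "*",
                      "destinationPortRange": "3389",
                      "sourceAddressPrefix": "[parameters('allowedRdpSource')]",
                      "destinationAddressPrefix": "*",
                      "access": "Allow",
                      "priority": 300,
                      "direction": "Inbound"
                    }
                  }
                ]
              }
            },
            {
              "type": "Microsoft.Network/virtualNetworks",
              "apiVersion": "2020-05-01",
              "name": "[variables('vnet_id')]",
              "location": "[parameters('location')]",
              "dependsOn": [
                // Short form is enough: it now resolves inside the target resource group.
                "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
              ],
              "properties": {
                "addressSpace": { "addressPrefixes": [ "10.1.4.0/24" ] },
                "subnets": [
                  {
                    "name": "default",
                    "properties": {
                      "addressPrefix": "10.1.4.0/24",
                      "networkSecurityGroup": {
                        "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
                      }
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ],
  "outputs": {}
}
```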
Please find below the template, which I have modified:
There were a few resources which were the same but you were creating them 2 times, so I modified that.
Use of dependsOn: this error usually comes from having a dependency on a resource while not using dependsOn correctly, so I modified the order of the resources that you were creating.
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"rgName": {
"type": "string"
}
},
"variables": {
"rgLocation": "westeurope",
"vm_id": "[concat('AssessmentVM', uniquestring(deployment().name))]",
"location": "westeurope",
"vnet_id": "[concat('Assessment-Vnet', uniquestring(deployment().name))]",
"nic_id": "[concat('Assessment-NetInterface', uniquestring(deployment().name))]",
"publicIP_id": "[concat('AssessmentVM-ip', uniquestring(deployment().name))]",
"nsg_id": "[concat('AssessmentVM-nsg', uniquestring(deployment().name))]",
"vmImage_id": "/subscriptions/x/resourceGroups/AssessmentCase_Snapshot/providers/Microsoft.Compute/galleries/AssessmentVM_Images/images/AssessmentVM/versions/0.0.1"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"name": "[parameters('rgName')]",
"location": "[variables('rgLocation')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "assessmentDeployment",
"resourceGroup": "[parameters('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {},
"resources": [
{
"apiVersion": "2020-05-01",
"type": "Microsoft.Network/publicIPAddresses",
"name": "[variables('publicIP_id')]",
"location": "[variables('location')]",
"properties": {
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Dynamic",
"idleTimeoutInMinutes": 4,
"ipTags": []
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2020-05-01",
"name": "[variables('nsg_id')]",
"location": "[variables('location')]",
"properties": {
"securityRules": [
{
"name": "RDP",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-05-01",
"name": "[variables('vnet_id')]",
"location": "[variables('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.1.4.0/24"
]
},
"subnets": [
{
"name": "default",
"properties": {
"addressPrefix": "10.1.4.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
}
],
"virtualNetworkPeerings": [],
"enableDdosProtection": false
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2020-05-01",
"name": "[variables('nic_id')]",
"location": "[variables('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAddress": "10.1.4.4",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIP_id'))]"
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnet_id'), 'default')]"
},
"primary": true,
"privateIPAddressVersion": "IPv4"
}
}
],
"dnsSettings": {
"dnsServers": []
},
"enableAcceleratedNetworking": false,
"enableIPForwarding": false,
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIP_id'))]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnet_id'), 'default')]",
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsg_id'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2019-07-01",
"name": "[variables('vm_id')]",
"location": "[variables('location')]",
"properties": {
"hardwareProfile": {
"vmSize": "Standard_D4s_v3"
},
"storageProfile": {
"imageReference": {
"id": "[variables('vmImage_id')]"
},
"osDisk": {
"createOption": "FromImage"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic_id'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": false
}
},
"licenseType": "Windows_Client"
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('nic_id'))]"
]
}
]
}
}
}
],
"outputs": {}
}

ARM template for 2 nets in mutual peering

I need to build a custom ARM template that does the following:
create virtual-network-1
create virtual-network-2
create peering from virtual-network-1 to virtual-network-2
create peering from virtual-network-2 to virtual-network-1
I have created these resources manually and generated the corresponding ARM template, but when I try to run the template I receive a circular dependency error.
Any help is appreciated!
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualNetworks_vnet1_name": {
"defaultValue": "vnet1",
"type": "String"
},
"virtualNetworks_vnet2_name": {
"defaultValue": "vnet2",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-11-01",
"name": "[parameters('virtualNetworks_vnet1_name')]",
"location": "centralus",
"dependsOn": [
],
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.1.0.0/16"
]
},
"enableDdosProtection": false
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-11-01",
"name": "[parameters('virtualNetworks_vnet2_name')]",
"location": "centralus",
"dependsOn": [
],
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.2.0.0/16"
]
},
"enableDdosProtection": false
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2020-11-01",
"name": "[concat(parameters('virtualNetworks_vnet1_name'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet1_name'))]"
],
"properties": {
"addressPrefix": "10.1.0.0/24",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2020-11-01",
"name": "[concat(parameters('virtualNetworks_vnet2_name'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet2_name'))]"
],
"properties": {
"addressPrefix": "10.2.0.0/16",
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
"apiVersion": "2020-11-01",
"name": "[concat(parameters('virtualNetworks_vnet1_name'), '/peer1')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet1_name'))]",
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet2_name'))]"
],
"properties": {
"peeringState": "Connected",
"remoteVirtualNetwork": {
"id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet2_name'))]"
},
"allowVirtualNetworkAccess": true,
"allowForwardedTraffic": true,
"allowGatewayTransit": false,
"useRemoteGateways": false,
"remoteAddressSpace": {
"addressPrefixes": [
"10.2.0.0/16"
]
}
}
},
{
"type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
"apiVersion": "2020-11-01",
"name": "[concat(parameters('virtualNetworks_vnet2_name'), '/peer2')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet2_name'))]",
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet1_name'))]"
],
"properties": {
"peeringState": "Connected",
"remoteVirtualNetwork": {
"id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_vnet1_name'))]"
},
"allowVirtualNetworkAccess": true,
"allowForwardedTraffic": true,
"allowGatewayTransit": false,
"useRemoteGateways": false,
"remoteAddressSpace": {
"addressPrefixes": [
"10.1.0.0/16"
]
}
}
}
]
}

Circular dependency issue in ARM template for Cosmos DB with encryption

I want to create an ARM template for Cosmos DB encrypted with a customer-managed key:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
...
},
"functions": [],
"variables": {
...
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2020-04-01-preview",
"name": "[variables('keyVaultName')]",
"location": "westeurope",
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[parameters('tenantId')]",
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('dbAccountName'))]"
],
"accessPolicies": [
{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(resourceId('Microsoft.DocumentDB/databaseAccounts', variables('dbAccountName')), '2021-03-01-preview', 'full').identity.principalId]",
"permissions": {
"keys": [
"get",
"wrapKey",
"unwrapKey"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 90,
"enableRbacAuthorization": false,
"vaultUri": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]",
"provisioningState": "Succeeded",
"enablePurgeProtection": true
}
},
{
"type": "Microsoft.KeyVault/vaults/keys",
"apiVersion": "2020-04-01-preview",
"name": "[concat(variables('keyVaultName'), '/', variables('keyVaultName'), '-cosmos-db')]",
"location": "westeurope",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
],
"properties": {
"crv": "P-256",
"kty": "EC",
"key_size": 4096,
"keyOps": [
"wrapKey",
"unwrapKey"
],
"attributes": {
"enabled": true
}
}
},
{
"type": "Microsoft.DocumentDB/databaseAccounts",
"name": "[variables('dbAccountName')]",
"apiVersion": "2021-01-15",
"location": "[parameters('location')]",
"kind": "MongoDB",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
"locations": "[variables('locations')]",
"databaseAccountOfferType": "Standard",
"apiProperties": {
"serverVersion": "[parameters('serverVersion')]"
},
"keyVaultKeyUri": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/keys/', variables('keyVaultName'), '-cosmos-db')]"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/keys', variables('keyVaultName'), concat(variables('keyVaultName'), '-cosmos-db'))]"
]
}
],
"outputs": {
...
}
}
I was trying an approach with a nested template, but I am getting this error after deployment: "DatabaseAccount name '****' already exists"
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
...
},
"functions": [],
"variables": {
...
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2020-04-01-preview",
"name": "[variables('keyVaultName')]",
"location": "westeurope",
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[parameters('tenantId')]",
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('dbAccountName'))]",
"[resourceId('Microsoft.Web/sites', variables('appName'))]"
],
"accessPolicies": [
{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(resourceId('Microsoft.DocumentDB/databaseAccounts', variables('dbAccountName')), '2021-03-01-preview', 'full').identity.principalId]",
// "objectId": "d8749310-a50e-457e-97cb-c6e8ea601eb9",
"permissions": {
"keys": [
"get",
"wrapKey",
"unwrapKey"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 90,
"enableRbacAuthorization": false,
"vaultUri": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]",
"provisioningState": "Succeeded",
"enablePurgeProtection": true
}
},
{
"type": "Microsoft.KeyVault/vaults/keys",
"apiVersion": "2020-04-01-preview",
"name": "[concat(variables('keyVaultName'), '/', variables('keyVaultName'), '-cosmos-db')]",
"location": "westeurope",
// "dependsOn": [
// "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
// ],
"properties": {
"crv": "P-256",
"kty": "EC",
"key_size": 4096,
"keyOps": [
"wrapKey",
"unwrapKey"
],
"attributes": {
"enabled": true
}
}
},
{
"type": "Microsoft.DocumentDB/databaseAccounts",
"name": "[variables('dbAccountName')]",
"apiVersion": "2021-01-15",
"location": "[parameters('location')]",
"kind": "MongoDB",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
"locations": "[variables('locations')]",
"databaseAccountOfferType": "Standard",
"apiProperties": {
"serverVersion": "[parameters('serverVersion')]"
}
// "keyVaultKeyUri": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/keys/', variables('keyVaultName'), '-cosmos-db')]"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/keys', variables('keyVaultName'), concat(variables('keyVaultName'), '-cosmos-db'))]"
]
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "databaseUpdate",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/keys', variables('keyVaultName'), concat(variables('keyVaultName'), '-cosmos-db'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DocumentDB/databaseAccounts",
"name": "[variables('dbAccountName')]",
"apiVersion": "2021-01-15",
"location": "[parameters('location')]",
"kind": "MongoDB",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
"locations": "[variables('locations')]",
"databaseAccountOfferType": "Standard",
"apiProperties": {
"serverVersion": "[parameters('serverVersion')]"
},
"keyVaultKeyUri": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/keys/', variables('keyVaultName'), '-cosmos-db')]"
}
},
{
"type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases",
"name": "[concat(variables('dbAccountName'), '/', variables('dbName'))]",
"apiVersion": "2021-01-15",
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts/', variables('dbAccountName'))]"
],
"properties": {
"resource": {
"id": "[variables('dbName')]"
},
"options": {
"throughput": "[parameters('throughput')]"
}
}
}
]
}
}
}
],
"outputs": {
...
}
}
I also tried creating the key vault resource and the key vault access policy separately, but I get this exception:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"Access policies operation not permitted. Allowed operations are "add", "replace", and "remove"."}]}

ARM Template to create SQL Database with a private endpoint

I'm getting errors while trying to deploy an ARM deployment with a SQL Database and its private endpoint.
Here is the code:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"sqlAdministratorLogin": {
"type": "string",
"metadata": {
"description": "The administrator username of the SQL logical server"
}
},
"sqlAdministratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The administrator password of the SQL logical server."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"vnetName": "powerStateManagement-vnet",
"subnet1Name": "default",
"sqlServerName": "[concat('sqlserver', uniqueString(resourceGroup().id))]",
"databaseName": "[concat(variables('sqlServerName'),'/sample-db')]",
"privateEndpointName": "myPrivateEndpoint",
"privateDnsZoneName": "[concat('privatelink', environment().suffixes.sqlServerHostname)]",
"pvtendpointdnsgroupname": "[concat(variables('privateEndpointName'),'/mydnsgroupname')]",
"vnetResourceGroup":"powerStateManagement"
},
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2020-02-02-preview",
"name": "[variables('sqlServerName')]",
"location": "[parameters('location')]",
"kind": "v12.0",
"tags": {
"displayName": "[variables('sqlServerName')]"
},
"properties": {
"administratorLogin": "[parameters('sqlAdministratorLogin')]",
"administratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]",
"version": "12.0",
"publicNetworkAccess": "Disabled"
},
"resources": [
]
},
{
"type": "Microsoft.Sql/servers/databases",
"apiVersion": "2020-02-02-preview",
"name": "[variables('databaseName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Basic",
"tier": "Basic",
"capacity": 5
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', variables('sqlServerName'))]"
],
"tags": {
"displayName": "[variables('databaseName')]"
},
"properties": {
"collation": "SQL_Latin1_General_CP1_CI_AS",
"edition": "Basic",
"maxSizeBytes": 104857600,
"requestedServiceObjectiveName": "Basic",
"sampleName": "AdventureWorksLT"
}
},
{
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-06-01",
"name": "[variables('privateEndpointName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[variables('vnetName')]",
"[variables('sqlServerName')]"
],
"properties": {
"subnet": {
"id": "[resourceId(variables('vnetResourceGroup'),'/','Microsoft.Network/virtualNetworks','/',variables('vnetName'),'/',variables('subnet1Name'))]"
},
"privateLinkServiceConnections": [
{
"name": "[variables('privateEndpointName')]",
"properties": {
"privateLinkServiceId": "[resourceId('Microsoft.Sql/servers',variables('sqlServerName'))]",
"groupIds": [
"sqlServer"
]
}
}
]
}
},
{
"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
"apiVersion": "2020-01-01",
"name": "[concat(variables('privateDnsZoneName'), '/', variables('privateDnsZoneName'), '-link')]",
"location": "global",
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]",
"[resourceId(variables('vnetResourceGroup'),'Microsoft.Network/virtualNetworks',variables('vnetName'))]"
],
"properties": {
"registrationEnabled": false,
"virtualNetwork": {
"id": "/subscriptions/*****/resourceGroups/powerStateManagement/providers/Microsoft.Network/virtualNetworks/powerStateManagement-vnet"
}
}
},
{
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"apiVersion": "2020-06-01",
"name": "[variables('pvtendpointdnsgroupname')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]",
"[variables('privateEndpointName')]"
],
"properties": {
"privateDnsZoneConfigs": [
{
"name": "config1",
"properties": {
"privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]"
}
}
]
}
}
]
}
The challenge here is that when I try to run this code I always get this error:
Deployment template validation failed: 'The template reference 'powerStateManagement-vnet' is not valid: could not find template resource or resource copy with this name.
The 'powerStateManagement-vnet' is an existing virtual network, which is referenced below:
{
"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
"apiVersion": "2020-01-01",
"name": "[concat(variables('privateDnsZoneName'), '/', variables('privateDnsZoneName'), '-link')]",
"location": "global",
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]",
"[resourceId(variables('vnetResourceGroup'),'Microsoft.Network/virtualNetworks',variables('vnetName'))]"
],
"properties": {
"registrationEnabled": false,
"virtualNetwork": {
"id": "/subscriptions/*****/resourceGroups/powerStateManagement/providers/Microsoft.Network/virtualNetworks/powerStateManagement-vnet"
}
}
}
Please help
There is something wrong with the dependsOn param of your Microsoft.Network/privateEndpoints resource, and there seem to be some other issues in your template. I made some modifications based on your template; try it below:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"sqlAdministratorLogin": {
"type": "string",
"metadata": {
"description": "The administrator username of the SQL logical server"
}
},
"sqlAdministratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The administrator password of the SQL logical server."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"vnetName": "powerStateManagement-vnet",
"subnet1Name": "default",
"sqlServerName": "[concat('sqlserver', uniqueString(resourceGroup().id))]",
"databaseName": "[concat(variables('sqlServerName'),'/sample-db')]",
"privateEndpointName": "myPrivateEndpoint",
"privateDnsZoneName": "testdns.com",
"pvtendpointdnsgroupname": "[concat(variables('privateEndpointName'),'/mydnsgroupname')]",
"vnetResourceGroup": "powerStateManagement"
},
"resources": [{
"type": "Microsoft.Sql/servers",
"apiVersion": "2020-02-02-preview",
"name": "[variables('sqlServerName')]",
"location": "[parameters('location')]",
"kind": "v12.0",
"tags": {
"displayName": "[variables('sqlServerName')]"
},
"properties": {
"administratorLogin": "[parameters('sqlAdministratorLogin')]",
"administratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]",
"version": "12.0",
"publicNetworkAccess": "Disabled"
},
"resources": [
]
}, {
"type": "Microsoft.Sql/servers/databases",
"apiVersion": "2020-02-02-preview",
"name": "[variables('databaseName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Basic",
"tier": "Basic",
"capacity": 5
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', variables('sqlServerName'))]"
],
"tags": {
"displayName": "[variables('databaseName')]"
},
"properties": {
"collation": "SQL_Latin1_General_CP1_CI_AS",
"edition": "Basic",
"maxSizeBytes": 104857600,
"requestedServiceObjectiveName": "Basic",
"sampleName": "AdventureWorksLT"
}
}, {
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2020-06-01",
"name": "[variables('privateEndpointName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]",
"[resourceId('Microsoft.Sql/servers', variables('sqlServerName'))]"
],
"properties": {
"subnet": {
"id": "[concat(resourceId('Microsoft.Network/virtualNetworks', variables('vnetName')),'/subnets/default')]"
},
"privateLinkServiceConnections": [{
"name": "[variables('privateEndpointName')]",
"properties": {
"privateLinkServiceId": "[resourceId('Microsoft.Sql/servers',variables('sqlServerName'))]",
"groupIds": [
"sqlServer"
]
}
}
]
}
}, {
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-05-01",
"name": "[variables('vnetName')]",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"172.22.0.0/16"
]
}
},
"resources": [{
"type": "subnets",
"apiVersion": "2020-05-01",
"location": "[resourceGroup().location]",
"name": "default",
"dependsOn": [
"[variables('vnetName')]"
],
"properties": {
"addressPrefix": "172.22.0.0/24",
"privateEndpointNetworkPolicies": "Disabled"
}
}
]
}, {
"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
"apiVersion": "2020-01-01",
"name": "[concat(variables('privateDnsZoneName'), '/', variables('privateDnsZoneName'), '-link')]",
"location": "global",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
],
"properties": {
"registrationEnabled": false,
"virtualNetwork": {
"id":"[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
}
}
}, {
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"apiVersion": "2020-06-01",
"name": "[variables('pvtendpointdnsgroupname')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointName'))]"
],
"properties": {
"privateDnsZoneConfigs": [{
"name": "config1",
"properties": {
"privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]"
}
}
]
}
}
]
}
This template creates a new virtual network together with a default subnet. I use my own private DNS zone named testdns.com. I have tested it on my side with PowerShell and it works for me.
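The validation error in this question comes from dependsOn entries that name resources the template does not itself deploy; dependsOn only orders resources declared in the same template. The following is an added example, not code from the question or the answer: a small Python lint that reports such entries before deployment. It compares expressions textually, inlining only literal variables, and the function names and the reduced sample template are this example's own assumptions.

```python
import re

ARG = r"(?:'[^']*'|variables\('[^']*'\))"
RESOURCE_ID = re.compile(r"resourceid\(((?:%s,)*%s)\)" % (ARG, ARG))

def norm(expr, variables):
    """Canonical text of a name expression, with literal variables inlined."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return "'" + expr.lower() + "'"
    def inline(match):
        value = variables.get(match.group(1))
        if not isinstance(value, str) or value.startswith("["):
            return match.group(0)  # computed at deploy time: compare as text
        return "'" + value + "'"
    expr = re.sub(r"variables\('([^']+)'\)", inline, expr[1:-1])
    return re.sub(r"\s+", "", expr).lower()

def declared(resources, variables, parent=""):
    """(type, name) pairs of every resource the template itself deploys."""
    found = set()
    for res in resources:
        rtype = (parent + "/" + res["type"]) if parent else res["type"]
        found.add((rtype.lower(), norm(res["name"], variables)))
        found |= declared(res.get("resources", []), variables, rtype)
    return found

def unresolved_depends_on(template):
    """Return (resource name, dependsOn entry) pairs that match no declared resource."""
    variables = template.get("variables", {})
    typed = declared(template["resources"], variables)
    names = {name for _, name in typed}
    findings = []
    def walk(resources):
        for res in resources:
            for dep in res.get("dependsOn", []):
                ref = norm(dep, variables)
                call = RESOURCE_ID.fullmatch(ref)
                args = re.findall(ARG, call.group(1)) if call else []
                if not ref.startswith("resourceid("):
                    ok = ref in names  # bare-name form
                elif call and "/" not in args[0]:
                    ok = False  # leading scope argument: resource is outside this template
                elif call and len(args) == 2:
                    ok = (args[0].strip("'"), args[1]) in typed
                else:
                    continue  # expression too complex for this lint
                if not ok:
                    findings.append((res["name"], dep))
            walk(res.get("resources", []))
    walk(template["resources"])
    return findings

# Constructed sample, reduced from the question's template.
SAMPLE = {
    "variables": {"vnetName": "powerStateManagement-vnet",
                  "vnetResourceGroup": "powerStateManagement",
                  "sqlServerName": "[concat('sqlserver', uniqueString(resourceGroup().id))]",
                  "privateEndpointName": "myPrivateEndpoint",
                  "privateDnsZoneName": "[concat('privatelink', environment().suffixes.sqlServerHostname)]"},
    "resources": [
        {"type": "Microsoft.Sql/servers", "name": "[variables('sqlServerName')]"},
        {"type": "Microsoft.Network/privateEndpoints", "name": "[variables('privateEndpointName')]",
         "dependsOn": ["[variables('vnetName')]", "[variables('sqlServerName')]"]},
        {"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
         "name": "[concat(variables('privateDnsZoneName'), '/', variables('privateDnsZoneName'), '-link')]",
         "dependsOn": ["[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]",
                       "[resourceId(variables('vnetResourceGroup'),'Microsoft.Network/virtualNetworks',variables('vnetName'))]"]},
    ],
}
```

For a virtual network that already exists, the reference belongs only in the subnet and virtualNetwork ids, and the matching dependsOn entry can be dropped.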

How to enable vulnerabilityAssessments for SQL Server using an ARM template with the storage account behind a firewall

When enabling the SQL server vulnerabilityAssessments feature using an ARM template, the following error is thrown when the storage account has a firewall on.
"error": {
"code": "InvalidStorageAccountCredentials",
"message": "The provided storage account shared access signature or account storage key is not valid."
}
}
Template part:
{
"type": "Microsoft.Sql/servers/securityAlertPolicies",
"apiVersion": "2017-03-01-preview",
"name": "[concat(variables('sqls01Name'), '/Default')]",
"dependsOn": [
],
"properties": {
"state": "Enabled",
"emailAddresses": "[variables('emailActionGroupAddresses')]",
"emailAccountAdmins": false
}
},
{
"type": "Microsoft.Sql/servers/vulnerabilityAssessments",
"apiVersion": "2018-06-01-preview",
"location": "westeurope",
"name": "[concat(variables('sqls01Name'), '/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('defenderSa'))]"
],
"properties": {
"storageContainerPath": "[concat('https://',variables('defenderSa'),'.blob.core.windows.net/vulnerability-assessment/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('defenderSa')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"recurringScans": {
"isEnabled": true,
"emailSubscriptionAdmins": false,
"emails": "[variables('emailActionGroupAddresses')]"
}
}
},
{
"name": "[variables('defenderSA')]",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"location": "westeurope",
"properties": {
"accessTier": "Cool",
"allowBlobPublicAccess": false,
"supportsHttpsTrafficOnly": true,
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [{
"id": "[variables('subnetId')]",
"action": "Allow"
}],
"ipRules": [
],
"defaultAction": "Deny"
}
},
"dependsOn": [
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"tags": {
}
}
I noticed that when enabling the feature from the portal, the following message is displayed:
You have selected a storage that is behind a firewall or in a virtual network. Please be aware that using this storage will create a managed identity for the server and it will be granted 'storage blob data contributor' role on the selected storage.
The assignment is indeed created and the assessment works; however, when I try to replicate this in an ARM template with the following code, it still fails.
{
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"name": "[concat(variables('defenderSA'),'/Microsoft.Authorization/',guid(variables('sqls01Name')))]",
"apiVersion": "2018-09-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts',variables('defenderSA'))]"
],
"properties": {
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
"principalId": "[reference(resourceId('Microsoft.Sql/servers',variables('sqls01Name')),providers('Microsoft.Sql', 'servers').apiVersions[0],'Full').identity.principalId]"
}
}
Regarding the issue, please refer to the following template
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"clientIp": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Allow your client to access Azure storage"
}
},
"virtualNetworksName": {
"defaultValue": "testsql09",
"type": "String"
},
"serverName": {
"type": "string",
"defaultValue": "[uniqueString('sql', resourceGroup().id)]",
"metadata": {
"description": "The name of the SQL logical server."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"administratorLogin": {
"type": "string",
"defaultValue": "sqladmin",
"metadata": {
"description": "The administrator username of the SQL logical server."
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The administrator password of the SQL logical server."
}
},
"connectionType": {
"defaultValue": "Default",
"allowedValues": [ "Default", "Redirect", "Proxy" ],
"type": "string",
"metadata": {
"description": "SQL logical server connection type."
}
}
},
"variables": {
"serverResourceGroupName": "[resourceGroup().name]",
"subscriptionId": "[subscription().subscriptionId]",
"uniqueStorage": "[uniqueString(variables('subscriptionId'), variables('serverResourceGroupName'), parameters('location'))]",
"storageName": "[tolower(concat('sqlva', variables('uniqueStorage')))]",
"roleAssignmentName": "[guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), variables('storageBlobContributor'), resourceId('Microsoft.Sql/servers', parameters('serverName')))]",
"StorageBlobContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
},
"resources": [
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-05-01",
"name": "[parameters('virtualNetworksName')]",
"location": "southeastasia",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.18.0.0/24"
]
},
"subnets": [
{
"name": "default",
"properties": {
"addressPrefix": "10.18.0.0/24",
"serviceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
}
],
"virtualNetworkPeerings": [],
"enableDdosProtection": false,
"enableVmProtection": false
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2020-05-01",
"name": "[concat(parameters('virtualNetworksName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworksName'))]"
],
"properties": {
"addressPrefix": "10.18.0.0/24",
"serviceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"delegations": [],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('serverName')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
}
},
{
"type": "Microsoft.Sql/servers/databases",
"apiVersion": "2019-06-01-preview",
"name": "[concat(parameters('serverName'), '/test')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"sku": {
"name": "Basic",
"tier": "Basic",
"capacity": 5
},
"kind": "v12.0,user",
"properties": {
"collation": "SQL_Latin1_General_CP1_CI_AS",
"maxSizeBytes": 2147483648,
"catalogCollation": "SQL_Latin1_General_CP1_CI_AS",
"zoneRedundant": false,
"readScale": "Disabled",
"storageAccountType": "LRS"
}
},
{
"type": "Microsoft.Sql/servers/securityAlertPolicies",
"apiVersion": "2020-02-02-preview",
"name": "[concat(parameters('serverName'), '/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"properties": {
"state": "Enabled",
"emailAccountAdmins": false
}
},
{
"type": "Microsoft.Sql/servers/vulnerabilityAssessments",
"apiVersion": "2018-06-01-preview",
"name": "[concat(parameters('serverName'), '/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]",
"[resourceId('Microsoft.Sql/servers/securityAlertPolicies', parameters('serverName'), 'Default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]",
"[extensionResourceId(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), 'Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]"
],
"properties": {
"storageContainerPath": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment')]",
"recurringScans": {
"isEnabled": true,
"emailSubscriptionAdmins": false
}
}
},
{
"type": "Microsoft.Sql/servers/connectionPolicies",
"apiVersion": "2014-04-01",
"name": "[concat(parameters('serverName'), '/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"properties": {
"connectionType": "[parameters('connectionType')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[variables('storageName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworksName'), 'default')]"
],
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2",
"properties": {
"minimumTlsVersion": "TLS1_2",
"allowBlobPublicAccess": true,
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [
{
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworksName'), 'default')]",
"action": "Allow",
"state": "Succeeded"
}
],
"ipRules": [
{
"value": "[parameters('clientIp')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[concat(variables('storageName'), '/Microsoft.Authorization/', variables('roleAssignmentName'))]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]"
],
"properties": {
"roleDefinitionId": "[variables('StorageBlobContributor')]",
"principalId": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2020-02-02-preview', 'Full').identity.principalId]",
"scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]",
"principalType": "ServicePrincipal"
}
}
]
}
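The working template above differs from the failing fragment in three visible ways: the server carries a system-assigned identity, that identity is granted the Storage Blob Data Contributor role on the storage account, and the vulnerability assessment omits storageAccountAccessKey and is ordered after the role assignment. The following is an added example, not code from the question or the answer: a Python lint that checks a template for those three points when the storage account denies traffic by default. The function names, finding codes and the reduced sample template are this example's own assumptions.

```python
import json
import re

# Storage Blob Data Contributor role definition GUID, as quoted on this page.
BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"

def expand(text, variables):
    """Inline variables('x') references; ARM variable names are case-insensitive."""
    lookup = {}
    for key, val in variables.items():
        val = str(val)
        lookup[key.lower()] = val[1:-1] if val.startswith("[") and val.endswith("]") else val
    for _ in range(5):  # variables may reference other variables
        text = re.sub(r"variables\('([^']+)'\)",
                      lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)
    return text.lower()

def va_firewall_findings(template):
    """Heuristic lint over the top-level resource list; returns finding codes."""
    variables = template.get("variables", {})
    resources = template["resources"]
    flat = lambda value: expand(json.dumps(value), variables)
    typed = lambda suffix: [r for r in resources if r["type"].lower().endswith(suffix)]
    if not any(s.get("properties", {}).get("networkAcls", {}).get("defaultAction") == "Deny"
               for s in typed("microsoft.storage/storageaccounts")):
        return []  # no storage firewall, so the managed-identity path is not required
    findings = []
    for server in typed("microsoft.sql/servers"):
        if "SystemAssigned" not in server.get("identity", {}).get("type", ""):
            findings.append("server-has-no-system-assigned-identity")
    grants = [r for r in typed("/roleassignments")
              if BLOB_DATA_CONTRIBUTOR in flat(r["properties"])
              and "identity.principalid" in flat(r["properties"])]
    if not grants:
        findings.append("no-blob-data-contributor-grant-for-server-identity")
    for va in typed("microsoft.sql/servers/vulnerabilityassessments"):
        if "storageAccountAccessKey" in va.get("properties", {}):
            findings.append("access-key-used-with-firewalled-storage")
        if "roleassignments" not in flat(va.get("dependsOn", [])):
            findings.append("assessment-not-ordered-after-role-assignment")
    return findings

def sample(access_key, ordered):
    """Constructed template: (True, False) mirrors the question, (False, True) the answer."""
    va = {"type": "Microsoft.Sql/servers/vulnerabilityAssessments", "name": "sql/Default",
          "dependsOn": ["[variables('grantId')]"] if ordered else [],
          "properties": {"storageContainerPath": "https://example.invalid/vulnerability-assessment/"}}
    if access_key:
        va["properties"]["storageAccountAccessKey"] = "[listKeys(variables('saId'), '2019-06-01').keys[0].value]"
    return {
        "variables": {
            "saId": "[resourceId('Microsoft.Storage/storageAccounts', 'sqlva')]",
            "StorageBlobContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '%s')]" % BLOB_DATA_CONTRIBUTOR,
            "grantId": "[extensionResourceId(variables('saId'), 'Microsoft.Authorization/roleAssignments', guid('sql'))]"},
        "resources": [
            {"type": "Microsoft.Sql/servers", "name": "sql", "identity": {"type": "SystemAssigned"}},
            {"type": "Microsoft.Storage/storageAccounts", "name": "sqlva",
             "properties": {"networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny"}}},
            {"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
             "name": "sqlva/Microsoft.Authorization/grant",
             "properties": {"roleDefinitionId": "[variables('storageBlobContributor')]",
                            "principalId": "[reference(resourceId('Microsoft.Sql/servers', 'sql'), '2020-02-02-preview', 'Full').identity.principalId]"}},
            va]}
```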

Resources