How to set legal hold on Azure storage account container in ARM template?
When setting an immutable blob storage policy, the Azure portal allows you to choose between legal hold and time-based retention. According to the docs, ARM templates support immutable blob storage. However, only requests with immutabilityPeriodSinceCreationInDays are accepted. When trying without setting it, I am getting:
Missing at least one of the following properties 'immutabilityPeriodSinceCreationInDays,allowProtectedAppendWrites'
Or:
immutabilityPeriodSinceCreationInDays must be set before setting allowProtectedAppendWrites
Weirdest of all: without the properties block in immutabilityPolicies (as below), the request fails with InternalServerError:
{
  "status": "Failed",
  "error": {
    "code": "UnexpectedException",
    "message": "The server was unable to complete your request."
  }
}
{
  "name": "testsa/default/testcontainer/default",
  "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies",
  "apiVersion": "2019-06-01"
  // ,
  // "properties": {
  //   // "immutabilityPeriodSinceCreationInDays" : 10,
  //   // "allowProtectedAppendWrites": false
  // }
}
According to my research, the resource type Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies can only be used to create time-based retention policies. Meanwhile, when creating time-based retention policies, the parameter immutabilityPeriodSinceCreationInDays is required. For more details, please refer to here and here.
Besides, at the moment, ARM templates do not provide any resource type to create or set a legal hold policy. For more details, please refer to here and here. So I suggest you use deployment scripts in the template to implement it.
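As an added example (not part of the answer above), here is what the suggested deployment-script route looks like: a Microsoft.Resources/deploymentScripts resource that runs the Azure CLI after the container exists and sets the legal hold. The parameter names, the user-assigned identity and the tag value are assumptions for illustration. The identity the script runs as must already hold a role that includes Microsoft.Storage/storageAccounts/blobServices/containers/setLegalHold/action on the storage account (Storage Account Contributor or Contributor), because legal hold is a control-plane operation, not a data-plane one.

```json
{
  "type": "Microsoft.Resources/deploymentScripts",
  "apiVersion": "2020-10-01",
  "name": "set-legal-hold",
  "location": "[resourceGroup().location]",
  "kind": "AzureCLI",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "[parameters('scriptIdentityId')]": {}
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('containerName'))]"
  ],
  "properties": {
    "azCliVersion": "2.40.0",
    "timeout": "PT10M",
    "retentionInterval": "PT1H",
    "cleanupPreference": "OnSuccess",
    "environmentVariables": [
      { "name": "RG", "value": "[resourceGroup().name]" },
      { "name": "ACCOUNT", "value": "[parameters('storageAccountName')]" },
      { "name": "CONTAINER", "value": "[parameters('containerName')]" },
      { "name": "HOLD_TAG", "value": "[parameters('legalHoldTag')]" }
    ],
    "scriptContent": "set -e\naz storage container legal-hold set --resource-group \"$RG\" --account-name \"$ACCOUNT\" --container-name \"$CONTAINER\" --tags \"$HOLD_TAG\"\naz storage container legal-hold show --resource-group \"$RG\" --account-name \"$ACCOUNT\" --container-name \"$CONTAINER\" > \"$AZ_SCRIPTS_OUTPUT_PATH\""
  }
}
```

The dependsOn entry assumes the container is declared in the same template; drop it if the container already exists. The second CLI call writes the current legal-hold state to $AZ_SCRIPTS_OUTPUT_PATH, so a template output such as "[reference('set-legal-hold').outputs.tags]" lets the deployment history show that the hold was actually applied rather than trusting that the script ran. Keep the tag a short alphanumeric label, and remember that clearing a legal hold is the same kind of privileged action, so the identity used here should be a dedicated one rather than a broadly scoped Contributor.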
I am having an issue with transcribing (Speech-To-Text) an audio file hosted in an Azure Storage container from the Cognitive Services API.
The services are of the same resource (and I created a VNet and they are part of the same subnet).
After I take the contentUrl from the response there:
The error I get is:
{
  "successfulTranscriptionsCount": 0,
  "failedTranscriptionsCount": 1,
  "details": [
    {
      "source": "https://{service-name}.blob.core.windows.net/meetingnotes/Meeting82035.wav",
      "status": "Failed",
      "errorMessage": "Error when downloading the recording URI. StatusCode: Conflict.",
      "errorKind": "DownloadRecordingsUrisUnknownError"
    }
  ]
}
I tested in my environment and was getting the same error as you.
To resolve the issue, you need to append the SAS token to the blob URL in the contentUrls field.
For generating the SAS token, I allowed all the permissions, as I have done in the picture below.
Generated transcript report
Final output once clicked on contentUrl
I contacted Azure support and they provided the correct solution, which is to add the role "Storage Blob Data Contributor" to the Speech service resource.
Go to IAM of your storage account.
Go to Role Assignments.
Click "Add", then add your Speech service under Managed Identities.
That should fix it.
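As an added example, not part of either answer above, the role assignment from the second answer expressed as an ARM template so it is reproducible instead of clicked together in IAM. It assumes the Speech resource already has its system-assigned managed identity enabled, and the parameter names are illustrative. The role GUID is the built-in Storage Blob Data Contributor named in the answer; if the transcription job only reads the recording and does not write results back into the container, the built-in Storage Blob Data Reader role (2a2b9908-6ea1-4ae2-8e65-a410df84e7d1) is the least-privilege choice. This also avoids the first answer's approach of a SAS token granting all permissions, which is a bearer secret that travels in the request body and should at minimum be read-only and short-lived.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "speechServiceName": { "type": "string" }
  },
  "variables": {
    "storageBlobDataContributor": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "speechServiceId": "[resourceId('Microsoft.CognitiveServices/accounts', parameters('speechServiceName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
      "name": "[guid(variables('storageAccountId'), variables('speechServiceId'), variables('storageBlobDataContributor'))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('storageBlobDataContributor'))]",
        "principalId": "[reference(variables('speechServiceId'), '2023-05-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

The assignment name is a deterministic guid() of scope, principal and role, so redeploying the template is idempotent instead of failing with a conflict. Setting principalType to ServicePrincipal avoids the replication-lag failure you can hit when a freshly created managed identity is assigned a role in the same deployment. The scope is the storage account, not the subscription or resource group, which keeps the Speech identity from reading blobs in unrelated accounts.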
Assume we have a Checkpoint Firewall Template created on Azure Portal. Is there a way to test the Template within Azure? Also if the Template is modified, is there a way to Test that new modified Template within Azure?
You can test an ARM Template by using it in a deployment. You can also use the what-if setting to produce hypothetical output without actually deploying anything.
Microsoft Azure Docs for What-If
To create a What-If deployment you can proceed in a number of ways: Azure CLI, PowerShell, REST, etc. Here is an example using REST (Postman).
Use the endpoint
POST https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}/whatIf?api-version=2020-06-01
Provide a body payload:
{
  "location": "westus2",
  "properties": {
    "mode": "Incremental",
    "parameters": {},
    "template": {}
  }
}
Add your template and parameters. Supply a bearer token for authentication and deploy.
You can check the Azure What-If REST API docs here.
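As an added example (not from the answer above), a complete what-if request body for the endpoint shown: the empty parameters and template placeholders are filled with a small storage-account template so the request actually produces a change list. The account name, region and settings are illustrative. The extra whatIfSettings.resultFormat value asks for full resource payloads so the response shows every property that would change, not just resource IDs.

```json
{
  "location": "westus2",
  "properties": {
    "mode": "Incremental",
    "whatIfSettings": {
      "resultFormat": "FullResourcePayloads"
    },
    "parameters": {
      "storageAccountName": { "value": "stwhatifdemo001" }
    },
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountName": { "type": "string" }
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "apiVersion": "2021-09-01",
          "name": "[parameters('storageAccountName')]",
          "location": "[resourceGroup().location]",
          "sku": { "name": "Standard_LRS" },
          "kind": "StorageV2",
          "properties": {
            "minimumTlsVersion": "TLS1_2",
            "allowBlobPublicAccess": false,
            "supportsHttpsTrafficOnly": true
          }
        }
      ]
    }
  }
}
```

The POST returns 202 with a Location header; polling it yields a result whose properties.changes array lists each resource with a changeType of Create, Modify, Delete, NoChange or Ignore and, for Modify, a delta of the properties that differ. That array is what to review before approving a modified template, in particular any Modify that weakens a security setting (such as the three properties above) and, if you switch mode to Complete, any Delete of resources the template no longer declares. What-if reads the current state of the resource group, so the bearer token needs read access to it but no write permission.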
We are using an ARM json template which has this:
"outputs": {
  "gatewayurl": {
    "type": "string",
    "value": "[reference('Microsoft.ApiManagement/service/uat1api', '2018-01-01', 'Full').properties.gatewayUrl]"
  }
}
What exactly is Microsoft.ApiManagement/service/uat1api ?
How can I go into Microsoft.ApiManagement/service/uat1api and view the properties?
I can see that the value ends up being https://uat1api.azure-api.net/, but I'd like to go in and see where that value is coming from.
Microsoft.ApiManagement/service is the resource type while uat1api is the name of the resource (in your case, in API Management Service).
Properties are specific to each resource type and defined in a template reference (link below for API Management Service).
Another great resource is the Azure Resource Explorer. Not all properties are documented in the template reference, while the resource explorer seems to provide more accurate visibility into the properties available on each resource.
Microsoft.ApiManagement service template reference
Azure Resource Explorer
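As an added example (not part of the answer above), a way to see the same properties object from inside the template rather than in Resource Explorer: output the whole 'Full' reference alongside the single gatewayUrl value. The resource name uat1api is taken from the question; using resourceId() instead of the bare "type/name" string is the documented form and also works when the resource lives in another resource group.

```json
"outputs": {
  "gatewayurl": {
    "type": "string",
    "value": "[reference(resourceId('Microsoft.ApiManagement/service', 'uat1api'), '2018-01-01', 'Full').properties.gatewayUrl]"
  },
  "apimFull": {
    "type": "object",
    "value": "[reference(resourceId('Microsoft.ApiManagement/service', 'uat1api'), '2018-01-01', 'Full')]"
  }
}
```

After deployment, the apimFull output in the deployment's history shows every property that reference() can see (id, location, identity, sku, properties.gatewayUrl, properties.publicIPAddresses and so on), which is where the gateway URL comes from. Remove the object output once you have looked: deployment outputs are readable by anyone with Reader on the resource group, so this trick should never be used on a resource type whose full payload carries connection strings or keys.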
on this page:
https://learn.microsoft.com/en-us/azure/data-factory/v1/data-factory-usql-activity
there is a template for using Azure Data Lake Analytics in Azure Data Factory with a service principal (instead of authorizing manually for each use).
the template looks like this:
{
  "name": "AzureDataLakeAnalyticsLinkedService",
  "properties": {
    "type": "AzureDataLakeAnalytics",
    "typeProperties": {
      "accountName": "adftestaccount",
      "dataLakeAnalyticsUri": "azuredatalakeanalytics.net",
      "servicePrincipalId": "<service principal id>",
      "servicePrincipalKey": "<service principal key>",
      "tenant": "<tenant info, e.g. microsoft.onmicrosoft.com>",
      "subscriptionId": "<optional, subscription id of ADLA>",
      "resourceGroupName": "<optional, resource group name of ADLA>"
    }
  }
}
This template does not work in Azure Data Factory; it insists that for the type "AzureDataLakeAnalytics" it is not possible to have "servicePrincipalId", and it still requires "authorization" as a property.
My question is:
What is the correct JSON template for configuring an AzureDataLakeAnalyticsLinkedService with a service principal?
OK, sorry for asking a question that I figured out myself in the end.
While it is true that the Azure portal complains about the template, it does allow you to deploy it. I had of course tried this, but since the Azure portal does not show the error message, only an error flag, I did not realize the error was from the service principal's lack of permissions and not from the template it complained about.
So by adding more permissions to the service principal and deploying the JSON, disregarding the compiler complaints, it did work. Sorry for bothering.
I exported an Azure Resource Manager JSON template from my resource group on Azure. I see a bunch of tags in the generated file like:
"tags": {
  "hidden-link:/subscriptions/[my-subscription-id-here]/resourceGroups/[my-resource-group]/providers/Microsoft.Sql/servers/[my-database-server-name]/databases/[my-database-name]": "Resource"
},
The only documentation I can find on it is from Using tags to organize your Azure resources, which says:
You may see tags that start with "hidden-" and "link:". These are internal tags, which you should ignore and avoid changing.
The problem is that I'm going to be deploying this resource template to a completely different subscription than the one whose ID is hard-coded into the tag. Any meaning that the hard-coded subscription id has in this tag will be lost. Can I safely remove this tag? What does it mean, and how is it used once deployed?
Just to help stop anyone else from wasting a couple of hours in frustration:
Don't remove these tags from your generated ARM template for web tests in Application Insights.
I was wondering if I really needed these tags since they were very specific to the resource that I used to create the template from. Reading this answer I figured that it wasn't necessary so I removed them and promptly forgot about removing them.
The deployment then started failing with the very descriptive error:
{
  "code": "BadRequest",
  "message": "{
    "code": "BadRequest",
    "message": "Bad Request",
    "innererror": {
      "diagnosticcontext": "d657bd3b-6b5f-4b24-8963-c2e9ac76a65b",
      "time": "2019-02-05T13:37:23.6473698Z"
    }
  }"
}
Putting the "hidden-links" back in seems to fix the issue.
An alternative that makes the script a bit more reusable is specifying the "hidden-link" as follows:
"tags": {
  "[concat('hidden-link:', resourceId('Microsoft.Insights/components', parameters('appInsightsName')))]": "Resource"
}
Where applicationInsightName is a variable containing the name of the Application Insights instance.
These tags are used to associate related resources. They are used to populate the Linked Resources section. Removing the tags will prevent resources from displaying as Linked Resources but will not impact any functionality.
Azure Resource Manager (ARM) tags are optional on an Azure resource or an Azure resource group.
You can safely remove any tag without affecting your ARM deployment.
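As an added example that is not part of any of the answers above, a complete Application Insights web test resource that builds the hidden-link tag from resourceId() instead of the exported, subscription-specific string, so the same template deploys into any subscription. Parameter names, the test name and the probe locations are illustrative; the two location IDs are standard Azure web-test locations.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appInsightsName": { "type": "string" },
    "webTestName": { "type": "string", "defaultValue": "login-page-check" },
    "targetUrl": { "type": "string" }
  },
  "variables": {
    "appInsightsId": "[resourceId('Microsoft.Insights/components', parameters('appInsightsName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Insights/webtests",
      "apiVersion": "2022-06-15",
      "name": "[parameters('webTestName')]",
      "location": "[resourceGroup().location]",
      "tags": {
        "[format('hidden-link:{0}', variables('appInsightsId'))]": "Resource"
      },
      "properties": {
        "SyntheticMonitorId": "[parameters('webTestName')]",
        "Name": "[parameters('webTestName')]",
        "Enabled": true,
        "Frequency": 300,
        "Timeout": 30,
        "Kind": "standard",
        "RetryEnabled": true,
        "Locations": [
          { "Id": "us-va-ash-azr" },
          { "Id": "emea-nl-ams-azr" }
        ],
        "Request": {
          "RequestUrl": "[parameters('targetUrl')]",
          "HttpVerb": "GET",
          "ParseDependentRequests": false
        },
        "ValidationRules": {
          "ExpectedHttpStatusCode": 200,
          "SSLCheck": true,
          "SSLCertRemainingLifetimeCheck": 7
        }
      }
    }
  ]
}
```

The tag key is an expression, which ARM evaluates just like a value, so no subscription ID is hard-coded anywhere in the file and the web test still shows up under the component's Linked Resources. SSLCheck and SSLCertRemainingLifetimeCheck turn the availability probe into an early warning for an expiring or invalid certificate on the target, which is a cheap control to have on an externally facing endpoint.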