I have created a template which deploys a deploymentScripts to do some work in SQL. Since we locked down SQL on a network level I needed to create a custom container instance which is connected to my vnet. That Container Instance needs to have a volume mounted on an Azure Storage Account. The fileshare on that is created by the deploymentScripts deployment but you don't seem to be able to set that. How do I reliably get to that value so I can create that myself and mount? Here's the part of the container instance I'm talking about. Its the "shareName": "hvtqyj3nqhygoazscripts" I'm looking for. Seems to be using the uniqueString() function concatenated with 'azscripts'. What is the input to the uniqueString() function?
"volumes": [
{
"name": "azscripts",
"azureFile": {
"shareName": "hvtqyj3nqhygoazscripts",
"storageAccountName": "<storename>",
"storageAccountKey": "<key>"
}
}
]
In DeploymentScripts (DS), ACI is not seen as a shared resource, so you cannot create it in advance and use it in DS (there's 1 ACI per DS), but you can use an existing Storage Account as seen here. File shares are controlled by DS to isolate script content and outputs so you cannot control the name.
Related
I have performed discovery operations for listing protectable items in Azure Backup: 'SQL in Azure VM'.
I am able to perform 'Disovery' using the following template
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers",
"apiVersion": "2016-12-01",
"name": "[concat(parameters('vaultName'), '/', parameters('fabricName'), '/',parameters('protectionContainers')[copyIndex()])]",
"properties": {
"backupManagementType": "[parameters('backupManagementType')]",
"workloadType": "[parameters('workloadType')]",
"containerType": "[parameters('protectionContainerTypes')[copyIndex()]]",
"sourceResourceId": "[parameters('sourceResourceIds')[copyIndex()]]",
"operationType": "Register"
},
"copy": {
"name": "protectionContainersCopy",
"count": "[length(parameters('protectionContainers'))]"
}
}
]
I similarly tried the following operation types:
"Reregister": Works as expected.
"Invalid: Did not perform any operation.
Could someone guide me with unregistering of containers using the ARM template?
(I already have the API to do it, but I need it with an ARM template).
Similarly is there any way to rediscover DBs within a registered container using an ARM template?
Any help is much appriceiated.
Looking at the Register API for Protection Containers, it looks like the supported values for OperationType are: Invalid, Register and Reregister. The Unregister API fires a HTTP DELETE request that is not straightforward to simulate with an ARM template. ARM Templates are primarily meant to be used for creating and managing your Azure resources as an IaC solution.
That said, if you have ARM templates as your only option, you could try deploying it in Complete mode. In complete mode, Resource Manager deletes resources that exist in the resource group but aren't specified in the template.
To deploy a template in Complete mode, you'd have to set it explicitly using the Mode parameter since the default mode is incremental. Be sure to use the what-if operation before deploying a template in complete mode to avoid unintentionally deleting resources.
I'm trying to programatically insert the object Id of a certain user account into an ARM template, like this:
"objectId": "[reference(resourceId('Microsoft.AAD/domainServices/user/read','domain','User.Name'),'2019-01-01').Id]",
I've tried many different resource providers in an attempt to get this to work. For example:
"objectId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/read','user#domain.onmicrosoft.com'),'2019-01-01').Id]",
and:
"objectId": "[reference(resourceId('Microsoft.Portal/usersettings/read','user#domain.onmicrosoft.com'),'2018-10-01').Id]"
I looked up the API call used to get a list of users, to see if that would hint at the correct provider to use (it didn't):
GET https://graph.windows.net/{TenantId}/users?api-version=1.6 HTTP/1.1
I've been looking through this list of provider operations but have found two problems with this:
1 I can't see an operation which looks relevant to what I want to do.
2 It doesn't provide information on what parameters are required.
So I guess I have two questions really:
How do I dynamically look up the ObjectId of a user in an ARM template?
How do I find out in future which lookup functions are available and which parameters are required?
You could not insert the user object Id in the ARM template.
The user account is managed by your Azure AD tenant, it is not the azure resource, the ARM template is for the azure resources in your subscription.
Reference:https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview
Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.
You can try from below code if you have VM in same template and enabled managed identity
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-resource#remarks-1
{
"type": "Microsoft.KeyVault/vaults",
"properties": {
"tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
"accessPolicies": [
{
"tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
"objectId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.principalId]",
"permissions": {
"keys": [
"all"
],
"secrets": [
"all"
]
}
}
]
I find the best way to achieve this is to expose the ID as a parameter, then when you call the ARM template deployment, simply pass the parameter into the template.
How do you get the ID into the template parameter? Well, I run my ARM deployments via Azure DevOps CI/CD and I use the pipeline task AzureAppConfiguration.azure-app-configuration-task.custom-build-release-task.AzureAppConfiguration#1 to extract the ID from my own custom configuration setup.
How do you get the ID into the Azure App Configuration service? Well, when I seed an environment for the first time there will be some initial setup, e.g. users and groups. I just then run some scripts to extract this kind of "metadata" into my Azure App Configuration service.
e.g.
APP_ID=$(az ad sp list --all --query "[?displayName=='name-of-spn'].appId" --output tsv)
az appconfig kv set --name name-of-app-config-store --key name-of-spn-app-id --value ${APP_ID}
I think I have solution.
I am tying to refer to a Client ID in a Managed User Identity generated by an ARM template.
I have declared the name of the Managed Identity as a Parameter to use as an administrator for an SQL server:
[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',parameters('managed-identity')), '2018-11-30', 'full').properties.clientId]
Once you switch our the parameter you should be good to go.
I am developing a Logic App which is scheduled every minute and creates a storage blob with logging data. My problem is that I must create a container for the blob manually to get it working. If I create blob within a not existing container
I get the following error:
"body": {
"status": 404,
"message": "Specified container tmp does not exist.\r\nclientRequestId: 1111111-2222222-3333-00000-4444444444",
"source": "azureblob-we.azconn-we.p.azurewebsites.net"
}
This stackoverflow question suggested putting the container name in the blob name
but If I do so I get the same error message: (also with /tmp/log1.txt)
{
"status": 404,
"message": "Specified container tmp does not exist.\r\nclientRequestId: 1234-8998989-a93e-d87940249da8",
"source": "azureblob-we.azconn-we.p.azurewebsites.net"
}
So you may say that is not a big deal, but I have to deploy this Logic App multiple times with a ARM template and there is no possibility to create a container in an storage account (see this link).
Do I really need to create the container manually or write a extra azure function to check if the container exists?
I have run in this before, you have a couple of options:
You write something that runs after the ARM template to provision the container. This is simple enough if you are provisioning through VSTS release management where you can just add another step.
You move from ARM templates to provisioning in PowerShell where you have the power to do the container creation. See New-AzureStorageContainer.
I'm trying to attach an existing VHD disk from a Storage Account to VM during Azure Resource manager provisioning with a template.
My dataDisk resource is:
"dataDisks": [
{
"name": "jmdisk",
"diskSizeGB": "100",
"lun": 0,
"vhd": {
"uri": "https://jmje.blob.core.windows.net/vhds/jenkinshome.vhd"
},
"createOption": "attach"
}
]
But during deploy - I have an error from Azure:
STATUSMESSAGE{
"error": {
"code": "OperationNotAllowed",
"target": "dataDisk",
"message": "Addition of a blob based disk to VM with managed disks is not supported."
}
}
Unfortunately can't google anything related, i.e. - a correct way to attach an existing disk.
UPD Solved this by just creating new Managed disk and copy data there.
You can create a managed disk from an existing blob -- you can see a sample of that here: https://github.com/chagarw/MDPP/blob/master/101-create-image-availabilityset-2vm-from-blob/azuredeploy.json
It uses existing blobs for both OS and data, you don't have to do it that way... In your case it sounds like you want an implicit OS disk and then an explicit data disk? Which you could also do, just use different images for each.
Well, the error gives it up, you are probably not familiar with Managed Disks yet. So you are creating a VM with OS disk as managed, in that case you cannot use existing disks to attach to a VM, just create a VM with regular disk (just like you do with data disk).
I'm looking for any examples of configuring Azure Batch using an Azure Resource Manager template. Googling yielded nothing, and the Azure QuickStart Templates do not yet have any Batch examples, however this SO question implies that it has been done.
What I would like to achieve is, via an ARM template, to create a Batch account and configure a pool (with a minimum number of compute nodes, auto expanding to a maximum number of nodes), and then set the resulting pool ID into my API server's appsettings resource.
I'm about to start reverse engineering it using the Azure Resource Explorer, but any pre-existing examples would be very much appreciated.
Update
So far I've managed to create the resource:
{
"name": "[variables('batchAccountName')]",
"type": "Microsoft.Batch/batchAccounts",
"location": "[resourceGroup().location]",
"apiVersion": "2015-07-01",
"dependsOn": [ ],
"tags": {
"displayName": "BatchInstance"
}
}
And to configure the account settings in the appsettings of my API server:
"BATCH_ACCOUNT_URL": "[concat('https://', reference(concat('Microsoft.Batch/batchAccounts/', variables('batchAccountName'))).accountEndpoint)]",
"BATCH_ACCOUNT_KEY": "[listKeys(resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName')), providers('Microsoft.Batch', 'batchAccounts').apiVersions[0]).primary]",
"BATCH_ACCOUNT_NAME": "[variables('batchAccountName')]"
I still haven't managed to create a pool and fetch the pool ID via ARM, mainly because the pool I created using Batch Explorer never showed up in either the Azure Portal or the Azure Resource Explorer. I'll update this if I find the solution.
Unfortunately we don't have a way today to create a pool using ARM templates. The Azure Portal should show the pools created under your account (even if you didn't created them using ARM).
This is supported, please see the reference docs here: https://learn.microsoft.com/azure/templates/microsoft.batch/2019-04-01/batchaccounts/pools