Creating User managed identity and server administrator using ARM Template - azure

I want to add a user managed identity as admin to a sql server resource in azure. I can create the user identity using ARM Templates like this:
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[variables('identityName')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
},
and I can create a administrator resource from ARM template as well. But how do I reference the above created identity in the administrator resource? :
{
"name": "[concat(variables('serverName'),'/ActiveDirectory')]",
"type": "Microsoft.Sql/servers/administrators",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', variables('serverName'))]"
],
"apiVersion": "2019-06-01-preview",
"properties": {
"administratorType": "ActiveDirectory",
"login": "[parameters('identityName')]",
"sid": "<How do I add reference here>",
"tenantId": "<How do I add reference here>"
}
}

I tried something and the following seems to be working fine:
{
"name": "[concat(variables('serverName'),'/ActiveDirectory')]",
"type": "Microsoft.Sql/servers/administrators",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', variables('serverName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
],
"apiVersion": "2019-06-01-preview",
"properties": {
"administratorType": "ActiveDirectory",
"login": "[variables('identityName')]",
"sid": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName'))).clientId]",
"tenantId": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName'))).tenantId]"
}
},

Related

Azure ARM throws bad request for storage connection string during template deployment

I'm creating an azure storage account,key vault and adding the storage account access keys as a secret to the key vault. I dont see any issues with the ARM code but when I deploy this in Azure I get a bad request for the connection secret.
{
"condition": "[equals(parameters('storageAccountOption'), 'new')]",
"name": "[variables('storageaccountuniqueName')]",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"tags": "[parameters('tagValues')]",
"location": "[parameters('location')]",
"kind": "StorageV2",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
}
},
{
"name": "[variables('kvname')]",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"location": "[resourceGroup().location]",
"tags": "[parameters('tagValues')]",
"properties": {
"enabledForDeployment": false,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": false,
"tenantId": "[variables('tenantId')]",
"accessPolicies": [
{
"tenantId": "[variables('tenantId')]",
"objectId": "[parameters('kv_owner_id')]",
"permissions": {
"secrets": [
"all"
]
}
},
{
"tenantId": "[variables('tenantId')]",
"objectId": "[reference(resourceId('Microsoft.DataFactory/factories', variables('adfname')), '2018-06-01', 'full').identity.principalId]",
"permissions": {
"keys": [],
"secrets": [
"list",
"get"
]
}
}
],
"sku": {
"name": "standard",
"family": "A"
}
}
},
{
"name": "[concat(variables('kvname'), '/', variables('kv-stg-secretname'))]",
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2019-09-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageaccountuniqueName'))]",
"[resourceId('Microsoft.KeyVault/vaults', variables('kvname'))]"
],
"properties": {
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageaccountuniqueName'), ';AccountKey=', listKeys(variables('storageaccountid'), '2019-06-01').keys[0].value,';EndpointSuffix=core.windows.net')]"
}
}
I've set the dependencies for the keyvault secret to ensure it's done only after storage account and key vault is deployed. This is the deployment error from Azure. I'm using service principal with Azure Cli to deploy this, so the kv_owner_id is passed from cli as the service principal client id.
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "BadRequest",
"message": ""
}
]
}
Here is the overview of the deployment operations as seen from the portal. Except for the conn string secret everything was created successfully.
How do you define the storageaccountid variable? You could use the standard resourceId() reference in listKeys:
"properties": {
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageaccountuniqueName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageaccountuniqueName')), '2019-06-01').keys[0].value,';EndpointSuffix=core.windows.net')]"
}

Azure VM Custom script extension identity access to Storage Account

In the custom script extension of a VM I want to execute this command:
#download azcopy from http://aka.ms/downloadazcopy
c:\azcopy login --identity
C:\azcopy copy https://mystorage.blob.core.windows.net/software C:\Temp --recursive
But for this to work the identity of the VM need to be added as "Storage Blob Data Contributor". In terraform we could do it this way
resource"azurerm_role_assignment""role" {​​​​​​​​
scope= data.azurerm_storage_account.vault.id
role_definition_name="Storage Blob Data Contributor"
principal_id= azurerm_windows_virtual_machine.vm.identity.0.principal_id
}​​​​​​​​
But if we do not use terraform and instead use Azure DevOps and ARM templates, how would you execute it ? Because the VM is not created yet to give identity access. Custom script extension is part of the creation.
You can enable a system-assigned managed identity using an Azure Resource Manager template. Reference here.
Step1
To enable system-assigned managed identity, locate the Microsoft.Compute/virtualMachines resource of interest within the resources section and add the "identity" property at the same level as the "type": "Microsoft.Compute/virtualMachines" property. Use the following syntax:
"identity": {
"type": "SystemAssigned"
},
Step2
When you're done, the following sections should be added to the resource section of your template and it should resemble the following:
"resources": [
{
//other resource provider properties...
"apiVersion": "2018-06-01",
"type": "Microsoft.Compute/virtualMachines",
"name": "[variables('vmName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned",
},
},
//The following appears only if you provisioned the optional VM extension (to be deprecated)
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
"apiVersion": "2018-06-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
],
"properties": {
"publisher": "Microsoft.ManagedIdentity",
"type": "ManagedIdentityExtensionForWindows",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": {
"port": 50342
}
}
}
]
Step3
Grant it a role "Storage Blob Data Contributor" access to the resource group in which it was created.
Under the parameters section add the following:
"builtInRoleType": {
"type": "string",
"defaultValue": "StorageBlobDataContributor"
},
"rbacGuid": {
"type": "string"
}
Under the variables section add the following:
"StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
Under the resources section add the following:
{
"apiVersion": "2017-09-01",
"type": "Microsoft.Authorization/roleAssignments",
"name": "[parameters('rbacGuid')]",
"properties": {
"roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
"principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
"scope": "[resourceGroup().id]"
},
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
]
}
Update
To grant the identity with an RBAC role to access a specific storage account. Refer to this answer.
{
"apiVersion": "2018-01-01-preview",
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"name": "[concat(variables('storageAccountName'), '/Microsoft.Authorization/',parameters('rbacGuid'))]",
"properties": {
"roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
"principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines',parameters('vmName')), '2017-12-01', 'Full').identity.principalId]"
},
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
]
}

How to create an azure blob storage using Arm template?

Need to create an ARM template for azure blob storage and adding a container in it. Can anybody enlighten me on this. Thanks in advance.
Create an Azure Storage Account and Blob Container on Azure
How to create a new storage account.
{
"name": "[parameters('storageAccountName')]",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2018-02-01",
"location": "[resourceGroup().location]",
"kind": "StorageV2",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"accessTier": "Hot"
}
}
Adding JSON to your ARM template will make sure a new storage account is created with the specified settings and parameters. How to create ARM templates.
Now for adding a container to this storage account! To do so, you need to add a new resource of the type blobServices/containers to this template.
{
"name": "[parameters('storageAccountName')]",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2018-02-01",
"location": "[resourceGroup().location]",
"kind": "StorageV2",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"accessTier": "Hot"
},
"resources": [{
"name": "[concat('default/', 'theNameOfMyContainer')]",
"type": "blobServices/containers",
"apiVersion": "2018-03-01-preview",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"publicAccess": "Blob"
}
}]
}
Deploying this will make sure a container is created with the name NameContainer inside the storage account.
{
"name": "[variables('StorageAccount')]",
"type": "Microsoft.Storage/storageAccounts",
"location": "[resourceGroup().location]",
"apiVersion": "2016-01-01",
"sku": {
"name": "[parameters('StorgaeAccountType')]"
},
"dependsOn": [],
"tags": {
"displayName": "Blob Storage"
},
"kind": "Storage",
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2018-03-01-preview",
"name": "[concat('default/', variables('blobContainer'))]",
"properties": {
"publicAccess": "Blob"
},
"dependsOn": [
"[variables('StorageAccount')]"
]
}
]
}
Let us know if the above helps or you need further assistance on this issue.

ARM Template for to configure App Services with new VNet Integration feature?

I am working on ARM Templates, I have created the template file with two or more azure app services along with app service plan and then configured with VNET Integration of each app service.
This is sample JSON code:
{
"comments": "Web-App-01",
"name": "[variables('app_name_01')]",
"type": "Microsoft.Web/sites",
"location": "[variables('location')]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('asp_name_01'))]"
],
"tags": {
"displayName": "[variables('app_name_01')]"
},
"properties": {
"name": "[variables('app_name_01')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('asp_name_01'))]",
"siteConfig": {
"alwaysOn": true
}
},
"resources": [
{
"type": "Microsoft.Web/sites/virtualNetworkConnections",
"name": "[concat(variables('app_name_01'), '/', variables('vnet_connection_name'),uniqueString('asdsdaxsdsd'))]",
"apiVersion": "2016-08-01",
"location": "[variables('location')]",
"properties": {
"vnetResourceId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vm_vnet_name'), variables('web_subnet_name'))]"
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('app_name_01'))]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vm_vnet_name'), variables('web_subnet_name'))]"
]
}
]
},
{
"comments": "Web-App-02",
"name": "[variables('app_name_02')]",
"type": "Microsoft.Web/sites",
"location": "[variables('location')]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('asp_name_02'))]"
],
"tags": {
"displayName": "[variables('app_name_02')]"
},
"properties": {
"name": "[variables('app_name_02')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('asp_name_01'))]",
"siteConfig": {
"alwaysOn": true
}
},
"resources": [
{
"type": "Microsoft.Web/sites/virtualNetworkConnections",
"name": "[concat(variables('app_name_02'), '/', variables('vnet_connection_name'),uniqueString('asdsdaxsdsd'))]",
"apiVersion": "2016-08-01",
"location": "[variables('location')]",
"properties": {
"vnetResourceId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vm_vnet_name'), variables('web_subnet_name'))]"
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('app_name_02'))]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vm_vnet_name'), variables('web_subnet_name'))]"
]
}
]
}
The above code works fine for few azure app services, but for the rest of the app services I am getting internal server error or Conflict or Bad Request during VNET Integration of Azure App Service.
Note: When I deployed the above the JSON Code, the old VNET
integration is configured instead of New VNET (Preview) feature. So, I need to configure New VNET (Preview) feature for each app service.
So, can anyone suggest me how to resolve the above issue.
I've found a working example for this on an Azure Docs GitHub post:
How do we integrate the new vnet integrartion with ARM templates?
Seems to work a different way with the new VNet integration which uses a Microsoft.Web/sites/config sub-resource named virtualNetwork instead of the Microsoft.Web/sites/virtualNetworkConnections sub-resource
As well as a few requirements that need to be set on the target subnet / vnet (described in the link). The integration piece looks something like this:
{
"apiVersion": "2018-02-01",
"type": "Microsoft.Web/sites",
"name": "[parameters('appName')]",
"location": "[resourceGroup().location]",
...
"resources": [
{
"name": "virtualNetwork",
"type": "config",
"apiVersion": "2018-02-01",
"location": "[resourceGroup().location]",
"properties": {
"subnetResourceid": "[parameters('subnetResourceId')]",
"swiftSupported": true
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('appName'))]"
]
}
]
},
Apart from this I've not found much else documented, except for a reference to it in the azure-rest-api-specs which has the "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/networkConfig/virtualNetwork" endpoint defined:
azure-rest-api-specs / WebApps.json
It also seems (as the spec suggests) replacing "type": "config" with "type": "networkConfig" also works.
I've talked to a Prem Engineer of Microsoft.
The Key is to replace the Automation Template
{
"type": "Microsoft.Web/sites/virtualNetworkConnections",
"apiVersion": "2018-11-01",
"name": "[concat(parameters('sites_FelixOFA_name'), '/xxxxxxx_Functions')]",
"location": "West Europe",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('sites_FelixOFA_name'))]"
],
"properties": {
"vnetResourceId": "[concat(parameters('virtualNetworks_FelixODevPremNet_externalid'), '/subnets/Functions')]",
"isSwift": true
}
}
with
{
"type": "Microsoft.Web/sites/networkConfig",
"name": "[concat(parameters('webAppName'),'/VirtualNetwork')]",
"apiVersion": "2016-08-01",
"properties":
{
"subnetResourceId": "[parameters('subnetResourceId')]"
}
}
Where subnetResourceId is the resource id of their subnet – it should look like /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}
I tried to reach same functionality by Bicep file, finally using
virtualNetworkSubnetId:
worked for me.
For example:
resource webAppName_resource 'Microsoft.Web/sites#2020-12-01' = {
name: '${webAppName}'
location: location
properties: {
serverFarmId: appServicePlanPortalName.id
virtualNetworkSubnetId: '${vnetDeploy_module.outputs.vnetid}/subnets/${vnetDeploy_module.outputs.subnetname}'
siteConfig: {
linuxFxVersion: linuxFxVersion
minTlsVersion: minTlsVersion
http20Enabled: http20Enabled
}
httpsOnly: httpsOnly
}
}
See templates in https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/app-service-regional-vnet-integration.
Result in ARM is:
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-01-01",
"name": "[parameters('appName')]",
"location": "[parameters('location')]",
"kind": "app",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"virtualNetworkSubnetId": "[reference(resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))).subnets[0].id]",
"httpsOnly": true,
"siteConfig": {
"vnetRouteAllEnabled": true,
"http20Enabled": true
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"
]
}
To fix this, I simply changed the isSwift or swiftSupported option to false.

Azure - Set WebSocket On from ARM json template

I'm trying to turn WebSockets On for an Azure WebApp from an Azure ARM json template that deploys my whole infrastructure.
Here is an extract with regards to the Azure Web App. It doesn't work, i.e the WebSockets are still Off. I unsuccessfully tried different spelling: webSocketsEnabled or WebSockets.
"resources":[
{
"name": "[variables('MyApp')]",
"type": "Microsoft.Web/sites",
"location": "Brazil South",
"apiVersion": "2016-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('MyAppPlanBrazil'))]"
],
"tags": {
"[concat('hidden-related:', resourceId('Microsoft.Web/serverfarms', variables('MyAppPlanBrazil')))]": "Resource",
"displayName": "MyAppAppBrazil"
},
"properties": {
"name": "[variables('MyAppPlanBrazil')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('MyAppPlanBrazil'))]",
"siteConfig": {
"AlwaysOn": true,
"webSocketsEnabled": true,
"connectionStrings": [
{
...
},
{
...
},
]
}
}
]
UPDATE
As suggested in answer below I updated the apiVersion to "2016-08-01" but this still doesn't work.
Also note that while my schema is the one described here, apiVersion is squiggled in VS and it says the authorized value is "2015-08-01" only.
UPDATE2
I tried the solutions below. They work for their authors but not for me. I guess the problem is elsewhere. My infrastructure is already deployed and I try to update it with webSocketsEnabled. Whereas in the solution below I imagine the authors directly create the web app with webSocketsEnabled.
Also, I coupled webSocketsEnabled with alwaysOn whereas the pricing tier of my webapp doesn't allow "AlwaysOn" (as it says in the portal I need to upgrade to use that feature) so I'll try without alwaysOn.
UPDATE3
At the end, the above template worked when I removed AlwaysOn.
Thank you to those who tried to help me.
Set your api version to this: "2016-08-01"
Use
"webSocketsEnabled": true
This is from the Microsoft.Web/sites template reference:
https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites
The api version you are using (2015-08-01) from:
https://github.com/Azure/azure-resource-manager-schemas/blob/master/schemas/2015-08-01/Microsoft.Web.json
Doesn't have web sockets in it, but the later one:
https://github.com/Azure/azure-resource-manager-schemas/blob/master/schemas/2016-08-01/Microsoft.Web.json
Does have webSocketsEnabled.
Please have a try to use the following code. It works correctly on my side.
Updated: add whole test arm template and you could have a try to use the following code with your service plan name and resource group name
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverFarmName": {
"type": "string",
"defaultValue": "YourPlan"
},
"serverFarmResourceGroup": {
"type": "string",
"defaultValue": "ResourceGroupName"
}},
"variables": {
"ARMtemplateTestName": "[concat('ARMtemplateTest', uniqueString(resourceGroup().id))]"},
"resources": [
{
"name": "[variables('ARMtemplateTestName')]",
"type": "Microsoft.Web/sites",
"location": "southcentralus",
"apiVersion": "2015-08-01",
"dependsOn": [ ],
"tags": {
"[concat('hidden-related:', resourceId(parameters('serverFarmResourceGroup'), 'Microsoft.Web/serverFarms', parameters('serverFarmName')))]": "Resource",
"displayName": "ARMtemplateTest"
},
"properties": {
"name": "[variables('ARMtemplateTestName')]",
"serverFarmId": "[resourceId(parameters('serverFarmResourceGroup'), 'Microsoft.Web/serverFarms', parameters('serverFarmName'))]"
},
"resources": [
{
"name": "web",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('ARMtemplateTestName'))]"
],
"tags": {
"displayName": "enableWebSocket"
},
"properties": {
"webSocketsEnabled": true,
"alwaysOn": true
}
},
{
"apiVersion": "2015-08-01",
"name": "connectionstrings",
"type": "config",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', variables('ARMtemplateTestName'))]"
],
"properties": {
"ConnString1": {
"value": "My custom connection string",
"type": "custom"
},
"ConnString2": {
"value": "My SQL connection string",
"type": "SQLAzure"
}
}
},
{
"name": "appsettings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('ARMtemplateTestName'))]"
],
"tags": {
"displayName": "Appsetting"
},
"properties": {
"key1": "value1",
"key2": "value2"
}
}
]
}],
"outputs": {}
}
Test Result:
All the above solution should work.
My initial snippet worked as well ... as soon as I removed alwaysOn.
Indeed, I was using a free tiers App Service Plan for which alwaysOn is not available. While there was no errors or anything else indicating something wrong, I could not set webSocketEnabled and alwaysOn at the same time in that case.

Resources