Azure ARM: deploymentScripts and first-party app identity error - azure

I try to execute the current ARM template for Storage static website fonctionnality activation :
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "[variables('scriptName')]",
"location": "[variables('regionName')]",
// "kind": "AzurePowerShell",
"kind": "AzureCLI",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('storage'))]"
],
"identity": {
"type": "userAssigned",
"userAssignedIdentities": {
"/subscriptions/<MySubscription>/resourcegroups/<MyResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MyIdentityID>": {}
}
},
"properties": {
"forceUpdateTag": "[parameters('utcNow')]",
"storageAccountSettings": {
"storageAccountName": "[variables('storage')]",
"storageAccountKey": "[listKeys(variables('storage'), '2019-04-01').keys[0].value]"
},
// "azPowerShellVersion": "3.0",
"azCliVersion": "2.5.0",
"scriptContent": "[concat('az storage blob service-properties update --account-name ', variables('storage'), ' --static-website --index-document index.html')]",
"timeout": "PT2M",
"cleanupPreference": "OnSuccess",
"retentionInterval": "PT1H"
}
},
To do so, I created a new Managed Identity, and I affected Contributor role to this identity for my resource group. But during the creation of the deploymentScripts resource, it stays in 'Deploying' mode during a long time, and then failed with this error :
Exceeded maximum wait time of '00:05:00'. Message: 'First-party app identity has not become effective yet.'. (Code: DeploymentScriptOperationFailed)
I follow this guide for getting the Identity ID so I'm pretty sure the userAssignedIdentities is correct.

After some discussions with a Software Engineer from Microsoft, it seems that I have to wait that the Managed Identity replicates to multiple servers internally on Azure so that my scripts can found the Identity to execute properly.
I created the Managed Identity manually, waited 1 day and after that the script ran properly.

Related

Re-deploy Azure Web App Service and Plan using ARM Templates

I'm new to Azure and newer to using ARM templates.
I've got an App Service and Service Plan supporting Windows OS that needs to be changed to Linux. From what I can tell, there is no direct modification to achieve this result, I'm going to need to delete and redeploy.
I was looking at steps for manual deletion and re-build, but I'm thinking that using ARM templates would likely be more effective. I'm researching using ARM templates but not getting much information about using them for removal/modify/replacement. I'd guess that I can download the existing ARM templates and re-deploy, but there have to be a handful of gotchas, but I don't know what to look for.
My expectation is that the ARM template would not be able to deploy the custom domain and its certificate ready to go. Also, the existing template has references to snapshots that would likely be gone after deletion, so I'd expect to have to remove those references from the template prior to re-deploy.
Any guidance I can get would be greatly appreciated!
Per
One of the workaround you can follow ;
I'm researching using ARM templates but not getting much information
about using them for removal/modify/replacement
AFAIK, There is no direct command to delete the resources through which are deployed to Azure using ARM.
Instead of that you can use Azure cli as suggested in this SO THREAD,
Because after deployment there is still you can see in the deployment logs your resource are there you can delete from the portal itself.
After remove the app service from portal you can redeploy the same with adding your modifications.
We have tried after deploy the application and then remove/delete from portal as mentioned above and then re-deploy the app service with linux environment and its work fine.
You can make it use of below template(e.g):-
template.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"webAppName": {
"type": "string",
"defaultValue": "AzureLinuxApp",
"metadata": {
"description": "Base name of the resource such as web app name and app service plan "
},
"minLength": 2
},
"sku": {
"type": "string",
"defaultValue": "S1",
"metadata": {
"description": "The SKU of App Service Plan "
}
},
"linuxFxVersion": {
"type": "string",
"defaultValue": "php|7.4",
"metadata": {
"description": "The Runtime stack of current web app"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]",
"appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2020-06-01",
"name": "[variables('appServicePlanName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('sku')]"
},
"kind": "linux",
"properties": {
"reserved": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-06-01",
"name": "[variables('webAppPortalName')]",
"location": "[parameters('location')]",
"kind": "app",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
],
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"siteConfig": {
"linuxFxVersion": "[parameters('linuxFxVersion')]"
}
}
}
]
}
app.parameter.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"webAppName": {
"value": "mylinuxappp"
}
}
}
OUTPUT DETAILS FOR REFERENCE:-
To deploy webapp with custom domain and ssl certificate need to make sure that its already verified and also need to use existing keyvault for the SSL binding . Please find this arm template for more information.
Please refer the below links for get started with Azure App service using arm template with different scenarios(step by step guidance). It should be help more to understand .
MICROSOFT DOCUMENTATIONS| Azure Resource Manager templates for App Service & Quickstart: Create App Service app using an ARM template

Add keys to an existing keyvault in azure using ARM template

Please i am getting the below error message upon sending the below ARM template to azure. what i am trying to do is to add key to an existing key vault on azure (under by subscription). The namespace provisioning should be in charge of storing the key in the Key Vault
Error:
05:12:00 "error": {
05:12:00 "message": "Encryption properties cannot be specified on creation of a namespace. They must be specified in a subsequent update. CorrelationId: dd69feae-5ba9-4c7e-9599-673493d31748",
05:12:00 "code": "BadRequest"
05:12:00 }
Request body:
"resources": [
{
"type": "Microsoft.EventHub/namespaces",
"apiVersion": "2018-01-01-preview",
"name": "[variables('eventHubNamespaceName')]",
"location": "[parameters('location')]",
"identity":{
"type":"SystemAssigned"
},
"sku": {
"name": "[parameters('eventHubSku')]",
"tier": "[parameters('eventHubSku')]",
"capacity": 1
},
"properties": {
"isAutoInflateEnabled": false,
"maximumThroughputUnits": 0,
"clusterArmId":"[resourceId('Microsoft.EventHub/clusters', parameters('eventHubName'))]",
"encryption":{
"keySource":"Microsoft.KeyVault",
"keyVaultProperties":[
{
"keyName":"[variables('eventHubNamespaceName')]",
"keyVaultUri":"[parameters('keyVaultUri')]"
}
]
}
}
},
{
"type": "Microsoft.EventHub/namespaces/eventhubs",
"apiVersion": "2017-04-01",
"name": "[concat(variables('eventHubNamespaceName'), '/', variables('eventHubName'))]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.EventHub/namespaces', variables('eventHubNamespaceName'))]"
],
"properties": {
"messageRetentionInDays": "[parameters('messageRetentionInDays')]",
"partitionCount": "[parameters('partition_count')]"
}
}
]
It seems like you're trying to provision the Event Hub namespace and also set encryption properties in the same ARM template at the same time. Hence the error.
I would suggest performing these tasks in the following order:
First, create an Event Hubs namespace with a managed service identity.
Next, create a Key vault and grant the service identity access to the Key vault.
And then, update the Event Hubs namespace with the Key vault information (key/value).
A more detailed walkthrough is given in the Event Hubs documentation for the same.

Azure ARM - Microsoft.Resources/deploymentScripts

I am going to configure created azure VM (for example, install role, initialize new hdd disk etc). I see that there is a new feature Microsoft.Resources/deploymentScripts in azure ARM. As per documantation I created Managed Identity in my subscription, give Contributor permissions to newly created Managed Identity, on Subscription level. then I developed below ARM template using Microsoft.Resources/deploymentScripts feature. code pasted below. I want to paste this code into my ARM template for VM deployment.Question is if I will be able to use this approach to perform scripts like: installing role on the OS level, like IIS or WSUS, configure HDD etc...
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string",
"defaultValue": "'John Dole'"
},
"utcValue": {
"type": "string",
"defaultValue": "[utcNow()]"
}
},
"resources": [
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "runPowerShellInlineWithOutput",
"location": "westeurope",
"kind": "AzurePowerShell",
"identity": {
"type": "userAssigned",
"userAssignedIdentities": {
"/subscriptions/SubID/resourceGroups/RGname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MI-ARMdeployment": {}
}
},
"properties": {
"forceUpdateTag": "[parameters('utcValue')]",
"azPowerShellVersion": "3.0",
"scriptContent": "
$output = 'hello'
Write-Output $output",
"arguments": "",
"timeout": "PT1H",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}
]
}
Well, yes (with some hacks), but its not meant for that. Its meant for provisioning\configuring Azure level resources, not things inside of the VM.
You have DSC extension and script extension for that (available for both windows\linux).

ARM template Office 365 connection for logic apps

I have a logic app that I am trying to automate through an ARM Template.
The logic app requires a connection to Office 365. Below I have the template for the connection generated from the automation pane of the Azure Portal.
When I run the script it fails - there is an authentication issue between the Azure subscription and the Office 365 subscription.
LinkedAuthorizationFailed
The client has permission to perform action 'Microsoft.Web/locations/managedApis/join/action' on scope ... however the current tenant 'curr-tenant-guid' is not authorized
to access linked subscription 'linked-sub-guid' ...
I wont be able to create this trust to automate the provisioning, but I would like to create the connection as placeholder so that the logic app can be deployed and I can go back to the portal to authorise the connection. Is this possible? Are there any other alternatives?
{
"comments": "Office 365 user for file monitoring",
"type": "Microsoft.Web/connections",
"name": "MyOffice365User",
"apiVersion": "2016-06-01",
"location": "northeurope",
"scale": null,
"properties": {
"displayName": "readuser#example.com",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/a6720ff8-f7cb-4bc8-a542-e7868767686/providers/Microsoft.Web/locations/northeurope/managedApis/', 'MyOffice365User')]"
}
},
"dependsOn": []
}
I found three post related to the same problem:
Deploying a logic app using ARM templates/powershell
Azure Logic Apps - ARM template to deploy filesystem API connection
How to set the connection string for a Service Bus Logic App action in an ARM template?
The problem is the same for all API Connection.
Connection parameters to access the specific service are stored on Azure and when you try to export the ARM Template there is nothing regarding these specific parameters (which make sens as Azure will not expose your secret, password...).
The trick is to query Azure Resource Management API to return the parameters needed for any connection in a Logic App.
Just follow the instructions on this article:
Deploying in the Logic Apps Preview Refresh
Use the below link to install logic app tool which can help to design workflow
https://marketplace.visualstudio.com/items?itemName=VinaySinghMSFT.AzureLogicAppsToolsforVisualStudio-18551
once done you can create office 365 connector and when you open ARM template you can see o365 component in the ARM template.
My template looks like :-
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2016-06-01",
"name": "[parameters('office365_1_Connection_Name')]",
"location": "[parameters('location')]",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/', 'office365')]"
},
"displayName": "[parameters('office36`enter code here`5_1_Connection_DisplayName')]"
}
}
and inside workflow
"triggers": {
"When_a_new_event_is_created_(V2)": {
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "#parameters('$connections')['office365']['connectionId']"
}
},
"method": "get",
"path": "/datasets/calendars/v2/tables/#{encodeURIComponent(encodeURIComponent('AAMkNbPwESLK3F8s5n1Q3BwAhXXXXXXXXXXXXXXXXXXXXXXXXXXX'))}/onnewitems"
},
"recurrence": {
"frequency": "Minute",
"interval": 1
},
"splitOn": "#triggerBody()?['value']"
}
}
================================================================
And the parameters for workflow
"parameters": {
"$connections": {
"value": {
"office365": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/', 'office365')]",
"connectionId": "[resourceId('Microsoft.Web/connections', parameters('office365_1_Connection_Name'))]",
"connectionName": "[parameters('office365_1_Connection_Name')]"
}
================================================================

"Cannot find Web space" error when provisioning web app using Azure Resource Manager

I am trying to provision some resources on Azure using the Azure Resource Manager with a template I have put together;
I am provisioning several web apps with independent Service Plans concurrently. Of course each web app resource "dependsOn" its Service plan.
Everyone once in a while when I deploy using Powershell I get the following error:
New-AzureRmResourceGroupDeployment : 4:21:22 PM - Resource Microsoft.Web/serverfarms 'ServicePlanA' failed with message 'Cannot find Web space
ExampleResourceGroup-AustraliaEastwebspace for subscription ...'
This fails randomly on one or more of the Service Plans.
I also found this GitHub issue, but since I am not using the CLI I couldn't see how this would help https://github.com/Azure/azure-xplat-cli/issues/1646
I also have the latest AzureRM packages from https://www.powershellgallery.com/packages/AzureRM/
The API version I am using is "2015-08-01", and the schema of the deployment template is https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#
Here is a segment from the template that creates the mentioned resources:
{
"name": "[variables('WebFrontServicePlanAName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[parameters('DataCenterALocation')]",
"apiVersion": "2015-08-01",
"dependsOn": [ ],
"tags": {
"displayName": "WebFrontServicePlanA"
},
"sku": {
"name": "[parameters('WebFrontServicePlanSKU')]"
},
"properties": {
"name": "[variables('WebFrontServicePlanAName')]",
"workerSize": "[parameters('WebFrontServicePlanAWorkerSize')]",
"numberOfWorkers": 1
}
},
....
{
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('DataCenterALocation')]",
"apiVersion": "2015-08-01",
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', variables('WebFrontServicePlanAName'))]"
],
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', variables('WebFrontServicePlanAName'))]": "Resource",
"displayName": "webApp"
},
"properties": {
"name": "[variables('webAppName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', variables('WebFrontServicePlanAName'))]"
},
}
Do you already have an existing resource group that you're deploying to? If not try using the cmdlet New-AzureRmResourceGroupinstead of New-AzureRmResourceGroupDeployment.
In Azure Web Apps, resource groups are backed by webspaces. Thus a resource group may contain multiple webspaces each in a different geo region. If you don't have the resource group, and you're not creating it, then you wouldn't have the corresponding webspace, which would cause the error you're seeing.

Resources