HDInsight azure adls gen2 'InternalServerError' ARM Template deployment - azure

Creating an Azure HDInsight Spark cluster with ADLS Gen2, using a user-assigned managed identity that holds the Storage Blob Data Owner role.
The MSI role assignment on the storage account succeeds, but the HDInsight deployment fails with an Internal Server Error.
I think the problem is somewhere in the HDInsight cluster resource (storage profile section) of the template. I could use some help here; the error screenshot is attached below.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"clusterType": {
"type": "string",
"allowedValues": [ "hadoop", "hbase", "storm", "spark" ],
"metadata": {
"description": "The type of the HDInsight cluster to create."
}
},
"clusterName": {
"type": "string",
"metadata": {
"description": "The name of the HDInsight cluster to create."
}
},
"clusterLoginUserName": {
"type": "string",
"metadata": {
"description": "These credentials can be used to submit jobs to the cluster and to log into cluster dashboards."
}
},
"clusterLoginPassword": {
"type": "securestring",
"minLength": 10,
"metadata": {
"description": "The clusterloginpassword must be at least 10 characters in length and must contain at least one digit, one upper case letter, one lower case letter, and one non-alphanumeric character except (single-quote, double-quote, backslash, right-bracket, full-stop). Also, the password must not contain 3 consecutive characters from the cluster username or SSH username."
}
},
"sshUserName": {
"type": "string",
"metadata": {
"description": "These credentials can be used to remotely access the cluster and should not be same as clusterLoginUserName."
}
},
"sshPassword": {
"type": "securestring",
"minLength": 6,
"maxLength": 72,
"metadata": {
"description": "SSH password must be 6-72 characters long and must contain at least one digit, one upper case letter, and one lower case letter. It must not contain any 3 consecutive characters from the cluster login name"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"HeadNodeVirtualMachineSize": {
"type": "string",
"defaultValue": "Standard_D12_v2",
"allowedValues": [
"Standard_A4_v2",
"Standard_A8_v2",
"Standard_D3_v2",
"Standard_D4_v2",
"Standard_D5_v2",
"Standard_D12_v2",
"Standard_D13_v2"
],
"metadata": {
"description": "This is the headnode Azure Virtual Machine size, and will affect the cost. If you don't know, just leave the default value."
}
},
"WorkerNodeVirtualMachineSize": {
"type": "string",
"defaultValue": "Standard_D13_v2",
"allowedValues": [
"Standard_A4_v2",
"Standard_A8_v2",
"Standard_D1_v2",
"Standard_D2_v2",
"Standard_D3_v2",
"Standard_D4_v2",
"Standard_D5_v2",
"Standard_D12_v2",
"Standard_D13_v2"
],
"metadata": {
"description": "This is the worker node Azure Virtual Machine size, and will affect the cost. If you don't know, just leave the default value."
}
},
"clusterHeadNodeCount": {
"type": "int",
"defaultValue": 2,
"metadata": {
"description": "Number of head nodes"
}
},
"clusterWorkerNodeCount": {
"type": "int",
"defaultValue": 4,
"metadata": {
"description": "Number of worker nodes"
}
},
"StorageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the Storage Account"
}
},
"StorageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_ZRS",
"Standard_RA-GRS"
],
"metadata": {
"description": "Type of the Storage Account"
}
},
"filesystemname": {
"type": "string",
"metadata": {
"description": "Name of the container"
}
},
"UserAssignedIdentityName": {
"type": "string",
"metadata": {
"description": "Name of the User Assigned Identity"
}
}
},
"variables": {
"managedIdentityId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name, '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('UserAssignedIdentityName'))]",
"StorageApiVersion": "2019-06-01",
"msiApiVersion": "2018-11-30",
"HDInsightApiVersion": "2015-03-01-preview",
"StorageBlobDataOwner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
"StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
},
"resources": [
{
"name": "[parameters('UserAssignedIdentityName')]",
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "[variables('msiApiVersion')]",
"location": "[resourceGroup().location]"
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "[variables('StorageApiVersion')]",
"name": "[parameters('StorageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('StorageAccountType')]"
},
"kind": "StorageV2",
"properties": {
"encryption": {
"keySource": "Microsoft.Storage",
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
}
},
"isHnsEnabled": true,
"supportsHttpsTrafficOnly": true
}
},
{
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"apiVersion": "2018-01-01-preview",
"name": "[concat(parameters('StorageAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts',parameters('StorageAccountName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',parameters('UserAssignedIdentityName'))]"
],
"properties": {
"roleDefinitionId": "[variables('StorageBlobDataOwner')]",
"principalId": "[reference(variables('managedIdentityId'),variables('msiApiVersion')).principalId]"
}
},
{
"apiVersion": "[variables('HDInsightApiVersion')]",
"name": "[parameters('clusterName')]",
"type": "Microsoft.HDInsight/clusters",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts',parameters('StorageAccountName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',parameters('UserAssignedIdentityName'))]"
],
"properties": {
"clusterVersion": "4.0",
"osType": "Linux",
"tier": "standard",
"clusterDefinition": {
"kind": "[parameters('clusterType')]",
"componentVersion": {
"Spark": "2.3"
},
"configurations": {
"gateway": {
"restAuthCredential.isEnabled": true,
"restAuthCredential.username": "[parameters('clusterLoginUserName')]",
"restAuthCredential.password": "[parameters('clusterLoginPassword')]"
}
}
},
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[variables('managedIdentityId')]": {}
}
},
"storageProfile": {
"storageaccounts": [
{
"name": "[concat(parameters('StorageAccountName'),'.blob.core.windows.net')]",
"isDefault": true,
"fileSystem": "[parameters('filesystemname')]",
"resourceId": "[reference(resourceId('Microsoft.Storage/storageAccounts',parameters('StorageAccountName')),variables('StorageApiVersion'))]",
"msiResourceId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',parameters('UserAssignedIdentityName')),variables('msiApiVersion'))]"
}
]
},
"computeProfile": {
"roles": [
{
"name": "headnode",
"minInstanceCount": 1,
"targetInstanceCount": "[parameters('clusterHeadNodeCount')]",
"hardwareProfile": {
"vmSize": "[parameters('HeadNodeVirtualMachineSize')]"
},
"osProfile": {
"linuxOperatingSystemProfile": {
"username": "[parameters('sshUserName')]",
"password": "[parameters('sshPassword')]"
}
},
"virtualNetworkProfile": null,
"scriptActions": []
},
{
"name": "workernode",
"targetInstanceCount": "[parameters('clusterWorkerNodeCount')]",
"autoscale": {
"capacity": {
"minInstanceCount": 3,
"maxInstanceCount": 10
}
},
"hardwareProfile": {
"vmSize": "[parameters('WorkerNodeVirtualMachineSize')]"
},
"osProfile": {
"linuxOperatingSystemProfile": {
"username": "[parameters('sshUserName')]",
"password": "[parameters('sshPassword')]"
}
},
"virtualNetworkProfile": null,
"scriptActions": []
}
]
}
}
}
],
"outputs": {
"storage": {
"type": "object",
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName')))]"
},
"cluster": {
"type": "object",
"value": "[reference(resourceId('Microsoft.HDInsight/clusters', parameters('clusterName')))]"
}
}
}
The deployment fails with InternalServerError; the operation detail only shows "An error has occurred" and no further information.

Update: Ensure that your storage account has the user-assigned identity with Storage Blob Data Contributor role permissions, otherwise cluster creation will fail.
If you are using Azure Data Lake Storage Gen2 and receive the error AmbariClusterCreationFailedErrorCode: "Internal server error occurred while processing the request. Please retry the request or contact support.", the cause is usually a missing role assignment.
To resolve this, open the Azure portal, go to your storage account, and under Access Control (IAM) confirm that the Storage Blob Data Contributor or Storage Blob Data Owner role is assigned to the user-assigned managed identity. See Set up permissions for the managed identity on the Data Lake Storage Gen2 account for detailed instructions.
Make sure you have followed the necessary steps to configure a Data Lake Storage gen2 account.
Reference: Use Azure Data Lake Storage Gen2 with Azure HDInsight clusters


How to resolve "dns record for '' under zone Document is already taken." in ARM template?

I am learning to create DB account, DB, and container inside the DB in CosmosDB via ARM template.
If I follow this, https://learn.microsoft.com/en-us/azure/cosmos-db/sql/quick-create-template?toc=%2Fazure%2Fazure-resource-manager%2Ftemplates%2Ftoc.json&tabs=PowerShell, then I can successfully create all these. I have also confirmed that when I run this second time, it would simply create another container only (not DB account and DB, which is great).
Now the problem is, when I want to just create a container in an existing account, I see Dns record for c4p-dev under zone Document is already taken. Please use a different name for the account. error and not sure why.
i.e., this works: it does not throw an error if the DB account and DB already exist; it simply creates the new container (when I define one).
"accountName": {
"type": "string",
"defaultValue": "[format('sql-{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Cosmos DB account name, max length 44 characters"
}
}
If I use this instead, it throws the error:
"accountName": {
"type": "string",
"defaultValue": "[resourceGroup().id]", // OR if I hard code this with "c4p-dev"
"metadata": {
"description": "Cosmos DB account name, max length 44 characters"
}
}
Questions:
Shouldn't this behave the same way the other one behaves?
Is this happening because I have the same resource and account name?
i.e., c4p-dev
Additional Info:
Resource group: c4p-dev
Cosmos DB Account name: sql-43n3q7hq3aufo (this is created from first example). I also have c4p-dev account which was already created and I want to create containers over there.
CLI Command:
templateFile="/ARM_Template/azurecosmosdeploy.json"
az deployment group create \
--name adddatabasecontainer2 \
--resource-group c4p-dev \
--template-file $templateFile
azurecosmosdeploy.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "5817349859578875069"
}
},
"parameters": {
"resourceTags": {
"type": "object",
"defaultValue": {
"Environment": "Dev",
"BillTo": "specialprojects",
"Architecture": "AppService",
"AlertName": "mgmt"
}
},
"accountName": {
"type": "string",
"defaultValue": "[resourceGroup().id]",
"metadata": {
"description": "Cosmos DB account name, max length 44 characters"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for the Cosmos DB account."
}
},
"primaryRegion": {
"type": "string",
"metadata": {
"description": "The primary replica region for the Cosmos DB account."
}
},
"secondaryRegion": {
"type": "string",
"metadata": {
"description": "The secondary replica region for the Cosmos DB account."
}
},
"defaultConsistencyLevel": {
"type": "string",
"defaultValue": "Session",
"metadata": {
"description": "The default consistency level of the Cosmos DB account."
},
"allowedValues": [
"Eventual",
"ConsistentPrefix",
"Session",
"BoundedStaleness",
"Strong"
]
},
"maxStalenessPrefix": {
"type": "int",
"defaultValue": 100000,
"metadata": {
"description": "Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000."
},
"maxValue": 2147483647,
"minValue": 10
},
"maxIntervalInSeconds": {
"type": "int",
"defaultValue": 300,
"metadata": {
"description": "Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400."
},
"maxValue": 86400,
"minValue": 5
},
"automaticFailover": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Enable automatic failover for regions"
},
"allowedValues": [
true,
false
]
},
"databaseName": {
"type": "string",
"defaultValue": "c4p",
"metadata": {
"description": "The name for the database"
}
},
"containerName": {
"type": "string",
"defaultValue": "ARMTemplateSample2",
"metadata": {
"description": "The name for the container"
}
},
"throughput": {
"type": "int",
"defaultValue": 400,
"metadata": {
"description": "The throughput for the container"
},
"maxValue": 1000000,
"minValue": 400
}
},
"variables":{
"consistencyPolicy": {
"Eventual": {
"defaultConsistencyLevel": "Eventual"
},
"ConsistentPrefix": {
"defaultConsistencyLevel": "ConsistentPrefix"
},
"Session": {
"defaultConsistencyLevel": "Session"
},
"BoundedStaleness": {
"defaultConsistencyLevel": "BoundedStaleness",
"maxStalenessPrefix": "[parameters('maxStalenessPrefix')]",
"maxIntervalInSeconds": "[parameters('maxIntervalInSeconds')]"
},
"Strong": {
"defaultConsistencyLevel": "Strong"
}
},
"locations": [
{
"locationName": "[parameters('primaryRegion')]",
"failoverPriority": 0,
"isZoneRedundant": false
},
{
"locationName": "[parameters('secondaryRegion')]",
"failoverPriority": 1,
"isZoneRedundant": false
}
]
},
"resources":[
{
"type": "Microsoft.DocumentDB/databaseAccounts",
"apiVersion": "2021-10-15",
"name": "[toLower(parameters('accountName'))]",
"location": "[parameters('location')]",
"kind": "GlobalDocumentDB",
"properties": {
"consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
"locations": "[variables('locations')]",
"databaseAccountOfferType": "Standard",
"enableAutomaticFailover": "[parameters('automaticFailover')]"
},
"tags": "[parameters('resourceTags')]"
},
{
"type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
"apiVersion": "2021-10-15",
"name": "[format('{0}/{1}', toLower(parameters('accountName')), parameters('databaseName'))]",
"properties": {
"resource": {
"id": "[parameters('databaseName')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts',toLower(parameters('accountName')))]"
],
"tags": "[parameters('resourceTags')]"
},
{
"type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
"apiVersion": "2021-10-15",
"name": "[format('{0}/{1}', format('{0}/{1}', toLower(parameters('accountName')), parameters('databaseName')), parameters('containerName'))]",
"properties": {
"resource": {
"id": "[parameters('containerName')]",
"partitionKey": {
"paths": [
"/testPartitionKey"
],
"kind": "Hash"
},
"indexingPolicy": {
"indexingMode": "consistent",
"includedPaths": [
{
"path": "/"
}
],
"compositeIndexes": [
[
{
"path": "/name",
"order": "ascending"
},
{
"path": "/age",
"order": "descending"
}
]
]
},
"uniqueKeyPolicy": {
"uniqueKeys": [
{
"paths": [
"/phoneNumber"
]
}
]
}
},
"options": {
"throughput": "[parameters('throughput')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', split(format('{0}/{1}', toLower(parameters('accountName')), parameters('databaseName')), '/')[0], split(format('{0}/{1}', toLower(parameters('accountName')), parameters('databaseName')), '/')[1])]"
],
"tags": "[parameters('resourceTags')]"
}
]
}

How to use existing scale set as cluster node in Azure Service Fabric cluster

I am trying to deploy a Service Fabric cluster through an ARM template and attach an existing scale set. The pipeline runs without error, but when I open Service Fabric in the portal the status is "waiting for nodes". I don't know where I am making a mistake. I am using the same certificate thumbprint that the scale set uses; the certificate is stored in Key Vault. Here is my ARM template:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"clusterName": {
"type": "string",
"defaultValue": "GEN-UNIQUE",
"metadata": {
"description": "Name of your cluster - Between 3 and 23 characters. Letters and numbers only"
}
},
"clusterLocation": {
"type": "string",
"defaultValue": "westus",
"metadata": {
"description": "Location of the Cluster"
}
},
"applicationStartPort": {
"type": "int",
"defaultValue": 20000
},
"applicationEndPort": {
"type": "int",
"defaultValue": 30000
},
"ephemeralStartPort": {
"type": "int",
"defaultValue": 49152
},
"ephemeralEndPort": {
"type": "int",
"defaultValue": 65534
},
"fabricTcpGatewayPort": {
"type": "int",
"defaultValue": 19000
},
"fabricHttpGatewayPort": {
"type": "int",
"defaultValue": 19080
},
"clusterProtectionLevel": {
"type": "string",
"allowedValues": [
"None",
"Sign",
"EncryptAndSign"
],
"defaultValue": "EncryptAndSign",
"metadata": {
"description": "Protection level. Three values are allowed: EncryptAndSign, Sign, None. It is best to keep the default of EncryptAndSign unless you have a specific need not to."
}
},
"certificateThumbprint": {
"type": "string",
"defaultValue": "GEN-CUSTOM-DOMAIN-SSLCERT-THUMBPRINT",
"metadata": {
"description": "Certificate Thumbprint"
}
},
"certificateStoreValue": {
"defaultValue": "My",
"allowedValues": [
"My"
],
"type": "string",
"metadata": {
"description": "The store name where the cert will be deployed in the virtual machine"
}
},
"supportLogStorageAccountName": {
"type": "string",
"defaultValue": "[toLower( concat('sflogs', uniqueString(resourceGroup().id),'2'))]",
"metadata": {
"description": "Name for the storage account that contains support logs from the cluster"
}
},
"blobEndpoint":{
"type": "string"
},
"queueEndpoint":{
"type": "string"
},
"tableEndpoint":{
"type": "string"
},
"InstanceCount": {
"type": "int",
"defaultValue": 5,
"metadata": {
"description": "Instance count for node type"
}
},
"vmNodeTypeName": {
"type": "string"
},
"nodeTypes":{
"type": "array"
},
"lbIPName": {
"type": "string"
},
"fqdn":{
"type": "string"
},
"reliabilityLevel":{
"type": "string"
},
"upgradeMode":{
"type": "string"
}
},
"variables":{
"storageApiVersion": "2016-01-01",
"publicIPApiVersion": "2015-06-15"
},
"resources": [
{
"apiVersion": "2018-02-01",
"type": "Microsoft.ServiceFabric/clusters",
"name": "[parameters('clusterName')]",
"location": "[parameters('clusterLocation')]",
"dependsOn": [],
"properties": {
"addonFeatures": [
"DnsService"
],
"certificate": {
"thumbprint": "[parameters('certificateThumbprint')]",
"x509StoreName": "[parameters('certificateStoreValue')]"
},
"clientCertificateCommonNames": [],
"clientCertificateThumbprints": [],
"clusterState": "Default",
"diagnosticsStorageAccountConfig": {
"storageAccountName": "[parameters('supportLogStorageAccountName')]",
"protectedAccountKeyName": "StorageAccountKey1",
"blobEndpoint": "[parameters('blobEndpoint')]",
"queueEndpoint": "[parameters('queueEndpoint')]",
"tableEndpoint": "[parameters('tableEndpoint')]"
},
"fabricSettings": [
{
"parameters": [
{
"name": "ClusterProtectionLevel",
"value": "[parameters('clusterProtectionLevel')]"
}
],
"name": "Security"
}
],
"managementEndpoint": "[concat('https://',parameters('fqdn'),':',parameters('fabricHttpGatewayPort'))]",
"nodeTypes": "[parameters('nodeTypes')]",
"reliabilityLevel": "[parameters('reliabilityLevel')]",
"upgradeMode": "[parameters('upgradeMode')]"
}
}
]
}
For this deployment error, you can look through the problems and solutions in this blog.
It is most likely caused by a certificate thumbprint issue or a Key Vault issue (the thumbprint in the cluster definition must match the certificate actually installed on the scale set's nodes).
If that does not help, try changing the VM size or the region of the nodes, or rebuild the cluster like this.
For more on Service Fabric cluster deployment with a Key Vault certificate, you can also refer to this article.

How to Create Azure Kubernetes Service (AKS) using ARM Templates

I've written an ARM template to deploy Azure Kubernetes Service (AKS). However, I'm unable to find a way to automate the creation of the service principal client ID and secret.
Is there a way I can create the service principal in an ARM template and store the client ID and secret in Azure Key Vault, as I've learned to do here?
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"environment": {
"metadata": {
"description": "The name of the environment."
},
"type": "string"
},
// Azure Kubernetes Service
"kubernetes_name": {
"metadata": {
"description": "The name of the Managed Cluster resource."
},
"type": "string"
},
"kubernetes_location": {
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location of AKS resource."
},
"type": "string"
},
"kubernetes_dnsPrefix": {
"metadata": {
"description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
},
"type": "string"
},
"kubernetes_osDiskSizeGB": {
"defaultValue": 0,
"metadata": {
"description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
},
"maxValue": 1023,
"minValue": 0,
"type": "int"
},
"kubernetes_osType": {
"allowedValues": [
"Linux"
],
"defaultValue": "Linux",
"metadata": {
"description": "The type of operating system."
},
"type": "string"
},
"kubernetes_agentCount": {
"defaultValue": 3,
"metadata": {
"description": "The number of agent nodes for the cluster."
},
"maxValue": 50,
"minValue": 1,
"type": "int"
},
"kubernetes_agentVMSize": {
"defaultValue": "Standard_D2_v2",
"metadata": {
"description": "The size of the Virtual Machine."
},
"type": "string"
},
"kubernetes_maxPods": {
"defaultValue": 30,
"metadata": {
"description": "Maximum number of pods that can run on a node."
},
"type": "int"
},
"kubernetes_servicePrincipalClientId": {
"defaultValue": null,
"metadata": {
"description": "Client ID (used by cloudprovider)"
},
"type": "securestring"
},
"kubernetes_servicePrincipalClientSecret": {
"defaultValue": null,
"metadata": {
"description": "The Service Principal Client Secret."
},
"type": "securestring"
},
"kubernetes_kubernetesVersion": {
"defaultValue": "1.7.7",
"metadata": {
"description": "The version of Kubernetes."
},
"type": "string"
},
"kubernetes_enableHttpApplicationRouting": {
"defaultValue": false,
"metadata": {
"description": "Boolean flag to turn HTTP application routing on or off"
},
"type": "bool"
},
"kubernetes_networkPlugin": {
"allowedValues": [
"azure",
"kubenet"
],
"defaultValue": "kubenet",
"metadata": {
"description": "Network plugin used for building Kubernetes network."
},
"type": "string"
},
"kubernetes_enableRBAC": {
"defaultValue": true,
"metadata": {
"description": "Boolean flag to turn RBAC on or off"
},
"type": "bool"
},
"kubernetes_enableOmsAgent": {
"defaultValue": true,
"metadata": {
"description": "Boolean flag to turn the omsagent addon on or off"
},
"type": "bool"
},
// Azure Log Analytics
"log_analytics_location": {
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specify the region for your OMS workspace"
},
"type": "string"
},
"log_analytics_workspaceName": {
"metadata": {
"description": "Specify the name of the OMS workspace"
},
"type": "string"
},
"log_analytics_workspaceId": {
"metadata": {
"description": "Specify the resource id of the OMS workspace"
},
"type": "string"
},
"log_analytics_sku": {
"allowedValues": [
"free",
"standalone",
"pernode"
],
"defaultValue": "free",
"metadata": {
"description": "Select the SKU for your workspace"
},
"type": "string"
}
},
"resources": [
{
"comments": "Azure Kubernetes Service",
"apiVersion": "2018-03-31",
"dependsOn": [
"[concat('Microsoft.Resources/deployments/', 'WorkspaceDeployment')]"
],
"type": "Microsoft.ContainerService/managedClusters",
"location": "[parameters('kubernetes_location')]",
"name": "[parameters('kubernetes_name')]",
"properties": {
"kubernetesVersion": "[parameters('kubernetes_kubernetesVersion')]",
"enableRBAC": "[parameters('kubernetes_enableRBAC')]",
"dnsPrefix": "[parameters('kubernetes_dnsPrefix')]",
"addonProfiles": {
"httpApplicationRouting": {
"enabled": "[parameters('kubernetes_enableHttpApplicationRouting')]"
},
"omsagent": {
"enabled": "[parameters('kubernetes_enableOmsAgent')]",
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('log_analytics_workspaceId')]"
}
}
},
"agentPoolProfiles": [
{
"name": "agentpool",
"osDiskSizeGB": "[parameters('kubernetes_osDiskSizeGB')]",
"osType": "[parameters('kubernetes_osType')]",
"count": "[parameters('kubernetes_agentCount')]",
"vmSize": "[parameters('kubernetes_agentVMSize')]",
"storageProfile": "ManagedDisks",
"maxPods": "[parameters('kubernetes_maxPods')]"
}
],
"servicePrincipalProfile": {
"ClientId": "[parameters('kubernetes_servicePrincipalClientId')]",
"Secret": "[parameters('kubernetes_servicePrincipalClientSecret')]"
},
"networkProfile": {
"networkPlugin": "[parameters('kubernetes_networkPlugin')]"
}
},
"tags": {
"Environment": "[parameters('environment')]"
}
},
{
"comments": "Azure Log Analytics (Container Insights)",
"type": "Microsoft.Resources/deployments",
"name": "SolutionDeployment",
"apiVersion": "2017-05-10",
"resourceGroup": "[split(parameters('log_analytics_workspaceId'),'/')[4]]",
"subscriptionId": "[split(parameters('log_analytics_workspaceId'),'/')[2]]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"apiVersion": "2015-11-01-preview",
"type": "Microsoft.OperationsManagement/solutions",
"location": "[parameters('log_analytics_location')]",
"name": "[concat('ContainerInsights', '(', split(parameters('log_analytics_workspaceId'),'/')[8], ')')]",
"properties": {
"workspaceResourceId": "[parameters('log_analytics_workspaceId')]"
},
"plan": {
"name": "[concat('ContainerInsights', '(', split(parameters('log_analytics_workspaceId'),'/')[8], ')')]",
"product": "[concat('OMSGallery/', 'ContainerInsights')]",
"promotionCode": "",
"publisher": "Microsoft"
}
}
]
}
},
"dependsOn": [
"[concat('Microsoft.Resources/deployments/', 'WorkspaceDeployment')]"
],
"tags": {
"Environment": "[parameters('environment')]"
}
},
{
"comments": "Azure Log Analytics",
"type": "Microsoft.Resources/deployments",
"name": "WorkspaceDeployment",
"apiVersion": "2017-05-10",
"resourceGroup": "[split(parameters('log_analytics_workspaceId'),'/')[4]]",
"subscriptionId": "[split(parameters('log_analytics_workspaceId'),'/')[2]]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"apiVersion": "2015-11-01-preview",
"type": "Microsoft.OperationalInsights/workspaces",
"location": "[parameters('log_analytics_location')]",
"name": "[parameters('log_analytics_workspaceName')]",
"properties": {
"sku": {
"name": "[parameters('log_analytics_sku')]"
}
}
}
]
}
},
"tags": {
"Environment": "[parameters('environment')]"
}
}
],
"outputs": {
"controlPlaneFQDN": {
"type": "string",
"value": "[reference(concat('Microsoft.ContainerService/managedClusters/', parameters('kubernetes_name'))).fqdn]"
}
}
}
Unfortunately you cannot create Service Principals in ARM templates.
I create them using PowerShell scripts and then either pass the relevant properties into the ARM template as parameters, or push them into Key Vault and reference them from Key Vault where the relevant ARM template supports it.

Azure Kubernetes Service ARM template is not idempotent

I have created an ARM template to deploy an Azure Kubernetes Service instance, which I am trying to plug into a CI/CD pipeline in VSTS. On the first deployment, everything works as expected and the K8s cluster is created successfully. However, upon redeployment, the template fails the validation stage with the following error:
{
"message": "The template deployment 'Microsoft.Template' is not valid according to the validation procedure."
"details": [
{
"code":"PropertyChangeNotAllowed",
"message":"Provisioning of resource(s) for container service <cluster name> in resource group <resource group name> failed. Message:"
{
"code": "PropertyChangeNotAllowed",
"message": "Changing property 'linuxProfile.ssh.publicKeys.keyData' is not allowed.",
"target": "linuxProfile.ssh.publicKeys.keyData"
}
}
]
}
The template is therefore clearly not idempotent, which defeats the intended nature of ARM template deployments.
Has anyone managed to find a workaround for this?
The solution to this is to specify the SSH RSA Public Key as a template parameter and use it when configuring the Linux profile. I have posted my ARM template below:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"clusterName": {
"type": "string",
"metadata": {
"description": "The name of the Kubernetes cluster."
}
},
"location": {
"type": "string",
"metadata": {
"description": "The data center in which to deploy the Kubernetes cluster."
}
},
"dnsPrefix": {
"type": "string",
"metadata": {
"description": "DNS prefix to use with hosted Kubernetes API server FQDN."
}
},
"osDiskSizeGB": {
"defaultValue": 32,
"minValue": 0,
"maxValue": 1023,
"type": "int",
"metadata": {
"description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
}
},
"agentCount": {
"defaultValue": 1,
"minValue": 1,
"maxValue": 50,
"type": "int",
"metadata": {
"description": "The number of agent nodes for the cluster."
}
},
"agentVMSize": {
"defaultValue": "Standard_D1_v2",
"type": "string",
"metadata": {
"description": "The size of the Virtual Machine."
}
},
"servicePrincipalClientId": {
"type": "securestring",
"metadata": {
"description": "The Service Principal Client ID."
}
},
"servicePrincipalClientSecret": {
"type": "securestring",
"metadata": {
"description": "The Service Principal Client Secret."
}
},
"osType": {
"defaultValue": "Linux",
"allowedValues": [
"Linux"
],
"type": "string",
"metadata": {
"description": "The type of operating system."
}
},
"kubernetesVersion": {
"defaultValue": "1.10.6",
"type": "string",
"metadata": {
"description": "The version of Kubernetes."
}
},
"enableOmsAgent": {
"defaultValue": true,
"type": "bool",
"metadata": {
"description": "Boolean flag to turn the omsagent addon on or off"
}
},
"enableHttpApplicationRouting": {
"defaultValue": true,
"type": "bool",
"metadata": {
"description": "Boolean flag to turn HTTP application routing on or off"
}
},
"networkPlugin": {
"defaultValue": "kubenet",
"allowedValues": [
"azure",
"kubenet"
],
"type": "string",
"metadata": {
"description": "Network plugin used for building Kubernetes network."
}
},
"enableRBAC": {
"defaultValue": true,
"type": "bool",
"metadata": {
"description": "Flag to turn on/off RBAC"
}
},
"logAnalyticsWorkspaceName": {
"type": "string",
"metadata": {
"description": "Name of the log analytics workspace which will be used for container analytics"
}
},
"logAnalyticsWorkspaceLocation": {
"type": "string",
"metadata": {
"description": "The data center in which the log analytics workspace is deployed"
}
},
"logAnalyticsResourceGroup": {
"type": "string",
"metadata": {
"description": "The resource group in which the log analytics workspace is deployed"
}
},
"vmAdminUsername": {
"type": "string",
"metadata": {
"description": "User name for the Linux Virtual Machines."
}
},
"sshRsaPublicKey": {
"type": "securestring",
"metadata": {
"description": "Configure all Linux machines with the SSH RSA public key string. Your key should include three parts, for example: 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'"
}
}
},
"variables": {
"logAnalyticsWorkspaceId": "[resourceId(parameters('logAnalyticsResourceGroup'), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]",
"containerInsightsName": "[concat(parameters('clusterName'),'-containerinsights')]"
},
"resources": [
{
"type": "Microsoft.ContainerService/managedClusters",
"name": "[parameters('clusterName')]",
"apiVersion": "2018-03-31",
"location": "[parameters('location')]",
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"enableRBAC": "[parameters('enableRBAC')]",
"dnsPrefix": "[parameters('dnsPrefix')]",
"addonProfiles": {
"httpApplicationRouting": {
"enabled": "[parameters('enableHttpApplicationRouting')]"
},
"omsagent": {
"enabled": "[parameters('enableOmsAgent')]",
"config": {
"logAnalyticsWorkspaceResourceID": "[variables('logAnalyticsWorkspaceId')]"
}
}
},
"agentPoolProfiles": [
{
"name": "agentpool",
"osDiskSizeGB": "[parameters('osDiskSizeGB')]",
"count": "[parameters('agentCount')]",
"vmSize": "[parameters('agentVMSize')]",
"osType": "[parameters('osType')]",
"storageProfile": "ManagedDisks"
}
],
"linuxProfile": {
"adminUsername": "[parameters('vmAdminUsername')]",
"ssh": {
"publicKeys": [
{
"keyData": "[parameters('sshRsaPublicKey')]"
}
]
}
},
"servicePrincipalProfile": {
"clientId": "[parameters('servicePrincipalClientId')]",
"secret": "[parameters('servicePrincipalClientSecret')]"
},
"networkProfile": {
"networkPlugin": "[parameters('networkPlugin')]"
}
},
"dependsOn": [
"[concat('Microsoft.Resources/deployments/', 'SolutionDeployment')]"
]
},
{
"type": "Microsoft.Resources/deployments",
"name": "SolutionDeployment",
"apiVersion": "2017-05-10",
"resourceGroup": "[parameters('logAnalyticsResourceGroup')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2015-11-01-preview",
"type": "Microsoft.OperationsManagement/solutions",
"location": "[parameters('logAnalyticsWorkspaceLocation')]",
"name": "[variables('containerInsightsName')]",
"properties": {
"workspaceResourceId": "[variables('logAnalyticsWorkspaceId')]"
},
"plan": {
"name": "[variables('containerInsightsName')]",
"product": "OMSGallery/ContainerInsights",
"promotionCode": "",
"publisher": "Microsoft"
}
}
]
}
}
}
],
"outputs": {
"controlPlaneFQDN": {
"type": "string",
"value": "[reference(concat('Microsoft.ContainerService/managedClusters/', parameters('clusterName'))).fqdn]"
},
"sshMaster0": {
"type": "string",
"value": "[concat('ssh ', parameters('vmAdminUsername'), '#', reference(concat('Microsoft.ContainerService/managedClusters/', parameters('clusterName'))).fqdn, ' -A -p 22')]"
}
}
}

Is it possible to create a documentDB database and account in a ARM template

In the Azure portal it is possible to create a documentDB database and collection in the step where you create the output of a Stream Analytics Job. Is it possible to do the same while creating the stream job and output with an ARM template?
I have found that it is only possible to create a documentDB account as a resource with an ARM template, but is it possible to create the database and collection while setting the output of the job, as it is in the portal?
Based on my experience, creating a documentDB database and collection in an ARM template is currently not supported. I will confirm this with the Azure team. If there is any feedback I will post it here.
My work-around is to use the REST API to do that. If the documentDB database and collection already exist, we can create the output of the job with the documentDB database and collection via an ARM template.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.1.0.0",
"parameters": {
"databaseAccountName": {
"type": "string",
"metadata": {
"description": "The DocumentDB database account name."
}
},
"dbname": {
"type": "string",
"metadata": {
"description": "The database name"
}
},
"collectionname": {
"type": "string",
"metadata": {
"description": "collectionname"
}
},
"streamAnalyticsJobName": {
"type": "string",
"minLength": 3,
"maxLength": 63,
"metadata": {
"description": "Stream Analytics Job Name; can contain alphanumeric characters and hyphens and must be 3-63 characters long"
}
},
"numberOfStreamingUnits": {
"type": "int",
"minValue": 1,
"maxValue": 48,
"allowedValues": [
1,
3,
6,
12,
18,
24,
30,
36,
42,
48
],
"metadata": {
"description": "Number of Streaming Units"
}
}
},
"variables": {
"offerType": "Standard"
},
"resources": [
{
"type": "Microsoft.StreamAnalytics/StreamingJobs",
"apiVersion": "2016-03-01",
"name": "[parameters('streamAnalyticsJobName')]",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"name": "Standard"
},
"outputErrorPolicy": "stop",
"eventsOutOfOrderPolicy": "adjust",
"eventsOutOfOrderMaxDelayInSeconds": 0,
"eventsLateArrivalMaxDelayInSeconds": 5,
"dataLocale": "en-US",
"inputs": [],
"Outputs": [
{
"Name": "relateddb",
"Properties": {
"DataSource": {
"Properties": {
"AccountId": "[parameters('databaseAccountName')]",
"AccountKey": "[listKeys(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2015-11-06').primaryMasterKey]",
"CollectionNamePattern": "[parameters('collectionname')]",
"Database": "[parameters('dbname')]",
"DocumentId": null,
"PartitionKey": null
},
"Type": "Microsoft.Storage/DocumentDB"
},
"Diagnostics": null,
"Etag": null,
"Serialization": null
}
}
],
"transformation": {
"name": "Transformation",
"properties": {
"streamingUnits": "[parameters('numberOfStreamingUnits')]",
"query": "SELECT\r\n *\r\nINTO\r\n [YourOutputAlias]\r\nFROM\r\n [YourInputAlias]"
}
}
}
}
]
}
In case anybody stumbles across this: It is now possible to create databases and containers via ARM.
ARM support for databases, containers, and other resources in Azure Resource Manager
Azure Cosmos DB now provides support for Databases, Containers and Offers in Azure Resource Manager. Users can now provision databases and containers, and set throughput using Azure Resource Manager templates or PowerShell. This support is available across all APIs including SQL (Core), MongoDB, Cassandra, Gremlin, and Table. This capability also allows customers to create custom RBAC roles to create, delete, or modify the settings on databases and containers in Azure Cosmos DB. To learn more and to get started, see Azure Cosmos DB Azure Resource Manager templates.
https://learn.microsoft.com/en-us/azure/cosmos-db/manage-sql-with-resource-manager
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"accountName": {
"type": "string",
"defaultValue": "[concat('sql-', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Cosmos DB account name"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for the Cosmos DB account."
}
},
"primaryRegion":{
"type":"string",
"metadata": {
"description": "The primary replica region for the Cosmos DB account."
}
},
"secondaryRegion":{
"type":"string",
"metadata": {
"description": "The secondary replica region for the Cosmos DB account."
}
},
"defaultConsistencyLevel": {
"type": "string",
"defaultValue": "Session",
"allowedValues": [ "Eventual", "ConsistentPrefix", "Session", "BoundedStaleness", "Strong" ],
"metadata": {
"description": "The default consistency level of the Cosmos DB account."
}
},
"maxStalenessPrefix": {
"type": "int",
"minValue": 10,
"defaultValue": 100000,
"maxValue": 2147483647,
"metadata": {
"description": "Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000."
}
},
"maxIntervalInSeconds": {
"type": "int",
"minValue": 5,
"defaultValue": 300,
"maxValue": 86400,
"metadata": {
"description": "Max lag time (seconds). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400."
}
},
"multipleWriteLocations": {
"type": "bool",
"defaultValue": true,
"allowedValues": [ true, false ],
"metadata": {
"description": "Enable multi-master to make all regions writable."
}
},
"automaticFailover": {
"type": "bool",
"defaultValue": false,
"allowedValues": [ true, false ],
"metadata": {
"description": "Enable automatic failover for regions. Ignored when Multi-Master is enabled"
}
},
"databaseName": {
"type": "string",
"metadata": {
"description": "The name for the SQL database"
}
},
"throughput": {
"type": "int",
"defaultValue": 400,
"minValue": 400,
"maxValue": 1000000,
"metadata": {
"description": "The throughput for the database"
}
},
"container1Name": {
"type": "string",
"defaultValue": "container1",
"metadata": {
"description": "The name for the first SQL container"
}
},
"container2Name": {
"type": "string",
"defaultValue": "container2",
"metadata": {
"description": "The name for the second SQL container"
}
}
},
"variables": {
"accountName": "[toLower(parameters('accountName'))]",
"consistencyPolicy": {
"Eventual": {
"defaultConsistencyLevel": "Eventual"
},
"ConsistentPrefix": {
"defaultConsistencyLevel": "ConsistentPrefix"
},
"Session": {
"defaultConsistencyLevel": "Session"
},
"BoundedStaleness": {
"defaultConsistencyLevel": "BoundedStaleness",
"maxStalenessPrefix": "[parameters('maxStalenessPrefix')]",
"maxIntervalInSeconds": "[parameters('maxIntervalInSeconds')]"
},
"Strong": {
"defaultConsistencyLevel": "Strong"
}
},
"locations":
[
{
"locationName": "[parameters('primaryRegion')]",
"failoverPriority": 0
},
{
"locationName": "[parameters('secondaryRegion')]",
"failoverPriority": 1
}
]
},
"resources":
[
{
"type": "Microsoft.DocumentDB/databaseAccounts",
"name": "[variables('accountName')]",
"apiVersion": "2016-03-31",
"location": "[parameters('location')]",
"kind": "GlobalDocumentDB",
"properties": {
"consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
"locations": "[variables('locations')]",
"databaseAccountOfferType": "Standard",
"enableAutomaticFailover": "[parameters('automaticFailover')]",
"enableMultipleWriteLocations": "[parameters('multipleWriteLocations')]"
}
},
{
"type": "Microsoft.DocumentDB/databaseAccounts/apis/databases",
"name": "[concat(variables('accountName'), '/sql/', parameters('databaseName'))]",
"apiVersion": "2016-03-31",
"dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts/', variables('accountName'))]" ],
"properties":{
"resource":{
"id": "[parameters('databaseName')]"
},
"options": { "throughput": "[parameters('throughput')]" }
}
},
{
"type": "Microsoft.DocumentDb/databaseAccounts/apis/databases/containers",
"name": "[concat(variables('accountName'), '/sql/', parameters('databaseName'), '/', parameters('container1Name'))]",
"apiVersion": "2016-03-31",
"dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts/apis/databases', variables('accountName'), 'sql', parameters('databaseName'))]" ],
"properties":
{
"resource":{
"id": "[parameters('container1Name')]",
"partitionKey": {
"paths": [
"/MyPartitionKey1"
],
"kind": "Hash"
},
"indexingPolicy": {
"indexingMode": "consistent",
"includedPaths": [{
"path": "/*",
"indexes": [
{
"kind": "Range",
"dataType": "number",
"precision": -1
},
{
"kind": "Range",
"dataType": "string",
"precision": -1
}
]
}
],
"excludedPaths": [{
"path": "/MyPathToNotIndex/*"
}
]
}
}
}
},
{
"type": "Microsoft.DocumentDb/databaseAccounts/apis/databases/containers",
"name": "[concat(variables('accountName'), '/sql/', parameters('databaseName'), '/', parameters('container2Name'))]",
"apiVersion": "2016-03-31",
"dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts/apis/databases', variables('accountName'), 'sql', parameters('databaseName'))]" ],
"properties":
{
"resource":{
"id": "[parameters('container2Name')]",
"partitionKey": {
"paths": [
"/MyPartitionKey2"
],
"kind": "Hash"
},
"indexingPolicy": {
"indexingMode": "consistent",
"includedPaths": [{
"path": "/*",
"indexes": [
{
"kind": "Range",
"dataType": "number",
"precision": -1
},
{
"kind": "Range",
"dataType": "string",
"precision": -1
}
]
}
]
}
}
}
}
]
}
