Assign Roles via ARM Template to cosmos db - azure

I'm trying to assign the role to a 'Cosmos Db account' by using the following template.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"defaultValue": "gb9e32f1-678f-4552-ae0a-0000f765aaaa",
"metadata": {
"description": ""
}
},
"CosmosDbAccountName": {
"type": "string",
"defaultValue": "cosmosdbaccount",
"metadata": {
"description": "Cosmos Db Account name"
}
},
"RoleType": {
"defaultValue" : "Contributor",
"type": "string",
"metadata": {
"description": "Built-in role to assign"
},
"allowedValues" : [
"Contributor"
]
}
},
"variables": {
"Scope": "[concat(parameters('CosmosDbAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
},
"resources": [
{
"type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
"name": "[variables('Scope')]",
"apiVersion":"2020-04-01-preview",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"principalId": "[parameters('principalId')]"
}
}
]
}
I am currently getting the following error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n "error": {\r\n "code": "RoleAssignmentUpdateNotPermitted",\r\n "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."\r\n }\r\n}"}]}

I think there is an existing role assignment with the same name as the one you are trying to create through this template, and it ends up giving the error "RoleAssignmentUpdateNotPermitted".
A few changes to your template can solve your problem, like generating a unique GUID and then concatenating it with the Cosmos DB account name. Please try the updated template below:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"defaultValue": "gb9e32f1-678f-4552-ae0a-0000f765aaaa",
"metadata": {
"description": ""
}
},
"CosmosDbAccountName": {
"type": "string",
"defaultValue": "cosmosdbaccount",
"metadata": {
"description": "Cosmos Db Account name"
}
},
"RoleType": {
"defaultValue" : "Contributor",
"type": "string",
"metadata": {
"description": "Built-in role to assign"
},
"allowedValues" : [
"Contributor"
]
},
"guid": {
"defaultValue": "[newGuid()]",
"type": "String"
}
},
"variables": {
"Scope": "[concat(parameters('CosmosDbAccountName'),'/Microsoft.Authorization/', parameters('guid'))]"
},
"resources": [
{
"type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
"name": "[variables('Scope')]",
"apiVersion":"2020-04-01-preview",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"principalId": "[parameters('principalId')]"
}
}
]
}
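A check worth automating before either template above goes into a pipeline, as an added example that is not code from the question or the answer: a small Python linter that flags three things in role-assignment resources. First, a roleDefinitionId that is not a complete ARM expression (a value such as `/subscriptions/[subscription().subscriptionId]/...` mixes literal text with an expression, and ARM only evaluates a string that starts with `[` and ends with `]`). Second, a name built from `newGuid()`, which creates another assignment on every deployment instead of updating one. Third, a `guid()` seed that leaves out the principal and the role, so two different assignments at the same scope get the same name, which is one way to end up with RoleAssignmentUpdateNotPermitted. The three embedded templates are constructed, abbreviated versions of the question's template, the answer's template and a corrected one that uses `subscriptionResourceId()` and seeds `guid()` with scope, principal and role; the finding codes and messages are this example's own.

```python
import re

PARAM_REF_RE = re.compile(r"parameters\('([^']+)'\)")
VAR_REF_RE = re.compile(r"variables\('([^']+)'\)")


def is_expression(value):
    """ARM evaluates a string only when the WHOLE string is one '[...]' expression."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def inline_variables(template, text, depth=5):
    """Textually substitute variables('x') with the variable's definition so a
    resource name can be inspected even when it is hidden behind a variable."""
    variables = template.get("variables", {})
    for _ in range(depth):
        expanded = VAR_REF_RE.sub(lambda m: str(variables.get(m.group(1), m.group(0))), text)
        if expanded == text:
            break
        text = expanded
    return text


def fresh_guid_parameters(template):
    """Parameters whose default is newGuid(): a different value on every deployment."""
    return {
        name for name, definition in template.get("parameters", {}).items()
        if "newguid(" in str(definition.get("defaultValue", "")).lower()
    }


def lint_role_assignments(template):
    """Return (code, message) findings for every *roleAssignments resource."""
    findings = []
    fresh = fresh_guid_parameters(template)
    for res in template.get("resources", []):
        if not res.get("type", "").lower().endswith("roleassignments"):
            continue
        # Property names are case-insensitive in ARM (RoleDefinitionId == roleDefinitionId).
        props = {k.lower(): v for k, v in res.get("properties", {}).items()}
        role_id = str(props.get("roledefinitionid", ""))
        principal = str(props.get("principalid", ""))
        name = inline_variables(template, str(res.get("name", "")))
        name_lc = name.lower()

        if "[" in role_id and not is_expression(role_id):
            findings.append(("literal-expression",
                             "roleDefinitionId mixes literal text with '[...]' and will not be evaluated; "
                             "use one expression such as subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<id>')"))
        if "newguid(" in name_lc or fresh & set(PARAM_REF_RE.findall(name)):
            findings.append(("non-deterministic-name",
                             "name depends on newGuid(); each deployment adds another assignment instead of "
                             "updating one. Seed guid() with scope, principalId and roleDefinitionId instead"))
        elif "guid(" in name_lc and "principalid" not in name_lc and "roledefinition" not in name_lc:
            # Heuristic: a guid() seed without principal/role gives two different assignments the same name.
            findings.append(("collision-prone-name",
                             "guid() seed does not include the principal or role; a second assignment at this "
                             "scope reuses the name and fails with RoleAssignmentUpdateNotPermitted"))
        if not is_expression(principal):
            findings.append(("hardcoded-principal", "principalId should come from a parameter, not a literal"))
    return findings


CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # built-in Contributor role id, as used in the posts

# Constructed, abbreviated copy of the question's template.
QUESTION_TEMPLATE = {
    "parameters": {"principalId": {"type": "string"}, "CosmosDbAccountName": {"type": "string"}},
    "variables": {"Scope": "[concat(parameters('CosmosDbAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]"},
    "resources": [{
        "type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
        "name": "[variables('Scope')]",
        "apiVersion": "2020-04-01-preview",
        "properties": {
            "RoleDefinitionId": f"/subscriptions/[subscription().subscriptionId]/providers/Microsoft.Authorization/roleDefinitions/{CONTRIBUTOR}",
            "principalId": "[parameters('principalId')]",
        },
    }],
}

# Constructed, abbreviated copy of the answer's template: same resource, name fed by a newGuid() parameter.
ANSWER_TEMPLATE = {
    **QUESTION_TEMPLATE,
    "parameters": {**QUESTION_TEMPLATE["parameters"], "guid": {"type": "String", "defaultValue": "[newGuid()]"}},
    "variables": {"Scope": "[concat(parameters('CosmosDbAccountName'),'/Microsoft.Authorization/', parameters('guid'))]"},
}

# Corrected version: one full expression for the role id, deterministic name seeded with scope, principal and role.
FIXED_TEMPLATE = {
    "parameters": QUESTION_TEMPLATE["parameters"],
    "variables": {
        "roleDefinitionId": f"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{CONTRIBUTOR}')]",
        "assignmentName": "[guid(resourceGroup().id, parameters('CosmosDbAccountName'), parameters('principalId'), variables('roleDefinitionId'))]",
    },
    "resources": [{
        "type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
        "name": "[concat(parameters('CosmosDbAccountName'), '/Microsoft.Authorization/', variables('assignmentName'))]",
        "apiVersion": "2020-04-01-preview",
        "properties": {
            "roleDefinitionId": "[variables('roleDefinitionId')]",
            "principalId": "[parameters('principalId')]",
        },
    }],
}

if __name__ == "__main__":
    for label, tpl in [("question", QUESTION_TEMPLATE), ("answer", ANSWER_TEMPLATE), ("fixed", FIXED_TEMPLATE)]:
        print(label, lint_role_assignments(tpl) or "clean")
```

Redeploying the corrected template is idempotent: the same scope, principal and role always produce the same assignment name, so ARM updates the existing assignment instead of colliding with it or leaving a trail of duplicates.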

Related

Azure ARM template give scoping access to different subscription

I have the following ARM template and I am trying to give scoping access to a subscription/resource group that is different from the subscription into which I am currently deploying the ARM template. I read this documentation that talks about scoping, but I am not sure how to add the correct properties.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"publicIpName": {
"type": "string"
},
"publicIpSku": {
"type": "string",
"defaultValue": "Standard"
},
"publicIPPrefixResourceId": {
"type": "string",
"metadata": {
"description": "Resource Id of the PublicIpPrefix to create VM VIP"
}
}
},
"resources": [
{
"apiVersion": "2019-02-01",
"type": "Microsoft.Network/publicIPAddresses",
"name": "[parameters('publicIpName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('publicIpSku')]"
},
"properties": {
"publicIPAllocationMethod": "Static",
"publicIPPrefix": {
"Id": "[parameters('publicIPPrefixResourceId')]"
}
}
}
]
}
Below is sample code where you can check the properties related to the ARM template:
ARM template
{
"parameters": {
"vnetAName": {
"type": "string",
"metadata": {
"description": "Name of the first VNET"
}
},
"vnetBName": {
"type": "string",
"metadata": {
"description": "Name of the Second VNET"
}
},
"vnetAPrefix": {
"type": "string",
"metadata": {
"description": "Prefix of the first VNET"
}
},
"vnetBPrefix": {
"type": "string",
"metadata": {
"description": "Prefix of the Second VNET"
}
},
"subscriptionAID": {
"type": "string",
"metadata": {
"description": "the Subscription ID for the first VNET"
}
},
"resourceGroupAName": {
"type": "string",
"metadata": {
"description": "the resource group name for the first VNET"
}
}
}
}
Go through this document for complete information.

ARM template : Provisioning of Event grid subscription is failing for storage account function app as event handler

Event Grid deployment is failing for the ARM template below with an internal server error.
I tried the steps mentioned in this link: Event subscription by ARM template for topic with EndpointType as AzureFunction
But I am still facing the same issue.
ARM Template:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appName": {
"type": "string",
"defaultValue": "harshitk-FA",
"metadata": {
"description": "The name of the function app that you wish to create."
}
},
"eventTopicName": {
"type": "String",
"defaultValue": "harshitTopic",
"metadata": {
"description": "Name for the system topic."
}
},
"eventSubName": {
"type": "string",
"defaultValue": "devharshitktest123sub",
"metadata": {
"description": "Name for the Event Grid subscription."
}
},
"functionName": {
"type": "string",
"defaultValue": "ArmFunctionApp",
"metadata": {
"description": "Function to be triggered by event grid topic"
}
},
"location": {
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
},
"type": "string"
},
"storageAccountName": {
"defaultValue": "harshitarmtest",
"type": "string"
}
},
"variables": {
"functionAppName": "[parameters('appName')]",
"eventTopicName": "[parameters('eventTopicName')]",
"eventSubscriptionName": "[parameters('eventSubName')]",
"eventHandler": "[parameters('functionName')]",
"storageAccountName": "[parameters('storageAccountName')]"
},
"resources": [
{
"type": "Microsoft.EventGrid/systemTopics",
"apiVersion": "2020-04-01-preview",
"name": "[variables('eventTopicName')]",
"location": "[parameters('location')]",
"properties": {
"source": "[resourceId('Microsoft.Storage/storageAccounts',variables('storageAccountName'))]",
"topicType": "Microsoft.Storage.StorageAccounts"
}
},
{
"type": "Microsoft.EventGrid/systemTopics/eventSubscriptions",
"apiVersion": "2020-04-01-preview",
"name": "[concat(variables('eventTopicName'), '/', variables('eventSubscriptionName'))]",
"dependsOn": [
"[resourceId('Microsoft.EventGrid/systemTopics', variables('eventTopicName'))]"
],
"properties": {
"destination": {
"endpointType": "AzureFunction",
"properties": {
//"resourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Web/sites/',variables('functionAppName'),'/functions/',variables('eventHandler'))]",
"resourceId": "[resourceId('Microsoft.Web/sites/functions/', variables('functionAppName'), variables('eventHandler'))]",
"maxEventsPerBatch": 10,
"preferredBatchSizeInKilobytes": 64
}
},
"filter": {
"includedEventTypes": [
"Microsoft.Storage.BlobCreated"
]
},
"eventDeliverySchema": "EventGridSchema"
}
}
],
"outputs": {}
}
Error message in PowerShell:
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "Internal error",
"message": "The operation failed due to an internal server error. The initial state of the impacted resources (if any) are restored. Please try again in few minutes. If error still persists, report XXXXXXXXXXXXXXXXX:11/26/2020 6:01:09 PM (UTC) to our forums for assistance or raise a support ticket ."
}
]
}

How to add AzureFunction as Event Subscription Endpoint in ARM Template?

I have written an ARM template to create an event subscription on an existing storage account, where I need to listen to a particular blob container's blob.created and blob.deleted events and send them to an Azure Event Grid trigger function app.
The function app is already deployed in Azure at https://myfunctionapp.azurewebsites.net, and I am having a hard time trying to create the event subscription through the ARM template. Please note that I have used API version 2020-01-01-preview in order to have AzureFunction as the endpoint. The template is as follows:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appName": {
"type": "string",
"metadata": {
"description": "Name of the function app"
}
},
"functionName": {
"type": "string",
"defaultValue": "MyFunction",
"metadata": {
"description": "Name of the function"
}
},
"eventSubName": {
"type": "string",
"defaultValue": "myfunctionappsub",
"metadata": {
"description": "The name of the event subscription to create."
}
},
"storageName": {
"type": "string",
"metadata": {
"description": "Storage account name"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Storage account location"
}
},
"containerNamefilter": {
"type": "string",
"defaultValue": "-inputblob",
"metadata": {
"description": "Container name filter"
}
}
},
"variables": {
"functionAppName": "[resourceId('Microsoft.Web/sites/functions/', parameters('appName'), parameters('functionName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/eventSubscriptions",
"name": "[concat(parameters('storageName'), '/Microsoft.EventGrid/', parameters('eventSubName'))]",
"apiVersion": "2020-01-01-preview",
"dependsOn": [
"[parameters('storageName')]"
],
"properties": {
"destination": {
"endpointType": "AzureFunction",
"properties": {
"resourceId": "[variables('functionAppName')]"
}
},
"filter": {
"subjectBeginsWith": "",
"subjectEndsWith": "",
"isSubjectCaseSensitive": false,
"includedEventTypes": [
"Microsoft.Storage.BlobCreated",
"Microsoft.Storage.BlobDeleted"
],
"advancedFilters": [
{
"key": "subject",
"operatorType": "StringContains",
"value": "[parameters('containerfilter')]"
}
]
}
}
}
]
}
This is the error I get when I try to run it on the pipeline:
2020-04-15T11:09:11.5347864Z Starting template validation.
2020-04-15T11:09:11.5368215Z Deployment name is azuredeploy-xxxxxxx-xxxxxx-xxxx
2020-04-15T11:09:13.1700166Z Template deployment validation was completed successfully.
2020-04-15T11:09:13.1700897Z Starting Deployment.
2020-04-15T11:09:13.1703528Z Deployment name is azuredeploy-xxxxxxx-xxxxxx-xxxx
2020-04-15T11:10:02.5842880Z There were errors in your deployment. Error code: DeploymentFailed.
2020-04-15T11:10:02.5893091Z ##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2020-04-15T11:10:02.5910677Z ##[error]Details:
2020-04-15T11:10:02.5915877Z ##[error]Conflict: {
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "Internal error",
"message": "The operation failed due to an internal server error. The initial state of the impacted resources (if any) are restored. Please try again in few minutes. If error still persists, report 72c636d4-6d09-4c50-8886-7153ddf2a4ee:4/15/2020 11:09:50 AM (UTC) to our forums for assistance or raise a support ticket ."
}
]
}
}
2020-04-15T11:10:02.5918976Z ##[error]Task failed while creating or updating the template deployment.
2020-04-15T11:10:02.5953000Z ##[section]Finishing: Create or update eventsubscription in RG
Am I doing anything wrong here? I'm very new to ARM templates.
If you want to create an Event Grid subscription for the existing storage account, please refer to the following template:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"functionGroup": {
"type": "string",
"defaultValue" : "jimtest",
"metadata": {
"description": "The group name of the function app"
}
},
"appName": {
"type": "string",
"defaultValue" : "testfunjs",
"metadata": {
"description": "Name of the function app"
}
},
"functionName": {
"type": "string",
"defaultValue": "EventGridTrigger1",
"metadata": {
"description": "Name of the function"
}
},
"eventSubName": {
"type": "string",
"defaultValue": "myfunctionappsub",
"metadata": {
"description": "The name of the event subscription to create."
}
},
"storageName": {
"type": "string",
"defaultValue" : "andyprivate",
"metadata": {
"description": "Storage account name"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Storage account location"
}
},
"containerNamefilter": {
"type": "string",
"defaultValue": "test",
"metadata": {
"description": "Container name filter"
}
}
},
"variables": {
"functionId": "[resourceId(parameters('functionGroup'),'Microsoft.Web/sites/functions/', parameters('appName'), parameters('functionName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/eventSubscriptions",
"name": "[concat(parameters('storageName'), '/Microsoft.EventGrid/', parameters('eventSubName'))]",
"apiVersion": "2020-01-01-preview",
"properties": {
"destination": {
"endpointType": "AzureFunction",
"properties": {
"resourceId": "[variables('functionId')]"
}
},
"filter": {
"subjectBeginsWith": "",
"subjectEndsWith": "",
"isSubjectCaseSensitive": false,
"includedEventTypes": [
"Microsoft.Storage.BlobCreated",
"Microsoft.Storage.BlobDeleted"
],
"advancedFilters": [
{
"key": "subject",
"operatorType": "StringContains",
"value": "[parameters('containerNamefilter')]"
}
]
}
}
}
]
}

Generating EventGrid and define AzureFunction as a Endpoint

Via the portal, I can define an Event Subscription in the Storage Account; at the end I have this view in the portal:
Now I would like to do the same with an ARM template. I have the following code:
{
"type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
"name": "[concat(variables('StorageAccountName'),'/Microsoft.EventGrid/',variables('EventGridName'))]",
"location": "[parameters('region')]",
"apiVersion": "2018-01-01",
"dependsOn": [ "[resourceId('Microsoft.Web/sites', variables('AzureFunction'))]" ],
"properties": {
"topic": "[concat('Microsoft.EventGrid/topics/',variables('StorageAccountName'))]",
"destination": {
"endpointType": "WebHook",
"properties": {
"topics": "[variables('StorageAccountName')]",
"endpointUrl": "[concat('https://', variables('AzureFunction'),'.azurewebsites.net/admin/extensions/EventGridExtensionConfig')]"
}
}
}
}
After running this code, I get the following error:
Resource Microsoft.EventGrid/topics/providers/eventSubscriptions 'xxxx0prod0sac0xx0we/Microsoft.EventGrid/xxxx-prod-eg-dz-we' failed with message '{
"error": {
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.EventGrid/topics/xxxx0prod0sac0xx0we' under resource group 'xxxx' was not found."
}
}'
Do you have any idea, what should I do to solve this problem?
#Kaja, please use the ARM template below to create an Event Subscription in the Storage Account:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageName": {
"type": "string",
"defaultValue": "[concat('storage', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Provide a unique name for the Blob Storage account."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Provide a location for the Blob Storage account that supports Event Grid."
}
},
"eventSubName": {
"type": "string",
"defaultValue": "subToStorage",
"metadata": {
"description": "Provide a name for the Event Grid subscription."
}
},
"endpoint": {
"type": "string",
"metadata": {
"description": "Provide the URL for the WebHook to receive events. Create your own endpoint for events."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/eventSubscriptions",
"name": "[concat(parameters('storageName'), '/Microsoft.EventGrid/', parameters('eventSubName'))]",
"apiVersion": "2018-01-01",
"properties": {
"destination": {
"endpointType": "WebHook",
"properties": {
"endpointUrl": "[parameters('endpoint')]"
}
},
"filter": {
"subjectBeginsWith": "",
"subjectEndsWith": "",
"isSubjectCaseSensitive": false,
"includedEventTypes": [
"All"
]
}
}
}
]
}
Reference: https://github.com/Azure/azure-quickstart-templates/blob/master/101-event-grid-subscription-and-storage/azuredeploy.json
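Three of the threads above turn on what `resourceId()` actually produces. The cross-subscription question asks how to point at a prefix in another subscription; both Event Grid questions pass `resourceId('Microsoft.Web/sites/functions/', app, function)` with no resource group, so the function is looked up in the deployment's own resource group (the answer adds the `functionGroup` argument); and the last question's `Microsoft.EventGrid/topics/...` type makes ARM look for a topic under the storage account's name, which is exactly the path quoted in the ResourceNotFound message. The Python below is an added example, not code from any post, that reproduces the documented shape of `resourceId([subscriptionId], [resourceGroupName], resourceType, name1, ...)` offline so an expression can be checked before deploying. The dispatch rule (the first argument containing `/` is the type), the tolerance of a trailing `/` and the error wording are this helper's own; the subscription ids, resource group names and app names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeploymentContext:
    """What subscription().subscriptionId and resourceGroup().name resolve to
    for the deployment that evaluates the expression."""
    subscription_id: str
    resource_group: str


def resource_id(ctx, *args):
    """Mimic ARM's resourceId([subscriptionId], [resourceGroupName], resourceType, name1, [name2], ...).

    Dispatch rule (this helper's assumption): the first argument containing '/' is the
    resource type; the arguments before it are the optional subscription id and/or
    resource group; the arguments after it are the name segments.
    """
    type_index = next((i for i, arg in enumerate(args) if "/" in arg), None)
    if type_index is None:
        raise ValueError("no resource type argument of the form 'Namespace/type[/subtype]'")
    scope, resource_type, names = args[:type_index], args[type_index], args[type_index + 1:]

    if len(scope) == 0:        # resourceId(type, names...)      -> deployment's own subscription and RG
        sub, rg = ctx.subscription_id, ctx.resource_group
    elif len(scope) == 1:      # resourceId(rg, type, names...)  -> another RG, same subscription
        sub, rg = ctx.subscription_id, scope[0]
    elif len(scope) == 2:      # resourceId(sub, rg, type, ...)  -> another subscription
        sub, rg = scope
    else:
        raise ValueError("at most a subscription id and a resource group may precede the resource type")

    # A trailing '/' (as in 'Microsoft.Web/sites/functions/') is dropped by this helper.
    parts = [p for p in resource_type.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"resource type needs a namespace and at least one type: {resource_type!r}")
    namespace, type_segments = parts[0], parts[1:]
    if len(type_segments) != len(names):
        raise ValueError(f"{resource_type!r} has {len(type_segments)} type segment(s) "
                         f"but {len(names)} name(s) were supplied")
    tail = "/".join(f"{t}/{n}" for t, n in zip(type_segments, names))
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/{namespace}/{tail}"


# Constructed deployment context; the subscription ids are placeholders.
CTX = DeploymentContext("00000000-0000-0000-0000-000000000000", "rg-eventgrid")
OTHER_SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"


def worked_examples(ctx=CTX):
    """The expressions discussed in the threads above, evaluated against the constructed context."""
    return {
        # Event Grid questions: no resource group argument, so the function app is expected
        # in the deployment's own resource group, whatever lives there.
        "function_same_rg": resource_id(ctx, "Microsoft.Web/sites/functions/", "myfunctionapp", "MyFunction"),
        # Event Grid answer: an explicit resource group ('jimtest') for a function app elsewhere.
        "function_other_rg": resource_id(ctx, "jimtest", "Microsoft.Web/sites/functions/", "testfunjs", "EventGridTrigger1"),
        # Cross-subscription question: both the subscription id and the resource group are needed.
        "prefix_other_subscription": resource_id(ctx, OTHER_SUBSCRIPTION, "network-rg",
                                                 "Microsoft.Network/publicIPPrefixes", "vm-vip-prefix"),
        # Last question: the 'topics' type turns the storage account name into a topic path that
        # does not exist, which is the path the ResourceNotFound error reports.
        "wrong_topic_path": resource_id(ctx, "Microsoft.EventGrid/topics", "xxxx0prod0sac0xx0we"),
        "storage_parent_path": resource_id(ctx, "Microsoft.Storage/storageAccounts", "xxxx0prod0sac0xx0we"),
    }


if __name__ == "__main__":
    for label, rid in worked_examples().items():
        print(f"{label}: {rid}")
    try:
        resource_id(CTX, "Microsoft.Web/sites/functions", "myfunctionapp")  # one name short
    except ValueError as exc:
        print("rejected:", exc)
```

Because the destination is resolved from the path alone, a template that omits the resource group silently targets whatever function exists at that path in the deployment's own resource group; when the handler lives elsewhere, make the group (and, across subscriptions, the subscription id) explicit, as the answer above does with `functionGroup`.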

using linkedtemplate to retrieve password from Keyvault

After reading some articles from here and here and here, and looking at this example,
I have tried to retrieve a password from Key Vault with a linked template.
To achieve this I have created the following linked ARM template, azuredeploy.json:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaultName": {
"type": "string",
"metadata": {
"description": "The name of the keyvault that contains the secret."
}
},
"secretName": {
"type": "string",
"metadata": {
"description": "The name of the secret."
}
},
"vaultResourceGroupName": {
"type": "string",
"metadata": {
"description": "The name of the resource group that contains the keyvault."
}
},
"vaultSubscription": {
"type": "string",
"defaultValue": "[subscription().subscriptionId]",
"metadata": {
"description": "The name of the subscription that contains the keyvault."
}
}
},
"resources":
[
{
"apiVersion": "2018-05-01",
"name": "dynamicSecret",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "https://arm0storage.blob.core.windows.net/linkedtemplate/azuredeploy.json?sp=r&st=2019-07-17T13:28:26Z&se=2019-07-16T21:28:26Z&spr=https&sv=2018-03-28&sig=xxxv%2xxxxxxxxxxxxxxx%2FHmg9Yxxxxxxxxxxxxxxxxxxxxxxx%3D&sr=b"
},
"parameters": {
"adminPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
},
"secretName": "[parameters('secretName')]"
}
}
}
}
}
],
"outputs": {
"SQLPassword": {
"type": "string",
"value": "[reference('dynamicSecret').outputs.value]"
}
}
}
If I try to validate this template, I get this error message:
Deployment template validation failed: 'The template parameters 'adminPassword' in the parameters file are not valid; they are not present in the original template and can therefore not be provided at deployment time. The only supported parameters for this template are 'vaultName, secretName, vaultResourceGroupName, vaultSubscription'. Please see https://aka.ms/arm-deploy/#parameter-file for usage details.'.
and in my azuredeploy.parameters.json I have:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaultName": {
"value": "kvnamer"
},
"secretName": {
"value": "ExamplePassword"
},
"vaultResourceGroupName": {
"value": "rgname"
}
}
}
Do you have any idea how I can solve my problem?
Regarding the issue, please check whether your linked template has the parameter "adminPassword". For more details, please refer to the document. You can also refer to my JSON files.
1. Create azuredeploy.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaultName": {
"type": "string",
"metadata": {
"description": "The name of the keyvault that contains the secret."
}
},
"secretName": {
"type": "string",
"metadata": {
"description": "The name of the secret."
}
},
"vaultResourceGroupName": {
"type": "string",
"metadata": {
"description": "The name of the resource group that contains the keyvault."
}
},
"vaultSubscription": {
"type": "string",
"defaultValue": "[subscription().subscriptionId]",
"metadata": {
"description": "The name of the subscription that contains the keyvault."
}
}
},
"resources": [{
"apiVersion": "2015-01-01",
"name": "linkedTemplate",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/keyvaultparameter/sqlserver.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"adminPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
},
"secretName": "[parameters('secretName')]"
}
},
"adminLogin": {
"value": "jimtest"
},
"sqlServerName": {"value": "jimteste12378902"}
}
}
}],
"outputs": {
"SQLPassword": {
"type": "string",
"value": "[reference('linkedTemplate').outputs.value]"
}
}
}
2. Create azuredeploy.parameters.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaultName": {
"value": ""
},
"secretName": {
"value": ""
},
"vaultResourceGroupName": {
"value": ""
},
"vaultSubscription": {
"value": ""
}
}
}
The template you're using in the nested deployment here:
"https://arm0storage.blob.core.windows.net/linkedtemplate/azuredeploy.json?sp=r&st=2019-07-17T13:28:26Z&se=2019-07-16T21:28:26Z&spr=https&sv=2018-03-28&sig=xxxv%2xxxxxxxxxxxxxxx%2FHmg9Yxxxxxxxxxxxxxxxxxxxxxxx%3D&sr=b"
What does that template look like? The error message you're getting says that it does not have a parameter in it named "adminPassword", but your nested deployment resource is trying to pass it in.
The output you have in the template above is called "SQLPassword"; they aren't necessarily related, but I'm guessing, since we can't see the template you're linking to.
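The check both answers are asking for, as an added example that is not code from the question or either answer: a Python cross-check of a parent template's nested deployment against the linked template it calls. The two constructed stand-ins are a parent shaped like the one in the question (an `adminPassword` Key Vault reference and a `SQLPassword` output; the templateLink URI is a placeholder) and three variants of the linked template. Beyond the missing-parameter case behind the validation error quoted above, it flags a parameter that receives a Key Vault reference but is not declared `secureString`/`secureObject` in the linked template (ARM requires the secure type for a Key Vault reference), and a parent output that echoes the result of a deployment that received a secret, since output values are kept in clear text in the deployment history. The finding codes and messages are this example's own.

```python
SECURE_TYPES = {"securestring", "secureobject"}


def nested_deployments(parent):
    """Yield every Microsoft.Resources/deployments resource of the parent template."""
    for res in parent.get("resources", []):
        if res.get("type", "").lower() == "microsoft.resources/deployments":
            yield res


def is_key_vault_reference(param_value):
    """True for {"reference": {"keyVault": {...}, "secretName": ...}} parameter values."""
    return isinstance(param_value, dict) and "keyVault" in param_value.get("reference", {})


def check_linked_parameters(parent, linked_templates):
    """Return (deployment, code, message) findings.

    linked_templates maps a nested deployment's name to the linked template it points at.
    In a pipeline you would fetch properties.templateLink.uri and parse it; here the
    templates are supplied directly so the check runs offline.
    """
    findings = []
    for dep in nested_deployments(parent):
        dep_name = dep.get("name", "<unnamed>")
        linked = linked_templates.get(dep_name)
        if linked is None:
            findings.append((dep_name, "unresolved-link", "linked template was not available for inspection"))
            continue
        declared = linked.get("parameters", {})
        passed = dep.get("properties", {}).get("parameters", {})
        secret_params = []
        for pname, pvalue in passed.items():
            if pname not in declared:
                # The condition behind "not present in the original template and can therefore not be provided".
                findings.append((dep_name, "unknown-parameter",
                                 f"'{pname}' is passed but the linked template declares only {sorted(declared)}"))
                continue
            if is_key_vault_reference(pvalue):
                secret_params.append(pname)
                declared_type = str(declared[pname].get("type", ""))
                if declared_type.lower() not in SECURE_TYPES:
                    findings.append((dep_name, "insecure-secret-parameter",
                                     f"'{pname}' receives a Key Vault secret but is declared '{declared_type}'; "
                                     "a Key Vault reference requires secureString or secureObject"))
        # Outputs are written to the deployment history in clear text, so a parent output built
        # from a deployment that received a secret hands it to anyone who can read that history.
        for oname, odef in parent.get("outputs", {}).items():
            if secret_params and f"reference('{dep_name}')" in str(odef.get("value", "")):
                findings.append((dep_name, "secret-in-output",
                                 f"output '{oname}' exposes a value from a deployment that received "
                                 f"{', '.join(secret_params)}; remove the output"))
    return findings


# Key Vault reference in the shape used by the question's template.
KEY_VAULT_REF = {
    "reference": {
        "keyVault": {"id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), "
                           "'Microsoft.KeyVault/vaults', parameters('vaultName'))]"},
        "secretName": "[parameters('secretName')]",
    }
}

# Constructed parent shaped like the question's azuredeploy.json; the URI is a placeholder.
PARENT = {
    "resources": [{
        "type": "Microsoft.Resources/deployments",
        "apiVersion": "2018-05-01",
        "name": "dynamicSecret",
        "properties": {
            "mode": "Incremental",
            "templateLink": {"uri": "https://example.invalid/linkedtemplate/azuredeploy.json", "contentVersion": "1.0.0.0"},
            "parameters": {"adminPassword": KEY_VAULT_REF},
        },
    }],
    "outputs": {"SQLPassword": {"type": "string", "value": "[reference('dynamicSecret').outputs.value]"}},
}
PARENT_WITHOUT_OUTPUT = {**PARENT, "outputs": {}}

# Three constructed versions of the linked template the parent points at.
LINKED_MISSING_PARAM = {"parameters": {"sqlServerName": {"type": "string"}, "adminLogin": {"type": "string"}}}
LINKED_PLAIN_STRING = {"parameters": {"adminPassword": {"type": "string"}}}
LINKED_SECURE = {"parameters": {"adminPassword": {"type": "secureString"}}}

if __name__ == "__main__":
    for label, linked in [("missing", LINKED_MISSING_PARAM), ("string", LINKED_PLAIN_STRING), ("secure", LINKED_SECURE)]:
        print(label, check_linked_parameters(PARENT, {"dynamicSecret": linked}) or "clean")
    print("no output", check_linked_parameters(PARENT_WITHOUT_OUTPUT, {"dynamicSecret": LINKED_SECURE}) or "clean")
```

Only the combination of a `secureString` parameter in the linked template and no parent output that re-exports it comes back clean; the first finding reproduces the question's validation error before a deployment is even attempted.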
