Runtime whitelist APIM IP on function App using ARM - azure

We are provisioning the APIM service first (apim.json), after which we provision multiple Function Apps.
All the ARM templates are separate, each with its own parameter file. We are using Azure Pipelines for CI/CD.
Pipeline1 functionapp1.json
Pipeline2 functionapp2.json
Pipeline3 functionapp3.json
Pipeline4 apim.json
We have a requirement to apply access restrictions on the Function Apps, and we want to add the access restriction using ARM templates.
How can we get the VIP of APIM at run time so that we can whitelist the VIP of APIM in the access restriction section of the Function App? All the pipelines are separate for each Function App and for APIM.
Using the API and getting the value at runtime (PowerShell) is one option, but we want to handle it using ARM templates.
Any inputs would be highly appreciated.

Used the following to whitelist at runtime.
"ipAddress": "[concat(reference(resourceId('Microsoft.ApiManagement/service', parameters('apimName')),'2019-01-01').publicIPAddresses[0], '/32')]"

See "reference" function for ARM templates: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#reference
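As an added example (not code from the original answer), here is the `Microsoft.Web/sites/config` resource that a functionappN.json would carry to turn that expression into an actual access restriction. The parameter `apimResourceGroup` and the rule names are assumptions; the expression itself is the one from the answer, with an explicit deny-all rule and the SCM site covered as well:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": { "type": "string" },
    "apimName": { "type": "string" },
    "apimResourceGroup": {
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": { "description": "Resource group of the already-deployed APIM instance (assumed parameter; APIM is provisioned by a separate pipeline)" }
    }
  },
  "variables": {
    "apimId": "[resourceId(parameters('apimResourceGroup'), 'Microsoft.ApiManagement/service', parameters('apimName'))]",
    "apimVip": "[concat(reference(variables('apimId'), '2021-08-01').publicIPAddresses[0], '/32')]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2022-03-01",
      "name": "[concat(parameters('functionAppName'), '/web')]",
      "comments": "In the real functionappN.json this resource also lists the Microsoft.Web/sites resource in dependsOn",
      "properties": {
        "ipSecurityRestrictions": [
          {
            "name": "allow-apim",
            "ipAddress": "[variables('apimVip')]",
            "action": "Allow",
            "priority": 100,
            "description": "Public VIP of the APIM gateway, resolved at deployment time instead of pasted in"
          },
          {
            "name": "deny-all",
            "ipAddress": "Any",
            "action": "Deny",
            "priority": 2147483647,
            "description": "App Service already implies deny-all once an Allow rule exists; stating it keeps the intent visible in review"
          }
        ],
        "scmIpSecurityRestrictionsUseMain": true
      }
    }
  ],
  "outputs": {
    "allowedApimAddress": { "type": "string", "value": "[variables('apimVip')]" }
  }
}
```

Two things to check before relying on this: `publicIPAddresses[0]` is only the primary region of APIM, so a multi-region instance needs one rule per additional location, and the Consumption tier has no static public IP at all, so the expression fails there. An IP allow-list is also only a network filter; keep function keys or Azure AD authentication on the function, since anything that can route through the APIM gateway still reaches it.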

Related

SecureString in ARM template deployment through Terraform does an update in place every time?

I am using Terraform to provision my Azure resources, which works great; however, for some resources such as Logic Apps, doing this natively doesn't really work, so I am using the Logic Apps ARM template and doing a Terraform "azurerm_resource_group_template_deployment" in order to provision. I know doing an ARM template deployment within Terraform is a bit of a last resort. It works ok though and deploys fine, but I have a Service Bus connection defined and that is of type "securestring". By default, these are not saved as part of the ARM deployment, so every time Terraform runs in my pipeline, even if the Logic App ARM template has not changed, it still does the deployment, as the top-level deployment state Terraform knew about previously did not have the value saved and so will always see it as new. Is there any way around this other than changing the "securestring" to "string", which I obviously do not want to do given the endpoint contains the SAS key etc.?
Hit the same issues today - really limits what is viable. Managed to work around my two scenarios.
For things like keys and connection strings you can use the listKeys function inside of the ARM template - some examples here. I had this exact issue trying to get a Log Analytics workspace key into the template - https://github.com/Azure/azure-quickstart-templates/blob/master/demos/arm-template-retrieve-azure-storage-access-keys/azuredeploy.json - Get connection strings in ARM
Another scenario I had was wanting to pass a service principal secret from TF to the template as a securestring; to get around this I ended up getting the secret from Key Vault inside of the ARM template instead.

Updating Set of Values in ARM Templates Automatically

I have an ARM template which I will be using to deploy resources (as in the Azure portal) via an Azure DevOps pipeline. These ARM templates were created using my Dev subscription. If I need to use the same ARM template to move to production, I need to manually update the subscription id etc. in the ARM template and then run the respective pipelines. Is there any way to automate this manual update process in the ARM template?
I have tried using the File Transform agent job available under Azure DevOps release pipelines, but since the values are inside nested loops of the ARM templates, it failed. Is there any PowerShell script that would be suitable for this process of updating values?
I don't want to manually update the ids in the ARM template; I want them updated automatically.
The Set Json Property task might help to set the property to a specific value.
First, in the marketplace search for the "Set Json Property" task and install it for your organization.
Then you can set the property path and the value accordingly; check here for detailed usage.
Instead of hard coding values in ARM templates you can use a parameters file. For dev and prod you can have separate files, and while deploying pass the ARM template along with whichever parameter file is required.
You can use AKV (Azure Key Vault) to access your subscription details in the parameter file.
subscription().subscriptionId will get you the details.
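An added example (not from the answers above) of a template written so that nothing subscription-specific is hard coded: the subscription id, location and resource-group-derived names come from `subscription()`, `resourceGroup()` and `uniqueString()`, and everything that differs between dev and prod arrives through parameters. The parameter names, the `environment` switch and the file names dev.parameters.json / prod.parameters.json are assumptions:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "environment": {
      "type": "string",
      "allowedValues": [ "dev", "prod" ],
      "metadata": { "description": "Supplied by dev.parameters.json or prod.parameters.json (assumed file names)" }
    },
    "sharedResourceGroup": {
      "type": "string",
      "metadata": { "description": "Resource group holding the shared Log Analytics workspace in the target subscription (assumed)" }
    },
    "logAnalyticsName": { "type": "string" }
  },
  "variables": {
    "storageName": "[toLower(concat('st', parameters('environment'), uniqueString(resourceGroup().id)))]",
    "workspaceId": "[resourceId(subscription().subscriptionId, parameters('sharedResourceGroup'), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[variables('storageName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "[if(equals(parameters('environment'), 'prod'), 'Standard_GRS', 'Standard_LRS')]" },
      "kind": "StorageV2",
      "properties": {
        "minimumTlsVersion": "TLS1_2",
        "supportsHttpsTrafficOnly": true,
        "allowBlobPublicAccess": false
      }
    }
  ],
  "outputs": {
    "deployedInSubscription": { "type": "string", "value": "[subscription().subscriptionId]" },
    "workspaceId": { "type": "string", "value": "[variables('workspaceId')]" }
  }
}
```

The same template is then deployed with `az deployment group create --template-file template.json --parameters @prod.parameters.json` (or the dev file); the parameter files contain only literal values, because template functions are not allowed inside a parameters file, which is why the subscription id has to be computed in the template rather than in the file.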

Is there a way to trigger an "http trigger" Azure Function after deploying an ARM template?

I have an ARM template that deploys a Kubernetes cluster and an HTTP trigger Function App. Inside the HTTP trigger function I have a client for Kubernetes that does some actions; if I trigger this function manually, it works fine. But I need to run this trigger automatically after the ARM deployment has finished.
The HTTP request that triggers the Azure Function may be sent either by ARM itself or by whatever orchestrator you use to execute the template (e.g. Azure DevOps pipeline). Terraform can execute scripts directly; unless you really want to use ARM, it might be an option.
If you want to go with ARM, there are at least three options:
Make the Azure Function return an "empty" ARM template and trigger it by a request for a nested deployment template. https://blog.cloudtrooper.net/2017/04/04/run-azure-functions-from-your-quickstart-arm-templates/
Use Azure Container Instances to launch an instance of a container image as a stand-alone container in Azure and execute an arbitrary command inside. https://samcogan.com/run-scripts-in-arm-deployments-with-aci/
Use the deployment scripts resource (Microsoft.Resources/deploymentScripts). It is basically built-in support for the approach using Azure Container Instances. See the official docs or an older article from the time the feature was still in preview that I still like: https://dev.to/omiossec/arm-template-what-s-new-for-2020-4kli#deployementsscripts-resource-provider
In any case, you will need to properly set up the dependsOn references so that the request is sent at the right time. Or better, use Bicep, which mostly takes care of the dependencies implicitly if used right.
Assuming you are using PowerShell to deploy your ARM template, you can use PowerShell to trigger your Azure HTTP trigger function right after you deploy your ARM template:
Invoke-WebRequest -Uri <function_uri> -Method POST
Hope this helps!
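An added example (not code from either answer) of the third option from the first answer, a `Microsoft.Resources/deploymentScripts` resource that issues the same POST the second answer does with Invoke-WebRequest, but from inside the template and only after the function app and the cluster exist. It assumes the `Microsoft.Web/sites` and `Microsoft.ContainerService/managedClusters` resources are declared in the same template (omitted here), and the parameter and function names are assumptions:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": { "type": "string" },
    "functionName": { "type": "string", "defaultValue": "ReconcileCluster" },
    "aksClusterName": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "runStamp": {
      "type": "string",
      "defaultValue": "[utcNow()]",
      "metadata": { "description": "utcNow() is only allowed in a parameter default; used so the script re-runs on every deployment" }
    }
  },
  "variables": {
    "functionAppId": "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
    "aksId": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]",
    "functionUrl": "[format('https://{0}/api/{1}', reference(variables('functionAppId'), '2022-03-01').defaultHostName, parameters('functionName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deploymentScripts",
      "apiVersion": "2020-10-01",
      "name": "invoke-after-deploy",
      "location": "[parameters('location')]",
      "kind": "AzurePowerShell",
      "comments": "Both dependsOn targets are resources declared elsewhere in this same template",
      "dependsOn": [ "[variables('functionAppId')]", "[variables('aksId')]" ],
      "properties": {
        "azPowerShellVersion": "9.7",
        "timeout": "PT10M",
        "retentionInterval": "PT1H",
        "cleanupPreference": "OnSuccess",
        "forceUpdateTag": "[parameters('runStamp')]",
        "environmentVariables": [
          { "name": "FUNCTION_URL", "value": "[variables('functionUrl')]" },
          {
            "name": "FUNCTION_KEY",
            "secureValue": "[listKeys(resourceId('Microsoft.Web/sites/host', parameters('functionAppName'), 'default'), '2022-03-01').functionKeys.default]"
          }
        ],
        "scriptContent": "$headers = @{ 'x-functions-key' = $env:FUNCTION_KEY }\n$resp = Invoke-RestMethod -Uri $env:FUNCTION_URL -Method Post -Headers $headers -TimeoutSec 300\n$DeploymentScriptOutputs = @{ response = ($resp | ConvertTo-Json -Compress) }"
      }
    }
  ],
  "outputs": {
    "functionResponse": { "type": "string", "value": "[reference('invoke-after-deploy').outputs.response]" }
  }
}
```

The function key is fetched with `listKeys` at deployment time and passed as `secureValue`, so it is neither a template parameter nor written to the script's logs; `forceUpdateTag` changing on every run is what makes the script execute again on redeployment instead of being treated as unchanged.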

Azure portal Template Deployment not supporting Keyvault references

I have a set of resources and want to deploy them using the Template Deployment feature in the Azure portal. In my parameters file, I have a few references to parameters in Key Vault as mentioned here. When deploying the template in the Azure portal (clicking on Deploy a custom template) and supplying these values, the portal still asks for these parameters explicitly, which I definitely cannot provide in plain text.
When using the same resources.json and parameters.json files in PowerShell, it works fine. Is the Key Vault references feature currently not supported in Template Deployment done through the portal?
Yes, this is the case, but you can work around it by wrapping your template with another template; that outer template will "get" the reference and pass it to the actual template.
reference: https://github.com/4c74356b41/bbbb-is-the-word/blob/master/_arm/parent.json#L151
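An added example (not the linked parent.json, and not code from either thread) of such a wrapper. The same wrapper answers the Terraform "securestring" question further up: because the outer template has no secret parameter, what Terraform records for azurerm_resource_group_template_deployment is stable, and the Service Bus connection string is fetched from Key Vault by Resource Manager at deploy time. The inner template must be a linked template (templateLink), since Key Vault references are not honored for inline nested templates. `innerTemplateUri`, the secret name and the inner parameter name `serviceBusConnection` are assumptions:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": { "type": "string" },
    "keyVaultResourceGroup": { "type": "string", "defaultValue": "[resourceGroup().name]" },
    "secretName": { "type": "string", "defaultValue": "servicebus-connection" },
    "innerTemplateUri": {
      "type": "string",
      "metadata": { "description": "URI of the real template (resources.json); it declares a securestring parameter named serviceBusConnection (assumed name)" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "inner",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[parameters('innerTemplateUri')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "serviceBusConnection": {
            "reference": {
              "keyVault": {
                "id": "[resourceId(parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
              },
              "secretName": "[parameters('secretName')]"
            }
          }
        }
      }
    }
  ]
}
```

For the lookup to succeed the vault must have `enabledForTemplateDeployment` set to true and the identity running the deployment needs `Microsoft.KeyVault/vaults/deploy/action` on it; the resolved value is handed to the inner deployment as a securestring and is not stored in the deployment history.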

ARM Template listkeys() fails to find Azure Search

I'm creating an ARM template to deploy both an Azure Search instance and a Function App that depends on the Azure Search instance. As part of that I'm trying to pre-populate the Function App's app settings with the Search Service's API key.
I'm doing this by adding the following as the value of one of the app settings of the FunctionAppSite:
[listKeys(variables('searchServiceId'), '2015-08-19').key1]
I get the searchServiceId in the variables section:
[resourceId('Microsoft.Search/searchServices', parameters('SearchServiceName'))]
The FunctionAppSite component lists dependencies on the AppServicePlan, StorageAccount and SearchService.
When I deploy the template the Search Service gets created, then an error occurs because listKeys couldn't find the Search Service. This happens about 0.25 s after the service is created.
I'm pretty sure I have the syntax around listKeys correct and the problem is just the timing; not sure how I can slow it down though. I tried forcing the StorageAccount to depend on the SearchService in my template, hoping the dependency chain would slow things down enough, but the listKeys error happens after the Search Service is created but before the StorageAccount is created.
The full template can be found here and there is a 'Deploy to Azure' button on the readme.md of that repo if you want to see it in action.
Well, looking at provider operations for Microsoft.Search:
Microsoft.Search/register/action
Microsoft.Search/checkNameAvailability/action
Microsoft.Search/searchServices/write
Microsoft.Search/searchServices/read
Microsoft.Search/searchServices/delete
Microsoft.Search/searchServices/start/action
Microsoft.Search/searchServices/stop/action
Microsoft.Search/searchServices/listAdminKeys/action
Microsoft.Search/searchServices/regenerateAdminKey/action
Microsoft.Search/searchServices/createQueryKey/action
Microsoft.Search/searchServices/queryKey/read
Microsoft.Search/searchServices/queryKey/delete
this is how you do it:
"[listAdminKeys(variables('searchServiceId'), '2015-08-19').PrimaryKey]"
To list provider operations:
$ops = (Get-AzureRmProviderOperation -OperationSearchString */*).Operation
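An added example (not the asker's template from the linked repo) showing the corrected call in context, together with the storage `listKeys` pattern mentioned in the Terraform thread above: the Function App's app settings pull the storage connection string and the Search admin key straight from the deployed resources, so neither key is a template parameter or sits in a parameters file. The parameter names and the assumption that the App Service plan already exists are mine; the operations list above is why the Search resource needs `listAdminKeys` rather than `listKeys`:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": { "type": "string" },
    "storageAccountName": { "type": "string" },
    "searchServiceName": { "type": "string" },
    "appServicePlanId": {
      "type": "string",
      "metadata": { "description": "Resource id of an existing App Service plan (assumed to be deployed elsewhere)" }
    },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "searchServiceId": "[resourceId('Microsoft.Search/searchServices', parameters('searchServiceName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": { "minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false }
    },
    {
      "type": "Microsoft.Search/searchServices",
      "apiVersion": "2020-08-01",
      "name": "[parameters('searchServiceName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "basic" },
      "properties": { "replicaCount": 1, "partitionCount": 1 }
    },
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "[parameters('functionAppName')]",
      "location": "[parameters('location')]",
      "kind": "functionapp",
      "comments": "dependsOn guarantees both list* calls run only after the resources they read from exist",
      "dependsOn": [ "[variables('storageId')]", "[variables('searchServiceId')]" ],
      "properties": {
        "serverFarmId": "[parameters('appServicePlanId')]",
        "httpsOnly": true,
        "siteConfig": {
          "appSettings": [
            {
              "name": "AzureWebJobsStorage",
              "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('storageAccountName'), listKeys(variables('storageId'), '2022-09-01').keys[0].value, environment().suffixes.storage)]"
            },
            { "name": "FUNCTIONS_EXTENSION_VERSION", "value": "~4" },
            { "name": "SearchServiceName", "value": "[parameters('searchServiceName')]" },
            {
              "name": "SearchServiceAdminKey",
              "value": "[listAdminKeys(variables('searchServiceId'), '2020-08-01').primaryKey]"
            }
          ]
        }
      }
    }
  ]
}
```

The "not found" error in the question is not a timing problem: `listKeys` is simply not an operation the Microsoft.Search provider exposes, so Resource Manager cannot resolve it no matter how the dependencies are ordered. If the function only queries the index, a query key (the `queryKey/read` operation in the list above) is the least-privilege choice over the admin key.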
