Trying to deploy an Azure Key Vault but keeping some form of Infrastructure as Code, unfortunately from what I've been able to find the only way you can utilize the --no-self-perms property is with the usage of Azure CLI
https://learn.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest
Is there any simple way that I can still use --no-self-perms property in an ARM template? Even better is there a simple way to use it with terraform (not currently available as a property)
After my validation, you just need to set the accessPolices field like "accessPolicies": [], in your ARM template, then the result will be the same as that you use --no-self-perms property in Azure CLI az keyvault create --location $location --name $MyKeyVault --resource-group $MyResourceGroup --no-self-perms.
If you want to use it with terraform. You could use azurerm_template_deployment to invoke your template with terraform or use local-exec Provisioner under resource "null_resource" to execute Azure CLI commands locally.
Related
I am trying to configure my app service to use user assigned managed identity to pull image from ACR. I figured how to do it by using az cli tool.
az resource update --ids /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/<app-name>/config/web --set properties.acrUseManagedIdentityCreds=True
az resource update --ids /subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/<app-name>/config/web --set properties.AcrUserManagedIdentityID=$clientId
For certain resons I cannot utilize az cli in my release pipelines. My question is if it would be possible to achieve the same by using Az.Websites, looks like Set-AzWebApp doesn't support this option.
As mentioned in the docs, the current version of the Azure PowerShell cmdlets for Azure App Service do not support user-assigned identities.
You could instead try setting those properties with the Set-AzResource cmdlet.
I'm in the process of creating bicep files for our current Azure resources. Is there a way to generate a bicep file from an existing azure resource, say a storage account or an app service?
You should be able to do it. You will need to use the ARM template for the resource though. Once you have it, you can use Bicep CLI to decompile the template.
From this link:
az bicep decompile --file main.json
Other alternative would be to use Bicep Playground which can also take an ARM template JSON and give you a Bicep file.
With az deployment group create --template-file vm.bicep -g "Something", I can create just fine things which are defined in the file vm.bicep (or ARM template vm.json for that matter).
But how do I actually get rid of EXACTLY just the resources that had been created by running create with a template file? az deployment group delete doesn't support a --template-file parameter.
Edit: Clarification: I only want to get rid of what has been created by the template. Not everything in a Resource Group.
Is there a way to extract azure resource template formats programmatically (REST API, Powershell, Azure CLI)?
The end result should be something along the lines of the JSON presented here, that includes datatypes etc.:
https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/vaults?tabs=json
Preferably being able to select API-version too:
https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2015-06-01/vaults?tabs=json
I have tried using az provider and expand properties, but properties are always null.
az provider show -n Microsoft.KeyVault --expand resourceTypes/properties
az resource seems only to work on existing resources.
If you just want to extract Azure ARM template format, try the PowerShell below:
$webRequest = Invoke-WebRequest "https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults"
$webRequest.ParsedHTML.getElementsByClassName("lang-json") | % innerHTML
It works under 5.0:
Could someone please let me know how to list all the DBR workspaces under a particualr subscription in Azure.
I have tried Az Cli Option but it doesn't have any option to list any workspace.
you can always use something like this:
az resource list --resource-type "Microsoft.Databricks/workspaces"
so use a generic command to query the rest api directly (what the other answer suggests) but using Azure CLI, so you dont need to handle the auth\tokens\etc
ps. you'd first need to change your Azure CLI context to that subscription with:
az account set -s "sub_name_goes_here"
You can use the REST API,
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Databricks/workspaces?api-version=2018-04-01