I am working to build a ci/cd pipeline for AKS. the first task set is "Azure resource group deployment" which is used for creating vnet /subnet for the AKS .
The intention is to skip the task next time onwards since the vnet and subnet are already in place. Second time onwards getting the following error -
BadRequest: { "error": { "code": "InUseSubnetCannotBeDeleted", "message": "Subnet AKSSubnet is in use by /subscriptions/***************************************/resourceGroups/MC_**************-CLUSTER_eastus/providers/Microsoft.Network/networkInterfaces/aks-agentpool-
########-nic-0/ipConfigurations/ipconfig1 and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.", "details": [] } }
Error: Task failed while creating or updating the template deployment.
Looks like the task is trying to delete the subnet instead of skipping it. What is the resolution?
It is using following arm templates : azuredeploy.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vnetName": {
"type": "string",
"defaultValue": "GEN-VNET-NAME",
"metadata": {
"description": "Name of the virtual Network"
}
},
"vnetAddressPrefix": {
"type": "string",
"defaultValue": "10.10.0.0/16",
"metadata": {
"description": "Address prefix"
}
},
"subnetPrefix": {
"type": "string",
"defaultValue": "10.10.0.0/24",
"metadata": {
"description": "Subnet Prefix"
}
},
"subnetName": {
"type": "string",
"defaultValue": "Subnet",
"metadata": {
"description": "GEN-SUBNET-NAME"
}
}
},
"variables": {},
"resources": [
{
"apiVersion": "2018-06-01",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('vnetName')]",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('vnetAddressPrefix')]"
]
}
},
"resources": [
{
"apiVersion": "2018-06-01",
"type": "subnets",
"location": "[resourceGroup().location]",
"name": "[parameters('subnetName')]",
"dependsOn": [
"[parameters('vnetName')]"
],
"properties": {
"addressPrefix": "[parameters('subnetPrefix')]"
}
}
]
}
],
"outputs": {
"vnetName": {
"type": "string",
"value": "[parameters('vnetName')]"
},
"subnetName": {
"type": "string",
"value": "[parameters('subnetName')]"
}
}
}
azuredeploy.parameters.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vnetName": {
"value": "###########"
},
"vnetAddressPrefix": {
"value": "10.10.0.0/16"
},
"subnetPrefix": {
"value": "10.10.0.0/24"
},
"subnetName": {
"value": "######"
}
}
}
What is happening right here - your template is coded in such a fashion:
vnet resources
empty subnets property
subnet resource(s)
bla-bla-bla
and what is happening here it is trying to coerce the vnet to have 0 subnets, due to how you authored your template. you have 2 options:
put a condition on the vnet resource definition and pass a parameter to it if the build number is greater than 1 (or just manually specify at build time whether to skip it or not).
modify your template to look like so:
vnet resource
subnets property populated with subnets
bla-bla-bla
essentially, this has nothing to do with Azure Devops.
Related
I am working on a common template where it uses different vnet in each Region. How do we change the template based on location, set vnet name.
Can we use if (resourcegroup.location) ?
I think that I know what it's happening to you, you are not comparing against a valid value, "EastUs" it's not the resourceGroup().location, in this case is "eastus". You can make a test deployment ande see the output to check that kind of values.
I have modified the template that you have passed in the comments to do what you wanted.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_ZRS",
"Premium_LRS"
],
"metadata": {
"description": "Storage Account type"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"storageAccountName": "[if(equals(resourceGroup().location,'eastus'),'eastusstorageaccount','noteastusstorageaccount')]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2018-07-01",
"name": "[variables('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('storageAccountType')]"
},
"kind": "StorageV2",
"properties": {}
}
],
"outputs": {
"storageAccountName": {
"type": "string",
"value": "[variables('storageAccountName')]"
},
"location": {
"type": "string",
"value": "[resourceGroup().location]"
}
}
}
To do what you want in a dynamic way, I would try to encode the name of the vbnet. Something like this:
eastusvbnet
westeuropevbnet
uksouthvbnet
And in the variable I will put this:
"variables": {
"storageAccountName": "[concat(resourceGroup().location,'vbnet')]"
}
I'm trying to manage CA certificates in Azure APIM through ARM but everything I tried gave no positive result.
For visualization, this is what I'm talking about:
When I look at the schema Microsoft.ApiManagement/service, there's a section for certificates where I can set the storeName variable but without results.
For sanity, I tried to upload it though Powershell plus manually and both option worked but that CA Certificate got wiped from the APIM at each deployment of my ARM template even if I used the "Incremental" option.
First I tried to modify the APIM ARM template by adding that block to the "properties" section:
"certificates": [
{
"encodedCertificate": "[parameters('RootCertificateBase64Content')]",
"certificatePassword": "[parameters('RootCertificatePassword')]",
"storeName": "Root"
}]
Here's my first test snippet for complete traceability:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"apimName": {
"type": "string",
"metadata": {
"description": "Name of the apimanagement"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"sku": {
"type": "string",
"allowedValues": [
"Developer",
"Standard",
"Premium"
],
"defaultValue": "Developer",
"metadata": {
"description": "The pricing tier of this API Management service"
}
},
"skuCapacity": {
"type": "string",
"allowedValues": [
"1",
"2"
],
"defaultValue": "1",
"metadata": {
"description": "The instance size of this API Management service."
}
},
"subnetResourceId": {
"type": "string",
"metadata": {
"description": ""
}
},
"RootCertificateBase64Content": {
"type": "string",
"metadata": {
"description": "The Root certificate content"
}
},
"RootCertificatePassword": {
"type": "string",
"metadata": {
"description": "The Root certificate password"
}
}
},
"variables": {
"publisherEmail": "whatever#heyho.com",
"publisherName": "Whatever Team",
"notificationSenderEmail": "whatever#heygo.com"
},
"resources": [
{
"apiVersion": "2019-12-01",
"name": "[parameters('apimName')]",
"type": "Microsoft.ApiManagement/service",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('sku')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"notificationSenderEmail": "[variables('notificationSenderEmail')]",
"publisherEmail": "[variables('publisherEmail')]",
"publisherName": "[variables('publisherName')]",
"virtualNetworkConfiguration": {
"subnetResourceId": "[parameters('subnetResourceId')]"
},
"virtualNetworkType": "Internal",
"certificates": [
{
"encodedCertificate": "[parameters('RootCertificateBase64Content')]",
"certificatePassword": "[parameters('RootCertificatePassword')]",
"storeName": "Root"
}]
},
"identity": {
"type": "SystemAssigned"
}
}
],
"outputs": {
"apiManagementPrivateHostIp": {
"type": "string",
"value": "[reference(concat(resourceId('Microsoft.ApiManagement/service', parameters('apimName')))).privateIPAddresses[0]]"
}
}
}
Second alternative I tried was to use the Microsoft.ApiManagement/service/certificates schema. There is no option there to specify the StoreName so I assumed it wasn't the right schema but I tried anyway. All attempts generated a certificate in the built-in Certificates store instead of the CA Certificates store.
Here's my second attempt's snippet:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"apimName": {
"type": "string",
"metadata": {
"description": "The parent APIM name"
}
},
"certificateName": {
"type": "string",
"metadata": {
"description": "The certificate name"
}
},
"CertificateBase64Content": {
"type": "string",
"metadata": {
"description": "The content of the certificate"
}
},
"CertificatePassword": {
"type": "string",
"metadata": {
"description": "The certificate password"
}
}
},
"resources": [
{
"name": "[concat(parameters('apimName'), '/Root/', parameters('certificateName'))]",
"type": "Microsoft.ApiManagement/service/certificates",
"apiVersion": "2019-01-01",
"properties": {
"data": "[parameters('CertificateBase64Content')]",
"password": "[parameters('CertificatePassword')]"
}
}
],
"outputs": {}
}
While looking at terraform documentation, it seems that it's possible to manage these certificates through the base schema and I confirmed that through the terraform azurerm provider source code (Unfortunately I cannot use Terraform and I MUST use ARM in that scenario).
Any clues on how to manage CA certificates in Azure APIM through ARM?
I assume you want to update CA certificate authority sections of already existing APIM? If yes then just provide all required properties for Microsoft.ApiManagement/service but for name use already existing APIM name that you want to update and choose the same resource group.
Thanks to this, it will just update existing APIM with properties you provided, instead of creating new APIM. The required properties are name, type, apiVersion, location, sku, properties. For properties you need to provide publisherEmail and publisherName, and of course certificates - this is what you want to update after all. So the absolute minimum for update will look like this:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters":{
"base64EncodedCertificate":{
"defaultValue":"base64 encoded certificate",
"type":"String"
},
"certificatePassword":{
"defaultValue":"certificate password",
"type":"String"
}
},
"variables": {},
"resources": [
{
"name": "existing-apim-name",
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2021-01-01-preview",
"location": "West Europe",
"sku": {
"name": "Developer",
"capacity": 1
},
"properties": {
"publisherEmail": "publisher#gmail.com",
"publisherName": "Publisher Name",
"certificates": [
{
"encodedCertificate": "[parameters('base64EncodedCertificate')]",
"certificatePassword": "[parameters('certificatePassword')]",
"storeName": "Root"
}
]
}
}
]
}
Watch out. certificates array must contain all certificates that you want to have on this APIM. All existing CA certs that are not in this array will be deleted.
I have an existing Event Grid Topic and want to add an Event Subscription to it, with an existing Azure Function endpoint.
To achieve this I am using Linked Templates. ARM Template validation passes, but deployment fails, with quite a peculiar error:
"InvalidResourceNamespace: "The resource namespace 'subscriptions' is invalid. (Code: InvalidResourceNamespace)"
Here's the raw error:
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "InvalidContentLink",
"message": "Unable to download deployment content from 'https://storagearmtpl.blob.core.windows.net/arm-tpl-service-cd-11111-artifacts/nestedtemplates/eventGridSubscriptionTemplate.json?sv=sasartifactsstring'. The tracking Id is '11111111'. Please see https://aka.ms/arm-deploy for usage details."
},
{
"code": "InvalidResourceNamespace",
"message": "The resource namespace 'subscriptions' is invalid."
}
]
}
Where sasartifactsstring is a valid artifacts locations sas token. (I'm assuming, it looks correct)
I understand that this error stems from the "type" of the resource in the template being invalid, but as you can see below, it's simply Microsoft.EventGrid/topics/providers/eventSubscriptions.
/nestedtemplates/eventGridSubscriptionTemplate.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"subscriptionName": {
"type": "string",
"metadata": {
"description": "Name of the event grid subscription"
}
},
"topicName": {
"type": "string",
"metadata": {
"description": "Event grid Topic Name to Subscribe."
}
},
"functionResourceGroupName": {
"type": "string",
"metadata": {
"description": "Resource group name for functionapp"
}
},
"functionAppName": {
"type": "string",
"metadata": {
"description": "function app name"
}
},
"subscriptionId": {
"type": "string",
"metadata": {
"description": "The id string of the Azure subscription"
}
},
"topicResourceGroupName": {
"type": "string",
"metadata": {
"description": "The name of the topic resource group"
}
}
},
"variables": {},
"resources": [
{
"name": "[concat(parameters('topicName'), '/Microsoft.EventGrid/', parameters('subscriptionName'))]",
"type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
"location": "[resourceGroup().location]",
"apiVersion": "2020-06-01",
"properties": {
"topic": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('topicResourceGroupName'), 'providers/Microsoft.EventGrid/topics/', parameters('topicName'))]",
"destination": {
"endpointType": "AzureFunction",
"properties": {
"resourceId": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('functionResourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/functions/HelloWorld')]",
"maxEventsPerBatch": 1,
"preferredBatchSizeInKilobytes": 64
}
},
}
},
"dependsOn": [
]
}
],
"outputs": {}
}
/azuredeploy.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"_artifactsLocation": {
"type": "string"
},
"_artifactsLocationSasToken": {
"type": "securestring"
},
"functionResourceGroupName": {
"type": "string"
},
"functionAppName": {
"type": "string"
},
"topicName": {
"type": "string"
},
"topicResourceGroupName": {
"type": "string"
},
"subscriptionId": {
"type": "string"
}
},
"variables": {
"templateFolder": "nestedtemplates",
"subscriptionTemplateFileName": "eventGridSubscriptionTemplate.json"
},
"resources": [
{
"name": "functionsubscription"
"type": "Microsoft.Resources/deployments",
"apiVersion": "2017-05-10"
"resourceGroup": "[parameters('topicResourceGroupName')]",
"dependsOn": [ ],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat(parameters('_artifactsLocation'), '/', variables('templateFolder'), '/', variables('subscriptionTemplateFileName'), parameters('_artifactsLocationSasToken'))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"subscriptionName": {
"value": "FunctionSubscription"
},
"topicName": {
"value": "[parameters('topicName')]"
},
"functionResourceGroupName": {
"value": "[parameters('functionResourceGroupName')]"
},
"functionAppName": {
"value": "[parameters('functionAppName')]"
},
"topicResourceGroupName": {
"value": "[parameters('topicResourceGroupName')]"
},
"subscriptionId": {
"value": "[parameters('subscriptionId')]"
}
}
}
}
]
}
azure deploy parameters file
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
,
"functionResourceGroupName": {
"value": "functionResourceGroup"
},
"functionAppName": {
"value": "functionAppName"
},
"subscriptionId": {
"value": "1111111111"
},
"topicName": {
"value": "topicName"
},
"topicResourceGroupName": {
"value": "topicResourceGroup"
}
}
Really not sure what I'm doing wrong here. Worth noting that the first error is annoying as well and I'm not sure why it can't download the deployment content...
update/edit:
It's worth noting that the release is using Classic Azure Release Pipelines. And the error comes up during the release.
Looking into the deployment logs for the resource group, I was able to see that the deployment was trying to deploy an invalid resource, with the type starting "subscriptions/.....", so at least I know where the error is coming from. Still investigating what is causing this misread...
The cause of the odd 'subscriptions' error was due to the fact that I inserted a new resource into my resources list in my deployment (parent) ARM template, but not at the end of the list.
Once I put the deployment resource that references the new event grid subscription at the end of the resources list, the error did not show up.
azuredeploy.json
resources: [
{all other existing deployment resources ....},
{
"name": "functionsubscription"
"type": "Microsoft.Resources/deployments",
"apiVersion": "2017-05-10"
"resourceGroup": "[parameters('topicResourceGroupName')]",
"dependsOn": [ ],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat(parameters('_artifactsLocation'), '/', variables('templateFolder'), '/', variables('subscriptionTemplateFileName'), parameters('_artifactsLocationSasToken'))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"subscriptionName": {
"value": "FunctionSubscription"
},
"topicName": {
"value": "[parameters('topicName')]"
},
"functionResourceGroupName": {
"value": "[parameters('functionResourceGroupName')]"
},
"functionAppName": {
"value": "[parameters('functionAppName')]"
},
"topicResourceGroupName": {
"value": "[parameters('topicResourceGroupName')]"
},
"subscriptionId": {
"value": "[parameters('subscriptionId')]"
}
}
}
}
]
However, I am still dealing with the InvalidContentLink error, the main problem of the question has been resolved.
I have some arm template where creation of subnet resource is dependent on creation of VNet. Below is the code:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vnetName": {
"type": "string",
"metadata": {
"description": "Name of the Virtual Network"
}
},
"vnetAddressPrefix": {
"type": "string",
"metadata": {
"description": "The IP Address pool for the virtual network in CIDR format."
}
},
"subnetPrefix": {
"type": "string",
"metadata": {
"description": "The IP Address pool for the Subnet in CIDR format."
}
},
"subnetName": {
"type": "string",
"metadata": {
"description": "Name of the Subnet"
}
}
},
"variables": {
"templateBaseUrl": "[deployment().properties.templateLink.uri]",
"virtualNetworkTemplateUrl": "[uri(variables('templateBaseUrl'), 'VirtualNetwork.json')]",
"subnetTemplateUrl": "[uri(variables('templateBaseUrl'), 'Subnet.json')]",
"parametersUrl": "[uri(variables('templateBaseUrl'), 'networksubnetnsgtest.parameters.json')]"
},
"resources": [
{
"apiVersion": "2017-05-10",
"name": "VnetDeployment",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('virtualNetworkTemplateUrl')]"
},
"parameters": {
"uri": {
"value": "[variables('parametersUrl')]"
}
}
}
},
{
"apiVersion": "2017-05-10",
"name": "SubnetDeployment",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('subnetTemplateUrl')]"
},
"parameters": {
"uri": {
"value": "[variables('parametersUrl')]"
}
}
},
"dependsOn": [
"VnetDeployment"
]
}
],
"outputs": {
"returnedVnetName": {
"type": "string",
"value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
},
"returnedVnetAddressPrefix": {
"type": "string",
"value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetAddressPrefix'))]"
}
}
}
Few parameters are saved in parameter file referred by parameterUrl variable, as you can see. But apart from this, i need to pass additional parameters say like password or any required parameter , which i may be reading from external sources like vault, and need to pass from commandline.
How will i pass this in parameters section within resources.
Command i am using to deploy azure template is below:
az group deployment create --resource-group testrg --template-file ${WORKSPACE}/azuredeploy.json --parameters #${WORKSPACE}/networksubnetnsgtest.parameters.json --parameters DBMasterUserPassword=${DBMasterUserPassword}
excerpt from official documentation:
az group deployment create -g MyResourceGroup --template-file azuredeploy.json \
--parameters #params.json --parameters https://mysite/params.json --parameters MyValue=This MyArray=#array.json
https://learn.microsoft.com/en-us/cli/azure/group/deployment?view=azure-cli-latest#examples
I am creating new NSG with ARM template and updating the subnets at the same ARM template. I would like to be able to get subnets addressprefix with "reference" but when doing so I always get the circular dependency detected. Is there any way around it? My subnet arm template section looks like this:
{
"name": "[parameters('subnetName')]",
"properties": {
"addressPrefix": "[reference(resourceId(variables('ResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName')), '2018-03-01').addressPrefix]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]"
}
}
},
Here is a link on how to apply a NSG to an existing subnet:
Apply a NSG to an existing subnet
This template uses a link template to workaround the circular reference but you can also use a nested template to do the same in the same ARM template (see Using linked and nested templates when deploying Azure resources)
Here is an ARM template that do the same using a nested template:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.1",
"parameters": {
"virtualNetworkName": {
"type": "string",
"metadata": {
"description": "The name of the existing VNet"
}
},
"subnetName": {
"type": "string",
"defaultValue": "default",
"metadata": {
"description": "The name of the existing subnet."
}
},
"nsgName": {
"type": "string",
"metadata": {
"description": "The name of the new nsg."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[parameters('nsgName')]",
"location": "[resourceGroup().location]",
"apiVersion": "2018-03-01",
"properties": {
}
},
{
"apiVersion": "2017-08-01",
"name": "apply-nsg-to-subnet",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "[resourceGroup().name]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-03-01",
"type": "Microsoft.Network/virtualNetworks/subnets",
"name": "[concat(parameters('virtualNetworkName'), '/', parameters('subnetName'))]",
"location": "[resourceGroup().location]",
"properties": {
"addressPrefix": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName')), '2018-03-01').addressPrefix]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
}
}
}
]
}
}
}
],
"outputs": {}
}