Using terraform and Azure ARM template, in order to configre event grid with a particular azure function, I am trying to recover some values in a terraform output.
Indeed, I have this ARm template deployment to have the systems keys of a particular function:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"functionApp": {
"type": "string",
"defaultValue": ""
}
},
"variables": {
"functionAppId": "[resourceId('Microsoft.Web/sites', parameters('functionApp'))]"
},
"resources": [],
"outputs": {
"systemKeys": {
"type": "object",
"value": "[listkeys(concat(variables('functionAppId'), '/host/default'), '2018-11-01').systemKeys]"
}
}
}
My deployment working well, because I can see in Azure Portal that there are in output a json objecy like this:
{
"durabletask_extension": "ASensituveValueIDoNotShareForDurableTaskExtension==",
"eventgrid_extension": "ASensituveValueIDoNotShareForEventGridExtension=="
}
Now the purpose is to get one of this value in a terraform output.
I tried these but I have got some errors:
output "syst_key" {
value = "${azurerm_template_deployment.function_keys.outputs["systemKeys"]}"
}
Error: on outputs.tf line 69, in output "syst_key":
69: value = "${azurerm_template_deployment.function_keys.outputs["systemKeys"]}"
|----------------
| azurerm_template_deployment.function_keys.outputs is empty map of string
output "syst_keys" {
value = "${lookup(azurerm_template_deployment.function_keys.outputs, "systemKeys")}"
}
Error: on outputs.tf line 77, in output "syst_key":
77: value = "${lookup(azurerm_template_deployment.function_keys.outputs, "systemKeys")}"
|----------------
| azurerm_template_deployment.function_keys.outputs is empty map of string
Call to function "lookup" failed: lookup failed to find 'systemKeys'.
In order to trigger eventgrid on this function I have to recover the values in terraform output of systemKeys from my ARM deployment template. I know that the deployment is working well, I just don't know how to recover theses values with terraform.
For your issue, you need to take care that only the type String, Int and Bool are supported in Terraform. So you need to change the output type in the template, then you can output them in Terraform. For more details, see outputs. And the right output in Terraform is below:
output "syst_key" {
value = "${azurerm_template_deployment.function_keys.outputs["systemKeys"]}"
}
Related
I feel really dump right now but I just can't get this to work. Kind of new to ARM Templates so sorry for my ignorance.
I am trying to use a parameters.json with New-AzResourceGroupDeployment but I want to dynamically feed it in the VMName.
I am trying to use this for the NSG name:
"value": "[concat(variables('vmName'),'-nsg')]"
But I get back an error of:
New-AzResourceGroupDeployment: 6:39:21 AM - Error:
Code=InvalidResourceName; Message=Resource name
[concat(variables('vmName'),'-nsg')] is invalid. The name can be up to
80 characters long. It must begin with a word character, and it must
end with a word character or with ''. The name may contain word
characters or '.', '-', ''.
What am I missing?
Where do you use the Concat function? Because ARM template functions are only available in the ARM template itself, not in the .parameters.json file.
Edit as a response:
It really depends on the use case but I would do something like this in the main ARM template if the 'nsg' value does not change for the given ARM template. If it does then define a second parameter 'vmsuffix' and concat both parameters into the full VMname.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"VmName": {
"type": "string",
"defaultValue": ""
}
},
"variables": {
"FullVmName": "[concat(parameters('VmName'), 'nsg')]"
},
"resources": [
{
...
## Use the [variables('FullVmName') somewhere here
}
]
}
I have defined an azurerm_resource_group_template_deployment my_rm which has ARM template source:
{
...
"parameters": {... },
"resources": [ ... ],
"outputs": {
"db_name": {
"type": "string",
"value": "test_value"
}
}
}
I would like to use this output in terraform, like:
output "db_name" {
value = azurerm_resource_group_template_deployment.my_rm.output_content["db_name"]
}
Unfortunately above definition returns empty value.
What is the correct way to define the output in terraform?
The output_content exports the JSON Content of the Outputs of the ARM Template Deployment.
After my validation, you could output the content with
output "db_name" {
value = azurerm_resource_group_template_deployment.my_rm.output_content
}
Then run terraform apply, you will see the output result, then you can change to filter the result with
output "db_name" {
value = jsondecode(azurerm_resource_group_template_deployment.my_rm.output_content).db_name.value
}
Please note that the db_name is not the same declaration db_name in your terraform code, it really should match the output JSON key in the first above step.
For example,
I have a misunderstanding how blueprint outputs works and how to properly import values from one artifact to another.
Let me describe my attempts to get variable from artifact:
I have created two artifacts inside resource groups:
I have tried to transfer variables like vnet_name, vnet_addresses from VNET artifact to SUBNET_AKS artifact using the following syntax:
VNET:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
........
"outputs": {
"vnet_name_output": {
"type": "string",
"value": "[variables('vnet_name')]"
},
"vnet_ip_range_output": {
"type": "string",
"value": "[parameters('vnet_ip_range')]"
},
"vnet_path_output": {
"type": "string",
"value": "[resourceId('Microsoft.Network/virtualNetworks', variables('vnet_name'))]"
}
}
}
Next step was to add output variable to SUBNET_AKS artifacts:
"resources": [
{
"apiVersion": "2018-04-01",
"type": "Microsoft.Network/virtualNetworks/subnets",
"name": "[concat(artifacts('VNET').outputs.vnet_name_output, '/', concat(parameters('deployment_prefix'),'-aks-subnet'))]",
But the following error appears:
Deployment template validation failed: 'The template resource '[concat(artifacts('VNET').outputs.vnet_name_output, '/', concat(parameters('deployment_prefix'),'-aks-subnet'))]' at line '27' and column '9' is not valid: The template function 'artifacts' is not valid. Please see https://aka.ms/arm-template-expressions for usage details.. Please see https://aka.ms/arm-template-expressions for usage details.'.
How can I understand how outputs parameters should properly work in Azure Blueprint definition?
Azure Blueprint is just an orchestration layer responsible for the ordering and deployment of artifact(s). ARM templates are one of three valid types - policyAssignment and roleAssignment are the other two.
This means you have two "template" artifacts: VNET and SUBNET_AKS. Each one should be treated like an actor / black-box, meaning you can only use functions available to ARM templates. If you need a parameter from the Blueprint it must come in as a parameter.
That is why you are getting that particular syntax error. The artifacts() function is only available to Blueprints.
Instead, you need to update your ARM template so that it specifies a named output value. In your Azure Blueprint, you can reference the output of a prior artifact as an input parameter to a subsequent Blueprint artifact.
Hopefully these code snippets and docs can point you in the right direction.
How do i identify the azure resource is exists or not in the ARM templates by the resource type and identifier
It is actually kind of possible. You can use resource group tags to mark a current deployed version and skip deployment if the tag is set. All this could be achieved via linked template.
Note that we don't check for resource existence per se but we still allow writing ARM template that could contain one time initialization templates. The last will restore the resource if resource group was deleted and resources were lost (given that you created the resource group again). You can extend this to support per-resource tags which will be more useful in some cases.
The template that starts the deployment may look like this:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"DeploymentTemplateLink": {
"type": "string"
},
"DeploymentVersion": {
"defaultValue": 1,
"type": "int"
}
},
"variables": {
"rgWithDefaultVersion": {
"tags": {
"Version": "0"
}
}
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2017-05-10",
"name": "DeploymentTemplate",
"condition": "[less(int(union(variables('rgWithDefaultVersion'), resourceGroup()).tags['Version']), parameters('DeploymentVersion'))]",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[parameters('DeploymentTemplateLink')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"DeploymentVersion": {
"value": "[parameters('DeploymentVersion')]"
}
}
}
}
]
}
The linked template's condition looks into tags and returns true only if current version (stored in the tag) is less than the requested one. You don't actually have to maintain versioning: just don't set the DeploymentVersion parameter and it will deploy only for the first time. If you decide to redeploy anyway you have always an option to increase the version, which will cause deployment of the linked template (aka "main deployment").
The main deployment template is on you, but it should contain a tags resource in order to maintain the logic.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"DeploymentVersion": {
"defaultValue": 1,
"type": "int"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/tags",
"name": "default",
"apiVersion": "2019-10-01",
"dependsOn": [],
"properties": {
"tags": {
"Version": "[string(parameters('DeploymentVersion'))]"
}
}
}
]
}
Remark for those who didn't understand the union() and rgWithDefaultVersion thing. ARM template deployment will fail if referenced object doesn't contain a property. In our case we have two such properties: 'tags' and 'Version'. 'Tags' will exist only if particular resource group has or ever had tags. 'Version' will exist only after we already wrote it once (in the main deployment). Therefore before we access them we perform union() operation on returned object with a proper default one, ensuring that we can safely access the mentioned properties.
there is no way of doing that in an arm template. you can use some external source (like powershell) to determine that and pass in parameter with appropriate value, alternatively you can use tags to figure that out (have a tag that represents an existence\absence of a resource).
Resource Manager provides the following functions for getting resource values: Resource functions for Azure Resource Manager templates
You could wrap your template with a piece of powershell\whatever, that would determine if the resource exists, and pass in the parameter value depending on that and use a conditional statement in the template that would decide what to do based on the input (but the input has to come from elsewhere)
I needed a solution to this recently to basically do an incremental update to a SQL server. Since you can't do this; the template will fail with a NameAlreadyExists error.
So I needed to check the resource doesn't exist and only create if it doesn't.
Add a "condition" check for the azure resource id exists; don't create if it does.
{
...
"condition": "[empty(resourceId('[resourceGroup().id]', 'Microsoft.SQL/servers', parameters('serverName')))]",
...
}
You can do this for any resource type.
I'm using the following piece of code in my ARM template parameters file to retrieve the secret value from keyvault:
"parameters": {
"mailAccount": {
"reference": {
"keyVault": {
"id": "/subscriptions/GUID/resourceGroups/KeyVaultRG/providers/Microsoft.KeyVault/vaults/KeyVault"
},
"secretName": "mailAccount"
}
},
and in the template file:
"appSettings": [
{
"name": "mailAccount",
"value": "[parameters('mailAccount')]"
},
{
I'd like to know if it is possible to reference a KeyVault by its name using dynamically constructed object (i.e. not /subscriptions/GUID/resourceGroups/KeyVaultRG/providers/Microsoft.KeyVault/vaults/KeyVault but [resourceId(subscription().subscriptionId, resourcegroup().name, 'Microsoft.KeyVault/vaults', parameters('KeyVaultName'))]) or [resourceId('Microsoft.KeyVault/vaults', parameters('KeyVaultName'))] ?
In fact, the main objective is to be able to pass the different KeyVault names when deploying templates - where the similar values are stored.
The need to have several KeyVaults is justified by the resources (and cost) separation.
Now I see only validation errors saying ~ resourceId function cannot be used while referencing parameters.
I cannot use nested\linked templates (and output values).
What I am usually doing to avoid this limitation of the resourceId function is to define a variable with the value of the parameter, then using the variable instead in the resourceId function.
Example:
"parameters": {
"KeyVaultName": {
"type": "string",
"metadata": {
"description": "Key Vault Name"
}
}
},
"variables": {
"KeyVaultName": "[parameters('KeyVaultName')]"
}
Then when I am referencing the KeyVault resource I reference it using the variable like this:
"[resourceId('Microsoft.KeyVault/vaults', variables('KeyVaultName')]"