I have a specific requirement for ARM templates and Azure API Management, so this question is different than other conditional ARM deployment questions.
Some background:
My APIM instance is deployed using ARM templates; however, custom domains need to be set up but cannot be part of it. This is because my customer stores their certificates in a different system.
This means the custom domains are set up separately (manually) for the APIM instance, right after the instance was created by the ARM template.
The ARM template also applies the global policy and creates the products. I use a linked template setup.
The issue arises when we want to update something on the APIM instance, like extending the global policy or adding a product. Then the ARM template will also update the instance, but should leave the custom domain section untouched. According to the documentation, using 'incremental' mode leaves resources not in the ARM template untouched. So I thought to solve it by just leaving out the 'hostnameConfigurations' section in the ARM template. However, it seems the ARM template doesn't ignore it, but interprets it as empty and effectively removes the custom domains from the APIM instance!
This doesn't seem like normal behavior, but I have to live with it. To solve this I have a couple of options.
One of them is extracting the global policies and products from the generic APIM ARM template, so I can skip the APIM instance part when updating. This would mean I have to run multiple separate ARM templates on creating the resources.
The solution I'd like to go for, is to conditionally deploy the ARM template creating the APIM instance, to only creating. I want to skip this linked template when the resource already exists.
I thought I could do this by getting a reference to the APIM instance, but according to the documentation "The reference function derives its value from a runtime state, and therefore can't be used in the variables section.".
Question: Is it possible to conditionally deploy a linked ARM template, based on the fact whether a resource already exists or not?
The answer is no. You cannot really do that. Unless you are investigating different hacky ways. You can call an Azure function to decide if the resource exists. You can use an output from the deployment to decide if the resource exists. But straight up there is nothing that can help you. Only different hacks.
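Added example, not part of the original question or answer: one workaround of the kind the answer alludes to is to check for the APIM instance outside the template and pass the result in as a bool parameter that gates the linked deployment through the ARM `condition` element. The parameter name `deployApimInstance` and the file name `azuredeploy.json` are assumptions; the check fails closed so that an authentication or network error never triggers a redeploy that would wipe the custom domains.

```shell
#!/usr/bin/env bash
# Added example (not the poster's code). Assumed names: deployApimInstance, azuredeploy.json.
#
# Template side (assumed): the linked deployment that creates the APIM instance
# carries a condition, so it is skipped when the parameter is false:
#   "condition": "[parameters('deployApimInstance')]",
#   "type": "Microsoft.Resources/deployments", ...

# Prints "true" if the APIM service is absent and must be created,
# "false" if it already exists. Returns non-zero if the lookup itself fails.
# $1 = resource group, $2 = APIM service name
should_deploy_apim() {
  local count
  # "az resource list" returns an empty list (exit 0) when nothing matches,
  # so "not found" is distinguishable from "could not query".
  count=$(az resource list \
            --resource-group "$1" \
            --resource-type "Microsoft.ApiManagement/service" \
            --name "$2" \
            --query "length(@)" \
            --output tsv) || return 1
  if [ "$count" = "0" ]; then
    echo true
  else
    echo false
  fi
}

# Runs the incremental deployment with the computed flag.
deploy() {
  local flag
  flag=$(should_deploy_apim "$1" "$2") || {
    echo "existence check failed; not deploying" >&2
    return 1
  }
  az deployment group create \
    --resource-group "$1" \
    --mode Incremental \
    --template-file azuredeploy.json \
    --parameters deployApimInstance="$flag"
}

# Usage: ./deploy.sh <resource-group> <apim-name>
if [ "$#" -eq 2 ]; then
  deploy "$1" "$2"
fi
```
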
I am working on IaC in Azure. I need to create a user group via ARM template. Is it possible to accomplish this task in this manner?
Unless something has changed recently, no. You can use the MS Graph API. You can set up PowerShell Scripts to run. Etc. And if you need this as part of the pipeline, there is likely a plug in on marketplace, if keyed on pipeline.
But I am trying to understand the need for creating a new group as part of the IaC. Is this because you need it configurable for different types of installs through pipelines? In general, I don't mix security with infrastructure unless I am making a product for others to install, so just trying to make sure you are not heading down a bad road. Do you mean resource groups instead?
I have an Automation Account linked with a Log Analytics Workspace and the Updates solution enabled on it. Everything has been created automatically by ARM Templates or Terraform code and I am trying to find any way to add solution targeting for Update Management only for particular VMs. When I add this solution by Azure Portal and link Automation Account with Log Analytics workspace from Update Management menu, it added automatically "MicrosoftDefaultScopeConfig-Updates" scope.
Is there any way to add scope by ARM Template or Terraform code? Or maybe in another automated way, for example with a PowerShell script?
Related / Duplicate question is raised in this MSDN thread; Just sharing this for the benefit of broader audience who might face similar issue and might look for an answer.
In the Azure API portal there is the Automation script tab, but that generates the ARM template for the entire resource group. It also includes a lot of other stuff that needed.
Is there a (simple) way to get hold of the ARM template for a specific API rather than the entire resource group? Can it be done through Azure CLI? The REST API?
Yes, use the Azure Resource Explorer to locate your resource; the URI at the top of the page will provide you a link to the template (requires authentication if you want to call it from outside of Resource Explorer).
I also always refer back to the reference documentation on ARM templates, it is a very good place to start from. Whilst it doesn't give you your exact template, it does give you a very clear base to start from (example below). I find this far more productive than trying to read the templates in the "Automation Script" section of the portal.
Good luck.
No, you cannot do that. There is only 1 resource provider action to export and it exports the whole resource group. Just remove all the extra parts.
I'm trying to set a standard virtual machine template via ARM deployed on the Azure portal and feel I'm missing a trick.
When deploying a virtual machine via Azure you can select existing vnets and based off your selection you can select a subnet.
Via the ARM template deployment method I do not see a way other than putting all the subnets in the allowed values and hoping the end user chooses the right one.
Can anyone help?
There's no easy way of doing this currently. Managed Applications might be of value there, but they are not exactly ARM templates. But they have some controls to allow for "smart" value picking.
I suppose I can generate a PowerShell script that queries Azure dependent on selections and fill in the ARM template from said selections. Just would be nice if could have built in the intelligence within ARM deployment.
Thank you for the managed applications information
I'm currently building out a number of virtual machines in Azure using a template that we've built out. I would like to be able to pull the name of the user who chose to deploy this template so that we can verify a number of things exist on the server for them (i.e. userid). Is there any way to do this? Any help would be appreciated.
No, this is not possible using ARM templates (unless using some pretty horrible\unreliable\outside of ARM template hacks).
You could probably work around that by creating a parameter where the user inputs his details, but even then the second part of your plan will fail. You cannot really do checks on the OS level configurations from the template.
ARM templates aren't meant to actually check things, and while some interactions are possible, they are very limited (like listKeys).