Develop Reference

Unable to enable soft delete on Key Vault via ARM Template

I'm attempting to enable soft delete on a pre-existing Key Vault via a ARM template (The KV was provisioned using ARM). I've checked the template reference documentation and I've added the enableSoftDelete property in the template.
Here's my full ARM template:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault_name": {
"type": "string"
},
"keyVault_secrets": {
"type": "array"
},
"keyVault_location": {
"type": "string"
},
"accessPolicies": {
"type": "array"
},
"tenant": {
"type": "string"
},
"sku": {
"type": "string"
},
"redeploy_keyVault_Instance": {
"type": "bool"
},
"softDeleteRetentionPeriodInDays": {
"type": "int"
}
},
"variables": {},
"resources": [
{
"apiVersion": "2016-10-01",
"name": "[parameters('keyVault_name')]",
"location": "[parameters('keyVault_location')]",
"type": "Microsoft.KeyVault/vaults",
"properties": {
"enabledForDeployment": false,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": false,
"accessPolicies": "[parameters('accessPolicies')]",
"enableSoftDelete": true,
"softDeleteRetentionInDays": "[parameters('softDeleteRetentionPeriodInDays')]",
"tenantId": "[parameters('tenant')]",
"sku": {
"name": "[parameters('sku')]",
"family": "A"
}
},
"condition": "[parameters('redeploy_keyVault_Instance')]"
},
{
"apiVersion": "2016-10-01",
"name": "[concat(parameters('keyVault_name'), '/', parameters('keyVault_secrets')[copyIndex()].secretName)]",
"type": "Microsoft.KeyVault/vaults/secrets",
"properties": {
"attributes": {
"enabled": true
},
"contentType": "string",
"value": "InvalidPassword"
},
"location": "[parameters('keyVault_location')]",
"copy": {
"name": "KeyVaultSecretCopy",
"count": "[length(parameters('keyVault_secrets'))]"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('keyVault_name'))]"
],
"condition": "[parameters('keyVault_secrets')[copyIndex()].deployTemplate]"
}
]
}
Despite adding the property, when I navigate to the portal, I see that Soft Delete is still disabled, along with Purge Protection.
I have a condition on the Key Vault that sets the Redeploy Key Vault instance to false. So with this in mind, I have two questions:
Is the condition that is set on the parameter preventing the ARM template to update the resource and if so, If I remove this condition, won't that redeploy the Key Vault and potentially remove any keys/secrets/certs that were uploaded manually?
If the condition property is not what's causing this, do I need to enable purge protection as well for the changes to take affect?

I too faced same issue sometime back. Suggest you to use latest API version as specified in below URL
https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?tabs=json

Azure Web App staging slot App Settings missing on ARM template deployment

I am working on ARM templates for some web application deployments. These templates set up a web application along with a staging slot for this application. The way I wish to handle this is to only deploy the app settings to the staging slot. By doing this I can handle rollbacks nicely as the app settings will swap with the slot and have any old values tied to the app they were deployed with. However upon deploying these ARM templates successfully I can see there are no app settings deployed to my staging slots other than website_node_default_version.
Below is a snippet of the ARM templates showing one pair of web app + staging slot:
{
"type": "Microsoft.Web/sites",
"apiVersion": "2016-08-01",
"name": "[variables('egressAppName')]",
"location": "[parameters('location')]",
"kind": "app",
"properties": {
"enabled": true,
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"clientAffinityEnabled": true
}
},
{
"type": "Microsoft.Web/sites/slots",
"apiVersion": "2016-08-01",
"name": "[concat(variables('egressAppName'),'/','staging')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('egressAppName'))]"
],
"kind": "app",
"properties": {
"enabled": true,
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"clientAffinityEnabled": true,
"appSettings": [
{
"name": "APP_INSIGHTS_INSTRUMENTATION_KEY",
"value": "[reference(resourceId(variables('rsg') ,'microsoft.insights/components/', variables('ainName')), '2015-05-01').InstrumentationKey]"
},
{
"name": "ASPNETCORE_ENVIRONMENT",
"value": "[parameters('netCoreEnvironment')]"
},
{
"name": "MONITOR_API_ACCOUNT_RATE_LIMIT",
"value": "[parameters('accountRateLimit')]"
},
{
"name": "MONITOR_API_ACCOUNT_RATE_LIMIT_WINDOW_SECONDS",
"value": "[parameters('accountLimitWindow')]"
},
{
"name": "MONITOR_API_IP_RATE_LIMIT",
"value": "[parameters('ipLimit')]"
},
{
"name": "MONITOR_API_IP_RATE_LIMIT_WINDOW_SECONDS",
"value": "[parameters('ipLimitWindow')]"
},
{
"name": "MONITOR_DATA_EXPLORER_INSTANCE_NAME",
"value": "[variables('dataExplorerName')]"
},
{
"name": "MONITOR_DATA_EXPLORER_REGION",
"value": "[parameters('location')]"
},
{
"name": "MONITOR_DIAG_ACCOUNT_APP_ID",
"value": "[parameters('diagAccountAppID')]"
},
{
"name": "MONITOR_DIAG_ACCOUNT_APP_SECRET_LOCATION",
"value": "[parameters('diagAccountAppSecret')]"
},
{
"name": "MONITOR_EGRESS_APP_TENANT",
"value": "[parameters('egressTenantID')]"
},
{
"name": "MONITOR_KEY_VAULT_APP_ID",
"value": "[parameters('keyVaultAppID')]"
},
{
"name": "MONITOR_KEY_VAULT_APP_SECRET",
"value": "[parameters('keyVaultAppSecret')]"
},
{
"name": "MONITOR_KEY_VAULT_NAME",
"value": "[variables('keyVaultName')]"
},
{
"name": "MONITOR_PGSQL_CONNECTION_STRING",
"value": "[parameters('postgresConnectionString')]"
},
{
"name": "MONITOR_TOKEN_VALIDATION_CLOCK_SKEW_SECONDS",
"value": "[parameters('validationClockSkew')]"
},
{
"name": "WEBSITE_RUN_FROM_PACKAGE",
"value": "1"
}
]
}
}
I have tried deleting just the staging slots and redeploying as well as deleting all the web apps and redeploying with no luck. At this point I'm just hoping to get more eyes over this to see if I've missed anything obvious. I'm deploying these ARM templates through Azure DevOps release pipelines using the Azure Resource Group Deployment task.

The appSettings should be defined in the SiteConfig object instead of Microsoft.Web/sites/slots properties as your template. To create a Microsoft.Web/sites/slots/config resource for app settings, you could add the JSON to the resources section of your template.
Also, you can see the Monitoring and diagnostic settings could be swapped here.

Can't see the alerts I created on Azure Portal

I am creating alerts inside Application Insights on the Azure Portal, but for some reason I am not able to see them. I know the alerts are working because I am getting the emails as expected.
Using the management API I am able to see the alerts:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.insights/scheduledQueryRules/{scheduleQueryName}?api-version=2018-04-16
What could be preventing them from appearing on the portal? This is my ARM template
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appInsightsName": {
"type": "string"
},
"alertEmail": {
"type": "string"
},
"utilityActionGroup": {
"type": "string"
},
"scheduleQueryName": {
"type": "string"
},
"monitoringUtilityAlertEnabled": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"apiVersion": "2014-04-01",
"name": "[parameters('appInsightsName')]",
"type": "Microsoft.Insights/components",
"location": "[resourceGroup().location]",
"properties": {
"applicationId": "[parameters('appInsightsName')]"
}
},
{
"type": "Microsoft.Insights/actionGroups",
"name": "[parameters('utilityActionGroup')]",
"apiVersion": "2018-03-01",
"location": "Global",
"properties": {
"groupShortName": "Utility",
"enabled": true,
"emailReceivers": [
{
"name": "AlertEmail",
"emailAddress": "[parameters('alertEmail')]"
}
]
},
"dependsOn": []
},
{
"type": "Microsoft.Insights/scheduledQueryRules",
"name": "[parameters('scheduleQueryName')]",
"apiVersion": "2018-04-16",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-link: ', resourceId('Microsoft.Insights/components', parameters('appInsightsName')))]": "Resource"
},
"scale": null,
"properties": {
"description": "Sends an alert when the utility stops sending a trace to app insights",
"enabled": "[parameters('monitoringUtilityAlertEnabled')]",
"source": {
"query": "traces\n| where message == \"Utility Service is alive\" | where timestamp >= ago(30m) ",
"authorizedResources": [],
"dataSourceId": "[resourceId('microsoft.insights/components', parameters('appInsightsName'))]",
"queryType": "ResultCount"
},
"schedule": {
"frequencyInMinutes": 5,
"timeWindowInMinutes": 5
},
"action": {
"odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
"severity": "2",
"aznsAction": {
"actionGroup": [ "[resourceId('microsoft.insights/actionGroups', parameters('utilityActionGroup'))]" ],
"emailSubject": "Monitoring Utility Stopped working"
},
"trigger": {
"thresholdOperator": "Equal",
"threshold": 0
}
}
},
"dependsOn": [
"[resourceId('microsoft.insights/components', parameters('appInsightsName'))]",
"[resourceId('microsoft.insights/actionGroups', parameters('utilityActionGroup'))]"
]
}
],
"outputs": { }
}

As per my test, I create the alert inside application insights via azure portal, and it can appear in the portal.
When check the alert in portal, please make sure that select the correct resource as the one you create alert.

Azure ARM Template

Need you Help on something really quick :
How to set storage account "soft delete" option enabled using arm template?
2.What's the property that I should be using in arm template. Tried browsing through this site but couldn't get muchinformation - https://learn.microsoft.com/en-us/rest/api/storagerp/storageaccounts/getproperties
Any help is Much Appreciated.
Rocky

It seems that with the release of the 2018-11-01 version of the storage template it's now possible to enable soft delete in your ARM template.
Below you can find the template I've used:
{
"parameters": {
"NameForResources": {
"type": "string",
},
"ResourceLocation": {
"type": "string",
"defaultValue": "westeurope"
},
"Storage_Type": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_ZRS"
],
"metadata": {
"description": "Storage Account type"
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "[parameters('Storage_Type')]"
},
"kind": "Storage",
"name": "[parameters('NameForResources')]",
"apiVersion": "2018-11-01",
"location": "[parameters('ResourceLocation')]",
"properties": {
"encryption": {
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"supportsHttpsTrafficOnly": true
},
"resources": [
{
"name": "[concat(parameters('NameForResources'),'/','default')]",
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2018-11-01",
"properties": {
"deleteRetentionPolicy": {
"enabled": true,
"days": 30
}
},
"dependsOn": ["[concat('Microsoft.Storage/storageAccounts/', parameters('NameForResources'))]"]
}
]
}
],
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0"
}

I do not think it is currently possible to configure soft delete using ARM. Soft delete is a blob service property, not a property of the storage account.
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete#powershell

For keyvaults, use "enableSoftDelete": true.
For storage accounts, add a blob service with 1) the following properties and 2) a dependsOn condition on the storage account:
{
"name": "[concat(parameters('storageAccountName'), '/default')]",
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2018-07-01",
"properties": {
"deleteRetentionPolicy": {
"enabled": true,
"days": 30
}
},
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
]
}

How to enable app-service-authentication and logging into a blob via ARM-Template?

How to enable app-service-authentication and logging into a blob via ARM-Template?
hello everybody, i have a question i want to activate the app-service-authentication for anonymous requests and also the logging of everything that could happen in the website into a blob of a storageaccount via the resource template. what should i add to the template-json-file to do that?
thanks for every help
Edit:
I found out something.
with this snippet it work but that are not the correct settings
"properties": {
"name": "<#= website.Name #>",
"siteConfig": {
"alwaysOn": true,
"siteAuthEnabled": true,
"siteAuthSettings": null,
"httpLoggingEnabled": true,
"logsDirectorySizeLimit": 35,
"detailedErrorLoggingEnabled": true
},
now it looks like so:
but that is how it should be looking for:

According to your scenario, I have deployed my ARM template to enable Application Logging and Web server logging against Blob Storage, enable App Service Authentication and allow Anonymous requests for my Web App. Here are some detailed steps, you could refer to them.
1.Create Azure Resource Group project and add the Web App template;
2.Add "MONITORING > Diagnostic logs" configuration as follows:
3.Add "SETTINGS > Authentication/Authorization" configuration as follows:
4.Deploy the Web App and check it on Azure Portal:
Here is my website.json, you could refer to it.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"hostingPlanName": {
"type": "string",
"minLength": 1
},
"skuName": {
"type": "string",
"defaultValue": "F1",
"allowedValues": [
"F1",
"D1",
"B1",
"B2",
"B3",
"S1",
"S2",
"S3",
"P1",
"P2",
"P3",
"P4"
],
"metadata": {
"description": "Describes plan's pricing tier and capacity. Check details at https://azure.microsoft.com/en-us/pricing/details/app-service/"
}
},
"skuCapacity": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"metadata": {
"description": "Describes plan's instance count"
}
}
},
"variables": {
"webSiteName": "[concat('webSite', uniqueString(resourceGroup().id))]"
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "[parameters('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "HostingPlan"
},
"sku": {
"name": "[parameters('skuName')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"name": "[parameters('hostingPlanName')]"
}
},
{
"apiVersion": "2015-08-01",
"name": "[variables('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "Resource",
"displayName": "Website"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]"
],
"properties": {
"name": "[variables('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
},
"resources": [
{
"name": "logs",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [ "[resourceId('Microsoft.Web/sites/', variables('webSiteName'))]" ],
"tags": {
"displayName": "websiteLogs"
},
"properties": {
"applicationLogs": {
"fileSystem": {
"level": "Off"
},
"azureTableStorage": {
"level": "Off",
"sasUrl": null
},
"azureBlobStorage": {
"level": "Error",
"sasUrl": "https://{your-storageaccount-name}.blob.core.windows.net/{container-name}?{sasToken}",
"retentionInDays": null
}
},
"httpLogs": {
"fileSystem": {
"retentionInMb": 35,
"retentionInDays": null,
"enabled": false
},
"azureBlobStorage": {
"sasUrl":"https://{your-storageaccount-name}.blob.core.windows.net/{container-name}?{sasToken}",
"retentionInDays": null,
"enabled": true
}
},
"failedRequestsTracing": {
"enabled": true
},
"detailedErrorMessages": {
"enabled": true
}
}
},
{
"name": "authsettings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [ "[resourceId('Microsoft.Web/sites/', variables('webSiteName'))]" ],
"tags": {
"displayName": "websiteAuthSettings"
},
"properties": {
"enabled": true,
"httpApiPrefixPath": null,
"unauthenticatedClientAction": 1,
"tokenStoreEnabled": true,
"allowedExternalRedirectUrls": null,
"defaultProvider": 0,
"clientId": null,
"clientSecret": null,
"issuer": null,
"allowedAudiences": null,
"additionalLoginParams": null,
"isAadAutoProvisioned": false,
"googleClientId": null,
"googleClientSecret": null,
"googleOAuthScopes": null,
"facebookAppId": null,
"facebookAppSecret": null,
"facebookOAuthScopes": [
""
],
"twitterConsumerKey": null,
"twitterConsumerSecret": null,
"microsoftAccountClientId": null,
"microsoftAccountClientSecret": null,
"microsoftAccountOAuthScopes": [
""
]
}
}
]
}
]
}
Additionally, you could retrieve the configurations from resources.azure.com. Here is the screenshot for you to have a better understanding of the ARM template:

WebApp logging and authentication can be enabled via following resources in your template
{
"apiVersion": "2015-08-01",
"name": "logs",
"type": "config",
"location": "[resourceGroup().location]",
"dependsOn": [ "[resourceId('Microsoft.Web/Sites', variables('webSiteName'))]" ],
"properties": {
"applicationLogs": {
"fileSystem": {
"level": "off"
},
"azureTableStorage": {
"level": "off",
"sasUrl": null
},
"azureBlobStorage": {
"level": "off",
"sasUrl": null,
"retentionInDays": null
}
},
"httpLogs": {
"fileSystem": {
"retentionInMb": 35,
"retentionInDays": null,
"enabled": true
},
"azureBlobStorage": {
"sasUrl": null,
"retentionInDays": null,
"enabled": false
}
},
"failedRequestsTracing": {
"enabled": true
},
"detailedErrorMessages": {
"enabled": true
}
}
},
{
"apiVersion": "2015-08-01",
"name": "authsettings",
"type": "config",
"location": "[resourceGroup().location]",
"dependsOn": [ "[resourceId('Microsoft.Web/Sites', variables('webSiteName'))]" ],
"properties": {
"enabled": false,
"isAadAutoProvisioned": false
}
}
If you are not sure, what values should be in template.
Do following:
Provision Web App through the portal
Enable necessary settings
Go to https://resources.azure.com/ and check how template is configured for your Web App
Make changes in your template json file

​Log all the things
You could enable Diagnostics Logging (https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log)
for your App Service and add it to your App Service Website by following this guide https://learn.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-enable-diagnostic-logs-using-template
For a general logging solution that helps you keep track of (almost) everything that happens in an App Service web site you could use Application Insights (AI). You can add Application Insights to your ARM template by following this article https://learn.microsoft.com/en-us/azure/application-insights/app-insights-powershell#create-an-azure-resource-manager-template. This will help you setup AI for your web and define any specific tracking and telemetry you want to log.
Basically this is what you need to add to your ARM template in order to add AI to an App Service:
"resources": [
{
"apiVersion": "2014-08-01",
"location": "[parameters('appLocation')]",
"name": "[parameters('appName')]",
"type": "microsoft.insights/components",
"properties": {
"Application_Type": "[parameters('applicationType')]",
"ApplicationId": "[parameters('appName')]",
"Name": "[parameters('appName')]",
"Flow_Type": "Redfield",
"Request_Source": "IbizaAIExtension"
}
},
{
"name": "[variables('billingplan')]",
"type": "microsoft.insights/components/CurrentBillingFeatures",
"location": "[parameters('appLocation')]",
"apiVersion": "2015-05-01",
"dependsOn": [
"[resourceId('microsoft.insights/components', parameters('appName'))]"
],
"properties": {
"CurrentBillingFeatures": "[variables('pricePlan')]",
"DataVolumeCap": {
"Cap": "[parameters('dailyQuota')]",
"WarningThreshold": "[parameters('warningThreshold')]",
"ResetTime": "[parameters('dailyQuotaResetTime')]"
}
}
},
"__comment":"web test, alert, and any other resources go here"
]
Of course, you need to provide values for all the parameters and variables based on the price plan and quotas you want to set.
You could then setup Continuous Export (https://learn.microsoft.com/en-us/azure/application-insights/app-insights-export-telemetry) from AI to export all logged telemetry to a separate Azure Storage blob for long term retention of your logged data. Unfortunatelly you cannot setup Continuous Export from the ARM template, but it will likely be available soon: https://visualstudio.uservoice.com/forums/357324-application-insights/suggestions/13718607-enable-programatic-configuration-of-continuous-exp
Authenticate all the things
Setting up Authentication in your App Service you can specify the authentication options as properties for your WebSite resource. I suggest you start by configuring the desired authentication model using the portal or PowerShell first and then extract the template from the resulting deployment https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template as the actual properties and values to set are not well documented.
Creating an ARM template from the portal
You can do all the changes to your website, setup diagnostics directly in the portal and then extract a template that reflects what is currently deployed in that Resource Group.
Just go to your Resource Group and select Automation script, this will extract the template definition. It may not be the prettiest template or best structured, but it will contain your deployment (unless it shows a warning for some resources).