I need to add a subnet to a VNET in another resource group. I have an arm template (below) which adds a subnet to an existing resource group and it works okay but I need this subnet to be added to a VNET in another resource group.
example - there are 2 resource groups
Resource Group A - Contains the VNET
Resource Group B - VM deployed here but needs to connect to VNET in Resource Group A
When I deploy the template which created the VM to Resource Group B, i need to reference resource group A from within this ARM template, how can I do this?
I am deploying via Visual Studio at the moment so I am using right click then Deploy to and selecting the resource group where the VM is being deployed to eg Resource Group B. The below code works but it deploys to the wrong resource group, it should add the subnet to Resource group where the VNET is but adds it to the resource group the VM is being deployed to!
"vnetID": "[resourceId(parameters('ResourceGroupName'),'Microsoft.Network/virtualNetworks',parameters('existingVNETName'))]"
"apiVersion": "2015-06-15",
"type": "Microsoft.Network/virtualNetworks/subnets",
"name": "[concat(parameters('existingVNETName'), '/', parameters('newSubnetName'))]",
"location": "[resourceGroup().location]",
"properties": {
"addressPrefix": "[parameters('newSubnetAddressPrefix')]"
This isn't possible. The subnets in a VNET are properties of that VNET, so you cannot create a subnet in a different resource group.
You can however add users to a certain subnet, so only a certain user could only add machines to his " allowed" subnets.
It is not possible to add a Subnet to a VNET in another resource group, because a Subnet is not a top level resource in Azure. All Subnets within a virtual network always role up to the virtual network resource in your resource group.
Actually it can be done. Using Azure resource explorer I got the id of the subnet I wanted to add the virtual machine to. Then in the resource which builds the NIC (usually the "type": "Microsoft.Network/networkInterfaces"),under the subnet properties you can paste this id. Im working on parametizing this but worked. Azure resource explorer is the tool I used
"name": "NIC",
"type": "Microsoft.Network/networkInterfaces",
"location": "[resourceGroup().location]",
"apiVersion": "2016-03-30",
"dependsOn": [
],
"tags": {
"displayName": "[variables('NicName')]"
},
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAddress": "[parameters('primaryPrivateIPAddress')]",
"privateIPAllocationMethod": "Static",
"subnet": {
"id": ""/subscriptions/abcd123456789/resourceGroups/ResourceGroupA/providers/Microsoft.Network/virtualNetworks/ResourceGroupVirtualNetwork/subnets/newsubnet""
}
Related
Is there any in built role to deny permission to create resources in az subscription except some users. I.
I have used 'not allowed resources types' policy but it applies to whole subscription.
I Tried to reproduce the same in my environment to deny the resource creation in Azure:
Thanks to Tiny Wang for suggesting the same.
Assign Reader role to Users or Group for restricting resource creation in Azure, like below.
Azure Portal > Subscription > Select your subscription > Access control (IAM) > Add > Add role assignment.
Reader role assigned.
When I tried to create Azure VM within Subscription, I got an authorization error with the same user.
Note: if you create an Azure policy to deny the resource creation, the policy will apply to the scope level, not to users.
Ex: Subscription, Resource Groups
I have created a policy and assigned it to the resource group scope to deny resource creation within a resource group.
When I tried to create any resource, I got a policy restriction error.
Azure Policy rule:
{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"in": "[parameters('listOfResourcesTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
},
"parameters": {
"listOfResourcesTypesNotAllowed": {
"type": "Array",
"metadata": {
"displayName": "Not Allowed Resources creation",
"description": "The list of resources type that cannot be deployed.",
"strongType": "resourceTypes"
}
}
}
}
I'm trying to write an ARM template to deploy a connection to the storage account for my Logic App. The problem is that my Logic App belongs to one resource group & the storage account in another.
When I run the deployment pipeline I get the following deployment error:
The Resource 'Microsoft.Storage/storageAccounts/StorageAccountName'
under resource group 'Logic App Resource Group' was not found.
I understand that the storage account does not belong to this resource group but how do I write the ARM template to look for the storage account from another group?
Here is my template for the connection:
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[parameters('storageConName')]",
"location": "[parameters('logicAppLocation')]",
"properties": {
"displayName": "[parameters('storageConName')]",
"parameterValues": {
"accountName": "[parameters('storageAccountName')]",
"accessKey": "[listKeys(variables('storageAccountId'),'2019-06-01').keys[0].value]"
},
"api": {
"id": "[concat('/subscriptions/',parameters('resourceGroupId'),'/providers/Microsoft.Web/locations/northeurope/managedApis/azureblob')]"
}
}
}
I've worked out what was wrong, the properties:api:id was using the logic App resource group id where it should be using the storage accounts resource group id.
I misunderstood that this was the resource group where I wanted the connection to be created.
Hi I am trying to deploy the resource using ARM template of type "Microsoft.Sql/servers/administrators"
below is the template
{
"type": "Microsoft.Sql/servers/administrators",
"apiVersion": "2019-06-01-preview",
"name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
],
"properties": {
"administratorType": "ActiveDirectory",
"login": "[parameters('activeDirectoryUserGroupName')]",
"sid": "",
"tenantId": "[subscription().tenantId]"
}
}
I am passing the active directory user group name as parameter, "sid" is the objectId of that active directory group. So is there any way to fetch the objectId in ARM template
We have no way to get the Azure AD group object id in Azure ARM template. Because the Azure AD group is Azure AD resource. It is not Azure resource. But the ARM template is only used to manage Azure resources. For more details, please refer to the document and the document
If the want to get the AD group object id, you can use Azure Powershell command $groubId=(Get-AzADGroup -DisplayName <groupName>).Id.
I'm using an on-premises gateway connection in Azure and I'm trying to deploy this using an ARM-template from a VSTS deployment. The VSTS deployment has an Resource Manager end-point. It seems that the service principal cannot create the On-premises Data Gateway service in Azure because it has no permission to the registered Gateway that is located in:
/subscriptions/{subscriptionid}/providers/Microsoft.Web/locations/{location}/connectionGatewayInstallations/{OnPremGatewayId}
The code in the ARM template is quite straigtforward and looks like this:
{
"type": "Microsoft.Web/connectionGateways",
"name": "[variables('OnPremGatewayName')]",
"apiVersion": "2016-06-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {
"connectionGatewayInstallation": {
"id": "[concat('/subscriptions/', subscription().subscriptionid, '/providers/Microsoft.Web/locations/', toLower(replace(resourceGroup().location,' ','')),'/connectionGatewayInstallations/', parameters('OnPremGatewayId'))]"
}
},
"dependsOn": []
},
The deployment throws this error:
"error": {
"code": "AuthorizationFailed",
"message": "The connection gateway 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' does not exist or the client with object id 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' under tenant id '********' does not have administrative rights on it."
}
}'
I've found that there is a new action added that you can assign to a role:
/Microsoft.Web/Locations/connectiongatewayinstallations/Read
I've created a role with this action and added it to the service principal, but dat didn't seem to help. I used the following script to create the role:
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "On premises data gateway reader"
$role.Description = "Read registered On premises data gateways"
$role.Actions.Clear()
$role.Actions.Add("/Microsoft.Web/Locations/connectiongatewayinstallations/Read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/{subscriptionid}")
New-AzureRmRoleDefinition -Role $role
Get-AzureRmRoleDefinition -Name "On premises data gateway reader"
How can I give the VSTS service principal administrative rights on the registered gateway?
In one of our project, we are trying to automate deployment of cloud components on Azure. For majority of components (basically all ARM components like Redis, Service bus, App Service etc.) we were able to achieve it using ARM templates and Powershell script.
However, we are stuck at Cloud Service (classic) component. Cloud service component contains only WebRole in it and no VM needs to be provisioned.
We can go via classic deployment model i.e. using ASM commands in power shell. But since, ARM model supports provisioning and deployment from azure portal so I was wondering ARM REST API's must have out of box support for this component as well. I try to figure out but couldn't find any related documentation to it.
What I have tried so far
Azure template (AzureDeploy.json)
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"parameters": {
"name": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2014-06-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"type": "Microsoft.ClassicCompute/domainNames"
}
]
}
Powershell script:
Param(
[string] $ResourceGroupLocation = 'South India',
[string] $ResourceGroupName = 'FreeTrial',
[string] $TemplateFile = 'AzureDeploy.json'
)
$TemplateFile = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($PSScriptRoot, $TemplateFile))
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation -Verbose -Force -ErrorAction Stop
New-AzureRmResourceGroupDeployment -Name ((Get-ChildItem $TemplateFile).BaseName + '-' + ((Get-Date).ToUniversalTime()).ToString('MMdd-HHmm')) `
-ResourceGroupName $ResourceGroupName `
-TemplateFile $TemplateFile `
-Force -Verbose
If I try to execute the above script, execution gets stuck at Checking deployment for an hour or so and have to manually kill the script execution.
.
However, if I ran following command in power shell, it succesfully creates a resource in portal:
New-AzureRmResource -Location "South India" -ResourceName
"cloudsmplservice" -ResourceType
"Microsoft.ClassicCompute/domainNames" -ResourceGroupName "FreeTrial"
But I do not understand what's an issue with ARM template approach. Can someone please direct me to the problem in first approach?
Addendum:
I found a strange behaviour. If I hardcode the resource name value in the resource definition OR pass it when powershell prompt for it, deployment works fine.
However, if I set some default Value for parameter OR pass it via parameter file, its not working.
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"cloudName": {
"type": "string",
"defaultValue": "cloudsrvc"
}
},
"resources": [
{
"apiVersion": "2015-06-01",
"name": "[parameters('cloudName')]",
"location": "[resourceGroup().location]",
"type": "Microsoft.ClassicCompute/domainNames"
}
]
}
Addendum2:
Seems like some powershell configuration issue. Will report it to Azure team with more details. So, far was able to reproduce it with simple steps:
Created a fresh VM in azure.
Imported AzureRM modules.
Try to provision cloud service with default value template. (Stuck as mentioned)
Try to provision now by passing the parameter from powershell. (Worked fine)
Now try again with default value template. (Worked fine)
I will recommend you to validate your Cloud Service ARM Template from the Template Deployment in the Azure portal.
I am able to deploy a bare metal Cloud Service using the template below and the deployment is successful within seconds.
You can also "reverse engineer" the Cloud Service ARM Template by clicking on the Automation option when try to create a new Cloud Service from the Azure portal.
I didn't see the problem in automating Cloud Service by the ARM Template approach.
Note:
I have deployed this in South India location and it works.
Addendum:
I have deployed the template as below using your PowerShell script and it works as well.
Azure PowerShell version is 4.3.1 (August 2017).
Screenshot as below.
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2016-11-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"type": "Microsoft.ClassicCompute/domainNames"
}
]
}
Addendum 2:
Try with template with default param values and the deployment is also working successful.
Note: I notice your api version is older and the api version for my cloud service is 2016-11-01
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string",
"defaultValue": "[resourceGroup().name]"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"resources": [
{
"apiVersion": "2016-11-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"type": "Microsoft.ClassicCompute/domainNames"
}
]
}
We also could use the REST API to do that,I test it with fiddler.
https://management.azure.com/subscriptions/{subscriptionid}/resourceGroups/{resourcegroupname}/providers/Microsoft.ClassicCompute/domainNames/{cloudservicename}?api-version=2016-04-01
Note: please make sure that your subcription support to create the cloudservice in that location. If it is not supported, we will get the following error.
The location constraint is not valid