Develop Reference

Updating Azure app gateway rewrite rules with ARM template

I've been learning about how ARM templates work and how there is an incremental mode. Can I do a custom deployment that will update a resource with a template that only includes what I want to update?
What I'm trying to accomplish is to update or add rewrite rules for a specific set in our app gateway
When I try the following I get InvalidTemplateDeployment errors with messages about missing template properties i.e. "0 IP configuration specified for gateway".
For my template I was trying to follow an example here https://learn.microsoft.com/en-us/azure/architecture/guide/azure-resource-manager/advanced-templates/update-resource
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
...
},
"resources": [
{
"apiVersion": "2020-06-01",
"type": "Microsoft.Resources/deployments",
"name": "updateRewriteRules",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"resources": [
{
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2020-05-01",
"name": "[parameters('applicationGatewayName')]",
"location": "[parameters('location')]",
"properties": {
"rewriteRuleSets": [
{
"name": "[parameters('rewriteSetName')]",
"properties": {
"rewriteRules": [
{
"ruleSequence": 300,
"conditions": [],
"name": "security-response-headers",
"actionSet": {
"requestHeaderConfigurations": [],
"responseHeaderConfigurations": [
{
"headerName": "Permissions-Policy",
"headerValue": "accelerometers=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
}
]
}
}
]
}
}
]
}
}
],
"outputs": {}
}
}
}
],
"outputs": {}
}

Looks like for app gateways you need to deploy the entire template with all its properties to make changes.
Update existing Application Gateway via ARM
Not sure where this is documented though.

Azure ARM role assignment for System Assigned Managed Identity fails the first run

My goal is to deploy a logic app with a system managed identity and a role assignment for that identity. Preferably, this is done in one ARM template.
I have a setup that fails the first run, but succeeds successive runs. Correct me if I'm wrong, but I think that the reason for this is that the deployment of the role assignment happens before the managed identity of the logic app is "ready", hence the following error I get the first time that I deploy the template. I don't get this error the second time I deploy the template, probably because the Identity already exists at that time.
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "PrincipalNotFound",
"message": "Principal *** does not exist in the directory ***."
}
]
}
My template (removed logic app definition for brevity). In this case the identity of the logic app requires access to a storage account which is located in another resource group.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logicAppName": {
"type": "string"
},
"storageAccountResourceGroup": {
"type": "String"
},
"storageAccountName": {
"type": "String"
}
},
"variables": {
"logicAppResourceId": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]",
"Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
},
"resources": [
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('logicAppName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
...
}
}
},
{
"type": "Microsoft.Resources/deployments",
"name": "[concat('RoleAssignment-', parameters('logicAppName'))]",
"apiVersion": "2020-06-01",
"resourceGroup": "[parameters('storageAccountResourceGroup')]",
"subscriptionId": "[subscription().subscriptionId]",
"dependsOn": [
"[parameters('logicAppName')]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-09-01-preview",
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, parameters('logicAppName')))]",
"properties": {
"roleDefinitionId": "[variables('Storage Blob Data Contributor')]",
"principalId": "[reference(variables('logicAppResourceId'), '2019-05-01', 'Full').identity.principalId]"
}
}
]
}
}
}
]
}
As you can see in the template, I added a dependsOn on the logic app itself. However that doesn't seem to be sufficient.
Does anyone have a solution for this?
Thank you!

I found the answer here: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
Deployment works consistently after adding "principalType": "ServicePrincipal"

using dependsOn property in ARM Template

I am deploying VNET before deploying other resources. It does deploy the first VNET template, but gives an error deploying others, as it says subnet is is provisioning state i.e. the resource is updating.
I am using nested templates and tried using dependsOn property in the ARM, although is not working. Is is possible to use it at the resource level?
"resources": [
{
"apiVersion": "2017-05-10",
"name": "vNet_ResourceUnit",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "[resourceGroup().name]",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('vnetTemplateUrl')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"hyphenBasedPrefix": {
"value": "[variables('hyphenBasedPrefix')]"
},
"baseTemplateUrl": {
"value": "[parameters('baseTemplateUrl')]"
},
"vnetObject": {
"value": "[variables('vnet')]"
}
}
}
},
{
"apiversion": "2017-05-10",
"name": "keyVault_resourceunit",
"type": "microsoft.resources/deployments",
"resourcegroup": "[resourcegroup().name]",
"dependsOn": [
------
],
"properties": {
"mode": "incremental",
"templatelink": {
"uri": "[variables('keyVaultTemplateUrl')]",
"contentversion": "1.0.0.0"
},
"parameters": {
"hyphenbasedprefix": {
"value": "[variables('hyphenbasedprefix')]"
},
"basetemplateurl": {
"value": "[parameters('basetemplateurl')]"
},
"keyvaultobject": {
"value": "[variables('keyvault')]"
},
"vnetObject": {
"value": "[variables('vnet')]"
}
}
}
}
]
How can i use the dependsOn property here at resource level? I did try at the last template using :
"[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
But its not working.
How can i use it in the 'keyVault_resourceunit' itself?

Instead of using a resource id in the dependency, try using the name of the resource object i.e. the value "vNet_ResourceUnit" from line 3 of the code in your question.
"dependsOn": [
"vNet_ResourceUnit"
]
The effect that has is to make the arm process wait until that resource deployment (named "vNet_ResourceUnit") has completely finished, before starting your keyVault_resourceunit deployment.

you need to wait for the deployment to finish, not the resources inside the deployment (because they are in a different deployment, template doesnt know anything about them).
"[resourceId('Microsoft.Resources/deployments', 'vNet_ResourceUnit')]"

How to listkeys on a storage account deployed via linked ARM template?

Below I have a (simplified) Azure ARM Template to deploy a website which has in its appSettings the storage account. I originally passed the key via a string output parameter which works fine.
Storage Template
"outputs": {
"storageKey": {
"type": "string",
"value": "[listKeys(resourceid(resourceGroup().name, 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
}
}
Root template
{
"apiVersion": "[variables('apiVersion')]",
"type": "Microsoft.Resources/deployments",
"name": "[concat(resourceGroup().Name, '-', variables('tdfConfiguration')[copyIndex()]['roleName'], '-storage')]",
"copy": {
"name": "storageCopy",
"count": "[length(variables('tdfConfiguration'))]"
},
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('storageAccountTemplateUri')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"storageAccountName": { "value": "[variables('tdfConfiguration')[copyIndex()]['componentName']]" },
"storageAccountLocation": { "value": "[resourceGroup().location]" },
"storageAccountType": { "value": "[variables('storageAccountType')]" }
}
}
},
{
"apiVersion": "[variables('apiVersion')]",
"type": "Microsoft.Resources/deployments",
"name": "[concat(resourceGroup().Name, '-', variables('tdfConfiguration')[copyIndex()]['roleName'], '-website')]",
"copy": {
"name": "webSiteCopy",
"count": "[length(variables('tdfConfiguration'))]"
},
"dependsOn": [
"[concat('Microsoft.Resources/deployments/', resourceGroup().Name, '-', variables('tdfConfiguration')[copyIndex()]['roleName'], '-serviceplan')]",
"[concat('Microsoft.Resources/deployments/', resourceGroup().Name, '-', variables('tdfConfiguration')[copyIndex()]['roleName'], '-storage')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('webSiteTemplateUri')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"azureWebJobsStorageAccountKey": { "value": "[reference(concat(resourceGroup().Name, '-', variables('tdfConfiguration')[copyIndex()]['roleName'], '-storage')).outputs.storageKey.value]" }
}
}
},
I'm worried that passing that around as a string may expose it in some deployment logs. However if I switch it to a securestring output parameter I can no longer access the value. So it seems like I need to listkeys in the root template, but if I change my website parameters to
"azureWebJobsStorageAccountKey": { "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts',variables('tdfConfiguration')[copyIndex()]['componentName']), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]" }
it fails because even though the storage account is listed as a dependsOn, it attempts to resolve this value immediately without waiting for the storage account to be deployed. Any ideas?

list* functions will wait for the resource to be available if it is being created in the same template. but you are using nested templates so it has no way of knowing the resource is provisioned or not, so it just assumes its provisioned (standard behavior when you use list* functions).
dont pass it in as a value (it makes no sense really), just use the same expression inside the deployment and it will work. because the deployment will start only after the previous deployment was finished and the storage account will be there already.
Also, I dont see why you are doing this with nested templates, I dont see any reason for doing this in your case, you are over complicating your deployment\code for no benefit (and even created a problem for yourself because of that). Just drop nested deployments and use resources.

Deploy two Azure App Services to the same App Service Plan using idempotent ARM TEMPLATE

PROBLEM
How to deploy two different Azure App Services to the same App Service plan when using VSTS idempotent continuous integration / continuous deployment processes.
ENVIRONMENT
I have written two ARM TEMPLATES each of which deploy a web application to Azure App Service.
In order to deploy an App Service an Service Plan must be created first.
The ARM TEMPLATES currently create a unique Service Plan each for each Web App.
I am using VSTS Release Definitions to deploy on each successful VSTS build. i.e releases are designed to be idempotent.
Currently each web app has its own Resource Group which includes it own App Service Plan. Ideally each web app has its own Resource Group, App Service Plan can be in its own Resource Group however (if this is possible).
The template below is an example of one of the templates used to deploy the Web App service to an App Service Plan.
It shows the creation of the App Service Plan using the naming conversion:
appname-Plan-q2dkkaaaaaaaa
This is created using:
Seven Character identifier "appname" defined in the ARM parameters files.
Resource identifier "plan".
Resource Group name , which comes from random named Storage Account name "q2dkkaaaaaaaa" when it was created.
i.e
"hostingPlanName": "[concat(parameters('appName'),'-Plan-', uniqueString(resourceGroup().id))]",
EXAMPLE
{
"parameters": {
"appName": {
"type": "string",
"maxLength": 7,
"metadata": {
"description": "The name of the app that you wish to create."
}
},
"appServicePlanSku": {
"type": "string",
"defaultValue": "Standard",
"metadata": {
"description": "The Service Plan SKU"
}
},
"appServicePlanWorkerSize": {
"type": "string",
"defaultValue": "0",
"metadata": {
"description": "The App Service Plan Worker Size (?)"
}
},
"appServicePlanSkuCode": {
"type": "string",
"defaultValue": "S1",
"metadata": {
"description": "The App Service Plan SKU Code"
}
},
"appServicePlanNumWorkers": {
"type": "string",
"defaultValue": "2",
"metadata": {
"description": "The Number of App Service Workers."
}
},
"variables": {
"webAppName": "[concat(parameters('appName'),'-wa-', uniqueString(resourceGroup().id))]",
"hostingPlanName": "[concat(parameters('appName'),'-Plan-', uniqueString(resourceGroup().id))]",
"stageSlotName": "stageSlot",
"devSlotName": "devSlot"
}
},
"resources": [
{
"apiVersion": "2016-09-01",
"name": "[variables('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"properties": {
"name": "[variables('hostingPlanName')]",
"workerSizeId": "[parameters('appServicePlanWorkerSize')]",
"numberOfWorkers": "[parameters('appServicePlanNumWorkers')]"
},
"sku": {
"Tier": "[parameters('appServicePlanSku')]",
"Name": "[parameters('appServicePlanSkuCode')]"
},
"dependsOn": []
},
{
"apiVersion": "2015-08-01",
"type": "Microsoft.Web/sites",
"name": "[variables('webAppName')]",
"location": "[resourceGroup().location]",
"kind": "webapp",
"tags": {
"Environment": "production",
"displayName": "WebAppService"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
],
"properties": {
"name": "[variables('webAppName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms',variables('hostingPlanName'))]"
},
"resources": [
{
"name": "slotConfigNames",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('webAppName'))]"
],
"tags": {
"displayName": "slotConfigNames"
},
"properties": {
"appSettingNames": []
}
},
{
"apiVersion": "2015-08-01",
"name": "[variables('stageSlotName')]",
"type": "slots",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('webAppName'))]"],
"properties": {},
"resources": []
},
{
"apiVersion": "2015-08-01",
"name": "[variables('devSlotName')]",
"type": "slots",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('webAppName'))]"],
"properties": {},
"resources": []
}
]
}
]
}
QUESTION
I am attempting to execute two ARM TEMPLATES (similar to the above example) to deploy two different Web Apps to the same Service Plan.
Its clear that both of these Web Apps must call the same central resource to ensure they both deploy to same App Service resource name and execute any changes.
If the App Service plan exists = deploy web app.
If the App Service plan does not exist = create service plan then deploy web app.
If the App Service plan is changed = deploy the service plan change (e.g Tier change) then deploy the web app.
Taking the environmental description above into consideration , what options do I have to get this working?
VSTS Global parameter in the Release Definition maybe ?
ARM TEMPLATES call a PowerShell script that creates the app service plan ?
Keen to follow best practice.
I hope the above is described in enough detail. Sorry if something has been missed. Thank you.

SOLUTION
The solution in my case was to create three templates:
Template 1 to create the app service plan. This ARM template is stored in a BLOB container and is accessible to the release pipeline via a SAS URI.
Template 2 to create web app A. This template uses LINKED TEMPLATE features to call and execute the shared template.
Template 3 to create web app B. This template uses LINKED TEMPLATE features to call and execute the shared template.
RESULT
Both web apps are then published to the same server farm, sharing the
instances.
The idempotent nature of the deployment is maintained.
Single point of truth for any app service plan deployment and any amendments.
Money saved on number of server farms required.
EXAMPLE
Shared Service Plan - ARM Template example of a shared service plan:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"planLabel": {
"defaultValue": "shared-service-plan",
"type": "string"
}
},
"variables": {
"servicePlanName": "[concat(parameters('planLabel'),'-Plan-', uniqueString(resourceGroup().id))]"
},
"resources": [
{
"comments": "Creates an App Service Plan on the Standard (S1) SKU.",
"type": "Microsoft.Web/serverfarms",
"sku": {
"name": "S1",
"tier": "Standard",
"size": "S1",
"family": "S",
"capacity": 2
},
"kind": "app",
"name": "[variables('servicePlanName')]",
"apiVersion": "2016-09-01",
"location": "[resourceGroup().location]",
"properties": {
"name": "[variables('servicePlanName')]"
},
"dependsOn": []
}
],
"outputs": {
"servicePlanResourceId": {
"type": "string",
"value": "[resourceId('Microsoft.Web/serverfarms', variables('servicePlanName'))]"
},
"servicePlanName":{
"type": "string",
"value": "[variables('servicePlanName')]"
},
"resourceGroupName":{
"type": "string",
"value": "[resourceGroup().name]"
}
}
}
Web App A - ARM Template Example containing LINKED TEMPLATE:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"servicePlanLabel": {
"type": "string",
"metadata": {
"description": "The base name for the App Service Plan to be used in the linked template."
},
"defaultValue": "plan"
},
"appServicePlanResourceGroup": {
"type": "string",
"metadata": {
"Description": "The name of the Resource Group the shared App Service Plan will be deployed to."
},
"defaultValue": "group"
},
"appServicePlanTemplateUri": {
"type": "string",
"metadata": {
"description": "The URI to the App Service Plan linked template in BLOB"
}
}
},
"variables": {},
"resources": [
{
"apiVersion": "2017-05-10",
"name": "appServicePlanTemplate",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "[parameters('appServicePlanResourceGroup')]",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[parameters('appServicePlanTemplateUri')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"planLabel": {
"value": "[parameters('servicePlanLabel')]"
}
}
}
},
{
"apiVersion": "2015-08-01",
"type": "Microsoft.Web/sites",
"name": "[variables('webAppName')]",
"location": "[resourceGroup().location]",
"kind": "webapp",
"tags": {
"Environment": "production",
"displayName": "App"
},
"dependsOn": [
"[resourceId(parameters('appServicePlanResourceGroup'), 'Microsoft.Resources/deployments', 'appServicePlanTemplate')]"
],
"properties": {}
}
}
}
Hope this is useful to someone.
Thanks
Scott
REF
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/azure-resource-manager/resource-group-linked-templates.md

Your requirement is default supported by ARM template. Basically if an ARM template encounters a resource which is exist, it will update the resource if the properties do not match. Otherwise it will create the resource using the properties which you set in ARM template.