We have successfully configured an on-premises data gateway on an Azure VM, and using this gateway as a trigger in a logic app works. All of this was done manually.
Is there a way to achieve this with ARM? Is there a sample ARM template available for this?
If you want to create an on-premises data gateway with an ARM template, please try the following ARM template; it works correctly on my side.
Deploy.json
{
"$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"gatewayApiVersion": {
"type": "String"
},
"gatewayName": {
"type": "String"
},
"gatewayLocation": {
"type": "String"
},
"gatewayInstallationId": {
"type": "String"
}
},
"resources": [
{
"type": "Microsoft.Web/connectionGateways",
"name": "[parameters('gatewayName')]",
"apiVersion": "[parameters('gatewayApiVersion')]",
"location": "[parameters('gatewayLocation')]",
"properties": {
"connectionGatewayInstallation": {
"Id": "[parameters('gatewayInstallationId')]"
}
}
}
]
}
Parameters.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"gatewayApiVersion": {
"value": "2015-08-01-preview"
},
"gatewayName": {
"value": "gatewayName"
},
"gatewayLocation": {
"value": "location"
},
"gatewayInstallationId": {
"value": "/subscriptions/{subscriptionId}/providers/Microsoft.Web/locations/{location}/connectionGatewayInstallations/xxxxxxxxxx"
}
}
}
Before that, we need to install the on-premises data gateway manually on the machine. For more details about how to install the on-premises data gateway, please refer to the Azure documentation.
For the gatewayLocation value, please make sure that it is the same as that of the on-premises data gateway.
For the gatewayInstallationId value, if we try to create it from Azure, we can get the value from the portal.
I've set up the problem in these two files. The template is simply POSTing the parameter to a fake URL to check the value.
read_secret_params.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ftpPrivateKey": {
"reference": {
"keyVault": {
"id": "/subscriptions/dummyid/resourceGroups/dummyrg/providers/Microsoft.KeyVault/vaults/myvault"
},
"secretName": "mysecret"
}
}
}
}
read_secret_template.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ftpPrivateKey": {
"type": "securestring"
}
},
"resources": [
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2019-05-01",
"name": "read-secret",
"location": "East US",
"properties": {
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Week",
"interval": 1
},
"type": "Recurrence"
}
},
"actions": {
"HTTP": {
"inputs": {
"body": "[parameters('ftpPrivateKey')]",
"method": "POST",
"uri": "https://dummysite.com"
},
"runAfter": {},
"type": "Http"
}
},
"outputs": {}
},
"parameters": {}
}
}
]
}
The first issue is that when I try to deploy via the portal, no value comes through for the parameter, so it can't create it due to the validation error "Validation failed. Required information is missing or not valid.". Is this because it's not able to read the secret, a permissions thing? NOTE: the key vault was also created by me, so I am the owner.
I can get around the validation error and successfully deploy by adding a default value as follows:-
"parameters": {
"ftpPrivateKey": {
"type": "securestring",
"defaultValue": "privateKeyDefault"
}
},
But when I run the logic app, it's using the default value in the POST command so it seems like it's not pulling the secret out of the key vault.
So in summary I have 2 questions:-
Has this test proved that the logic app is not reading the secret OR might it have successfully read the secret but is for some reason displaying the default value in the POST command?
If it is not reading the secret, can anyone suggest a cause + fix?
If I deploy using the Azure CLI then it works i.e. gets the secret from Azure Key Vault. If deployed in the portal then it always uses the default value.
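A pre-deployment check for the situation in this question, as an added example that is not part of the original posts: it reports where each secure parameter would get its value (Key Vault reference, literal, or template default) and flags a secure parameter that is written into a Logic App definition. The function name `audit_secure_params` and the sample inputs are constructed here, modelled on the question's two files.

```python
import json
import re
SECURE_TYPES = {"securestring", "secureobject"}

def audit_secure_params(template, param_file=None):
    """Report where each secure parameter gets its value and flag risky sources."""
    supplied = (param_file or {}).get("parameters", {})
    findings = {}
    for name, spec in template.get("parameters", {}).items():
        if spec.get("type", "").lower() not in SECURE_TYPES:
            continue
        issues = []
        entry = supplied.get(name, {})
        if "keyVault" in entry.get("reference", {}):
            source = "keyvault-reference"
        elif "value" in entry:
            source = "literal-in-parameter-file"
            issues.append("secret stored in plain text in the parameter file")
        elif "defaultValue" in spec:
            source = "template-default"
            issues.append("no value supplied, deployment falls back to defaultValue")
        else:
            source = "missing"
            issues.append("no value supplied and no default")
        if "defaultValue" in spec and source != "template-default":
            issues.append("secure parameter carries a defaultValue in the template")
        # ARM expressions resolve at deployment, so the secret lands in the definition as a literal.
        ref = re.compile(r"parameters\('%s'\)" % re.escape(name), re.IGNORECASE)
        for res in template.get("resources", []):
            definition = res.get("properties", {}).get("definition", {})
            if res.get("type") == "Microsoft.Logic/workflows" and ref.search(json.dumps(definition)):
                issues.append("value is inlined into workflow '%s'" % res.get("name"))
        findings[name] = {"source": source, "issues": issues}
    return findings

# Constructed inputs modelled on the question's files (placeholder IDs and names).
TEMPLATE = {
    "parameters": {"ftpPrivateKey": {"type": "securestring", "defaultValue": "privateKeyDefault"}},
    "resources": [{"type": "Microsoft.Logic/workflows", "name": "read-secret",
                   "properties": {"definition": {"actions": {"HTTP": {"inputs": {
                       "body": "[parameters('ftpPrivateKey')]"}}}}}}],
}
PARAMS = {"parameters": {"ftpPrivateKey": {"reference": {
    "keyVault": {"id": "/subscriptions/dummyid/resourceGroups/dummyrg/providers/Microsoft.KeyVault/vaults/myvault"},
    "secretName": "mysecret"}}}}

if __name__ == "__main__":
    print(json.dumps(audit_secure_params(TEMPLATE, PARAMS), indent=2))
    print(json.dumps(audit_secure_params(TEMPLATE), indent=2))
```

Running it against the template alone, with no parameter file, reports `template-default` as the source, which is the value the question saw in the POST body.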
I have a Logic App Standard in one subscription, say Subscription A, and a Cosmos DB in Subscription B. My ask is to create an API connection from the logic app to the Cosmos DB.
When I use the Cosmos DB connector from the Azure portal, the connection is established. But in Terraform I am not getting connectionRuntimeUrl.
After running, I get {} as output in the deployment. No connectionRuntimeUrl is generated.
Can you please help on this matter?
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"connectionName": {
"type": "String"
},
"cosmosAccountName": {
"type": "String"
}
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"location": "[resourceGroup().location]",
"name": "[parameters('connectionName')]",
"properties": {
"api": {
"id": "[format('/subscriptions/<subscriptionID>/providers/Microsoft.Web/locations/<resourceLocation>/managedApis/documentdb')]"
},
"displayName": "[parameters('cosmosAccountName')]",
"parameterValues": {
"databaseAccount": "[parameters('cosmosAccountName')]",
"accessKey": "<Cosmosdb_AccessKey>"
}
}
}
],
"outputs":{
"connectionRuntimeurl":{
"type":"string",
"value":"[reference(resourceId('Microsoft.Web/connections',parameters('connectionName')),'2016-06-01','full').properties.connectionRuntimeUrl]"
},
"connectionId":{
"type":"string",
"value":"[resourceId('Microsoft.Web/connections',parameters('connectionName'))]"
}
}
}
Is it the same issue as "Create Azure Connection API with Connection Runtime Url"? In that case you are missing "kind": "V2".
There is an option to create a Managed Identity from Terraform for a Stream Analytics job (azurerm_stream_analytics_job, using the identity block).
And it is possible to use a Managed Identity to connect to databases (as explained here).
But I could not find how to use a managed identity to create an input using azurerm_stream_analytics_reference_input_mssql.
UPDATE:
To be clear, that's what I am after:
And then
As of July 2022:
It does not look like Terraform supports it (see documentation).
With this ARM template, I was able to deploy ("authenticationMode": "Msi"):
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"streamAnalyticsJobName": {
"type": "string"
},
"streamAnalyticsJobNameInputName": {
"type": "string"
},
"sqlServerName": {
"type": "string"
},
"databaseName": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.StreamAnalytics/streamingjobs/inputs",
"apiVersion": "2017-04-01-preview",
"name": "[format('{0}/{1}', parameters('streamAnalyticsJobName'), parameters('streamAnalyticsJobNameInputName'))]",
"properties": {
"type": "Reference",
"datasource": {
"type": "Microsoft.Sql/Server/Database",
"properties": {
"authenticationMode": "Msi",
"server": "[parameters('sqlServerName')]",
"database": "[parameters('databaseName')]",
"refreshType": "Static",
"fullSnapshotQuery": "SELECT Id, Name, FullName\nFrom dbo.Device\nFOR SYSTEM_TIME AS OF @snapshotTime --Optional, available if table Device is temporal"
}
}
}
}
]
}
So you could always use azurerm_template_deployment resource to deploy using terraform.
I have managed to release secrets to my Azure key vault via CI/CD from DevOps using my ARM templates. The initial release went fine and added my new, non-existing secrets to my key vault resource. Though when trying to update the value of the secret in my ARM template and then pushing it to my Git repo, to in turn release it and update my secret in Azure, it fails, giving me:
At least one resource deployment operation failed. Please list deployment operations for
details. Please see https://aka.ms/DeployOperations for usage details.
Details:
BadRequest:
Check out the troubleshooting guide to see if your issue is addressed:
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
Task failed while creating or updating the template deployment.
My template looks like this:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"value": "test-kv-devopstest01-d"
},
"TestCedential_1": {
"value": "TestCedentialSecretValue1"
},
"TestCedentialName_1": {
"value": "TestCedentialSecretName1_SecondVersion"
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"type": "string"
},
"TestCedential_1": {
"type": "secureString"
},
"TestCedentialName_1": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[parameters('TestCedential_1')]"
}
}
],
"outputs": {}
}
I've also tried granting permissions for the pipelines in access control in the key vault resource in Azure.
Am I missing something maybe?
I tested the same code in my environment and it resulted in the same error:
The issue is with the below:
"TestCedentialName_1": {
"value": "TestCedentialSecretName1_SecondVersion"
}
In a Key Vault secret name, '_' (underscore) is not allowed. The allowed values are alphanumeric characters and dashes.
Changing the underscore to a dash fixes the issue:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVault": {
"type": "string",
"defaultValue" :"test-kv-ansuman-d"
},
"TestCedential_1": {
"type": "secureString",
"defaultValue":"TestCedentialSecretValue1"
},
"TestCedentialName_1": {
"type": "string",
"defaultValue": "TestCedentialSecretName1-SecondVersion"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[parameters('TestCedential_1')]"
}
}
],
"outputs": {}
}
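The naming rule from this answer as a check that can run before deployment, as an added example that is not part of the original posts: it resolves each `Microsoft.KeyVault/vaults/secrets` name from the parameter values and reports the characters Key Vault would reject. The helper names are constructed here, and the resolver handles only the `concat`/`parameters` form used on this page.

```python
import re

# Key Vault secret names: 1-127 characters, letters, digits and dashes only.
SECRET_NAME_RE = re.compile(r"[0-9A-Za-z-]{1,127}")
TOKEN_RE = re.compile(r"parameters\('([^']+)'\)|'([^']*)'", re.IGNORECASE)

def resolve_name(expr, template, param_file):
    """Resolve a literal name or a [concat(parameters('a'), '/', ...)] expression."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    supplied = param_file.get("parameters", {})
    parts = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is None:
            parts.append(m.group(2))  # quoted string literal
            continue
        value = supplied.get(m.group(1), {}).get("value")
        if value is None:  # fall back to the template's defaultValue
            value = template.get("parameters", {}).get(m.group(1), {}).get("defaultValue")
        if value is None:
            raise KeyError("no value for parameter %r" % m.group(1))
        parts.append(str(value))
    return "".join(parts)

def invalid_secret_names(template, param_file):
    """Return (resolved name, offending characters) for each secret Key Vault would reject."""
    bad = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults/secrets":
            continue
        full = resolve_name(res["name"], template, param_file)
        secret = full.split("/")[-1]
        if not SECRET_NAME_RE.fullmatch(secret):
            bad.append((full, sorted(set(re.findall(r"[^0-9A-Za-z-]", secret)))))
    return bad

# Constructed inputs using the names from the question and the answer.
TEMPLATE = {
    "parameters": {"keyVault": {"type": "string"}, "TestCedentialName_1": {"type": "string"}},
    "resources": [{"type": "Microsoft.KeyVault/vaults/secrets",
                   "name": "[concat(parameters('keyVault'), '/', parameters('TestCedentialName_1'))]"}],
}
def params(secret_name):
    return {"parameters": {"keyVault": {"value": "test-kv-devopstest01-d"},
                           "TestCedentialName_1": {"value": secret_name}}}

if __name__ == "__main__":
    print(invalid_secret_names(TEMPLATE, params("TestCedentialSecretName1_SecondVersion")))
    print(invalid_secret_names(TEMPLATE, params("TestCedentialSecretName1-SecondVersion")))
```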
Can we retrieve the connection string for an Application Insights instance in an Azure Resource Group template?
I can retrieve the instrumentation key with the code below, but when I try to get connectionString with the same or Listkey, then it gives an error.
"outputs": {
"MyAppInsightsInstrumentationKey": {
"value": "[reference(resourceId('Microsoft.Insights/components', variables('myAppInsightsInstanceName')), '2014-04-01').connectionString]",
"type": "string"
}
}
Error:
{"error":{"code":"InvalidTemplate","message":"Deployment template validation failed: 'The template variable 'myAppInsightsInstanceName' is not found. Please see https://aka.ms/arm-template/#variables for usage details.'.","additionalInfo":[{"type":"TemplateViolation","info":{"lineNumber":95,"linePosition":40,"path":"properties.template.outputs.MyAppInsightsInstrumentationKey"}}]}}
As commented by @ZakiMa, you need to use a newer API version.
Something like this should work:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"MyAppInsightsInstanceName": "<My App Insights Instance Name>"
},
"outputs": {
"MyAppInsightsConnectionString": {
"value": "[reference(resourceId('Microsoft.Insights/components', variables('MyAppInsightsInstanceName')), '2020-02-02').ConnectionString]",
"type": "string"
}
},
"resources": []
}