Reference an existing Azure Automation Account in a different Resource Group - azure

I need to use an existing Azure Automation Account in ARM Templates to create a new compilation job. I know how to do this when the Automation Account is in the same Resource Group where I'm deploying, but I can't figure it out when it's an existing Automation Account in a different Resource Group.
for example:
Parent Template (Resource)
{
"name": "dscCompile",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2016-09-01",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'newGuid')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('templates').dsc]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"compile-settings": {
"value": {
"configurationData": "[concat('{\"AllNodes\": [{\"NodeName\":\"*\",\"PSDscAllowPlainTextPassword\":true,\"RetryIntervalSec\":30,\"RetryCount\":20},{\"Nodename\":\"localhost\",\"domainName\":\"', parameters('extn-settings').domain, '\",\"adminCreds\":\"', parameters('adminPassword'), '\",\"Role\":\"DC\"}]}')]",
"configurationName": "createPDC",
"location": "Australia Southeast",
"name": "[reference('newGuid').outputs.guid.value)]"
}
},
"tag-values": {
"value": "[parameters('tag-values')]"
}
}
}
Child Template
$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"compile-settings": {
"type": "object",
"metadata": {
"description": "These are settings for a DSC Compile"
}
},
"tag-values": {
"type": "object",
"metadata": {
"description": "These are the Tag values"
}
}
},
"resources": [
{
"name": "[parameters('compile-settings').jobGuid]",
"type": "Microsoft.Automation/automationAccounts/compilationjobs",
"apiVersion": "2015-10-31",
"location": "[parameters('compile-settings').location]",
"tags": "[parameters('tag-values')]",
"dependsOn": [],
"properties": {
"configuration": {
"name": "[parameters('compile-settings').configurationName]"
},
"parameters": {
"ConfigurationData": "[parameters('compile-settings').ConfigurationData]"
}
},
"resources": []
}
],
"outputs": {}
}
Thanks in advance!

Okay, so this wasn't even possible until recently, you can do it with cross resource group deployment.
Basically, you create a template inside a template (aka nested\child template) and pick a different resource group (using the resourceGroup property for that template. no other way.
{
"apiVersion": "2017-05-10",
"name": "nestedTemplate",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "crossResourceGroupDeployment",
"properties": { }
}

Related

Can't reference principalId of user assigned identity for key vault in same arm template

I'm having trouble referencing a user assigned identity that I create alongside a KeyVault instance within the same template. I've searched through documentation on how to reference managed identities in general and I believe it looks like the following:
reference(resourceId('resource-type', 'resource-name'), 'api-version', 'Full)).identity.principalId
However, this doesn't work for me and I'm not sure if it has something to do with deploying my templates at the subscription scope. I'm currently using linkedTemplates so that I can organize my code better and have a main template like the following:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {},
"resources": [
{
"apiVersion": "2020-06-01",
"location": "[variables('location')]",
"name": "key-vault-test”,
"properties": {
"mode": "Incremental",
"parameters": { },
"templateLink": {
"relativePath": “vault.json"
}
},
"type": "Microsoft.Resources/deployments"
}
],
}
Next, vault.json is as follows:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
…
},
"resources": [
{
"apiVersion": "2018-05-01",
"location": “[…..]”,
"name": "key-vault",
"type": "Microsoft.Resources/resourceGroups"
},
{
"apiVersion": "2020-06-01",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', 'key-vault')]"
],
"name": “user-assigned-identity-dep”,
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-11-30",
"location": “[…]”,
"name": “myIdentity”,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
},
{
"apiVersion": "2020-06-01",
"name": "key-vault-dep”,
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-02-14",
"location": “[…]”,
"name": "[concat('key-vault-', uniqueString(subscription().id))]",
"properties": {
"accessPolicies": [
{
"objectId": "[reference(variables('keyVaultIdentityId'), '2018-11-30', 'Full').identity.principalId]",
"permissions": {
"secrets": [
"get",
"list"
]
},
"tenantId": "[subscription().tenantId]"
}
],
"enableSoftDelete": true,
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]"
},
"type": "Microsoft.KeyVault/vaults"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
}
],
"variables": {
"keyVaultIdentityId": "/subscriptions/…/resourceGroups/key-vault/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity”
}
}
When I deploy the main template, the reference function that I've crafted returns me the deployment of the keyVault and not the managed identity at all.
'The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, properties, deploymentResourceLineInfo, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, condition, isConditionTrue, isTemplateResource, isAction, provisioningOperation
I'm not sure if I'm doing something wrong or if there's a better way to do this. In summary, I'm attempting to create a user assigned identity and create a key vault with access policies for that identity in the same template.
If you want to get the principalId of the user assigned identity, you need to use the following expression. For more details, please refer to here
[reference(resourceId('<subscriptionId>','<resourceGroupName>','Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]
for example
my template
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"defaultValue": "mytest",
"type": "String"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('name')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
}
],
"outputs": {
"principalId": {
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]",
"type": "string"
}
}
}
I got the same error but I had forgotten to assign a managed identity to my resource in the ARM template like:
"identity": {
"type": "SystemAssigned"
},
Example:
{
"type": "Microsoft.Web/sites",
"kind": "functionapp",
"name": "[variables('uniqueResourceNameBase')]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": { ... }
}
After doing this I could use .identity.principalId.
Source:
https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/
You can also manually set it in Azure Portal under your service -> Identity.
A system assigned managed identity is restricted to one per resource
and is tied to the lifecycle of this resource. You can grant
permissions to the managed identity by using Azure role-based access
control (Azure RBAC). The managed identity is authenticated with Azure
AD, so you don’t have to store any credentials in code. Learn more
about Managed identities.

How to wait for deploying a resource in another ResourceGroup in Arm template

We want to have two resource group, 1- shared-resource group for shared resources like app service plan, ...
2- another resource-group for other resources like web-app.
We are using nested link template which contains three level:
highest level is main deployment template file which contains everything.
next level is for calling all resource templates for each resource-group, e.g we have two template file in this level one for shared resource-group and two other resource-group, so for-example first file will call some link template to create app service plan, elastic pool and ....
second file will call link templates for deploying web-app, network and ....
last level is our generic resource templates, in this level for each resource we have a template file e.g for web-app we have a generic template which deploy web-app with some parameters.
Now the question is how we can use 'dependson' to create all shared-Resources first after that deploy all other resources?
*please note: shared resources are in different resource-group and other resources are in another resource-group so we have two resource-group which both and all included resources are deploying in main template file.
My main deployment template file is this:
// Include rg-CockpitShared and app specific resources - and share parameters
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-
01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"cockpitEnvironment": {
"type": "string"
}
},
"variables": {
"currentTemplateUri": "[deployment().properties.templateLink.uri]",
"rgCockpitSharedUrl": "[concat(uri(variables('currentTemplateUri'), 'rg-CockpitShared/rg-CockpitShared.json'))]",
"rgCockpitSharedParametersUrl": "[concat(uri(variables('currentTemplateUri'), concat('rg-CockpitShared/rg-CockpitShared.parameters.', parameters('cockpitEnvironment'), '.json')))]",
"rgClientCmdbTemplateUrl": "[concat(uri(variables('currentTemplateUri'), 'rg-ClientCmdb/rg-ClientCmdb.json'))]",
"rgClientCmdbParametersUrl": "[concat(uri(variables('currentTemplateUri'), concat('rg-ClientCmdb/rg-ClientCmdb.parameters.', parameters('cockpitEnvironment'), '.json')))]"
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"location": "[parameters('location')]",
"apiVersion": "2019-10-01",
"name": "CockpitShared",
"tags": {
"devOwner": "aspBuild"
},
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('rgCockpitSharedUrl')]",
"contentVersion": "1.0.0.0"
},
"parametersLink": {
"uri": "[variables('rgCockpitSharedParametersUrl')]",
"contentVersion": "1.0.0.0"
}
}
},
{
"type": "Microsoft.Resources/deployments",
"location": "[parameters('location')]",
"apiVersion": "2019-10-01",
"name": "otherResources",
"tags": {
"devOwner": "aspBuild"
},
"dependsOn": [
"CockpitShared"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('rgClientCmdbTemplateUrl')]",
"contentVersion": "1.0.0.0"
},
"parametersLink": {
"uri": "[variables('rgClientCmdbParametersUrl')]",
"contentVersion": "1.0.0.0"
}
}
}
],
"outputs": {
"rgCockpitSharedUrl": {
"type": "string",
"value": "[variables('rgCockpitSharedUrl')]"
},
"rgCockpitSharedParametersUrl": {
"type": "string",
"value": "[variables('rgCockpitSharedParametersUrl')]"
}
}
}
So What I have done here is using dependsOn = "CockpitShared" and expected that first it deploys shared resources and after that start to deploy 'otherResources', but I got error that app-service-plan is not found which means it's not wait to shared resources be deployed and I don't understand why? :(
Finally I found a solution:
I used 'reference' instead of 'dependson'.
So in my shared-Resources arm template I return app service plan name as output and used it from my main deployment file so it wait for finishing shared resources deployment first and after that start to deploy web app ...
for more detail see below code:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"cockpitEnvironment": {
"type": "string"
},
"storageAccountUri": {
"type": "string"
}
},
"variables": {
"rgCockpitSharedUrl": "[concat(uri(parameters('storageAccountUri'), 'rg-CockpitShared/rg-CockpitShared.json'))]",
"rgClientCmdbTemplateUrl": "[concat(uri(parameters('storageAccountUri'), 'ClientCmdb/rg-ClientCmdb/rg-ClientCmdb.json'))]"
},
"functions": [
{
"namespace": "ClientCmdb",
"members": {
"SelectValueByEnv": {
"parameters": [
{
"name": "Environment",
"type": "string"
},
{
"name": "prodValue",
"type": "string"
},
{
"name": "devValue",
"type": "string"
},
{
"name": "testValue",
"type": "string"
}
],
"output": {
"type": "string",
"value": "[if(equals(parameters('Environment'),'prod'),parameters('prodValue'),if(equals(parameters('Environment'),'dev'),parameters('devValue'),parameters('testValue')))]"
}
}
}
}
],
"resources": [
{
"type": "Microsoft.Resources/deployments",
"location": "[parameters('location')]",
"apiVersion": "2019-10-01",
"name": "CockpitShared",
"tags": {
"devOwner": "aspBuild"
},
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('rgCockpitSharedUrl')]"
},
"parameters": {
"rgName": {
"value": "[ClientCmdb.SelectValueByEnv(parameters('cockpitEnvironment'),'rg-CockpitShared','rg-CockpitShared','rg-CockpitShared')]"
},
"location": {
"value": "[parameters('location')]"
},
"cockpitEnvironment": {
"value": "[parameters('cockpitEnvironment')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"location": "[parameters('location')]",
"apiVersion": "2019-10-01",
"name": "ClientCmdb",
"tags": {
"devOwner": "aspBuild"
},
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('rgClientCmdbTemplateUrl')]"
},
"parameters": {
"rgName": {
"value": "[ClientCmdb.SelectValueByEnv(parameters('cockpitEnvironment'),'rg-ClientCmdb','rg-ClientCmdb','rg-ClientCmdb')]"
},
"location": {
"value": "[ClientCmdb.SelectValueByEnv(parameters('cockpitEnvironment'),'northeurope','northeurope','northeurope')]"
},
"cockpitEnvironment": {
"value": "[parameters('cockpitEnvironment')]"
},
"planName": {
// Here__________________________________________________________________________________
"value": "[reference('CockpitShared').outputs.planName.value]"
}
}
}
}
],
}
so basically I pass my app service plan name from shared resource template to main template and main template gets it by 'reference' and pass it to other resources template via parameter.
Regarding to do that I had to use inline params as I was using params in seperated files...
Hope it's useful for someone else :)

How to use copyIndex in a nested template resource?

Big picture: I want to use the ARM template to create multiple topics on a service bus.
Known fact: The app service that deploys the template is in a different resource group than the service bus.
Pain point: I'm using a nested template because I'm trying to create resources (topics) that are external to the targeted resource group. Within this nested template, I'm not sure how to get copy to work correctly.
From this MS doc , I believe my syntax is correct.
This is how my parameters are listed:
"sharedResourcesResourceGroupName": {
"type": "string",
"defaultValue": "sharedResourceGroupName",
"metadata": {
"description": "Resource Group in which platform shared resources live"
}
},
"serviceBusNamespaceName": {
"type": "string",
"defaultValue": "serviceBusName",
"metadata": {
"description": "Name of the Service Bus namespace"
}
},
"topics": {
"type": "array",
"metadata": {
"description": "List of topics"
},
"defaultValue": [
"topic1",
"topic2"
]
}
This is my resource object for creating the topics with the copyIndex() method:
{
"apiVersion": "2018-05-01",
"type": "Microsoft.Resources/deployments",
"name": "[concat(parameters('serviceBusNamespaceName'))]",
"resourceGroup": "[parameters('sharedResourcesResourceGroupName')]",
"properties": {
"mode": "Incremental",
"template":{
"$schema": "2018-05-01",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.ServiceBus/namespaces/topics",
"name": "[concat(parameters('serviceBusNamespaceName'), '/', parameters('topics')[copyIndex()])]",
"apiVersion": "2017-04-01",
"location": "[resourceGroup().location]",
"properties": {},
"copy": {
"name": "topics",
"count": "[length(parameters('topics'))]"
},
"dependsOn": [
"[parameters('serviceBusNamespaceName')]"
]
}
]
}
}
}
I am testing the arm template deployment using the Azure Powershell with these commands:
Connect-AzAccount
Set-AZContext -SubscriptionName subscriptionWhereTheAppServiceLives
New-AzResourceGroupDeployment -ResourceGroupName resourceGroupWhereAppServiceLives -TemplateFile <path to template file>\azuredeploy.json -TemplateParameterFile <path to parameters file>\azuredeploy.parameters.json
The error I'm getting from the Azure powershell console is:
The template function 'copyIndex' is not expected at this location. The function can only be used in a resource with copy specified.
If I remove the "copy" object and replace "name" with something like "[concat(parameters('serviceBusNamespaceName'), '/topicName')]", then the template is able to create ONE topic in the right service bus. But I'm looking to create multiple topics.
Any insight would be greatly appreciated!
I think you can do this:
{
"apiVersion": "2018-05-01",
"type": "Microsoft.Resources/deployments",
"name": "[concat(parameters('serviceBusNamespaceName'), copyIndex())]",
"resourceGroup": "[parameters('sharedResourcesResourceGroupName')]",
"copy": {
"name": "topics",
"count": "[length(parameters('topics'))]"
},
"dependsOn": [
"[parameters('serviceBusNamespaceName')]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "2018-05-01",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ServiceBus/namespaces/topics",
"name": "[concat(parameters('serviceBusNamespaceName'), '/', parameters('topics')[copyIndex()])]",
"apiVersion": "2017-04-01",
"location": "[resourceGroup().location]",
"properties": {}
}
]
}
}
}

How to apply a NSG to an existing subnet using ARM Template

I am creating new NSG with ARM template and updating the subnets at the same ARM template. I would like to be able to get subnets addressprefix with "reference" but when doing so I always get the circular dependency detected. Is there any way around it? My subnet arm template section looks like this:
{
"name": "[parameters('subnetName')]",
"properties": {
"addressPrefix": "[reference(resourceId(variables('ResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName')), '2018-03-01').addressPrefix]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]"
}
}
},
Here is a link on how to apply a NSG to an existing subnet:
Apply a NSG to an existing subnet
This template uses a link template to workaround the circular reference but you can also use a nested template to do the same in the same ARM template (see Using linked and nested templates when deploying Azure resources)
Here is an ARM template that do the same using a nested template:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.1",
"parameters": {
"virtualNetworkName": {
"type": "string",
"metadata": {
"description": "The name of the existing VNet"
}
},
"subnetName": {
"type": "string",
"defaultValue": "default",
"metadata": {
"description": "The name of the existing subnet."
}
},
"nsgName": {
"type": "string",
"metadata": {
"description": "The name of the new nsg."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[parameters('nsgName')]",
"location": "[resourceGroup().location]",
"apiVersion": "2018-03-01",
"properties": {
}
},
{
"apiVersion": "2017-08-01",
"name": "apply-nsg-to-subnet",
"type": "Microsoft.Resources/deployments",
"resourceGroup": "[resourceGroup().name]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-03-01",
"type": "Microsoft.Network/virtualNetworks/subnets",
"name": "[concat(parameters('virtualNetworkName'), '/', parameters('subnetName'))]",
"location": "[resourceGroup().location]",
"properties": {
"addressPrefix": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName')), '2018-03-01').addressPrefix]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
}
}
}
]
}
}
}
],
"outputs": {}
}

Azure ServiceBus - Queue - Authorization rule creation error

I'm creating Azure resource manager template with ServiceBus, queue and couple shared access rules. I'm creating the namespace and the queue correctly but when I try to add authorization rule I get:
Resource Microsoft.ServiceBus/namespaces/authorizationRules
'myservicebusnamespace/SendOnlyKey' failed with message 'Request
payload is not in the expected format.
First of all is this possible? There's no samples out there and do documentation either..
Since this is quite generic message I was wondering if anyone else has encountered similar issues using ARM Template for creating Queues?
This is what I have so far:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"sbNamespace": {
"type": "string",
"metadata": {
"description": "The service bus namespace"
}
}
},
"variables": {
"location": "[resourceGroup().location]",
"sbVersion": "[providers('Microsoft.ServiceBus', 'namespaces').apiVersions[0]]",
"queueName": "testQueue",
"defaultSASKeyName": "RootManageSharedAccessKey",
"authRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('sbNamespace'), variables('defaultSASKeyName'))]",
"sendAuthRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('sbNamespace'), 'SendOnlyKey')]",
"keyGeneratorTemplateUri": "https://raw.githubusercontent.com/sjkp/Azure.ARM.ServiceBus/master/Azure.ARM.ServiceBus/Templates/keygenerator.json"
},
"resources": [
{
"apiVersion": "2015-01-01",
"name": "primaryKey",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "incremental",
"templateLink": {
"uri": "[variables('keyGeneratorTemplateUri')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"seed": { "value": "1234a5" }
}
}
},
{
"apiVersion": "2015-01-01",
"name": "secondaryKey",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "incremental",
"templateLink": {
"uri": "[variables('keyGeneratorTemplateUri')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"seed": { "value": "ac34a5" }
}
}
},
{
//namespace
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('sbNamespace')]",
"type": "Microsoft.ServiceBus/namespaces",
"location": "[variables('location')]",
"properties": {
"messagingSku": 2
},
"resources": [
{
//queue
"apiVersion": "[variables('sbVersion')]",
"name": "[variables('queueName')]",
"type": "Queues",
"dependsOn": [
"[concat('Microsoft.ServiceBus/namespaces/', parameters('sbNamespace'))]"
],
"properties": {
"path": "[variables('queueName')]",
"defaultMessageTimeToLive": "14.0:0:0",
"maxQueueSizeInMegaBytes": "1024",
"maxDeliveryCount": "10"
}
}
,{
//auth rule 1
"apiVersion": "[variables('sbVersion')]",
"name": "[concat(parameters('sbNamespace'),'/SendOnlyKey')]",
"type": "Microsoft.ServiceBus/namespaces/authorizationRules",
"dependsOn": [
"[concat('Microsoft.ServiceBus/namespaces/', parameters('sbNamespace'))]",
"[concat('Microsoft.Resources/deployments/', 'primaryKey')]",
"[concat('Microsoft.Resources/deployments/', 'secondaryKey')]"
],
"location": "[variables('location')]",
"properties": {
"keyName": "SendOnlyKey",
"PrimaryKey": "[reference('primaryKey').outputs.key.value]",
"SecondaryKey": "[reference('secondaryKey').outputs.key.value]"
}
}
]
}
],
"outputs": {
"NamespaceDefaultConnectionString": {
"type": "string",
"value": "[listkeys(variables('authRuleResourceId'), variables('sbVersion')).primaryConnectionString]"
}
}
}
Sounds like something is failing with the sub template that should generate the keys.
Could you try to generate they keys with e.g. powershell instead:
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$key = [System.Convert]::ToBase64String($bytes)
To see if that fixes the error.
Difficult stuff, that's for sure. Have a look at
Service Bus ARM Templates
No Service Bus Provider for ARM yet

Resources