Loop for nested template and dynamically get keyvault secret name - json

Based on information from Microsoft site, it is possible get key vault secrets during the implementation. I would like to have similar solution but for 5 VMs and reuse templates in Loop to create 5 VMs with different password from key vault. The key vault already exists with the secrets name. The secrets name are like: Secrets0...Secrets4.
Does anyone has any idea of how to do this? Below my solution with Loop but doesn't works for me.
I appreciate for your support.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location where the resources will be deployed."
}
},
"vaultName": {
"type": "string",
"metadata": {
"description": "The name of the keyvault that contains the secret."
}
},
"secretName": {
"type": "string",
"metadata": {
"description": "The name of the secret."
}
},
"vaultResourceGroupName": {
"type": "string",
"metadata": {
"description": "The name of the resource group that contains the keyvault."
}
},
"vaultSubscription": {
"type": "string",
"defaultValue": "[subscription().subscriptionId]",
"metadata": {
"description": "The name of the subscription that contains the keyvault."
}
}
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('DynamicSecret,copyIndex('VMsLoop'))]"
"copy": {
"name": "VMsLoop",
"count": 5,
"mode": "Serial",
"batchSize": 1
},
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminLogin": {
"type": "string"
},
"adminPassword": {
"type": "securestring"
},
"location": {
"type": "string"
}
},
"variables": {
"sqlServerName": "[concat('sql-', uniqueString(resourceGroup().id, 'sql'))]"
},
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2018-06-01-preview",
"name": "[variables('sqlServerName')]",
"location": "[parameters('location')]",
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('adminPassword')]"
}
}
],
"outputs": {
"sqlFQDN": {
"type": "string",
"value": "[reference(variables('sqlServerName')).fullyQualifiedDomainName]"
}
}
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"adminLogin": {
"value": "ghuser"
},
"adminPassword": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
},
"secretName": "[concat(parameters('secretName'),copyIndex('VMsLoop'))]"
}
}
}
}
}
],
"outputs": {
}
}


The template you have provided actually works (except for one tiny typo - missing closing quote after DynamicSecret at "[concat('DynamicSecret,copyIndex('VMsLoop'))]" ).
However, since the uniquestring function that is used to generate the sql server name is deterministic (i.e. generated using the passed parameters of resoure group name and 'sql' string - uniqueString(resourceGroup().id, 'sql'). So the loop is hitting the same server instance just changing the password to the next secret in the list.
You can either promote the sqlServerName to parameter and suffix it with the loop index, or keep it as a variable and expand the uniqueString function with the deployment (i.e. uniqueString(resourceGroup().id, deployment().name, 'sql') ).

Related

Azure ARM copy Index not working in Json

I am trying to deploy multiple Azure VNETs using the code below,it
it gives error below
{
"error": {
"code": "InvalidTemplate",
"details": null,
"message": "Deployment template validation failed: 'The template resource '[concat(variables('namePrefix'), parameters('VNetSettings').vnets.name, [copyIndex(1)])]' at line '1' and column '923' is not valid: The language expression property 'name' has an invalid array index.. Please see https://aka.ms/arm-template-expressions for usage details.'.",
"target": null
},
"properties": null
}
This is my Code below. I want to use coyIndex to loop through multiple instances of azure virtual networks. Based on number of vnet names provided i want it get number of instances to be created.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"VNetSettings": {
"type": "object"
},
"namingSettings": {
"type": "object"
}
},
"variables": {
"namePrefix": "[concat(parameters('namingSettings').name.org,'-',parameters('namingSettings').name.accountEnv,'-',parameters('namingSettings').name.sdlcEnv,'-',parameters('namingSettings').name.region,'-',parameters('namingSettings').name.appname,'-')]"
},
"resources": [
{
"apiVersion": "2018-04-01",
"type": "Microsoft.Network/virtualNetworks",
"name": "[concat(variables('namePrefix'), parameters('VNetSettings').vnets.name, [copyIndex(1)])]",
"location": "[resourceGroup().location]",
"copy": {
"name": "vnetcopy",
"count": "[length(parameters('VNetSettings').vnets.name)]"
},
"scale": null,
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('VNetSettings').vnets.cidr]"
]
}
}
}
]
}
Update
Parameter fileenter code here
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters":{
"namingSettings": {
"value": {
"name": {
"org": "it",
"accountEnv": "nonprod",
"sdlcEnv": "it-test",
"region": "eastus2",
"tier": "",
"object": "",
"networkbuild": "network",
"auditbuild": "audit",
"automationbuild": "automation",
"dnsbuild": "dns",
"appname": "network"
}
}
},
"VNetSettings": {
"value": {
"vnets": [
{
"name": "vnet0",
"cidr": "10.10.10.0/24",
}
],
}
}
}
}

Your concat() input is wrong. copyIndex() should not be inside []. Try this:
"[concat(variables('namePrefix'), parameters('VNetSettings').vnets.name, copyIndex(1))]"
copyIndex() is just another function, you only wrap the string with [] once no matter how many functions are inside
you need to adjust your template to reflect the fact you are iterating over an array (right now you iterate over the name, and vnets.name is not a valid construct in the ARM Templates).
you need to do something like this:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"VNetSettings": {
"type": "object"
},
"namingSettings": {
"type": "object"
}
},
"variables": {
"namePrefix": "[concat(parameters('namingSettings').name.org,'-',parameters('namingSettings').name.accountEnv,'-',parameters('namingSettings').name.sdlcEnv,'-',parameters('namingSettings').name.region,'-',parameters('namingSettings').name.appname,'-')]"
},
"resources": [
{
"apiVersion": "2018-04-01",
"type": "Microsoft.Network/virtualNetworks",
"name": "[concat(variables('namePrefix'), parameters('VNetSettings').vnets[copyIndex()].name)]",
"location": "[resourceGroup().location]",
"copy": {
"name": "vnetcopy",
"count": "[length(parameters('VNetSettings').vnets)]"
},
"scale": null,
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('VNetSettings').vnets[copyIndex()].cidr]"
]
}
}
}
]
}
notice you need to use copyIndex() to get to the current vnet in your array and you need to use the .vnet to determine length

Create Storage Service Encryption ARM template with Customer managed key

We're trying to create an ARM template which will allow us to specify our own encryption key. I have the script below, this encrypts the storage account, however this doesn't allow us to add our own key.
Is there a way to add it programatically, I know it can be done using the portal.
The script I have is
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageNamePrefix": {
"type": "string",
"metadata": {
"description": "The prefix string to add to a generated name."
}
},
"storageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_RAGRS",
"Standard_ZRS",
"Premium_LRS"
],
"metadata": {
"description": "Storage Account type."
}
},
"blobEncryptionEnabled": {
"type": "bool",
"defaultValue": true,
"allowedValues": [
true,
false
],
"metadata": {
"description": "Enable or disable Blob encryption."
}
}
},
"variables": {
"storageAccountName": "[tolower( concat( parameters('storageNamePrefix'), uniqueString(subscription().id, resourceGroup().id) ))]",
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('storageAccountName')]",
"apiVersion": "2016-01-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "[parameters('storageAccountType')]"
},
"kind": "Storage",
"properties": {
"encryption": {
"keySource": "Microsoft.Storage",
"services": {
"blob": {
"enabled": "[parameters('blobEncryptionEnabled')]"
}
}
}
}
}
],
"outputs": {
"storageAccountName": {
"type": "string",
"value": "[variables('storageAccountName')]"
}
}
}
I've seen this on Azure Quickstart Templates, which seems to have the title of what I need, but I can't see where or how to add the key I would like to use..
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_RAGRS",
"Standard_ZRS",
"Premium_LRS"
],
"metadata": {
"description": "Storage Account type."
}
},
"blobEncryptionEnabled": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Enable or disable Blob encryption at Rest."
}
}
},
"variables": {
"storageAccountName": "[tolower( concat('sawithsse', substring(parameters('storageAccountType'), 0, 2), uniqueString(subscription().id, resourceGroup().id) ))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('storageAccountName')]",
"apiVersion": "2016-12-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "[parameters('storageAccountType')]"
},
"kind": "Storage",
"properties": {
"encryption": {
"keySource": "Microsoft.Storage",
"services": {
"blob": {
"enabled": "[parameters('blobEncryptionEnabled')]"
}
}
}
}
}
],
"outputs": {
"storageAccountName": {
"type": "string",
"value": "[variables('storageAccountName')]"
}
}
}
The portal way of enabling customer key for encryption is outlined in the below link:
https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys
This link mentions the ability to use Powershell, but I can't find any reference for it.
Hope this makes sense.
Thanks in advance.. :)

Something like this:
"properties": {
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
"keyname": xxx,
"keyvaulturi": xxx,
"keyversion": xxx
}
}
}
Source: https://learn.microsoft.com/en-us/rest/api/storagerp/storageaccounts/create#keyvaultproperties
another way, do it with powershell, add -debug and capture the rest call, port it to template.

Multiple values for a property on resource in Azure ARM Template

According to https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple#property-iteration it should be possible to create multiple values on a resource using copy but I can't make it work. Here is my code...
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"appServiceName": {
"type": "string",
"metadata": {
"description": "Name of app service to apply SSL to."
}
},
"certificateName": {
"type": "string",
"metadata": {
"description": "User friendly certificate resource name"
}
},
"appServicePlan": {
"type": "string",
"metadata": {
"description": "App Service Plan Name"
}
},
"keyVaultId": {
"type": "string",
"metadata": {
"description": "Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout README.md for more information)"
}
},
"hostname": {
"type": "array",
"metadata": {
"description": "Custom hostname for creating SSL binding. This hostname should already be assigned to the Web App"
}
}
},
"resources": [
{
"apiVersion": "2017-03-30",
"type": "Microsoft.Web/sites",
"name": "[parameters('appServiceName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/certificates', parameters('certificateName'))]"
],
"properties": {
"copy": [
{
"name": "hostnames",
"count": "[length(parameters('hostname'))]",
"input": {
"name": "[copyIndex('hostnames')]",
"properties": {
"hostNameSslStates": [
{
"name": "[[copyIndex(hostname)]]",
"sslState": "SniEnabled",
"thumbprint": "[reference(resourceId('Microsoft.Web/certificates', parameters('certificateName'))).Thumbprint]",
"toUpdate": true
}
]
}
}
}
]
}
},
{
"type": "Microsoft.Web/certificates",
"name": "[parameters('certificateName')]",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"keyVaultId": "[parameters('keyVaultId')]",
"keyVaultSecretName": "[parameters('certificateName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms',parameters('appServicePlan'))]"
}
}
]
}
And it returns Error: Code=InvalidTemplate; Message=Deployment template l
anguage expression evaluation failed: 'Unable to parse language expression 'copyIndex(hostname)]': expecte
d token 'LeftParenthesis' and actual 'RightParenthesis'.'. Please see https://aka.ms/arm-template-expressi
ons for usage details.
Any ideas what am I doing wrong?
Thanks in advance!

the error gives is away:
change "[[copyIndex(hostname)]]", to "[copyIndex('hostname')]"
you even have it right in other places, why not here?
and you probably want to do this:
"[parameters('hostname')[copyIndex('hostname')]]"

How can I choose a different ClearDb MySQL database type within an ARM template?

I am trying to manually code a ClearDB MySQL database resource within an ARM template to be of the 'Dedicated' type and of the 'Jupiter' tier, but I can't seem to find any documentation that shows how to do so within a template.
I know the ARM resource would look something like this:
{
"apiVersion": "2014-01-01",
"name": "[variables('databaseName')]",
"type": "SuccessBricks.ClearDB/databases",
"plan": {
"name": "Jupiter",
"product": "databases",
"publisher": "cleardb"
},
"location": "[resourceGroup().location]",
"tags": {}
}
but where is the property that defines whether the database is shared or dedicated?

I create the ClearDB MySQL database with different Database Types (Shared and Dedicated), and I check and compare the templates via Automation options.
Templates:
Database Type: Shared
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"cdbName": {
"type": "string"
},
"cdbLocation": {
"type": "string"
},
"cdbSku": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2014-04-01",
"name": "[parameters('cdbName')]",
"location": "[parameters('cdbLocation')]",
"tags": {
"provision_source": "RMS"
},
"type": "SuccessBricks.ClearDB/databases",
"plan": {
"name": "[parameters('cdbSku')]",
"product": "databases",
"publisher": "cleardb"
}
}
]
}
Database Type: Dedicated
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"cdbName": {
"type": "string"
},
"cdbLocation": {
"type": "string"
},
"cdbSku": {
"type": "string"
},
"clusterName": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2014-04-01",
"name": "[parameters('clusterName')]",
"location": "[parameters('cdbLocation')]",
"tags": {
"provision_source": "RMS"
},
"type": "SuccessBricks.ClearDB/clusters",
"plan": {
"name": "[parameters('cdbSku')]",
"product": "cluster",
"publisher": "cleardb_clusters"
}
},
{
"apiVersion": "2014-04-01",
"name": "xxxcleardbtest",
"location": "[parameters('cdbLocation')]",
"tags": {
"provision_source": "RMS"
},
"type": "SuccessBricks.ClearDB/databases",
"plan": {
"name": "Free"
},
"dependsOn": [
"[concat('SuccessBricks.ClearDB/clusters/', parameters('clusterName'))]"
],
"properties": {
"cluster": "/subscriptions/[object Object]/resourcegroups/xxxxxxxx/providers/SuccessBricks.ClearDB/clusters/DefaultCluster"
}
}
]
}
In Database Type: Dedicated template, we can find the resource SuccessBricks.ClearDB/databases is defined with a dependent (SuccessBricks.ClearDB/clusters) via dependsOn element. According to the template you provide, your database type is Shared.

How to create multiple Service Bus topics using ARM template?

I've looked at the https://github.com/Azure/azure-quickstart-templates/tree/master/101-servicebus-topic example. Now I'm trying to figure out how to create several topics when running the deploy script using nested resource looping (https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-multiple/#looping-on-a-nested-resource).
It would be nice to just define an array in the value for serviceBusTopicName and then somehow creating topics by looping through it, instead of doing it manually.
I am getting the following error when trying to deploy.
Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The template resource '[parameters('serviceBusTopicName')[copyIndex()]]' at line '72' column '14' is not valid.
Copying nested resources is not supported. Please see https://aka.ms/arm-copy/#looping-on-a-nested-resource for usage details.'.
This is the template.json that I have tried to get to work.
"parameters": {
"serviceBusNamespaceName": {
"type": "string",
"metadata": {
"description": "Name of the Service Bus namespace"
}
},
"serviceBusTopicName": {
"type": "array",
"metadata": {
"description": "Name of the Topic"
}
},
"serviceBusApiVersion": {
"type": "string",
"defaultValue": "2015-08-01",
"metadata": {
"description": "Service Bus ApiVersion used by the template"
},
"resources": [
{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusNamespaceName')]",
"type": "Microsoft.ServiceBus/Namespaces",
"location": "[variables('location')]",
"kind": "Messaging",
"sku": {
"name": "StandardSku",
"tier": "Standard"
},
"resources": [
{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusTopicName')]",
"type": "Topics",
"dependsOn": [
"[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
],
"properties": {
"path": "[parameters('serviceBusTopicName')]"
},
"copy": {
"name": "datasetcopy",
"count": "[length(parameters('serviceBusTopicName'))]"
}
}
]
},
parameters.json
{"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceBusNamespaceName": {
"value": "ServiceBus"
},
"serviceBusTopicName": {
"value": [
"Person",
"Stadium",
"Team"
]
},
"serviceBusApiVersion": {
"value": "2015-08-01"
}
}

As #Lain said, copying nested resource isn't supported as of now Check Here. For deploying multiple resource you have to move it to root. I just finished my POC for deploying multiple topics (Just topics assuming Namespace already exists) here is the code. I am passing topic names as a comma separated string:
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceBusNamespaceName": {
"type": "string",
"metadata": {
"description": "Name of the Service Bus namespace"
}
},
"serviceBusTopicName": {
"type": "string",
"metadata": {
"description": "Comma seperated Topic Names"
}
},
"serviceBusApiVersion": {
"type": "string",
"defaultValue": "2015-08-01",
"metadata": {
"description": "Service Bus ApiVersion used by the template"
}
}
},
"variables": {
"location": "[resourceGroup().location]",
"sbVersion": "[parameters('serviceBusApiVersion')]",
"TopicNames": "[split(parameters('serviceBusTopicName'), ',')]"
},
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[concat(parameters('serviceBusNamespaceName'), '/', variables('TopicNames')[copyIndex()])]",
"type": "Microsoft.ServiceBus/Namespaces/Topics",
"copy": {
"name": "TopicNameCopy",
"count": "[length(variables('TopicNames'))]"
},
"properties": {
"path": "[variables('TopicNames')[copyIndex()]]"
}
}]
}

The link in the error message goes through this pretty well, but you can't have loops in nested resources, you need to push the resource up to the top level, and then link the resources together using names. This template will do what you seem to be trying to do:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serviceBusNamespaceName": {
"type": "string",
"metadata": {
"description": "Name of the Service Bus Namespace"
}
},
"serviceBusTopicNames": {
"type": "array",
"metadata": {
"description": "Name of the Service Bus Topic"
}
}
},
"variables": {
"sbVersion": "2015-08-01"
},
"resources": [
{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusNamespaceName')]",
"type": "Microsoft.ServiceBus/namespaces",
"location": "[resourceGroup().location]",
"properties": {
}
},
{
"apiVersion": "[variables('sbVersion')]",
"name": "[concat(parameters('serviceBusNamespaceName'), '/', parameters('serviceBusTopicNames')[copyIndex()])]",
"type": "Microsoft.ServiceBus/namespaces/Topics",
"dependsOn": [
"[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
],
"copy": {
"name": "datasetcopy",
"count": "[length(parameters('serviceBusTopicNames'))]"
},
"properties": {
"path": "[parameters('serviceBusTopicNames')[copyIndex()]]"
},
"resources": [
]
}
]
}