I am trying to create EMR-5.30.1 clusters with applications such as Hadoop, livy, Spark, ZooKeeper, and Hive with the help of the CloudFormation template. But the issue is with this template is I am able the cluster with only one application from the above list of applications.
below is the CloudFormation Template
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Best Practice EMR Cluster for Spark or S3 backed Hbase",
"Parameters": {
"EMRClusterName": {
"Description": "Name of the cluster",
"Type": "String",
"Default": "emrcluster"
},
"KeyName": {
"Description": "Must be an existing Keyname",
"Type": "String",
"Default": "keyfilename"
},
"MasterInstanceType": {
"Description": "Instance type to be used for the master instance.",
"Type": "String",
"Default": "m5.xlarge"
},
"CoreInstanceType": {
"Description": "Instance type to be used for core instances.",
"Type": "String",
"Default": "m5.xlarge"
},
"NumberOfCoreInstances": {
"Description": "Must be a valid number",
"Type": "Number",
"Default": 1
},
"SubnetID": {
"Description": "Must be Valid public subnet ID",
"Default": "subnet-ee15b3e0",
"Type": "String"
},
"LogUri": {
"Description": "Must be a valid S3 URL",
"Default": "s3://aws/elasticmapreduce/",
"Type": "String"
},
"S3DataUri": {
"Description": "Must be a valid S3 bucket URL ",
"Default": "s3://aws/elasticmapreduce/",
"Type": "String"
},
"ReleaseLabel": {
"Description": "Must be a valid EMR release version",
"Default": "emr-5.30.1",
"Type": "String"
},
"Applications": {
"Description": "Please select which application will be installed on the cluster this would be either Ganglia and spark, or Ganglia and s3 backed Hbase",
"Type": "String",
"AllowedValues": [
"Spark",
"Hbase",
"Hive",
"Livy",
"ZooKeeper"
]
}
},
"Mappings": {},
"Conditions": {
"Spark": {
"Fn::Equals": [
{
"Ref": "Applications"
},
"Spark"
]
},
"Hbase": {
"Fn::Equals": [
{
"Ref": "Applications"
},
"Hbase"
]
},
"Hive": {
"Fn::Equals": [
{
"Ref": "Applications"
},
"Hive"
]
},
"Livy": {
"Fn::Equals": [
{
"Ref": "Applications"
},
"Livy"
]
},
"ZooKeeper": {
"Fn::Equals": [
{
"Ref": "Applications"
},
"ZooKeeper"
]
}
},
"Resources": {
"EMRCluster": {
"DependsOn": [
"EMRClusterServiceRole",
"EMRClusterinstanceProfileRole",
"EMRClusterinstanceProfile"
],
"Type": "AWS::EMR::Cluster",
"Properties": {
"Applications": [
{
"Name": "Ganglia"
},
{
"Fn::If": [
"Spark",
{
"Name": "Spark"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"Hbase",
{
"Name": "Hbase"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"Hive",
{
"Name": "Hive"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"Livy",
{
"Name": "Livy"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"ZooKeeper",
{
"Name": "ZooKeeper"
},
{
"Ref": "AWS::NoValue"
}
]
}
],
"Configurations": [
{
"Classification": "hbase-site",
"ConfigurationProperties": {
"hbase.rootdir":{"Ref":"S3DataUri"}
}
},
{
"Classification": "hbase",
"ConfigurationProperties": {
"hbase.emr.storageMode": "s3"
}
}
],
"Instances": {
"Ec2KeyName": {
"Ref": "KeyName"
},
"Ec2SubnetId": {
"Ref": "SubnetID"
},
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {
"Ref": "MasterInstanceType"
},
"Market": "ON_DEMAND",
"Name": "Master"
},
"CoreInstanceGroup": {
"InstanceCount": {
"Ref": "NumberOfCoreInstances"
},
"InstanceType": {
"Ref": "CoreInstanceType"
},
"Market": "ON_DEMAND",
"Name": "Core"
},
"TerminationProtected": false
},
"VisibleToAllUsers": true,
"JobFlowRole": {
"Ref": "EMRClusterinstanceProfile"
},
"ReleaseLabel": {
"Ref": "ReleaseLabel"
},
"LogUri": {
"Ref": "LogUri"
},
"Name": {
"Ref": "EMRClusterName"
},
"AutoScalingRole": "EMR_AutoScaling_DefaultRole",
"ServiceRole": {
"Ref": "EMRClusterServiceRole"
}
}
},
"EMRClusterServiceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"elasticmapreduce.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"
],
"Path": "/"
}
},
"EMRClusterinstanceProfileRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
],
"Path": "/"
}
},
"EMRClusterinstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "EMRClusterinstanceProfileRole"
}
]
}
}
},
"Outputs": {}
}
Also, I want to add a bootstrap script in this template as well, Can anyone please help me with the issue.
As per my knoweldge and understanding, Applications in your case should be an array like below, as mentioned in documentation
"Applications" : [ Application, ... ],
In you case, you can list applications like
"Applications" : [
{"Name" : "Spark"},
{"Name" : "Hbase"},
{"Name" : "Hive"},
{"Name" : "Livy"},
{"Name" : "Zookeeper"},
]
For more arguments other than Name to individual application dictionary , see detail here, you can pass Args, Additional_info etc
You can use following way:-
If you set "ReleaseLabel" then there is no need to mention versions of applications
"Applications": [{
"Name": "Hive"
},
{
"Name": "Presto"
},
{
"Name": "Spark"
}
]
For bootstrap:-
"BootstrapActions": [{
"Name": "setup",
"ScriptBootstrapAction": {
"Path": "s3://bucket/key/Bootstrap.sh"
}
}]
Define like this to create all applications at once.
{
"Type": "AWS::EMR::Cluster",
"Properties": {
"Applications": [
{
"Name": "Ganglia"
},
{
"Name": "Spark"
},
{
"Name": "Livy"
},
{
"Name": "ZooKeeper"
},
{
"Name": "JupyterHub"
}
]
}
}
Related
I have a problem with Visual Studio Code custom syntax highlighting.
I have made a extension using yo code, put it in %userprofile%/.vscode/extensions, restarted Visual Studio Code, but it's not highlighting any words, but at the bottom it says it's using my syntax highlighter.
This is my tmLanguage.json:
{
"$schema": "https://raw.githubusercontent.com/martinring/tmlanguage/master/tmlanguage.json",
"name": "Instructions ASM",
"patterns": [
{
"include": "#keywords"
},
{
"include": "#typewords"
},
{
"include": "#strings"
},
{
"include": "#numbers"
},
{
"include": "#variables"
},
{
"include": "#comments"
},
{
"include": "#sections"
}
],
"repository": {
"keywords":{
"patterns": [
{
"name": "keyword",
"match": "(mov|xor|and|or|int|jmp|con)"
}
]
},
"typewords": {
"patterns": [
{
"name": "keyword.control",
"match": "(db|dw|dd|resb|resw|resd|eq|byte|word|doubleword)"
}
]
},
"strings": {
"patterns": [
{
"name": "string",
"match": "(\".*\")|('.')"
}
]
},
"numbers": {
"patterns": [
{
"name": "constant.numeric",
"match": "(0[xX][a-fA-F0-9]{1,8})|(\\d+)|(0[bB][0-1]{1,64})"
}
]
},
"variables": {
"patterns": [
{
"name": "variable",
"match": "$[a-zA-Z0-9_-.]{1,255}"
}
]
},
"comments": {
"patterns": [
{
"name": "comment",
"match": ";.*"
}
]
},
"sections": {
"patterns": [
{
"name": "entity.name.class",
"match": "(\\.DATA|\\.TEXT|\\.BSS)"
}
]
}
},
"scopeName": "source.1"
}
This is my package.json:
{
"name": "instruction-assembly",
"displayName": "Instruction assembly",
"description": "Code only in instructions - Assembly readable version",
"version": "0.0.1",
"engines": {
"vscode": "^1.54.0"
},
"categories": [
"Programming Languages"
],
"contributes": {
"languages": [{
"id": "instructions-asm",
"aliases": ["Instructions ASM", "instructions-asm"],
"extensions": [".1"],
"configuration": "./language-configuration.json"
}],
"grammars": [{
"language": "instructions-asm",
"scopeName": "source.1",
"path": "./syntaxes/instructions-asm.tmLanguage.json"
}]
}
}
Thanks!
I was trying to run a code and i had this error but cant identify the problem. i got the error message The CIDR '10.0.1.0/24' conflicts with another subnet (Service: AmazonEC2; Status Code: 400; Error Code: InvalidSubnet.Conflict; Request ID: e0de23a8-d921-475f-aadd-84dac3109664; Proxy: null)
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "This is a network with one Vpc, 4 Subnet; 2 private, 2 public",
"Metadata": {},
"Parameters": {
"MyVpcCidr": {
"Description": "This is the cidr for appVpc",
"Type": "String",
"Default": "10.0.0.0/16"
},
"AZ1": {
"Description": "AZ 1 for my network",
"Type": "AWS::EC2::AvailabilityZone::Name"
},
"Priv1Cidr": {
"Description": "This is the cidr for my appPriv1Subnet",
"Type": "String",
"Default": "10.0.1.0/24"
},
"Priv2Cidr": {
"Description": "This is the cidr for my appPriv2Subnet",
"Type": "String",
"Default": "10.0.3.0/24"
},
"AZ2": {
"Description": "AZ 2 for my network",
"Type": "AWS::EC2::AvailabilityZone::Name"
},
"Pub1Cidr": {
"Description": "Cidr for my appPubSN1",
"Type": "String",
"Default": "10.0.2.0/24"
},
"Pub2Cidr": {
"Description": "Cidr for appPubSN2",
"Type": "String",
"Default": "10.0.4.0/16"
}
},
"Mappings": {},
"Conditions": {},
"Resources": {
"appVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "MyVpcCidr"
},
"Tags": [
{
"Key": "Name",
"Value": "AppVpc"
}
]
}
},
"appPriv1Subnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Ref": "AZ1"
},
"VpcId": {
"Ref": "appVpc"
},
"CidrBlock": {
"Ref": "Priv1Cidr"
},
"Tags": [
{
"Key": "Name",
"Value": "Apppriv1subnet"
}
]
}
},
"appPriv2Subnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Ref": "AZ2"
},
"VpcId": {
"Ref": "appVpc"
},
"CidrBlock": {
"Ref": "Priv2Cidr"
},
"Tags": [
{
"Key": "Name",
"Value": "AppPriv2Subnet"
}
]
}
},
"appPubSN1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Ref": "AZ1"
},
"VpcId": {
"Ref": "appVpc"
},
"CidrBlock": {
"Ref": "Pub1Cidr"
},
"Tags": [
{
"Key": "Name",
"Value": "AppPubsn1"
}
]
}
},
"appPubSN2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Ref": "AZ2"
},
"VpcId": {
"Ref": "appVpc"
},
"CidrBlock": {
"Ref": "Pub2Cidr"
},
"Tags": [
{
"Key": "Name",
"Value": "AppPubsn2"
}
]
}
},
"appIG": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "AppIG"
}
]
}
},
"AttachGateway": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "appVpc"
},
"InternetGatewayId": {
"Ref": "appIG"
}
}
},
"appPrivRT": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "appVpc"
},
"Tags": [
{
"Key": "Name",
"Value": "AppPrivRt"
}
]
}
},
"PrivRTA1": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "appPriv1Subnet"
},
"RouteTableId": {
"Ref": "appPrivRT"
}
}
},
"PrivRTA2": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "appPriv2Subnet"
},
"RouteTableId": {
"Ref": "appPrivRT"
}
}
},
"appEIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"appNatgw": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"appEIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "appPubSN1"
},
"Tags": [
{
"Key": "Name",
"Value": "Appnatgw"
}
]
}
},
"appPrivRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "appPrivRT"
},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "appNatgw"
}
}
},
"appPubRT": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "appVpc"
},
"Tags": [
{
"Key": "Name",
"Value": "AppPubRT"
}
]
}
},
"PubRTA1": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "appPubSN1"
},
"RouteTableId": {
"Ref": "appPubRT"
}
}
},
"PubRTA2": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "appPubSN2"
},
"RouteTableId": {
"Ref": "appPubRT"
}
}
},
"appPubRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "appPubRT"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "appIG"
}
}
},
"appSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow ssh port 22 and port 80",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
}
],
"VpcId": {
"Ref": "appVpc"
},
"Tags": [
{
"Key": "Name",
"Value": "AppSG"
}
]
}
},
"internalSG": {
"DependsOn": "appSG",
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow traffic from appSG",
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "appSG"
}
}
],
"VpcId": {
"Ref": "appVpc"
},
"Tags": [
{
"Key": "Name",
"Value": "appinternalSG"
}
]
}
}
},
"Outputs": {
"appVpcId": {
"Description": "Id for my vpc ",
"Value": {
"Ref": "appVpc"
},
"Export": {
"Name": "appVpcid"
}
},
"appPrivSN1Id": {
"Description": "Id for my private SN1",
"Value": {
"Ref": "appPriv1Subnet"
},
"Export": {
"Name": "appPrivSNID1"
}
},
"appPrivSN2Id": {
"Description": "Id for my subnet 2 private",
"Value": {
"Ref": "appPriv2Subnet"
},
"Export": {
"Name": "appPrivSNID2"
}
},
"appPubSN1Id": {
"Description": "Id for Public subnet 1",
"Value": {
"Ref": "appPubSN1"
},
"Export": {
"Name": "appPubSNID1"
}
},
"appPubSN2Id": {
"Description": "Id for Public subnet 2",
"Value": {
"Ref": "appPubSN2"
},
"Export": {
"Name": "appPubSNID2"
}
},
"externalSgid": {
"Description": "Id for external security group",
"Value": {
"Ref": "appSG"
},
"Export": {
"Name": "appSGID"
}
},
"internalSGId": {
"Description": "Id for internal security group",
"Value": {
"Ref": "internalSG"
},
"Export": {
"Name": "internalSGID"
}
}
}
}
I suspect 10.0.4.0/16 is a typo that was meant to be 10.0.4.0/24.
The reason is that the cidr 10.0.4.0/16, which you have set for Pub2Cidr starts at 10.0.0.0 and ends at 10.0.255.255, which overlaps with 10.0.1.0/24 which starts at 10.0.1.0 and ends at 10.0.1.255.
I am trying to deploy a MySQL Flexible server cluster using ARM Templates and terraform (since terraform doesn't have any resource for mysql_flexible) but it gives me the following "Internal Server Error" without any meaningful information.
Please provide string value for 'version' (? for help): 5.7
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"Conflict","message":"{\r\n "status": "Failed",\r\n "error": {\r\n "code": "ResourceDeploymentFailure",\r\n "message": "The resource operation completed with terminal provisioning state 'Failed'.",\r\n "details": [\r\n {\r\n "code": "InternalServerError",\r\n "message": "An unexpected error occured while processing the request. Tracking ID: 'b8ab3a01-d4f2-40d5-92cf-2c9a239bdac3'"\r\n }\r\n ]\r\n }\r\n}"}]}}
There's not much information when I paste this tracking ID in Azure Activity Log.
Here's my sample template.json file which I am using.
{
"$schema" : "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion" : "1.0.0.0",
"parameters" : {
"administratorLogin" : {
"type" : "String"
},
"administratorLoginPassword" : {
"type" : "SecureString"
},
"availabilityZone" : {
"type" : "String"
},
"location" : {
"type" : "String"
},
"name" : {
"type" : "String"
},
"version" : {
"type" : "String"
}
},
"resources" : [
{
"apiVersion" : "2021-05-01-preview",
"identity" : {
"type" : "SystemAssigned"
},
"location" : "eastus",
"name" : "mysql-abcd-eastus",
"properties" : {
"administratorLogin" : "randomuser",
"administratorLoginPassword" : "randompasswd",
"availabilityZone" : "1",
"backup" : {
"backupRetentionDays" : "7",
"geoRedundantBackup" : "Disabled"
},
"createMode" : "Default",
"highAvailability" : {
"mode" : "Enabled",
"standbyAvailabilityZone" : "2"
},
"network" : {
"delegatedSubnetResourceId" : "myactualsubnetid",
"privateDnsZoneResourceId" : "myactualprivatednszoneid"
},
"version" : "[parameters('version')]"
},
"sku" : {
"name" : "Standard_E4ds_v4",
"tier" : "MemoryOptimized"
},
"type" : "Microsoft.DBforMySQL/flexibleServers"
}
]
}
I tested your code and faced the same issue . So, as a solution you can try with below Code :
provider "azurerm" {
features {}
}
data "azurerm_resource_group" "example" {
name = "yourresourcegroup"
}
resource "azurerm_resource_group_template_deployment" "example" {
name = "acctesttemplate-01"
resource_group_name = data.azurerm_resource_group.example.name
parameters_content = jsonencode({
"administratorLogin"= {
"value"= "sqladmin"
},
"administratorLoginPassword"= {
"value": "password"
},
"location"= {
"value": "eastus"
},
"serverName"= {
"value"= "ansumantestsql1234"
},
"serverEdition"= {
"value"= "GeneralPurpose"
},
"vCores"= {
"value"= 2
},
"storageSizeGB"= {
"value"= 64
},
"haEnabled"= {
"value"= "ZoneRedundant"
},
"availabilityZone"= {
"value"= "1"
},
"standbyAvailabilityZone"= {
"value"= "2"
},
"version"= {
"value"= "5.7"
},
"tags"= {
"value"= {}
},
"firewallRules"= {
"value"= {
"rules"= []
}
},
"backupRetentionDays"= {
"value"= 7
},
"geoRedundantBackup"= {
"value"= "Disabled"
},
"vmName"= {
"value"= "Standard_D2ds_v4"
},
"publicNetworkAccess"= {
"value"= "Enabled"
},
"storageIops"= {
"value": 1000
},
"storageAutogrow"= {
"value"= "Enabled"
},
"vnetData"= {
"value"= {
"virtualNetworkName"= "testVnet",
"subnetName"= "testSubnet",
"virtualNetworkAddressPrefix"= "10.0.0.0/16",
"virtualNetworkResourceGroupName"= "[resourceGroup().name]",
"location"= "eastus2",
"subscriptionId"= "[subscription().subscriptionId]",
"subnetProperties"= {},
"isNewVnet"= false,
"subnetNeedsUpdate"= false,
"Network"= {}
}
},
"infrastructureEncryption"= {
"value"= "Disabled"
}
})
template_content = <<DEPLOY
{
"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"administratorLogin": {
"type": "string"
},
"administratorLoginPassword": {
"type": "securestring"
},
"location": {
"type": "string"
},
"serverName": {
"type": "string"
},
"serverEdition": {
"type": "string"
},
"vCores": {
"type": "int",
"defaultValue": 4
},
"storageSizeGB": {
"type": "int"
},
"haEnabled": {
"type": "string",
"defaultValue": "Disabled"
},
"availabilityZone": {
"type": "string"
},
"standbyAvailabilityZone": {
"type": "string"
},
"version": {
"type": "string"
},
"tags": {
"type": "object",
"defaultValue": {}
},
"firewallRules": {
"type": "object",
"defaultValue": {}
},
"backupRetentionDays": {
"type": "int"
},
"geoRedundantBackup": {
"type": "string"
},
"vmName": {
"type": "string",
"defaultValue": "Standard_B1ms"
},
"publicNetworkAccess": {
"type": "string",
"metadata": {
"description": "Value should be either Enabled or Disabled"
}
},
"storageIops": {
"type": "int"
},
"storageAutogrow": {
"type": "string",
"defaultValue": "Enabled"
},
"vnetData": {
"type": "object",
"metadata": {
"description": "Vnet data is an object which contains all parameters pertaining to vnet and subnet"
},
"defaultValue": {
"virtualNetworkName": "testVnet",
"subnetName": "testSubnet",
"virtualNetworkAddressPrefix": "10.0.0.0/16",
"virtualNetworkResourceGroupName": "[resourceGroup().name]",
"location": "westus2",
"subscriptionId": "[subscription().subscriptionId]",
"subnetProperties": {},
"isNewVnet": false,
"subnetNeedsUpdate": false,
"Network": {}
}
},
"infrastructureEncryption": {
"type": "string"
}
},
"variables": {
"api": "2021-05-01-preview",
"firewallRules": "[parameters('firewallRules').rules]"
},
"resources": [
{
"apiVersion": "[variables('api')]",
"location": "[parameters('location')]",
"name": "[parameters('serverName')]",
"properties": {
"version": "[parameters('version')]",
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"publicNetworkAccess": "[parameters('publicNetworkAccess')]",
"Network": "[if(empty(parameters('vnetData').Network), json('null'), parameters('vnetData').Network)]",
"Storage": {
"StorageSizeGB": "[parameters('storageSizeGB')]",
"Iops": "[parameters('storageIops')]",
"Autogrow": "[parameters('storageAutogrow')]"
},
"Backup": {
"backupRetentionDays": "[parameters('backupRetentionDays')]",
"geoRedundantBackup": "[parameters('geoRedundantBackup')]"
},
"availabilityZone": "[parameters('availabilityZone')]",
"highAvailability": {
"mode": "[parameters('haEnabled')]",
"standbyAvailabilityZone": "[parameters('standbyAvailabilityZone')]"
},
"dataencryption": {
"infrastructureEncryption": "[parameters('infrastructureEncryption')]"
}
},
"sku": {
"name": "[parameters('vmName')]",
"tier": "[parameters('serverEdition')]",
"capacity": "[parameters('vCores')]"
},
"tags": "[parameters('tags')]",
"type": "Microsoft.DBforMySQL/flexibleServers"
},
{
"condition": "[greater(length(variables('firewallRules')), 0)]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-08-01",
"name": "[concat('firewallRules-', copyIndex())]",
"copy": {
"count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]",
"mode": "Serial",
"name": "firewallRulesIterator"
}
}
]
}
DEPLOY
deployment_mode = "Incremental"
}
Output:
Trying to create a DeployIfNotExists policy that will automatically set the "networkACLs" properties on all key vaults but after battling with that for a couple of weeks, I decided to try to manipulate a simpler boolean property instead of a complex object property. The property I chose is "enabledForDeployment". The policy does properly find the non-compliant key vaults but the deployment is not working.
Once I get this "easy" policy working, I will go back and attempt to set the "networkACLs" property to the following:
"networkAcls": {
"defaultAction": "Deny",
"bypass": "None",
"ipRules": [
{"value": "1.1.1.0/24"},
{"value":"2.2.2.0/24"}
],
"virtualNetworkRules": []
}
The policy code is below...
{
"mode": "All",
"policyRule": {
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.KeyVault/vaults"
},
{
"not": {
"field": "Microsoft.KeyVault/vaults/enabledForDeployment",
"equals": true
}
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.KeyVault/vaults",
"name": "[field('name')]",
"existenceCondition": {
"field": "Microsoft.KeyVault/vaults/enabledForDeployment",
"equals": "true"
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "[field('location')]",
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Name": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2018-02-14",
"name": "[parameters('Name')]",
"location": "[parameters('location')]",
"properties": {
"enabledForDeployment": true
}
}
],
"outputs": {
"policy": {
"type": "string",
"value": "done"
}
}
},
"parameters": {
"location": {
"value": "[field('location')]"
},
"Name": {
"value": "[field('name')]"
}
}
}
}
}
}
},
"parameters": {}
}
I'm currently getting an "internalServerError" message. Any ideas?
#Kemley you are correct. My ARM template was incorrect. It was missing a few required fields (Sku, Access Policies, etc). Below is the final policy that updates the NetworkACLs if the default network allow all is set.
{
"properties": {
"displayName": "Vzn Deploy Key Vault NetworkAcls defaultAction",
"policyType": "Custom",
"mode": "All",
"description": "Removes the default allow all networks. Manually sets 2 firewall rules",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"deployIfNotExists",
"disabled"
],
"defaultValue": "deployIfNotExists"
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.KeyVault/vaults"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.KeyVault/vaults",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
],
"existenceCondition": {
"field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
"equals": "Deny"
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyvaultname": {
"type": "string"
},
"locationname": {
"type": "string"
},
"skuname": {
"type": "string"
},
"accessPoliciesname": {
"type": "array"
}
},
"resources": [
{
"name": "[parameters('keyvaultname')]",
"location": "[parameters('locationname')]",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2018-02-14",
"properties": {
"tenantId": "be42d65b-eb64-4a64-8aa3-ae47eef3af3e",
"accessPolicies": "[parameters('accessPoliciesname')]",
"sku": {
"name": "[parameters('skuname')]",
"family": "A"
},
"networkAcls": {
"defaultAction": "Deny",
"bypass": "None",
"ipRules": [
{
"value": "1.2.3.0/27"
},
{
"value": "1.5.6.0/24"
}
]
}
}
}
]
},
"parameters": {
"keyvaultname": {
"value": "[field('name')]"
},
"locationname": {
"value": "[field('location')]"
},
"skuname": {
"value": "[field('Microsoft.KeyVault/vaults/sku.name')]"
},
"accessPoliciesname": {
"value": "[field('Microsoft.KeyVault/vaults/accessPolicies')]"
}
}
}
},
"name": "[field('name')]"
}
}
}
}
}
I would recommend checking your ARM template to make sure that it is correct. Sometimes when you use the export a template function the ARM template might not work without testing. If you have an issue with the ARM template, I would direct your questions to them
I keep getting this issue in the Webserversinstance.
*Paramaters*
VPCSelection": {
"Description": "VPC",
"Type": "String",
"Default": "vpc-xxxxxxx"
*Webserver Security group*
"Resources": {
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VPCSelection"
},
*WebServer Instance*
{
"Resources": {
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VPCSelection"
},
When i run this template, i get this issue:
12:45:52 UTC+0000 ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack Test13 The following resource(s) failed to create: [WebServerInstance]. . Rollback requested by user.
12:45:51 UTC+0000 CREATE_FAILED AWS::EC2::Instance WebServerInstance Encountered unsupported property VpcId
When i remove this VPCid from the webserver instance i get a different error saying: AWS::EC2::Instance WebServerInstance No default VPC for this user
I put this into Bisque and got the below. Does this help?
{
"Resources": {
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Metadata": {
"YadaYada::Bisque::DotnetType": {
"Type": "Bisque.EC2.Networking.SecurityGroup, Bisque.Aws, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
}
},
"Properties": {
"GroupDescription": {
"Ref": "WebServerSecurityGroupGroupDescription"
},
"VpcId": {
"Ref": "VPCSelection"
},
"Tags": [
{
"Key": "Name",
"Value": "WebServerSecurityGroup"
}
]
}
},
"WebServerInstance": {
"Type": "AWS::EC2::Instance",
"Metadata": {
"YadaYada::Bisque::DotnetType": {
"Type": "Bisque.EC2.Instances.Instance, Bisque.Aws, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
},
"AWS::CloudFormation::Init": {
"configSets": {
"Bootstrap": [
"Bootstrap"
]
},
"Bootstrap": {
"services": {
"windows": {
"cfn-hup": {
"ensureRunning": true,
"enabled": true,
"files": [
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf",
"c:\\cfn\\cfn-hup.conf"
]
}
}
},
"files": {
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"\n",
[
"[cfn-auto-reloader-hook]",
"triggers=post.update",
"path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init",
{
"Fn::Join": [
"",
[
"action=",
{
"Fn::Join": [
"",
[
"cfn-init.exe -v -c \"",
"Bootstrap",
"\" -s ",
{
"Ref": "AWS::StackId"
},
" -r WebServerInstance --region ",
{
"Ref": "AWS::Region"
}
]
]
}
]
]
}
]
]
}
},
"c:\\cfn\\cfn-hup.conf": {
"content": {
"Fn::Join": [
"\n",
[
"[main]",
{
"Fn::Join": [
"",
[
"stack=",
{
"Ref": "AWS::StackName"
}
]
]
},
{
"Fn::Join": [
"",
[
"region=",
{
"Ref": "AWS::Region"
}
]
]
},
"interval=1",
"verbose=true"
]
]
}
}
}
}
}
},
"Properties": {
"SecurityGroupIds": [
{
"Ref": "WebServerSecurityGroup"
}
],
"Tags": [
{
"Key": "Name",
"Value": "WebServerInstance"
}
],
"ImageId": {
"Ref": "WebServerInstanceImageId"
},
"InstanceType": {
"Ref": "WebServerInstanceInstanceType"
},
"KeyName": {
"Ref": "WebServerInstanceKeyName"
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"<script>",
{
"Fn::Join": [
"",
[
"cfn-init.exe -v -c \"",
"Bootstrap",
"\" -s ",
{
"Ref": "AWS::StackId"
},
" -r WebServerInstance --region ",
{
"Ref": "AWS::Region"
}
]
]
},
"</script>"
]
]
}
}
}
}
},
"Parameters": {
"VPCSelection": {
"Type": "AWS::EC2::VPC::Id"
},
"WebServerSecurityGroupGroupDescription": {
"Type": "String"
},
"WebServerInstanceImageId": {
"Type": "AWS::EC2::Image::Id"
},
"WebServerInstanceInstanceType": {
"Type": "String",
"Default": "t2.micro",
"AllowedValues": [
"",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"t2.xlarge",
"t2.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c1.medium",
"c1.xlarge",
"cc2.8xlarge",
"cc1.4xlarge",
"g2.2xlarge",
"g2.8xlarge",
"cg1.4xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"x1.32xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"cr1.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"t1.micro"
]
},
"WebServerInstanceKeyName": {
"Type": "AWS::EC2::KeyPair::KeyName",
"Default": "default"
}
},
"Metadata": {
"AWS::CloudFormation::Interface": {
"Key": "AWS::CloudFormation::Interface",
"ParameterGroups": [
{
"Label": {
"default": "WebServerSecurityGroup Properties"
},
"Parameters": [
"WebServerSecurityGroupGroupDescription"
]
},
{
"Label": {
"default": "WebServerInstance Properties"
},
"Parameters": [
"WebServerInstanceImageId",
"WebServerInstanceInstanceType",
"WebServerInstanceKeyName"
]
}
],
"ParameterLabels": {
"WebServerSecurityGroupGroupDescription": {
"default": "Description"
},
"WebServerInstanceImageId": {
"default": "Image Id (AMI)"
},
"WebServerInstanceInstanceType": {
"default": "Instance Size"
},
"WebServerInstanceKeyName": {
"default": "Key Name"
}
}
}
}
}