7

When deploying a Key Vault that has an access policy for the managed identity of a Logic App (with identity enabled), it fails because the identity doesn't exist yet. I did add dependsOn for the Logic App.

The weird thing is that this template was working for weeks; now it fails every single time, so I'm a bit confused. I copied this from the quickstart templates from MS. But this isn't the issue, since if you look at the error it's pointing to the correct target resource. Also, this template works if I click redeploy after it fails, since at that time the managed identity already exists. I tested it and it fails anyway.

Here is my ARM template:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "logicAppName": {
            "type": "string",
            "minLength": 1,
            "metadata": {
                "description": "Describes the name of the Logic App resource"
            },
            "defaultValue": "demo"
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Specifies the Azure location where the key vault should be created."
            }
        }
    },
    "variables": {
        "keyVaultName": "[concat('eakeyvault', uniquestring(resourceGroup().id))]",
        "logicAppName": "[parameters('logicAppName')]"
    },
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "name": "[variables('keyVaultName')]",
            "apiVersion": "2018-02-14",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
            ],
            "properties": {
                "enabledForDeployment": false,
                "enabledForDiskEncryption": false,
                "enabledForTemplateDeployment": false,
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows/', variables('logicAppName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId]",
                        "tenantId": "[subscription().tenantId]",
                        "permissions": {
                            "secrets": ["get"]
                        }
                    }
                ],
                "sku": {
                    "name": "standard",
                    "family": "A"
                },
                "networkAcls": {
                    "value": {
                        "defaultAction": "Allow",
                        "bypass": "AzureServices"
                    }
                }
            }
        },
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2017-07-01",
            "name": "[variables('logicAppName')]",
            "location": "[resourceGroup().location]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "state": "Disabled",
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "actions": {

                    },
                    "contentVersion": "1.0.0.0",
                    "outputs": {},
                    "parameters": {
                        "$connections": {
                            "defaultValue": {},
                            "type": "Object"
                        }
                    },
                    "triggers": {
                        "Recurrence": {
                            "recurrence": {
                                "frequency": "Day",
                                "interval": 1,
                                "schedule": {
                                    "hours": [
                                        "3"
                                    ]
                                }
                            },
                            "type": "Recurrence"
                        }
                    }
                },
                "parameters": {

                }
            }
        }
    ]
}

And the error:


{
   "id":"/subscriptions/x/resourceGroups/demo6/providers/Microsoft.Resources/deployments/Microsoft.Template/operations/272BE07B42936635",
   "operationId":"272BE07B42936635",
   "properties":{
      "provisioningOperation":"Read",
      "provisioningState":"Failed",
      "timestamp":"2019-10-06T15:09:38.8112774Z",
      "duration":"PT1.3818083S",
      "trackingId":"faf54706-3f6f-469a-9917-a65bdba9768f",
      "statusCode":"NotFound",
      "statusMessage":{
         "error":{
            "code":"ResourceNotFound",
            "message":"The Resource 'Microsoft.Logic/workflows/demo' under resource group 'demo6' was not found."
         }
      },
      "targetResource":{
         "id":"/subscriptions/x/resourceGroups/demo6/providers/Microsoft.Logic/workflows/demo/providers/Microsoft.ManagedIdentity/Identities/default",
         "resourceType":"Microsoft.ManagedIdentity/Identities",
         "resourceName":"default",
         "apiVersion":"2018-11-30"
      }
   }
}
oderibas
Adam Marczak

4 Answers

6

I've used this as the reference with an App Service:

[reference(resourceId('Microsoft.Web/sites', variables('webAppName')), '2016-08-01', 'Full').identity.principalId]

and the dependsOn of course:

[resourceId('Microsoft.Web/sites', variables('webAppName'))]
juunas
  • This might actually work; it seems like the reference to the identity provider doesn't work properly. Also, you do not need a dependsOn when using a reference function. It's redundant – 4c74356b41 Oct 07 '19 at 07:37
  • Yeah, it should not be necessary. I've just found some cases where it was not redundant and there were issues without it :( – juunas Oct 07 '19 at 07:42
  • You got any examples? I never saw anything like that. Not being mean, just interested in those cases – 4c74356b41 Oct 07 '19 at 07:46
  • Nope :\ It was quite some time ago and I've done the dependsOn workarounds already – juunas Oct 07 '19 at 08:48
  • Unfortunately I'm working with Logic Apps, but I did use exactly the same logic as you: reference to the Logic App's principal and depends on the Logic App. Maybe it's just an Azure bug? – Adam Marczak Oct 07 '19 at 10:45
  • Thanks, this works, but there is clearly a bug introduced with 2018-11-30 as it was working fine before – emp Oct 10 '19 at 19:30
  • There might be a timing bug: when I deploy the template for the first time, I got the same error, but when deploying again, it works! (It works when the Key Vault and the web app are created.) The dependency should not be on the website resource but on the identity, but how to write that? – Dargos May 28 '20 at 15:32
1

You have a typo in your resourceId() function:

reference(concat(resourceId('Microsoft.Logic/workflows', variables('logicAppName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId

Notice the extra / after workflows.

4c74356b41
  • True, I copied this from the quickstart templates from MS. But this isn't the issue, since if you look at the error it's pointing to the correct target resource. Also, this template works if I click redeploy after it fails, since at that time the managed identity already exists. I tested it and it fails anyway ;( – Adam Marczak Oct 07 '19 at 01:30
  • Now I wonder why you thought not specifying all of this in the question was a good idea? After some poking around this looks like a bug, tbh. You can work around it with a nested deployment, most likely – 4c74356b41 Oct 07 '19 at 05:54
  • Yep, it's important info. I will add this to the original question. It wasn't intentional, I just forgot to add it while writing. – Adam Marczak Oct 07 '19 at 10:44
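Putting the two suggestions from this thread together (the 'Full' reference from the first answer and the nested deployment mentioned in the comment above), here is an added example template. It is not code from the question or from either answer author. The Key Vault is moved into an inner-scoped nested deployment that depends on the Logic App, and the workflow's principal ID is read with reference(..., 'Full').identity.principalId and handed to the nested template as a plain string parameter, so the expression is only evaluated once the workflow resource exists. The API versions chosen for Microsoft.Resources/deployments and Microsoft.KeyVault/vaults, the deployment name and the parameter names are my assumptions; the Logic App definition is trimmed to a recurrence trigger. Explanatory notes are carried in each resource's comments property, since plain JSON has no comment syntax.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppName": { "type": "string", "defaultValue": "demo" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "keyVaultName": "[concat('eakeyvault', uniqueString(resourceGroup().id))]"
  },
  "resources": [
    {
      "comments": "Added example, not the question's template. System-assigned identity is created together with the workflow.",
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2017-07-01",
      "name": "[parameters('logicAppName')]",
      "location": "[parameters('location')]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "state": "Disabled",
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "triggers": {
            "Recurrence": {
              "type": "Recurrence",
              "recurrence": { "frequency": "Day", "interval": 1 }
            }
          },
          "actions": {},
          "outputs": {}
        },
        "parameters": {}
      }
    },
    {
      "comments": "Assumed deployment name and apiVersion. dependsOn forces this whole nested deployment, and therefore the principalId parameter below, to be evaluated after the workflow is provisioned.",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "keyVaultWithAccessPolicy",
      "dependsOn": [
        "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
          "principalId": {
            "value": "[reference(resourceId('Microsoft.Logic/workflows', parameters('logicAppName')), '2017-07-01', 'Full').identity.principalId]"
          },
          "keyVaultName": { "value": "[variables('keyVaultName')]" },
          "location": { "value": "[parameters('location')]" }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "principalId": { "type": "string" },
            "keyVaultName": { "type": "string" },
            "location": { "type": "string" }
          },
          "resources": [
            {
              "comments": "Assumed apiVersion. The access policy grants only secrets/get to the workflow identity; widen it only if the workflow needs more.",
              "type": "Microsoft.KeyVault/vaults",
              "apiVersion": "2019-09-01",
              "name": "[parameters('keyVaultName')]",
              "location": "[parameters('location')]",
              "properties": {
                "tenantId": "[subscription().tenantId]",
                "sku": { "name": "standard", "family": "A" },
                "enabledForDeployment": false,
                "enabledForDiskEncryption": false,
                "enabledForTemplateDeployment": false,
                "accessPolicies": [
                  {
                    "tenantId": "[subscription().tenantId]",
                    "objectId": "[parameters('principalId')]",
                    "permissions": { "secrets": [ "get" ] }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ]
}
```

Deploy it with, for example, `az deployment group create --resource-group <rg> --template-file template.json`. The case worth testing is a first deployment into an empty resource group: as the question notes, redeploying against an already-existing Logic App masks the ordering problem because the identity is then already there. Keeping the access policy at secrets/get matches the original template and is the least privilege the workflow needs to read a secret.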
0

This a theory, but try updating your access policy with an additional dependsOn:

"dependsOn": [
    "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
]

The thought being that the access policy components are different than the actual Key Vault creation.

Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data plane uses a Key Vault access policy.

This makes sense with the error as the Access Policy can't be assigned if the workflow isn't created yet.

DreadedFrost
0

Something very important that I wanted to add, is what is stated in the official documentation over here:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/error-not-found#solution-1---set-dependencies

The reference function and list* functions create an implicit dependency on the referenced resource, when that resource is deployed in the same template and is referenced by its name (not resource ID).

I had the issue that I was stating my "dependsOn" with a resource ID like this:

"dependsOn": [
    "[resourceId('Microsoft.Web/sites', parameters('serv_webjobs_as_name'))]"
],

Which still made the creation fail and let the creation process ignore my dependency. However, when I put the dependency on a "name" basis and not an ID, it started to work:

"dependsOn": [
    "[parameters('serv_webjobs_as_name')]"
],
Mathieu
  • Documentation also says that you should NOT add dependsOn if you have an implicit dependency. I know the original question here had it and it was a mistake, but not relevant to the issue in this case. "Use the reference function and pass in the resource name to set an implicit dependency between resources that need to share a property. Don't add an explicit dependsOn element when you've already defined an implicit dependency. This approach reduces the risk of having unnecessary dependencies." – Adam Marczak Mar 24 '20 at 15:37