
I have the below as the Bicep template. I want to use the identity-based connection; how can I build the template accordingly?

https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference#connecting-to-host-storage-with-an-identity

I used the guidance here https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code?tabs=PowerShell for deployment.

New-AzResourceGroup -Name exampleRG -Location eastus

New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -storageName "{your-unique-name}" 

But I am getting an error while addressing the template file: Code=InvalidTemplateDeployment; Message=The template deployment 'bicepeg' is not valid according to the validation procedure

var baseName = uniqueString('identityRepro', subscription().id)
var location = 'uksouth'

resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: baseName
  location: location 
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

resource asp 'Microsoft.Web/serverfarms@2019-08-01' = {
  name: baseName
  location: location
  sku: {
    name: 'Y1'
    tier: 'Dynamic'
  }
}

resource ai 'Microsoft.Insights/components@2015-05-01' = {
  name: baseName
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
  }
}

resource fa 'Microsoft.Web/sites@2019-08-01' = {
  name: baseName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: asp.id
  }
  kind: 'functionapp'

  resource appSettings 'config@2018-11-01' = {
    name: 'appsettings'
    properties: {
      'AzureWebJobsStorage__accountName': stg.name
      'FUNCTIONS_WORKER_RUNTIME': 'powershell'
      'FUNCTIONS_WORKER_RUNTIME_VERSION': '~7'
      'APPINSIGHTS_INSTRUMENTATIONKEY': ai.properties.InstrumentationKey
    }
  }
}

resource blobContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(fa.name, stg.name, 'ba92f.........d-a403-e96b0029c9fe')
  properties: {
    principalId: fa.identity.principalId
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'ba92f.......-a403-e96b0029c9fe')
    principalType: 'ServicePrincipal'
  }
  scope: stg
}
  • Did you check the Deployments tab in the resource group? It usually has more detailed errors. – juunas Jun 24 '21 at 11:27
  • Validation errors are in Access Log tab, check there. – Miq Jun 24 '21 at 14:23
  • I am unable to deploy it from the visual studio code. Error: Code=InvalidTemplateDeployment; Message=The template deployment 'bicepeg' is not valid according to the validation procedure. – Anusri_Varier Jun 25 '21 at 12:34
  • It does not matter from where you deploy. In the Azure portal, on the Activity Log you will see your validation attempt and there could be a more detailed error on why validation failed. – Miq Jun 25 '21 at 21:17

1 Answer


I think your problem is the id of the role. Roles are defined at the subscription level, not in the resource group. In your code, instead of the resourceId function, use subscriptionResourceId.

Update: as you clarified more in the GitHub issue, your additional problem was how the name is being constructed. The uniqueString function generates a pseudo-random string (a hash) based on the seed - the parameters you provide to the function. When you give exactly the same values, you will get the same result.

The code below is working for me:

var baseName = uniqueString(resourceGroup().id)
var location = 'uksouth'

resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: baseName
  location: location 
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

resource asp 'Microsoft.Web/serverfarms@2019-08-01' = {
  name: baseName
  location: location
  sku: {
    name: 'Y1'
    tier: 'Dynamic'
  }
}

resource ai 'Microsoft.Insights/components@2015-05-01' = {
  name: baseName
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
  }
}

resource fa 'Microsoft.Web/sites@2019-08-01' = {
  name: baseName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: asp.id
  }
  kind: 'functionapp'

  resource appSettings 'config@2018-11-01' = {
    name: 'appsettings'
    properties: {
      'AzureWebJobsStorage__accountName': stg.name
      'FUNCTIONS_WORKER_RUNTIME': 'powershell'
      'FUNCTIONS_WORKER_RUNTIME_VERSION': '~7'
      'APPINSIGHTS_INSTRUMENTATIONKEY': ai.properties.InstrumentationKey
    }
  }
}

resource blobContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(fa.name, stg.name, 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
  properties: {
    principalId: fa.identity.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
    principalType: 'ServicePrincipal'
  }
  scope: stg
}

In your code, use resourceGroup().id as the uniqueString parameter - as it contains the unique GUID of your subscription and the resource group name, which has to be unique in the subscription, your hash should also be unique. Providing only subscription().id will generate the same string for all deployments to that subscription and any resource group in it.

Miq
  • Thank you for the comment. But, I am still getting the same errors. – Anusri_Varier Jun 25 '21 at 12:33
  • I took your code and I deployed it to a RG - and it went fine. However - are you deploying to a clean resource group or do you have some resources in it? – Miq Jun 25 '21 at 21:06
  • I am deploying to a new RG – Anusri_Varier Jun 28 '21 at 09:27
  • see my updated answer, based on the input you provided on github. – Miq Jun 28 '21 at 19:54
  • I am not sure about templates, I reached out as a part of a user's issue regarding the warning, I will have to find a way to understand what a custom role is. Here the Id I'm using is the subscription id – Anusri_Varier Jun 29 '21 at 10:04
  • Subscription id will be added automatically by subscriptionResourceId function. The guid you need to provide is the guid of the role - either built in or custom. – Miq Jun 29 '21 at 14:19
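A post-deployment check for the template in the answer, added here as an example and not part of the question or answer: it confirms that the function app's host storage setting is the identity-based form (no shared-key connection string left behind) and that the system-assigned identity actually holds a Storage Blob Data role on the storage account, which is the part a wrong roleDefinitionId silently breaks. It assumes the resource group name exampleRG from the question, the Az PowerShell modules (Az.Websites, Az.Storage, Az.Resources) and an existing Connect-AzAccount session; compare the printed role names against the role the linked Functions docs require for AzureWebJobsStorage.

```powershell
# Added example (not from the question or answer). Assumes the answer's template
# was deployed to 'exampleRG', so the function app and storage account share the
# name produced by uniqueString(resourceGroup().id).
param(
    [string]$ResourceGroupName = 'exampleRG'
)
$ErrorActionPreference = 'Stop'

# The template deploys a single Microsoft.Web/sites resource of kind 'functionapp'.
$site = Get-AzWebApp -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.Kind -like '*functionapp*' } | Select-Object -First 1
if (-not $site) { throw "No function app found in resource group $ResourceGroupName" }

# Fetch the full Site object so SiteConfig.AppSettings and Identity are populated.
$fa  = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $site.Name
$stg = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $fa.Name

# 1. Host storage must be configured by account name, not by connection string.
$settings = @{}
foreach ($s in $fa.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
if (-not $settings.ContainsKey('AzureWebJobsStorage__accountName')) {
    throw 'AzureWebJobsStorage__accountName is missing; the host will not use the identity'
}
if ($settings.ContainsKey('AzureWebJobsStorage')) {
    Write-Warning 'A shared-key AzureWebJobsStorage connection string is still present; remove it so only the identity-based setting remains'
}

# 2. The system-assigned identity must hold a data-plane role on the account.
$principalId = $fa.Identity.PrincipalId
if (-not $principalId) { throw 'Function app has no system-assigned identity' }

$assignments = Get-AzRoleAssignment -ObjectId $principalId -Scope $stg.Id
$blobRoles   = $assignments | Where-Object { $_.RoleDefinitionName -like 'Storage Blob Data*' }
if (-not $blobRoles) {
    throw "Principal $principalId has no Storage Blob Data role on $($stg.StorageAccountName); check the roleDefinitionId in the template"
}

# Print what is actually granted so it can be compared with the documented requirement.
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
```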