I'm currently facing an issue with writing an Azure Bicep template to deploy an Event Grid Namespace and an Event Grid Topic through an Azure DevOps pipeline. The goal is to establish a connection between them so that MQTT messages arriving at the Event Grid can be forwarded to the Topic.

Here's my current configuration:

I have the Topic and the Namespace each in a separate file:

```bicep
resource eventGridTopic 'Microsoft.EventGrid/topics@2022-06-15' = {
  name: 'eventGridTopic'
  location: location

  properties: {
    inputSchema: 'CloudEventSchemaV1_0'
  }
}

output id string = eventGridTopic.id
```

```bicep
resource eventGrid 'Microsoft.EventGrid/namespaces@2023-06-01-preview' = {
  name: 'eventGridNamespace'
  location: location

  sku: {
    name: 'Standard'
    capacity: 1
  }

  properties: {
    isZoneRedundant: true

    topicSpacesConfiguration: {
      state: 'Enabled'
      routeTopicResourceId: eventGridTopicId
      maximumSessionExpiryInHours: 1
      maximumClientSessionsPerAuthenticationName: 1
    }
  }
}
```

And import them as modules and try to connect them as follows:

```bicep
module eventGridTopic 'grid/evenGridTopic.bicep' = {
  scope: GridRG
  name: 'gridTopicDeployment'
  params: {
    location: 'westeurope'
    projectName: projectName
  }
}

module eventGrid 'grid/eventGrid.bicep' = {
  scope: GridRG
  name: 'gridDeployment'
  params: {
    location: location
    projectName: projectName
    eventGridTopicId: eventGridTopic.outputs.id
  }
  dependsOn: [
    eventGridTopic
  ]
}
```

But I get the following error each time I try to deploy the Bicep file:

```
"code": "DeploymentFailed",
"target": "X",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
"details": [
  {
    "code": "InvalidRequest",
    "message": "Insufficient permission encountered to publish events to route topic eventGridTopic under namespace eventGridNamespace."
  }
]
```
Krzysztof Madej
CUiD8pdQJh

1 Answer

Please make sure that the service principal or managed identity used by the pipeline has the EventGrid Contributor and EventGrid EventSubscription Contributor roles.

Krzysztof Madej
  • Holy lord, I added the roles and it worked! I thought the Contributor role alone would suffice, but who would've thought. Thank you so much, now I can finally continue. – CUiD8pdQJh Jul 07 '23 at 13:17
  • May I ask, how you came to the idea / solution? – CUiD8pdQJh Jul 07 '23 at 13:23
  • I came to the idea based on the error message `Insufficient permission encountered`. With experience, you will also learn that usually, you have two types of permissions. Data and control plane. Here you were missing the control plane. – Krzysztof Madej Jul 07 '23 at 13:29
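
A pre-deployment check for the fix in the answer above, as an added example that is not part of the original question or answer: it reads role assignments in the shape returned by `az role assignment list --assignee <id> --all -o json` and reports which of the two roles the pipeline identity still lacks at or above the target resource group. The subscription ID, principal ID, resource group names and sample assignments are constructed placeholders.

```python
import json

# Roles named in the answer above; "Contributor" alone was not enough here.
REQUIRED_ROLES = ("EventGrid Contributor", "EventGrid EventSubscription Contributor")

# Constructed sample in the shape of `az role assignment list --assignee <id> --all -o json`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps([
    {"principalId": PRINCIPAL, "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/GridRG"},
    {"principalId": PRINCIPAL, "roleDefinitionName": "EventGrid Contributor",
     "scope": SUB},  # inherited from the subscription
    {"principalId": PRINCIPAL, "roleDefinitionName": "EventGrid EventSubscription Contributor",
     "scope": f"{SUB}/resourceGroups/OtherRG"},  # wrong resource group
])


def covers(assignment_scope, target_scope):
    """True if an assignment at assignment_scope applies to target_scope (same or ancestor)."""
    a = assignment_scope.rstrip("/").lower()  # ARM resource IDs are case-insensitive
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def missing_roles(assignments, principal_id, target_scope):
    """Return the required roles the principal does not hold at or above target_scope."""
    held = {
        a["roleDefinitionName"]
        for a in assignments
        if a["principalId"].lower() == principal_id.lower()
        and covers(a["scope"], target_scope)
    }
    return [r for r in REQUIRED_ROLES if r not in held]


def remediation(missing, principal_id, target_scope):
    """Build az CLI commands that grant each missing role at the target scope only."""
    return [
        f'az role assignment create --assignee-object-id {principal_id} '
        f'--assignee-principal-type ServicePrincipal --role "{r}" --scope {target_scope}'
        for r in missing
    ]


if __name__ == "__main__":
    target = f"{SUB}/resourceGroups/GridRG"
    gaps = missing_roles(json.loads(SAMPLE), PRINCIPAL, target)
    print("missing:", gaps)
    print("\n".join(remediation(gaps, PRINCIPAL, target)))
```

Granting the missing role at the resource group scope, as the generated command does, keeps the pipeline identity from holding Event Grid rights across the whole subscription.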