Pawel Maga

Reputation: 5797

Create Batch Account and Key Vault in single ARM script

I'm trying to add a Batch Account (in User Subscription mode) configuration to an ARM script, but I'm facing a problem with a circular dependency.

In this situation I'm not able to create fully configured services. Do you know how I can create both services from the same ARM script?

Please see the example below:

{
  "name": "[variables('keyVaultName')]",
  "type": "Microsoft.KeyVault/vaults",
  "location": "[resourceGroup().location]",
  "apiVersion": "2015-06-01",
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "[subscription().tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
        "permissions": {
          "keys": [
            "Update"
          ]
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"
  ]
},
{
  "name": "[variables('batchAccountName')]",
  "type": "Microsoft.Batch/batchAccounts",
  "location": "[resourceGroup().location]",
  "apiVersion": "2017-05-01",
  "properties": {
    "poolAllocationMode": "UserSubscription",
    "autoStorage": {
      "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]"
    },
    "keyVaultReference": {
      "id": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
      "url": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]",
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ]
}

Upvotes: 1

Views: 536

Answers (1)

Shui shengbao

Reputation: 19205

Key Vault access policies require BatchAccount object id.

The object id is not related to the batch account. The object id is the object id of the user you allow to access the key vault. The user could be an Azure AD account, a Microsoft account or a service principal. For an Azure AD account, you could get the id with the PowerShell cmdlet Get-AzureRmADUser. This blog may be helpful.

Batch account requires KeyVaultReference.

As you did, you could add a dependency on the key vault when you create the batch account. The following template works for me.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "defaultValue": "eastus",
            "type": "string"
        },
        "batchAccountName": {
            "defaultValue": "shui568",
            "type": "string"
        },
        "storageAccountName": {
            "defaultValue": "shui41f",
            "type": "string"
        },
        "storageAccountType": {
            "defaultValue": "Standard_LRS",
            "type": "string"
        },
        "vaults_shuibatch_name": {
            "defaultValue": "shui225",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "name": "[parameters('batchAccountName')]",
            "type": "Microsoft.Batch/batchAccounts",
            "apiVersion": "2017-05-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
                "[concat('Microsoft.KeyVault/vaults/', parameters('vaults_shuibatch_name'))]"
            ],
            "properties": {
                "poolAllocationMode": "usersubscription",
                "KeyVaultReference": {
                    "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_shuibatch_name'))]",
                    "url": "[concat('https://',parameters('vaults_shuibatch_name'),'.vault.azure.net/')]"
                },
                "autoStorage": {
                    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
                }
            }
        },
        {
            "name": "[parameters('storageAccountName')]",
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2015-06-15",
            "location": "[parameters('location')]",
            "properties": {
                "accountType": "[parameters('storageAccountType')]"
            }
        },
        {
            "comments": "Generalized from resource: '/subscriptions/***************/resourceGroups/shuibatch/providers/Microsoft.KeyVault/vaults/shuibatch'.",
            "type": "Microsoft.KeyVault/vaults",
            "name": "[parameters('vaults_shuibatch_name')]",
            "apiVersion": "2015-06-01",
            "location": "[parameters('location')]",
            "tags": {},
            "scale": null,
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "3ff89f78-2a60-4fef-8ee5-c249d03549d1",
                        "permissions": {
                            "secrets": [
                                "All"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": true
            },
            "dependsOn": []
        }
    ]
}

Upvotes: 1
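Added example, not code from the question or the answer: a small Python check that models the circular dependsOn the question runs into (vault depends on Batch account, Batch account depends on vault), finds the cycle, and applies the fix the answer points at, namely dropping the vault's dependency on the Batch account and replacing the resourceId()-based objectId with a parameter that holds a real principal object id. The sample template and the parameter name batchPrincipalObjectId are constructed assumptions.

```python
import json
import re

# Constructed sample modelled on the question: the vault depends on the Batch account (and builds
# its access-policy objectId from the account's resourceId) while the account depends on the vault.
CIRCULAR_TEMPLATE = {"resources": [
    {"name": "[variables('keyVaultName')]", "type": "Microsoft.KeyVault/vaults",
     "properties": {"accessPolicies": [{"tenantId": "[subscription().tenantId]",
        "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
        "permissions": {"keys": ["Update"]}}]},
     "dependsOn": ["[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"]},
    {"name": "[variables('batchAccountName')]", "type": "Microsoft.Batch/batchAccounts",
     "dependsOn": ["[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]",
                   "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"]}]}
# dependsOn entries written as "[resourceId('<type>', <name expression>)]"
_RESOURCE_ID = re.compile(r"resourceId\('([^']+)',\s*(.+)\)\]$")

def resource_key(resource):  # canonical 'type|name-expression' key, shared with dependsOn entries
    return f"{resource['type']}|{resource['name'].strip('[]')}"

def dependency_key(entry):  # dependsOn string -> canonical key, or None if not in resourceId() form
    m = _RESOURCE_ID.search(entry)
    return f"{m.group(1)}|{m.group(2)}" if m else None

def find_dependency_cycle(template):
    """Walk dependsOn edges depth-first; return the first cycle as a closed list of keys, else []."""
    graph = {resource_key(r): [k for k in map(dependency_key, r.get("dependsOn", [])) if k]
             for r in template["resources"]}
    def visit(node, path):
        if node in path:
            return path[path.index(node):] + [node]
        for dep in graph.get(node, []):  # dependencies outside the template contribute no edges
            cycle = visit(dep, path + [node])
            if cycle:
                return cycle
        return []
    return next((c for c in (visit(n, []) for n in graph) if c), [])

def break_vault_batch_cycle(template, principal_param="batchPrincipalObjectId"):
    """Copy of the template where the vault no longer depends on the Batch account: that dependsOn
    entry is dropped and a resourceId()-based objectId becomes a parameter (assumed name) for the real principal id."""
    fixed = json.loads(json.dumps(template))
    for r in fixed["resources"]:
        if r["type"] == "Microsoft.KeyVault/vaults":
            r["dependsOn"] = [d for d in r.get("dependsOn", [])
                              if not (dependency_key(d) or "").startswith("Microsoft.Batch/batchAccounts|")]
            for policy in r.get("properties", {}).get("accessPolicies", []):
                if "resourceId(" in policy.get("objectId", ""):
                    policy["objectId"] = f"[parameters('{principal_param}')]"
    return fixed
```

Running find_dependency_cycle on a template before deployment catches this ordering problem without a round trip to Azure; the principal object id supplied through the parameter must be a real user or service principal id, as the answer explains.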
