user7696812

Reputation: 15

Template validation fails in case of nested Sentinel deployment (due to dependsOn)

I want to create an ARM template to deploy the following things:

  1. Resource Group
  2. Log Analytics Workspace in the Resource Group + enable Sentinel on it
  3. Lighthouse code to enable access to the Sentinel for an MSSP

To do the third step I need to use the subscriptionDeploymentTemplate.json schema, but for two I need the resource group too, so I want to use the deploymentTemplate.json schema.

I have the code to do these things separately, but I want to put them together to create 1 big template file.

The problem is, when I put the LAW + Sentinel enable code into a Microsoft.Resources/deployment resource, my code does not work. I want to deploy this as a nested template, so I can use the deploymentTemplate.json schema. When I put the code into this resource, it created an error during template validation. It says: "Deployment template validation failed: 'The resource 'Microsoft.OperationalInsights/workspaces/workspace_name' is not defined in the template."

But the same code works when there is no nesting. So, is it normal that the dependsOn function is not working in the case of nesting? For me it seemed like there is no issue with it in the case of other types of resources. But here, when I try to deploy "Microsoft.OperationalInsights/workspaces" and then "Microsoft.OperationsManagement/solutions" it does not work.

The relevant part of the code:

"resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-10-01",
      "name": "sentinelDeployment",
      "resourceGroup": "[parameters('rgName')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.Resources/deployments",
              "apiVersion": "2018-05-01",
              "name": "rgAssignment",
              "resourceGroup": "[parameters('rgName')]",
              "properties": {
                "mode": "Incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {},
                  "resources": [
                    {
                      "type": "Microsoft.OperationalInsights/workspaces",
                      "apiVersion": "2020-08-01",
                      "name": "[parameters('workspaceName')]",
                      "location": "[parameters('location')]",
                      "properties": {
                        "retentionInDays": "[parameters('dataRetention')]",
                        "sku": {
                          "name": "PerGB2018"
                        },
                        "workspaceCapping": {
                          "dailyQuotaGb": "[parameters('dailyCap')]"
                        }
                      }
                    },
                    {
                      "type": "Microsoft.OperationsManagement/solutions",
                      "apiVersion": "2015-11-01-preview",
                      "name": "[format('SecurityInsights({0})', parameters('workspaceName'))]",
                      "location": "[parameters('location')]",
                      "properties": {
                        "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
                      },
                      "plan": {
                        "name": "[format('SecurityInsights({0})', parameters('workspaceName'))]",
                        "product": "OMSGallery/SecurityInsights",
                        "publisher": "Microsoft",
                        "promotionCode": ""
                      },
                      "dependsOn": [
                        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
                      ]
                    }
                  ]
                }
              }
            }
          ]
        }
      }
    }
  ]

So it seems like in case of these resources the dependsOn does not work during template validation if I put them in a "Microsoft.Resources/deployments" type.

Is it normal? If so, is there a workaround I could use to solve this problem? Or what would be the best way to implement these 3 things into 1 ARM template?

Upvotes: 0

Views: 428

Answers (1)

bmoore-msft

Reputation: 8737

dependsOn works with the scope of a deployment and nesting creates a separate/distinct deployment.

When you take a resource from one deployment and nest it into another you need to change the dependsOn from depending on the resource, to depending on the deployment to which the resource was moved.

So where you have:

"dependsOn": [
   "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
]

Change that to:

"dependsOn": [
   "[resourceId(parameters('rgName'), 'Microsoft.Resources/deployments', 'name-of-the-deployment-where-you-create-the-workspace')]"
]

Note the exact syntax may be slightly different depending on how you organize things, but the main thing is to depend on the nested deployment, not the resource.

If that doesn't help - post your entire template and we can give more precise guidance.

Upvotes: 0
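
The rule from the answer above (a dependsOn entry must name something declared in the same deployment, so a resource moved into a nested deployment is reached by depending on that deployment) can be checked before submitting a template. The following is an added example, not code from the original post or from Azure tooling; the helper names, the deployment name `workspaceDeployment` and both sample templates are constructed, and the check only understands dependsOn entries written as a single `resourceId(...)` expression.

```python
import re

# Matches "[resourceId([scope args,] '<type>', <name expression>)]".
RESOURCE_ID = re.compile(r"^\[\s*resourceId\(.*?'([^']*/[^']*)'\s*,\s*(.+)\)\s*\]$")

def parse_dependency(expr):
    """Return (type, name expression) for a resourceId() string, else None."""
    m = RESOURCE_ID.match(expr.strip())
    return (m.group(1).lower(), m.group(2).replace(" ", "")) if m else None

def name_key(name):
    """Normalise a resource "name" so it compares with a resourceId() argument."""
    return name[1:-1].replace(" ", "") if name.startswith("[") else f"'{name}'"

def unresolved_depends_on(template, scope="<root>"):
    """List dependsOn entries naming a resource not declared in the same deployment."""
    resources = template.get("resources", [])
    declared = {(r["type"].lower(), name_key(r["name"])) for r in resources}
    findings = []
    for r in resources:
        for dep in r.get("dependsOn", []):
            parsed = parse_dependency(dep)
            if parsed and parsed not in declared:
                findings.append((scope, r["type"], dep))
        if r["type"].lower() == "microsoft.resources/deployments":
            # A nested deployment is its own scope: check it separately.
            findings += unresolved_depends_on(r["properties"]["template"], r["name"])
    return findings

# Constructed sample templates, trimmed to the fields the check reads.
def deployment(name, resources, depends_on=()):
    return {"type": "Microsoft.Resources/deployments", "name": name,
            "dependsOn": list(depends_on),
            "properties": {"template": {"resources": resources}}}

WS = {"type": "Microsoft.OperationalInsights/workspaces",
      "name": "[parameters('workspaceName')]"}
WS_ID = "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
SOLUTION = {"type": "Microsoft.OperationsManagement/solutions",
            "name": "[format('SecurityInsights({0})', parameters('workspaceName'))]"}
DEP_ID = ("[resourceId(parameters('rgName'), 'Microsoft.Resources/deployments', "
          "'workspaceDeployment')]")

BROKEN = {"resources": [deployment("workspaceDeployment", [WS]),
                        deployment("sentinelDeployment", [{**SOLUTION, "dependsOn": [WS_ID]}])]}
FIXED = {"resources": [deployment("workspaceDeployment", [WS]),
                       deployment("sentinelDeployment", [SOLUTION], [DEP_ID])]}
```

`unresolved_depends_on(BROKEN)` reports the solution inside `sentinelDeployment`, whose dependsOn names a workspace that lives in a different deployment; `FIXED` moves the dependency onto the parent deployment resource and returns no findings.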
