
arm-deploy's Introduction

GitHub Action for Azure Resource Manager (ARM) deployment

A GitHub Action to deploy ARM templates. With this action you can automate your workflow to deploy ARM templates and manage Azure resources.

This action can be used to deploy Azure Resource Manager templates at different deployment scopes - resource group deployment scope, subscription deployment scope and management group deployment scopes.

By default, the action only parses the outputs and does not print them. To get the values of the outputs, use this.

Dependencies

  • Azure Login: Log in with your Azure credentials.
  • Checkout: Checks out your repository so the workflow can access any specified ARM template.

Inputs

  • scope: Provide the scope of the deployment. Valid values are: resourcegroup (default), tenant, subscription, managementgroup.

  • resourceGroupName: Conditional Provide the name of a resource group. Only required for Resource Group Scope.

  • subscriptionId: Conditional Provide a value to override the subscription ID set by Azure Login.

  • managementGroupId: Conditional Specify the Management Group ID, only required for Management Group Deployments.

  • region: Conditional Provide the target region, only required for Tenant, Management Group or Subscription deployments.

  • template: Required Specify the path or URL to the Azure Resource Manager template.

  • parameters: Specify the path or URL to the Azure Resource Manager deployment parameter values file (local / remote) and/or specify local overrides.

  • deploymentMode: Incremental (default) (only add resources to resource group) or Complete (remove extra resources from resource group) or Validate (only validates the template).

  • deploymentName: Specifies the name of the resource group deployment to create.

  • failOnStdErr: Specify whether to fail the action if some data is written to stderr stream of az cli. Valid values are: true, false. Default value set to true.

  • additionalArguments: Specify any additional arguments for the deployment. These arguments will be ignored while validating the template.

    A good way to use additionalArguments would be to send optional parameters like --what-if or --what-if-exclude-change-types. Read more about this here

Outputs

Each template output is exported as an action output if it is a JSON object; otherwise it is written to the console.

Usage

- uses: azure/arm-deploy@v1
  with:
    subscriptionId: <YourSubscriptionId>
    resourceGroupName: <YourResourceGroup>
    template: <path/to/azuredeploy.json>

Example

on: [push]
name: AzureARMSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
    - uses: azure/arm-deploy@v1
      with:
        resourceGroupName: github-action-arm-rg
        template: ./azuredeploy.json
        parameters: examples/template/parameters.json storageAccountType=Standard_LRS sqlServerPassword=${{ secrets.SQL_SERVER }}
        additionalArguments: "--what-if --rollback-on-error --what-if-exclude-change-types Create Ignore"

Another example which ensures the Azure Resource Group exists before ARM deployment

The preceding example has a prerequisite: an Azure Resource Group named github-action-arm-rg must already exist.

The example below uses the Azure CLI Action to ensure the resource group is created before doing an ARM deployment. Note that the command az group create is idempotent, so it will run successfully even if the group already exists.

Steps

When generating your credentials (in this example we store them in a secret named AZURE_CREDENTIALS), you will need to specify a scope at the subscription level.

az ad sp create-for-rbac --name "{sp-name}" --sdk-auth --role contributor --scopes /subscriptions/{subscription-id}

See Configure deployment credentials.

Example

on: [push]
name: AzureARMSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    env:
      ResourceGroupName: github-action-arm-rg
      ResourceGroupLocation: "australiaeast"
    steps:
    - uses: actions/checkout@master
    - uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
    - uses: Azure/CLI@v1
      with:
        inlineScript: |
          #!/bin/bash
          az group create --name ${{ env.ResourceGroupName }} --location ${{ env.ResourceGroupLocation }}
          echo "Azure resource group created"
    - uses: azure/arm-deploy@v1
      with:
        resourceGroupName: ${{ env.ResourceGroupName }}
        template: ./azuredeploy.json
        parameters: storageAccountType=Standard_LRS

Another example on how to use this Action to get the output of ARM template

In this example, our template outputs containerName.

Steps

- uses: azure/arm-deploy@v1
  id: deploy
  with:
    resourceGroupName: azurearmaction
    template: examples/template/template.json
    parameters: examples/template/parameters.json
    deploymentName: github-advanced-test

Here we see a normal use of the Action: we pass the template as a JSON file, as well as the parameters. If we look into the template.json file, we can see the defined outputs at the very bottom:

{
  ...
  "outputs": {
    ...
    "containerName": {
      "type": "string",
      "value": "[parameters('containerName')]"
    }
  }
}

Since the Action writes each output to an action output variable with the same name, we can access it using ${{ steps.deploy.outputs.containerName }} (note: deploy comes from the id field above).

If we now add a shell step that simply echoes that value, we can see the container name printed on the console.

- run: echo ${{ steps.deploy.outputs.containerName }}

The ARM Deploy Action is supported for the Azure public cloud as well as Azure government clouds ('AzureUSGovernment' or 'AzureChinaCloud') and Azure Stack ('AzureStack') Hub. Before running this action, log in to the respective Azure cloud using Azure Login by setting the appropriate value for the environment parameter.

Example on how to use failOnStdErr

In this example, we are setting failOnStdErr to false.

- uses: azure/arm-deploy@v1
  id: deploy
  with:
    resourceGroupName: azurearmaction
    template: examples/template/template.json
    parameters: examples/template/parameters.json
    deploymentName: github-advanced-test
    failOnStdErr: false

failOnStdErr equals true implies that if some data is written to stdErr and the exit code from az-cli is 0, then action execution will fail.

failOnStdErr equals false implies that if some data is written to stdErr and return code from az-cli is 0, then action will continue execution. This input is added to support cases where stdErr is being used to stream warning or progress info.

A non-zero exit code will always lead to failure of the action, irrespective of the value of failOnStdErr.

For more examples, refer to the Example Guide.

Az CLI dependency

Internally, this action uses the Azure CLI and executes az login with the credentials provided through secrets. To validate new az CLI releases for this action, a canary test workflow executes the action on the az CLI's edge build and fails if a breaking change is being introduced in the upcoming release. The test results can be posted to a Slack or Teams channel using the corresponding integrations. In case of a failure, the concern will be raised to azure-cli for the necessary action, and the latest CLI installation will also be postponed on the runner VMs for hosted runners, to prevent workflows from failing due to the new CLI changes.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

arm-deploy's People

Contributors

actions-user, anthony-c-martin, bearmannl, bishal-pdmsft, dependabot[bot], fvilches17, harvey-k, kanika1894, larryclaman, majastrz, microsoft-github-operations[bot], microsoftopensource, pankajgovindrao, picccard, pulkitaggarwl, t-dedah, tejasd1990, tomkerkhove, zainuvk


arm-deploy's Issues

ERROR: 'str' object has no attribute 'get'

Hi Team,

Looks like a code issue to me. I get the following error when trying to deploy my DataFactory ARM Template.

Validating template...
Warning: ERROR: 'str' object has no attribute 'get'

Warning: Template validation failed.
Creating deployment...
Error: ERROR: 'str' object has no attribute 'get'

Error: Deployment failed.

I validated the ARMTemplate also, just to check, but all seems to be good.

I'm using the azure-data-factory-utilities npm package method to create the ARMTemplate

Self-Hosted GitHub Runner in Azure using Managed Identities to deploy

Thank you for creating this action!

Is it possible to allow for Managed Identities executing within a Virtual Machine using a Self-Hosted run to deploy ARM Templates rather than specifying credentials in Github? From what I can see of the code the Credentials must be provided, however, we'd like to avoid that and have the permissions evaluated in Azure directly.

Cheers,
JD

Error: The process '/usr/bin/az' failed with exit code 2

The deployment using Az CLI works but fails when using the action. Maybe it's obvious but I don't see what I'm doing wrong...

So in my GitHub Action this works perfectly

    - uses: azure/login@v1
      with:
        creds: ${{ secrets.GR_azUrlGitHubDev_CREDENTIALS }}

    - run: |
        az group deployment create -n github-dev -g UrlShortnerDEV --template-file deployment/azureDeploy.json --parameters "deployment/azureDeploy.params.dev.json"

but this fails (I'm using the same everything, paths, names, creds)

    - uses: azure/arm-deploy@v1
      with:
        resourceGroupName: UrlShortnerDEV
        deploymentName: github-dev
        template: deployment/azureDeploy.json
        parameters: deployment/azureDeploy.params.dev.json

Here is the error message:

Run azure/arm-deploy@v1
  with:
    deploymentMode: Validate
    resourceGroupName: UrlShortnerDEV
    deploymentName: github-dev
    template: ./deployment/azureDeploy.json
    parameters: ./deployment/azureDeploy.params.dev.json
  env:
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
Changing subscription context...
Error: The process '/usr/bin/az' failed with exit code 2

Any Idea?

ERROR: InvalidTemplate - Deployment template validation failed: 'The template resource '_artifactsLocation'

Hello,

Below is my github actions deployment, but I am still getting an error. Can anybody help me? Thank you!

deploy:
  name: Deploy
  runs-on: ubuntu-latest
  steps:
    - name: Checkout
      uses: actions/checkout@v3

    - name: Login to Azure Cloud
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    - name: Run ARM deploy
      uses: azure/arm-deploy@v1
      with:
        resourceGroupName: group1
        template: azure/templates/armdeploy.json
        parameters: azure/templates/armdeploy.parameters.json 
        additionalArguments: "--what-if --rollback-on-error --what-if-exclude-change-types Create Ignore"

armdeploy.json

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
      "_artifactsLocation": {
          "type": "string",
          "defaultValue": "[deployment().properties.templateLink.uri]",
          "metadata": {
              "description": "The base URI where artifacts required by this template are located, including a trailing '/'"
          }
      },
      "_artifactsLocationSasToken": {
          "type": "securestring",
          "defaultValue": "",
          "metadata": {
              "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
          }
      },

error

ERROR: InvalidTemplate - Deployment template validation failed: 'The template resource '_artifactsLocation' at line '1' and column '182' is not valid: The language expression property 'templateLink' doesn't exist, available properties are 'template, templateHash, parameters, mode, provisioningState'.. Please see https://aka.ms/arm-template-expressions for usage details.'.

Allow to create resource group

This action seems to only work if the resource group has been created previously.

As a workaround one has to either go to the azure portal and manually create the resource group or add a previous workflow step to automate the creation of the resource group (e.g. using azure cli to create the rg).

It would be nice to be able to create (assuming it's the first run) the resource group or update the resource group.

Example: See the Azure DevOps equivalent. See option 'Create or Update Resource Group'

https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#yaml-snippet

Task fails for bicep template deploy

Using arm-deploy@v1 to deploy a bicep ARM template:

on: [push]
name: AzureBicepSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
    - uses: azure/arm-deploy@v1
      with:
        resourceGroupName: github-action-arm-rg
        template: ./main.bicep
        parameters: environmentType=Test

Task fails with following output:

Run azure/arm-deploy@v1
with:
resourceGroupName: github-action-arm-rg
template: ./main.bicep
parameters: environmentType=Test
failOnStdErr: true
env:
AZURE_HTTP_USER_AGENT:
AZUREPS_HOST_ENVIRONMENT:
Validating template...
Warning: WARNING: Build succeeded: 0 Warning(s), 0 Error(s)

Creating deployment...
Error: WARNING: Build succeeded: 0 Warning(s), 0 Error(s)

Error: Deployment process failed as some lines were written to stderr


This error seems to be similar to #48

Azure Deployment history is not kept

When looking at deployments completed with this action in Azure portal, you only see the newest deployment. It seems that the deployment is overwritten each time with the latest, and the history is not kept.

I have done numerous deployments using this action to the resource group below, but the deployments panel only show the latest.


please add the ability for resource groups to be created

Please allow the workflow to create resource groups, if it doesn't exist.

Looking to migrate from Azure DevOps to GitHub Actions and it appears that when running the workflow the resource group doesn't get created and end up having to create it manually.

here is the option that I use on DevOps:

aliasPrimaryConnectionString doesn't exist anymore

We have some ARM templates that try to get the aliasPrimaryConnectionString key from an EventHub that have DR enabled. The templates have been working fine for the past few months but around yesterday they all stopped working with the following error msg:

##[error]InvalidTemplate: Unable to process template language expressions for resource '/subscriptions/[SubscriptionId]/resourceGroups/[RG Name]/providers/Microsoft.Resources/deployments/[DeploymentName]' at line '1' and column '11619'. 'The language expression property 'aliasPrimaryConnectionString' doesn't exist, available properties are 'primaryConnectionString, secondaryConnectionString, primaryKey, secondaryKey, keyName'.'

Here's the problematic line:

"EventHubServiceSettings:EventHubConnectionString": {
    "value": "[listKeys(resourceId(parameters('eventHubResourceGroupName'),'Microsoft.EventHub/namespaces/eventhubs/authorizationRules', parameters('eventHubNamespace'), parameters('eventHubName'),  variables('eventHubAccessPolicies')),'2017-04-01').aliasPrimaryConnectionString]"
},

Has anything changed recently?

Deployment fails if output section is defined in ARM template

Issue

We have an ARM template where we are creating App insight and cosmos db resource, once resources are created, in output section we are trying to fetch the connection strings for the cosmos db as well as app insights key but this results in failure of deployment.
Deployment fails when output section is defined in the ARM template file. Please find the sample repo where it is happening. It specifically fails on parsing output with below error.

Error: (e || "").replace is not a function

Please checkout this action for more detailed error message

  • ARM template is validated on portal and it is getting deployed successfully.

Unknown error with parameter allowedValues referring to other parameter

Hi!

I get an unknown error when trying to do "allowedValues": "[parameters('locationsAllowed')]". It works with "allowedValues": [ "southcentralus", ...] . So I wonder if this operation is even supported?

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "locationsAllowed": {
      "type": "array",
      "defaultValue": [
        "southcentralus",
        "westcentralus"
      ]
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Specify a location for the resources."
      },
      "defaultValue": "southcentralus",
      "allowedValues": "[parameters('locationsAllowed')]"
      // NOR
      // "allowedValues": "[array(parameters('locationsAllowed'))]"
    },

Please note that this case works

    "location": {
      "type": "string",
      "metadata": {
        "description": "Specify a location for the resources."
      },
      "defaultValue": "eastus",
      "allowedValues": [
        "southcentralus",
        "westus",
        "centralus",
        "eastus",
        "northcentralus",
        "westcentralus"
      ]
    },

deploying fileService fails with HTTP 400 after a fileservice has been created with "XML specified is not syntactically valid" during the EndRequest event

Hi,

The deployment seems to create all the resources, but still fails for the EndRequest when a fileService is being created.

I am using a self-hosted github action runner with an official ubuntu focal image.

The template was generated by the azure portal. I just removed some of the circular dependencies to get it working.

Could this issue be due to incompatible Azure cli version?

arm-deploy: v1
Azure cli: (2.0.x) https://packages.ubuntu.com/source/focal/azure-cli

Azure cli Message:

ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"InvalidXmlDocument\",\r\n \"message\": \"XML specified is not syntactically valid.\\nRequestId:159c9e46-901a-0021-729b-1b5b5f000000\\nTime:2022-12-29T15:39:40.9681373Z\"\r\n }\r\n}"}]}}

Azure activity logs:

https://gist.github.com/sydseter/3e6b28becdec123bfd80cb956dd9c7d3

Github action workflow yml:

https://gist.github.com/sydseter/6ffc4f027852ca9e7fe32add6cf37de4

arm template.json:

https://gist.github.com/sydseter/3f27eb01f0cc6bd7287073f9a299912c

arm parameters.json:

https://gist.github.com/sydseter/b87f0d1135af5e21f9557737680b1988

Validate Fails

When only validating templates I get the following error:

Validating template...
Warning: InvalidArgumentValueError: az deployment group validate: 'validate' is not a valid value for '--mode'.
Still stuck? Run 'az deployment group validate --help' to view all commands or go to 'https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest' to learn more

Warning: Template validation failed.
Creating deployment...
Warning: InvalidArgumentValueError: az deployment group create: 'validate' is not a valid value for '--mode'.
Try this: 'az deployment group create --resource-group testrg --name rollout01 --template-file azuredeploy.json --parameters '*** \"policyName\": *** \"value\": \"policy2\" *** ***''
Still stuck? Run 'az deployment group create --help' to view all commands or go to 'https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest' to learn more

Error: The process '/usr/bin/az' failed with exit code 2

False Alert on GitHub workflow.

I'm using this step like this:

      - name: Analyze Bicep Template
        id: main-deploy-check

        uses: Azure/arm-deploy@v1
        with:
          resourceGroupName: ${{ env.AZURE_RESOURCE_GROUP_DEV }}
          template: ./bicep/main.bicep
          parameters: ./bicep/parameters.dev.json
          deploymentMode: Validate

and I get this error in the pipeline

C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account set --subscription 70b77cc4-67c1-4e40-bd7b-b4853065111a"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\azureclitaskscript1628109034773.ps1'"
**ERROR: 'NoEffect'**
##[error]Script failed with exit code: 1
C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account clear"

So, does this action support Bicep files with deploymentMode of Validate?

Because running this in incremental mode works simply fine.

Allow JSON input as parameter

Hello there,
I am trying to use your module to deploy an Azure Red Hat OpenShift. To deploy a cluster correctly the deployment requires the use of a pull secret from Red Hat which is in json format (structure below). Unfortunately I cannot seem to get the bicep module to finish using github actions unless I hard code the pull secret in the bicep file itself. This is obviously not ideal. I have tried using github envs and github secrets but they result in the bicep file failing due to "an invalid secret"; through troubleshooting, this is because github actions places *** throughout the json.

pullSecret.json

{
  "auths": {
     "cloud.openshift.com" : {
         "auth": "XXXXXXX",
         "email": "[email protected]"
     },
     "quay.io" : {
         "auth": "XXXXXXX",
         "email": "[email protected]"
     },
     "registry.connect.redhat.com" : {
         "auth": "XXXXXXX",
         "email": "[email protected]"
     },
     "registry.redhat.com" : {
         "auth": "XXXXXXX",
         "email": "[email protected]"
     }
  }
}

The job from the github action workflow;

jobs:
  deploy_aro:
    runs-on: ubuntu-latest
    steps:
    - name: checkout code
      uses: actions/checkout@main

    - name: azure login
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    - name: aro_cluster
      uses: azure/arm-deploy@v1
      with:
        scope: resourcegroup
        subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
        resourceGroupName: ${{ secrets.RG_NAME }}
        template: aro.bicep
        parameters: parameters.json pullSecret="${{ secrets.PULL_SECRET }}" location="${{ env.LOCATION }}" 

I have experimented writing the secret to a json file on the runner and then trying extract the contents to a parameter, but again no success. In the OpenShift documentation the pullsecret file is referenced using the "@" symbol[1], or as a parameter override with the pull secret contents in an environment file[2].

  1. Using the @ symbol to reference the file
az aro create \
  --resource-group $RESOURCEGROUP \
  --name $CLUSTER \
  --vnet aro-vnet \
  --master-subnet master-subnet \
  --worker-subnet worker-subnet --pull-secret @pullSecret.json

  2. Using the contents of the pullsecret as an override when deploying a bicep module.
az deployment group create \
    --name aroDeployment \
    --resource-group $RESOURCEGROUP \
    --template-file azuredeploy.json \
    --parameters location=$LOCATION \
    --parameters domain=$DOMAIN \
    --parameters pullSecret=$PULL_SECRET \
    --parameters clusterName=$ARO_CLUSTER_NAME \
    --parameters aadClientId=$SP_CLIENT_ID \
    --parameters aadObjectId=$SP_OBJECT_ID \
    --parameters aadClientSecret=$SP_CLIENT_SECRET \
    --parameters rpObjectId=$ARO_RP_SP_OBJECT_ID

Is there a way to use the contents of a json file as a parameter in this module?
Perhaps if this cannot be done then you could advise on another appropriate way using this module?

Reference links;
[1] https://docs.microsoft.com/en-au/azure/openshift/tutorial-create-cluster#get-a-red-hat-pull-secret-optional
[2] https://docs.microsoft.com/en-au/azure/openshift/quickstart-openshift-arm-bicep-template?pivots=aro-bicep#deploy-the-cluster---azure-cli

Is there any way to mark outputs of the template as secrets?

Looking at the code (https://github.com/Azure/arm-deploy/blob/main/src/utils/utils.ts), it seems that template outputs are always set using setOutput. However that means that all outputs are potentially visible in logs when used later.

For some more sensitive values (e.g. even AppInsights Instrumentation Key), it would be good to mask them in the logs.
This can be achieved by calling core.setSecret before core.setOutput.

This cannot be done after arm-deploy (see actions/runner#475), so it would be good if arm-deploy step could be configured to mark some outputs as secrets.
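
The masking order requested above (core.setSecret before core.setOutput), applied to the template outputs the README exports as step outputs, shown as an added example; it is not code from azure/arm-deploy. The secretNames list, the delimiter and the sample outputs are assumptions constructed for illustration, and the code builds the runner's `::add-mask::` commands and `GITHUB_OUTPUT` text directly instead of calling @actions/core.

```javascript
// Added example, not code from azure/arm-deploy.
// Produces (1) the `::add-mask::` workflow commands that must be printed
// before anything else touches the values, and (2) the text to append to the
// file named by $GITHUB_OUTPUT so later steps can read steps.<id>.outputs.*.

// Workflow-command data is percent-escaped so a value stays on one line.
function escapeCommandData(s) {
  return s.replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
}

// Collect every string leaf of an object/array output. A later step may
// extract one field from the JSON, so each leaf needs its own mask.
function collectStrings(value, acc = []) {
  if (typeof value === 'string') acc.push(value);
  else if (value && typeof value === 'object') {
    for (const v of Object.values(value)) collectStrings(v, acc);
  }
  return acc;
}

// armOutputs:  the "outputs" object of a deployment result, shaped as
//              { name: { type: "...", value: ... }, ... }
// secretNames: hypothetical input listing the outputs to treat as secrets
// delimiter:   heredoc delimiter for the GITHUB_OUTPUT file (random in practice)
function exportOutputs(armOutputs, secretNames, delimiter) {
  const secret = new Set(secretNames);
  const commands = [];
  const fileLines = [];
  const skipped = [];

  for (const [name, out] of Object.entries(armOutputs || {})) {
    // An output that carries no value has nothing to export or mask.
    if (!out || out.value === undefined || out.value === null) {
      skipped.push(name);
      continue;
    }
    const text = typeof out.value === 'string' ? out.value : JSON.stringify(out.value);

    // A value containing the delimiter could inject extra outputs: refuse it.
    if (text.includes(delimiter) || name.includes(delimiter)) {
      throw new Error(`output ${name} collides with the heredoc delimiter`);
    }

    if (secret.has(name)) {
      // Mask the serialized form and every string leaf; the Set drops duplicates.
      const toMask = new Set([text, ...collectStrings(out.value)]);
      for (const v of toMask) {
        if (v !== '') commands.push('::add-mask::' + escapeCommandData(v));
      }
    }
    fileLines.push(`${name}<<${delimiter}`, text, delimiter);
  }
  return { commands, outputFile: fileLines.join('\n') + '\n', skipped };
}

// Constructed sample outputs; none of these values come from a real deployment.
const sampleOutputs = {
  containerName: { type: 'String', value: 'logs' },
  instrumentationKey: { type: 'String', value: 'constructed-key-100%' },
  cosmos: {
    type: 'Object',
    value: { endpoint: 'https://example.invalid', primaryKey: 'constructed\nmultiline' },
  },
  adminPassword: { type: 'SecureString' }, // no value present
};

const demo = exportOutputs(sampleOutputs, ['instrumentationKey', 'cosmos'], 'EOF_constructed');
// Print the masks first; only afterwards append demo.outputFile to $GITHUB_OUTPUT.
console.log(demo.commands.join('\n'));
console.log('skipped:', demo.skipped.join(', '));
```

Because the masks are registered inside the same step that sets the outputs, the values are already redacted when a later step echoes them.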

Warning from Bicep results in failed action

When setting bicepconfig.json to the following

{
  "experimentalFeaturesEnabled": {
    "userDefinedTypes": true
  }
}

Bicep will warn about using an experimental feature. However, the azure/arm-deploy action interprets this warning as an error and fails the whole run, even though the actual deployment went well:

Run azure/arm-deploy@v1
Changing subscription context...
Validating template...
Warning: WARNING: WARNING: Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!


Creating deployment...
Error: WARNING: WARNING: Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!


Error: Deployment process failed as some lines were written to stderr

Using failOnStdErr: false feels like a too harsh workaround because then there is no possibility anymore to distinguish between a warning and a real error.
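
The decision rule the README gives for failOnStdErr, plus the middle ground this issue asks for, as an added example; it is not the action's own code. The 'warnings-ok' mode is hypothetical, and the WARNING: prefix test is an assumption based on the az CLI log lines quoted on this page.

```javascript
// Added example, not code from azure/arm-deploy.
// Decides whether a deployment step should fail from the az CLI exit code
// and what it wrote to stderr.
//   'fail'        -> failOnStdErr: true  (any stderr data fails the step)
//   'ignore'      -> failOnStdErr: false (stderr is never a failure by itself)
//   'warnings-ok' -> hypothetical mode: only non-warning stderr lines fail

// Assumption: warnings carry a "WARNING:" prefix, as in the logs on this page.
const WARNING_PREFIX = /^\s*WARNING:/i;

// Split stderr into warning lines and everything else. Unrecognized lines
// count as errors, so an unexpected message fails closed.
function classifyStderr(stderr) {
  const warnings = [];
  const errors = [];
  for (const line of String(stderr).split(/\r?\n/)) {
    if (line.trim() === '') continue;
    (WARNING_PREFIX.test(line) ? warnings : errors).push(line.trim());
  }
  return { warnings, errors };
}

function evaluate(exitCode, stderr, mode) {
  const { warnings, errors } = classifyStderr(stderr);
  let failed;
  if (exitCode !== 0) {
    failed = true; // a non-zero exit code fails regardless of mode
  } else if (mode === 'fail') {
    failed = warnings.length + errors.length > 0;
  } else if (mode === 'ignore') {
    failed = false;
  } else if (mode === 'warnings-ok') {
    failed = errors.length > 0;
  } else {
    throw new Error('unknown mode: ' + mode);
  }
  return { failed, warnings, errors };
}

// Sample stderr assembled from messages quoted in the issues on this page.
const bicepWarningOnly = 'WARNING: Build succeeded: 0 Warning(s), 0 Error(s)\n\n';
const warningPlusError =
  'WARNING: Build succeeded: 0 Warning(s), 0 Error(s)\n' +
  "ERROR: 'str' object has no attribute 'get'\n";

for (const mode of ['fail', 'ignore', 'warnings-ok']) {
  console.log(mode,
    'warning only ->', evaluate(0, bicepWarningOnly, mode).failed,
    '| warning + error ->', evaluate(0, warningPlusError, mode).failed);
}
```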

Support for User Managed Identity

In order to prevent the possible exposure of credentials in the Cloud, we need to use a User Managed Identity to run this action from a self-hosted agent deployed in Azure.
Is there a plan to implement that?

Using folder path for multiple ARM templates

Is it possible to provide only folder path containing multiple files instead of specific JSON path to deploy?
For example:
template: ./templates/*/*.json
or:
template: templates

azure/arm-deploy@v1 fails after new release of Azure CLI Version 2.24.1

Hello 🙂 Since the new release (1. June 2021) of Azure CLI Version 2.24.1, our github actions deployment to azure fails on azure/arm-deploy@v1 with following error:

The process 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd' failed because one or more lines were written to the STDERR stream

Have you experienced similar problem or this is not related in your opinion?

Thanks

Deploying bicep files with warnings fails the deployment

Using the task with a bicep file as the template parameter when bicep has warning outputs results in the message:

Deployment process failed as some lines were written to stderr

This is correct, bicep is writing lines to stderr, but they are warnings only, not errors.

The result is that the bicep deploy doesn't occur. If I use az deployment sub create locally, the bicep deployment completes successfully.

Is there a way to continue deployment even though these warnings are written to stderr?

I've tried setting continue-on-error: true but it seems the error occurs after bicep to arm compilation and before the arm deployment, so the result of this setting doesn't affect the ARM stage of the deployment

I've opened an issue at Azure/bicep#2905 for the underlying issue as the warnings are incorrect compared to the ARM spec.

Azure Bicep Outputs Are Not Parsed

When using GitHub Actions to deploy infrastructure in Azure, specifically via Azure Bicep templates, even though the template may have outputs defined, this is not parsed correctly and therefore no information is returned to the console.


Sample Bicep Code

param accountPrefix string = 'test'
param location string = 'eastus'
param utc string = utcNow()

var storageAccountName_var = '${replace(replace(replace(accountPrefix, '.', ''), '_', ''), '-', '')}ghedata${utc}'
var storageAccountType = 'Premium_LRS'

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-01-01' = {
  name: toLower(take(storageAccountName_var, 24))
  location: location
  sku: {
    name: storageAccountType
  }
  kind: 'StorageV2'
}

output storageAccount_Name string = storageAccount.name
output storageAccount_Location string = storageAccount.location
output storageAccount_SKUName string = storageAccount.sku.name
output storageAccount_Kind string = storageAccount.kind

Sample GitHub Actions Workflow

name: Deploy GHES using Azure Bicep

on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      gh_handle:
        description: 'What is your GitHub handle?'
        required: true
      accountPrefix:
        description: 'Unique prefix for your Storage Account and VM name. Must be all lower case letters or numbers. No spaces or special characters.'
        required: true
      location:
        description: "What Azure region to deploy to (ie. 'eastus', 'canadacentral')"
        default: 'eastus'
        required: true
      ghes_version:
        description: "What version of GHES do you need (ie. 2.22.19, 3.0.13, 3.1.5)?"
        default: 'latest'
        required: true

jobs:
  create_resource_group:
    name: Create Resource Group
    runs-on: ubuntu-latest
    steps:
      # Log into Azure
      - name: Log into Azure
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Create Resource Group
        run:
          az group create --name 'GHES-${{ github.event.inputs.gh_handle }}' --location ${{ github.event.inputs.location }} --tags [Owner[= ${{ github.event.inputs.gh_handle }} ]]

  deploy_ghes:
    name: Deploy GHES
    runs-on: ubuntu-latest
    needs: [create_resource_group]
    steps:
      # Checkout code
      - name: Checkout code
        uses: actions/checkout@main

      # Log into Azure
      - name: Log into Azure
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Deploy Bicep file
      - name: Deploy GHES
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
          resourceGroupName: GHES-${{ github.event.inputs.gh_handle }}
          template: ./Bicep/main.bicep
          parameters: ./Bicep/bicep.parameters.json accountPrefix=${{ github.event.inputs.accountPrefix }} ghesversion=${{ github.event.inputs.ghes_version }}
          failOnStdErr: false

ARM template outputs containing resource ids sanitized

When using the Azure Login GitHub action with the creds parameter:

    - name: Login via Az module
      uses: azure/login@v1
      with:
        creds: ${{secrets.AZURE_CREDENTIALS}}

secrets.AZURE_CREDENTIALS:

{
    "clientId": "<GUID>",
    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
    (...)
  }

and then deploying an ARM template with the arm-deploy action that returns a resourceId as a template output, GitHub sanitizes the step output due to the subscriptionId within the resourceId being present within the AZURE_CREDENTIALS secret.
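The following added example (not part of the original issue, and not code from azure/login or azure/arm-deploy) checks which deployment outputs would be affected. It assumes, as the issue describes, that an output is sanitized when it contains the value of a string field of the AZURE_CREDENTIALS JSON; the function names and GUIDs are constructed for illustration.

```javascript
// Added illustration; not code from azure/arm-deploy or azure/login.
// Assumption (taken from the issue): each string field of the AZURE_CREDENTIALS
// JSON acts as a mask, and an output containing one of them is sanitized.

// Collect the non-empty string values of the creds JSON.
function credentialMasks(credsJson) {
  const creds = JSON.parse(credsJson);
  return Object.entries(creds)
    .filter(([, v]) => typeof v === 'string' && v.length > 0)
    .map(([field, value]) => ({ field, value }));
}

// outputs: the "outputs" object of a deployment, { name: { type, value } }.
// Returns one finding per output whose serialized value contains a mask.
function findSanitizedOutputs(credsJson, outputs) {
  const masks = credentialMasks(credsJson);
  const findings = [];
  for (const [name, out] of Object.entries(outputs)) {
    // Arrays and objects are checked in their JSON form.
    const text = typeof out.value === 'string' ? out.value : JSON.stringify(out.value);
    const hits = masks.filter((m) => text.includes(m.value));
    if (hits.length > 0) {
      findings.push({ output: name, fields: hits.map((m) => m.field) });
    }
  }
  return findings;
}

// Constructed sample data: placeholder GUIDs, not real identifiers.
const SAMPLE_CREDS = JSON.stringify({
  clientId: '11111111-1111-1111-1111-111111111111',
  clientSecret: '22222222-2222-2222-2222-222222222222',
  subscriptionId: '33333333-3333-3333-3333-333333333333',
  tenantId: '44444444-4444-4444-4444-444444444444',
});
const SAMPLE_OUTPUTS = {
  storageAccount_Name: { type: 'String', value: 'testghedata' },
  storageAccount_Id: {
    type: 'String',
    value: '/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-test' +
      '/providers/Microsoft.Storage/storageAccounts/testghedata',
  },
  ids: { type: 'Array', value: ['/subscriptions/33333333-3333-3333-3333-333333333333'] },
};

function demo() {
  return findSanitizedOutputs(SAMPLE_CREDS, SAMPLE_OUTPUTS);
}
```

Running such a check against a test deployment's outputs shows in advance which values a later step will not be able to read.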

Allow for parameter override

When creating an ARM deployment, I would like to provide both a parameter file and override certain parameters through the arm-deploy action. This is handy when overall parameters exist in the parameter file, but you would like to override certain values during deploy in your pipeline.

One example is where I want to use this action twice, once for creating a resource group, where I determine the resourcegroup name in the workflow and then reuse that value for deploying the resources.

  # Deployment of resource group template    
  - name: Deploy ARM Template resourcegroup
    uses: azure/arm-deploy@v1
    with:
      # You can change these environment variables for your configuration:   AZURE_SUBSCRIPTION_ID
      scope: subscription
      subscriptionId: ${{ env.AZURE_SUBSCRIPTION_ID }}
      region: centralus # Set this to your target region
      template: repo/ARM/azuredeploy.resourcegroup.json  # Set this to the location of your template file
      parameters: repo/ARM/azuredeploy.resourcegroup.parameters.json # Set this to the location of your parameters file
      parameters: rgName=${{env.RESOURCEGROUP_NAME}} #override rgName in parameters file

  # Deployment of template    
  - name: Deploy ARM Template resources
    uses: azure/arm-deploy@v1
    with:
      # You can change these environment variables for your configuration:   AZURE_SUBSCRIPTION_ID
      scope: resourcegroup
      subscriptionId: ${{ env.AZURE_SUBSCRIPTION_ID }}
      resourcegroup: ${{env.RESOURCEGROUP_NAME}} # reuse resourcegroup name
      region: centralus # Set this to your target region
      template: repo/ARM/azuredeploy.json  # Set this to the location of your template file
      parameters: repo/ARM/azuredeploy.parameters.json # Set this to the location of your parameters file

README.md overly complex

While reviewing the README file, the example for "Another example which ensures the Azure Resource Group exists before ARM deployment" seems overly complex. Currently the code example shows:

        inlineScript: |
          #!/bin/bash
          if $(az group exists --name ${{ env.ResourceGroupName }}) ; then
            echo "Azure resource group already exists, skipping creation..."
          else
            az group create --name ${{ env.ResourceGroupName }} --location ${{ env.ResourceGroupLocation }}
            echo "Azure resource group created"
          fi

az group create is an idempotent command (it returns success even if the group already exists), so I don't think the conditional code is necessary at all. I believe you could simply run:

          #!/bin/bash
            az group create --name ${{ env.ResourceGroupName }} --location ${{ env.ResourceGroupLocation }}
            echo "Azure resource group created"

I realize this is a nitpick but simplicity should always be valued :)

Support `--rollback-on-error` option

The Az CLI (and Az PowerShell module) have a method of specifying the behavior of the deployment should an error happen during the run. In this case, we can either specify a deployment name to roll back to or simply use it as a flag to roll back to the latest successful deployment if there's an error. It'd be great if this parameter was exposed to the GH Action.

Ability to see logging output

We use

      - name: Run ARM deploy
        uses: azure/arm-deploy@65ae74fb7aec7c680c88ef456811f353adae4d06
        with:
          resourceGroupName: ${{ secrets.PREVIEW_ENV_RESOURCE_GROUP }}
          subscriptionId: ${{ secrets.NONPROD_SUBSCRIPTION_ID }}
          template: ./azure-preview-env-template.json
          deploymentName: ${{ env.DEPLOYMENT_NAME }}
          parameters: appName="${{ env.APP_NAME }}"
            containerImage="${{ env.DOCKER_IMAGE }}"
            dockerRegistryUrl="${{ secrets.NONPROD_REGISTRY_SERVER }}"
            dockerRegistryUsername="${{ env.NONPROD_REGISTRY_USERNAME }}"
            dockerRegistryPassword="${{ secrets.NONPROD_REGISTRY_PASSWORD }}"

It's working great. We're starting up Azure Container Instances nicely based on our Docker registry.
But a couple of times, the web servers inside the Docker file have failed to start (and bind to a port).
If you were to run it locally with, like, docker run -t -i --rm -p 4000:4000 my-tag you'd see on your terminal the error message which most likely is a traceback/stacktrace from the application pointing out something obvious like an undefined environment variable or something like that.

What would be great is if we could have output from the azure/arm-deploy command somehow. Then we could print it as part of our GitHub Action workflow. I'm guessing, by default, underlying'ly it starts the container in some sort of background process.
But similar to the docker CLI you can do docker logs my-container (without the --follow) to get a glimpse of anything from stdout or stderr.

Mistake in readme

I noticed that you removed the Required tag from the scope parameter. Though according to your action.yml this is a required parameter and there is no default to it.

Is it possible to refer to a template file via pattern referring or similar?

I am currently developing functionality for deploying a bicep file to Azure. Since I am downloading the file from an artifact, I would like to know whether it is possible to indirectly refer to this file (as it is the only file in the working directory).

Is something like "*.bicep" or "." possible or considered for future versions?

Thank you in advance!

Execute bicep file with subscription deployment mode

Hello,

I created a bicep file to create a resource group and other resources within this resource group.
This bicep file works fine when I execute it using the az deployment sub create command.

So, I created a GitHub workflow to automate my bicep file execution, as follows:

     # Checkout code
      - name: Checkout aspnetcoreiac
        uses: actions/checkout@v3
        with:
          path: src/aspnetcoreiac
      
      # Log into Azure
      - name: Login
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Deploy Bicep file
      - name: Deploy Template
        uses: Azure/[email protected]
        with:
          scope: subscription
          region: ${{ env.AZ_RG_LOCATION }}
          template: src/aspnetcoreiac/main.bicep
          deploymentMode: Incremental
          deploymentName: 'gh-actions'
          parameters: rgName=${{ env.AZ_RG_NAME }} rgLocation=${{ env.AZ_RG_LOCATION }} acrName=${{ env.AZ_ACR_NAME }} clusterName=${{ env.AZ_AKS_NAME }} sqlserverName=${{ env.AZ_SQLSERVER_NAME }}
          failOnStdErr: false

But when the workflow runs, it results in this warning:

Warning: This deployment mode is not supported for subscription scoped deployments, this parameter will be ignored!
Validating template...
Warning: ERROR: An error occurred reading file. Could not find file '/home/runner/work/dotnet-container-app/dotnet-container-app/src/aspnetcoreiac/main.bicep'.

So, my question is: How can I automatically run my bicep files in the subscription scope?

Thank you

Default deploymentName

The default deploymentName seems to be the base name of the template file. Could it be set to the repository name with a timestamp?

In Azure DevOps, date and random chars are added so that two deployments in the same resource group don't collide.
Here's an example where the last deployment was done using github:
image

Warning should be removed

This warning here should be removed from my point of view:

// check if mode is set as this will be ignored
if (deploymentMode && deploymentMode != "validate") {
    core.warning("This deployment mode is not supported for subscription scoped deployments, this parameter will be ignored!")
}

The warning does not even mention what parameter is affected and lastly this warning is not true. It very much is relevant whether you set the mode to validate or something else. Not sure why this warning is even presented to the user.

You should rather just add a warning that mentions that the mode "Complete" is not supported and therefore it will switch to "Incremental". However, this warning message does not make a whole lot of sense to me.

Connection string parameter from repo secret error

Hi there,

I am trying to deploy Azure Data Factory with multiple parameters, including the connection string of a SQL server.
I have the following issue when trying to set the connection string (stored in a GitHub secret) to a parameter:
image
I think it's because the connection string contains white space ("[...]intial catalog=[...]")

With quotes (single and double) I have this error:
image
In the ARM template the parameter is a "SecureString"

JSON array as parameter input

Hello.

Is it possible to use a JSON array as a parameter value in the parameters input?
For example
parameters: param1=

Thank you.

ERROR: Error while attempting to retrieve the latest Bicep version: 403 Client Error: rate limit exceeded for url: https://api.github.com/repos/Azure/bicep/releases/latest.

I'm really surprised no-one has logged this yet.

It's been mentioned over in AZURE/bicep Azure/bicep#3689

with:
    subscriptionId: ***
    resourceGroupName: shp-DataGateway-rg
    template: Deployments/Main.bicep
    scope: resourcegroup
    parameters: Deployments/prd.Main.parameters.json
    failOnStdErr: false
    deploymentName: shp-DataGateway-func-Deployment
  env:
    AZURE_FUNCTIONAPP_PACKAGE_PATH: .
    DOTNET_VERSION: 6.0.x
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
Changing subscription context...
Validating template...
Warning: ERROR: Error while attempting to retrieve the latest Bicep version: 403 Client Error: rate limit exceeded for url: https://api.github.com/repos/Azure/bicep/releases/latest.

Warning: Template validation failed.
Creating deployment...
Error: ERROR: Error while attempting to retrieve the latest Bicep version: 403 Client Error: rate limit exceeded for url: https://api.github.com/repos/Azure/bicep/releases/latest.

Error: Deployment failed.

I'm running about 1-3 actions per day.

The issue linked above should indicate the fix or workaround that needs to be applied here.

`set-output` deprecation warning from GitHub actions

Similar to #114 GitHub is also warning about deprecating the use of the set-output command.

The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Their solution for action authors is to bump @actions/core to v1.10.0 or greater.

I note there is a PR from dependabot #111 to bump to 1.91, but that will not fix this issue.
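An added sketch, not code from azure/arm-deploy or @actions/core, of writing an output through the GITHUB_OUTPUT environment file that replaces set-output, using the documented name<<delimiter multi-line form. The function names, the delimiter prefix and the sample values are constructed for illustration.

```javascript
// Added illustration; not code from azure/arm-deploy or @actions/core.
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// Build one record in the environment-file format:
//   name<<DELIM / value / DELIM
// A random delimiter keeps a value that contains newlines or "=" from being
// read as additional outputs.
function formatOutput(name, value) {
  const text = typeof value === 'string' ? value : JSON.stringify(value);
  const delimiter = `delim_${crypto.randomUUID()}`; // constructed prefix
  if (name.includes(delimiter) || text.includes(delimiter)) {
    throw new Error('output name or value contains the delimiter');
  }
  return `${name}<<${delimiter}${os.EOL}${text}${os.EOL}${delimiter}${os.EOL}`;
}

// Append an output to the file the runner names in GITHUB_OUTPUT.
function setOutput(name, value, file = process.env.GITHUB_OUTPUT) {
  if (!file) throw new Error('GITHUB_OUTPUT is not set');
  fs.appendFileSync(file, formatOutput(name, value), { encoding: 'utf8' });
}

// Minimal reader for the same format, used here to check the round trip.
function readOutputs(file) {
  const lines = fs.readFileSync(file, 'utf8').split(/\r?\n/);
  const outputs = {};
  for (let i = 0; i < lines.length; i++) {
    const m = /^([^=<]+)<<(.+)$/.exec(lines[i]);
    if (!m) continue;
    const body = [];
    // Everything up to the matching delimiter line belongs to this output.
    for (i++; i < lines.length && lines[i] !== m[2]; i++) body.push(lines[i]);
    outputs[m[1]] = body.join('\n');
  }
  return outputs;
}

// Writes two constructed outputs to a temporary file and reads them back.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gh-output-'));
  const file = path.join(dir, 'output');
  setOutput('storageAccount_Name', 'testghedata20230101', file);
  setOutput('notes', 'line one\ninjected=value', file); // multi-line value
  return readOutputs(file);
}
```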

Arm deployment for Azure Data Factory failed without error message

We try to implement CI/CD for Azure Data Factory (https://docs.microsoft.com/en-us/azure/data-factory/continuous-integration-deployment) using Github Action. In Actions, we use azure/arm-deploy@v1 for ARM deployment.
It was working fine last month, and then a few weeks ago, it started to fail without an error message.

According to Microsoft Support, there is nothing wrong with the ARM template itself and they asked us to open an issue here.

stdout should be provided on deployment and validation

When using arm-deploy @v1, there is no output of the validate or deployment steps - only these messages.

image

To validate the deployment or validation steps, it would be nice to know the general deployment output by just writing the output from the -o json to standard output.

This will also help with history keeping when looking back at the logs.

Redeploying Bastion via template fails (Subnet AzureBastionSubnet is in use)

I'm not sure if this belongs here, but I'll give it a try.

I've created a bicep template to deploy a vnet resource with a Bastion resource. The first time deploying this template works as expected and all resources are created.

But when redeploying the template, I get the error "Subnet AzureBastionSubnet is in use by /subscriptions/..../resourceGroups/rg-test/providers/Microsoft.Network/bastionHosts/avd-vnet-bastion/bastionHostIpConfigurations/IpConf and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet."

What I'm expecting is that when redeploying the template, it would detect that the resources exist and no changes are made to the resources. This is how other templates work when deploying other resources. I don't understand why it's trying to delete the AzureBastionSubnet.

See attached file that is the bicep template.
bastion.txt

Warning in workflow about nodejs version

It seems that GitHub is deprecating nodejs12 which gives warnings when using this action in a workflow:
image

Warning in text:

Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: azure/arm-deploy, azure/functions-action

Skipping `Parsing Ouputs...` during arm-deploy step

The arm-deploy action skips Parsing Ouputs.. during the step execution. The outputs are populated in the Azure deployments. When we enabled logs to the runner, we could see the output object is pointing to a null value.

Note: The arm-deploy step is part of a reusable workflow and the same workflow works for other bicep deployments
