Comments (7)
If you are trying to create an assignment, then you are using the wrong type. You should be using microsoft.blueprint/blueprintAssignments@2018-11-01-preview. The current resource type you are using is to create a blueprint definition. In order to assign at the MG scope, you will need to add the targetScope keyword to your bicep file and set it to a management group, then your deployment command should target an MG.
Also keep in mind that Management Group assignment still targets a subscription, though we allow you to store the blueprintAssignment resource at an MG scope so that subscription owners cannot remove the assignment.
In your assignment resource declaration, you'll need to set the scope property, which is the subscription underneath the MG you are deploying to in which to apply the blueprint. Here's the relevant doc I am using for reference.
Your code will look something like the following:
targetScope = 'managementGroup'
// name of the assignment to create, supplied at deployment time
param blueprintAssignmentName string
// get a reference to the existing blueprint definition version
resource blueprint 'Microsoft.Blueprint/blueprints/versions@2018-11-01-preview' existing = {
  name: 'blueprintName/v0.1'
  scope: managementGroup('mgId') // I'm guessing this blueprint is stored in a different mg, but it may be the same as the target of the deployment
}
// the assignment uses the blueprintAssignments type; the blueprints type creates a definition
resource assignment 'Microsoft.Blueprint/blueprintAssignments@2018-11-01-preview' = {
  name: blueprintAssignmentName
  properties: {
    scope: '/subscriptions/{targetSubscriptionId}'
    blueprintId: blueprint.id
  }
}
from azure-blueprints.
Sorry, I should have been more clear. What I provided before is the blueprint definition. I have the assignment definition as well as shown below. What I'm trying is this:
- Create and store blueprint under a management group
- Then assign that blueprint to the management group it is stored in or a child management group.
The problem I'm having is that I cannot seem to deploy a blueprint with targetScope property set to managementGroup. When I do, I get the error I posted earlier.
If I try to assign the blueprint to a managementGroup with targetScope set to subscription, I get the following error:
Deployment failed. Correlation ID: 9cdf7262-3dc4-4f8c-8125-abe3e106d0f0. {
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "BadRequest",
"message": "{\r\n \"error\": {\r\n \"code\": \"AssignmentInvalidScope\",\r\n \"message\": \"The assignment scope '/providers/Microsoft.Management/managementGroups/root-dutysm-mg' is of type 'ManagementGroup', which does not match the referenced blueprint's target scope type 'Subscription'.\"\r\n }\r\n}"
}
]
}
]
}
}
Blueprint assignment bicep. The scope value is '/providers/Microsoft.Management/managementGroups/root-dutysm-mg':
resource dutysmSubscription 'Microsoft.Blueprint/blueprintAssignments@2018-11-01-preview' = {
  name: 'dutysmSubscription'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: displayName
    blueprintId: blueprintResourceId
    scope: scope
    parameters: {
      membersToExcludeInLocalAdministratorsGroup: {
        value: membersToExcludeInLocalAdministratorsGroup
      }
      membersToIncludeInLocalAdministratorsGroup: {
        value: membersToIncludeInLocalAdministratorsGroup
      }
      logAnalyticsWorkspaceIDForVMAgents: {
        value: logAnalyticsWorkspaceIDForVMAgents
      }
      listOfLocationsForNetworkWatcher: {
        value: listOfLocationsForNetworkWatcher
      }
    }
    resourceGroups: {}
    locks: {
      mode: 'AllResourcesReadOnly'
      excludedPrincipals: bpLockExcludedPrincipals
      excludedActions: []
    }
  }
}
from azure-blueprints.
@alex-frankel
Let me know if you need additional information.
from azure-blueprints.
The scope value needs to be a subscription ID, not a management group. The blueprint assignment resource will be created at the management group scope implicitly (assuming the bicep file targeted an MG), but it's going to target a subscription. There is no ability for a blueprintAssignment to target a management group with the properties.scope property.
from azure-blueprints.
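Added example, not part of the thread or of the azure-blueprints project: a pre-deployment check over a compiled ARM template (the JSON that `bicep build` emits) that flags any blueprintAssignments resource whose properties.scope is not a subscription, which is the condition behind the AssignmentInvalidScope error above. The function names, the sample template and the placeholder subscription GUID are constructed for illustration, and only plain `[parameters('x')]` references are resolved.

```python
import re

ASSIGNMENT_TYPE = "microsoft.blueprint/blueprintassignments"
SUBSCRIPTION_ID = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/?$")
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Resolve a plain [parameters('x')] reference; return other values unchanged."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params.get(m.group(1)) if m else value


def check_assignment_scopes(template, params=None):
    """Return one finding per blueprintAssignments resource whose scope is not a subscription."""
    params = params or {}
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates key resources by name
        resources = list(resources.values())
    findings = []
    for res in resources:
        if res.get("type", "").lower() != ASSIGNMENT_TYPE:
            continue
        name = resolve(res.get("name", "<unnamed>"), params)
        scope = resolve(res.get("properties", {}).get("scope"), params)
        if not isinstance(scope, str):
            findings.append(f"{name}: properties.scope is missing or unresolved")
        elif scope.startswith("["):
            findings.append(f"{name}: properties.scope is an expression, check it at deploy time")
        elif not SUBSCRIPTION_ID.match(scope):
            findings.append(f"{name}: properties.scope '{scope}' is not a subscription")
    return findings


# Constructed sample: the first resource mirrors the failing assignment in this thread,
# the second uses a placeholder subscription GUID.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Blueprint/blueprintAssignments", "name": "dutysmSubscription",
         "properties": {"scope": "[parameters('scope')]"}},
        {"type": "Microsoft.Blueprint/blueprintAssignments", "name": "okAssignment",
         "properties": {"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}},
    ]
}
SAMPLE_PARAMS = {"scope": "/providers/Microsoft.Management/managementGroups/root-dutysm-mg"}

if __name__ == "__main__":
    for finding in check_assignment_scopes(SAMPLE_TEMPLATE, SAMPLE_PARAMS):
        print(finding)
```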
So, "assigning" a blueprint to management group, is that possible at all? See definition of targetScope on this page: https://docs.microsoft.com/en-us/azure/templates/microsoft.blueprint/blueprints/versions?tabs=json
According to that, I should be able to set targetscope to managementGroup. I haven't been able to get this to work. I show the error I get in my first post.
from azure-blueprints.
Correct. A blueprint can only be assigned to a subscription. So you can PUT the assignment at a management group (store it there), but it is effectively only scoped to a single subscription (specified with the scope property).
If it's easier, I'm happy to jump on a call and discuss your scenarios in more depth - seeing as we are talking about blueprints in two different threads :) Email me at [email protected] if you would prefer that route, otherwise we can continue discussing in the GH threads.
from azure-blueprints.
I'll email you.
from azure-blueprints.