Azure / azure-blueprints

A library of sample Blueprints that can be easily imported via API or PowerShell
MIT License
258 stars 152 forks

Assigning a Blueprint to a ManagementGroup #56

Closed dutysm closed 3 years ago

dutysm commented 3 years ago

Trying to assign a blueprint to a management group and it errors out. Also, I cannot choose a management group for assignment from the portal. However, based on the schema documentation, managementGroup is a valid targetScope.

Schema I reviewed:

https://github.com/Azure/azure-rest-api-specs/blob/2682c91af09e45f34b09d68aeaf6f03292d509a6/specification/blueprint/resource-manager/Microsoft.Blueprint/preview/2018-11-01-preview/blueprintDefinition.json

Bicep fragment I'm using:

resource blueprint 'Microsoft.Blueprint/blueprints@2018-11-01-preview' = {
  name: blueprintName
  properties: {
    targetScope: 'managementGroup'
    ...
  }
}

Error I'm getting if I use targetScope: 'managementGroup' instead of targetScope: 'subscription':

Deployment failed. Correlation ID: aef16601-80d1-4667-b96a-c9840b1f0d79. {
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
          {
            "code": "BadRequest",
            "message": "{\r\n \"error\": {\r\n \"code\": \"InvalidSchema\",\r\n \"message\": \"Path:properties.targetScope, Schema:#/definitions/SharedBlueprintProperties/properties/targetScope, Error: Value \\"managementGroup\\" is not defined in enum.\"\r\n }\r\n}"
          }
        ]
      }
    ]
  }
}

alex-frankel commented 3 years ago

If you are trying to create an assignment, then you are using the wrong type. You should be using microsoft.blueprint/blueprintAssignments@2018-11-01-preview. The current resource type you are using is to create a blueprint definition. In order to assign at the MG scope, you will need to add the targetScope keyword to your bicep file and set it to a management group, then your deployment command should target an MG.

Also keep in mind that Management Group assignment still targets a subscription, though we allow you to store the blueprintAssignment resource at an MG scope so that subscription owners cannot remove the assignment.

In your assignment resource declaration, you'll need to set the scope property, which is the subscription underneath the MG you are deploying to in which to apply the blueprint. Here's the relevant doc I am using for reference.

Your code will look something like the following:

targetScope = 'managementGroup'

// parameters added so the fragment compiles on its own
param blueprintAssignmentName string
param targetSubscriptionId string
param location string = deployment().location

// get a reference to the existing blueprint definition version
resource blueprint 'Microsoft.Blueprint/blueprints/versions@2018-11-01-preview' existing = {
  name: 'blueprintName/v0.1'
  scope: managementGroup('mgId') // I'm guessing this blueprint is stored in a different mg, but it may be the same as the target of the deployment
}

// the assignment resource is stored at the MG this deployment targets,
// but properties.scope points it at a single subscription under that MG
resource assignment 'Microsoft.Blueprint/blueprintAssignments@2018-11-01-preview' = {
  name: blueprintAssignmentName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    scope: '/subscriptions/${targetSubscriptionId}'
    blueprintId: blueprint.id
  }
}

dutysm commented 3 years ago

@alex-frankel

Sorry, I should have been more clear. What I provided before is the blueprint definition. I have the assignment definition as well, as shown below. What I'm trying is this:

  1. Create and store the blueprint under a management group
  2. Then assign that blueprint to the management group it is stored in or to a child management group.

The problem I'm having is that I cannot seem to deploy a blueprint with the targetScope property set to managementGroup. When I do, I get the error I posted earlier.

If I try to assign the blueprint to a managementGroup with targetScope set to subscription, I get the following error:

Deployment failed. Correlation ID: 9cdf7262-3dc4-4f8c-8125-abe3e106d0f0. {
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
          {
            "code": "BadRequest",
            "message": "{\r\n  \"error\": {\r\n    \"code\": \"AssignmentInvalidScope\",\r\n    \"message\": \"The assignment scope '/providers/Microsoft.Management/managementGroups/root-dutysm-mg' is of type 'ManagementGroup', which does not match the referenced blueprint's target scope type 'Subscription'.\"\r\n  }\r\n}" 
          }
        ]
      }
    ]
  }
}

Blueprint assignment Bicep. The scope value is '/providers/Microsoft.Management/managementGroups/root-dutysm-mg':

targetScope = 'managementGroup'

// parameter declarations added so the fragment compiles on its own;
// the types are assumed from the parameter names
param location string = deployment().location
param displayName string
param blueprintResourceId string
param scope string // '/providers/Microsoft.Management/managementGroups/root-dutysm-mg' in the failing deployment
param membersToExcludeInLocalAdministratorsGroup string
param membersToIncludeInLocalAdministratorsGroup string
param logAnalyticsWorkspaceIDForVMAgents string
param listOfLocationsForNetworkWatcher array
param bpLockExcludedPrincipals array

resource dutysmSubscription 'Microsoft.Blueprint/blueprintAssignments@2018-11-01-preview' = {
  name: 'dutysmSubscription'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: displayName
    blueprintId: blueprintResourceId
    scope: scope
    parameters: {
      membersToExcludeInLocalAdministratorsGroup: {
        value: membersToExcludeInLocalAdministratorsGroup
      }
      membersToIncludeInLocalAdministratorsGroup: {
        value: membersToIncludeInLocalAdministratorsGroup
      }
      logAnalyticsWorkspaceIDForVMAgents: {
        value: logAnalyticsWorkspaceIDForVMAgents
      }
      listOfLocationsForNetworkWatcher: {
        value: listOfLocationsForNetworkWatcher
      }
    }
    resourceGroups: {}
    // read-only lock on everything the assignment deploys; only the listed
    // principals are exempt
    locks: {
      mode: 'AllResourcesReadOnly'
      excludedPrincipals: bpLockExcludedPrincipals
      excludedActions: []
    }
  }
}

dutysm commented 3 years ago

@alex-frankel Let me know if you need additional information.

alex-frankel commented 3 years ago

The scope value needs to be a subscription ID, not a management group. The blueprint assignment resource will be created at the management group scope implicitly (assuming the Bicep file targeted an MG), but it's going to target a subscription. There is no ability for a blueprintAssignment to target a management group with the properties.scope property.

dutysm commented 3 years ago

So, "assigning" a blueprint to a management group, is that possible at all? See the definition of targetScope on this page: https://docs.microsoft.com/en-us/azure/templates/microsoft.blueprint/blueprints/versions?tabs=json

According to that, I should be able to set targetScope to managementGroup. I haven't been able to get this to work. I show the error I get in my first post.

alex-frankel commented 3 years ago

Correct. A blueprint can only be assigned to a subscription. So you can PUT the assignment at a management group (store it there), but it is effectively only scoped to a single subscription (specified with the scope property).

If it's easier, I'm happy to jump on a call and discuss your scenarios in more depth - seeing as we are talking about blueprints in two different threads :) Email me at alfran@microsoft.com if you would prefer that route, otherwise we can continue discussing in the GH threads.
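The rules the maintainer states across this thread (a definition's targetScope must be subscription; an assignment can be stored at a management group so subscription owners cannot remove it, but its properties.scope must name a single subscription) can be checked before a deployment is submitted. The following is an added example, not code from this issue or from the azure-blueprints repository: it builds the assignment PUT in the shape of the 2018-11-01-preview Blueprint REST API (assignments live under a resourceScope path that may be a management group) and raises the same error codes the thread shows, InvalidSchema and AssignmentInvalidScope, for the two failing cases. The management group, subscription, blueprint and principal values are constructed placeholders.

```python
"""Pre-flight checks and request shape for an Azure Blueprint assignment.

Added example; not from the issue or the azure-blueprints repo. Assumes the
2018-11-01-preview REST shape: PUT {resourceScope}/providers/Microsoft.Blueprint/
blueprintAssignments/{name}, where resourceScope is a management group or a
subscription. All IDs and names used below are constructed placeholders.
"""
import json
import re

API_VERSION = "2018-11-01-preview"
ARM = "https://management.azure.com"
MG_SCOPE_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")
SUB_SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")
# The only value the service accepts for a definition's targetScope
# (per the blueprintDefinition.json enum linked in the issue).
VALID_TARGET_SCOPES = {"subscription"}


class AssignmentValidationError(ValueError):
    """Carries the error code ARM returns for the equivalent bad request."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def validate_definition(properties):
    """Reject a definition whose targetScope is outside the service enum."""
    target = properties.get("targetScope")
    if target not in VALID_TARGET_SCOPES:
        raise AssignmentValidationError(
            "InvalidSchema",
            f'Path:properties.targetScope, Error: Value "{target}" is not defined in enum.')
    return True


def scope_type(scope):
    """Classify an ARM scope string the way the AssignmentInvalidScope error does."""
    if SUB_SCOPE_RE.match(scope):
        return "Subscription"
    if MG_SCOPE_RE.match(scope):
        return "ManagementGroup"
    raise AssignmentValidationError("InvalidScope", f"Unrecognised scope '{scope}'")


def build_assignment_request(storage_scope, name, blueprint_version_id,
                             assignment_scope, location, parameters,
                             lock_excluded_principals=()):
    """Return (method, url, body) for the PUT that creates an assignment.

    storage_scope: where the assignment resource lives (MG or subscription);
        storing it at the MG keeps subscription owners from deleting it.
    assignment_scope: the one subscription the blueprint is applied to.
    """
    scope_type(storage_scope)  # storage scope may be an MG or a subscription
    target_type = scope_type(assignment_scope)
    if target_type != "Subscription":
        raise AssignmentValidationError(
            "AssignmentInvalidScope",
            f"The assignment scope '{assignment_scope}' is of type '{target_type}', "
            "which does not match the referenced blueprint's target scope type "
            "'Subscription'.")
    url = (f"{ARM}{storage_scope}/providers/Microsoft.Blueprint/"
           f"blueprintAssignments/{name}?api-version={API_VERSION}")
    body = {
        "location": location,
        "identity": {"type": "SystemAssigned"},
        "properties": {
            "blueprintId": blueprint_version_id,
            "scope": assignment_scope,
            "parameters": {k: {"value": v} for k, v in parameters.items()},
            "resourceGroups": {},
            # Read-only lock on deployed resources; only the listed
            # principals (e.g. a break-glass group) are exempt.
            "locks": {"mode": "AllResourcesReadOnly",
                      "excludedPrincipals": list(lock_excluded_principals),
                      "excludedActions": []},
        },
    }
    return "PUT", url, body


def error_code(fn, *args, **kwargs):
    """Run fn and return the error code it raises, or None on success."""
    try:
        fn(*args, **kwargs)
    except AssignmentValidationError as exc:
        return exc.code
    return None


if __name__ == "__main__":
    mg = "/providers/Microsoft.Management/managementGroups/example-mg"  # constructed
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"          # constructed
    bp = f"{mg}/providers/Microsoft.Blueprint/blueprints/example-bp/versions/v0.1"
    print(error_code(validate_definition, {"targetScope": "managementGroup"}))
    print(error_code(build_assignment_request, mg, "a1", bp, mg, "westeurope", {}))
    method, url, body = build_assignment_request(
        mg, "a1", bp, sub, "westeurope", {"listOfLocationsForNetworkWatcher": ["westeurope"]})
    print(method, url)
    print(json.dumps(body, indent=2))
```

Running the module prints the two error codes from the thread, then the well-formed request: the URL sits under the management group (so the assignment resource is stored there), while properties.scope names the subscription that actually receives the blueprint.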

dutysm commented 3 years ago

I'll email you.