Closed dutysm closed 3 years ago
If you are trying to create an assignment, then you are using the wrong type. You should be using `microsoft.blueprint/blueprintAssignments@2018-11-01-preview`. The current resource type you are using is to create a blueprint definition. In order to assign at the MG scope, you will need to add the `targetScope` keyword to your bicep file and set it to a management group, then your deployment command should target an MG.
Also keep in mind that Management Group assignment still targets a subscription, though we allow you to store the blueprintAssignment resource at an MG scope so that subscription owners cannot remove the assignment.
In your assignment resource declaration, you'll need to set the `scope` property, which is the subscription underneath the MG you are deploying to in which to apply the blueprint. Here's the relevant doc I am using for reference.
Your code will look something like the following:
```bicep
targetScope = 'managementGroup'

param blueprintAssignmentName string
param targetSubscriptionId string
param location string = deployment().location

// get a reference to the existing blueprint definition version
resource blueprint 'Microsoft.Blueprint/blueprints/versions@2018-11-01-preview' existing = {
  name: 'blueprintName/v0.1'
  scope: managementGroup('mgId') // I'm guessing this blueprint is stored in a different mg, but it may be the same as the target of the deployment
}

// assignments use the blueprintAssignments type (not blueprints) and need a location and identity
resource assignment 'Microsoft.Blueprint/blueprintAssignments@2018-11-01-preview' = {
  name: blueprintAssignmentName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    scope: '/subscriptions/${targetSubscriptionId}'
    blueprintId: blueprint.id
  }
}
```
@alex-frankel
Sorry, I should have been more clear. What I provided before is the blueprint definition. I have the assignment definition as well as shown below. What I'm trying is this:
The problem I'm having is that I cannot seem to deploy a blueprint with the `targetScope` property set to managementGroup. When I do, I get the error I posted earlier.
If I try to assign the blueprint to a managementGroup with `targetScope` set to subscription, I get the following error:
```
Deployment failed. Correlation ID: 9cdf7262-3dc4-4f8c-8125-abe3e106d0f0. {
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
          {
            "code": "BadRequest",
            "message": "{\r\n \"error\": {\r\n \"code\": \"AssignmentInvalidScope\",\r\n \"message\": \"The assignment scope '/providers/Microsoft.Management/managementGroups/root-dutysm-mg' is of type 'ManagementGroup', which does not match the referenced blueprint's target scope type 'Subscription'.\"\r\n }\r\n}"
          }
        ]
      }
    ]
  }
}
```
Blueprint assignment bicep. The scope value is '/providers/Microsoft.Management/managementGroups/root-dutysm-mg':
```bicep
// location, displayName, blueprintResourceId, scope, the blueprint parameter values
// and bpLockExcludedPrincipals are declared as params elsewhere in this file
resource dutysmSubscription 'Microsoft.Blueprint/blueprintAssignments@2018-11-01-preview' = {
  name: 'dutysmSubscription'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: displayName
    blueprintId: blueprintResourceId
    scope: scope
    parameters: {
      membersToExcludeInLocalAdministratorsGroup: {
        value: membersToExcludeInLocalAdministratorsGroup
      }
      membersToIncludeInLocalAdministratorsGroup: {
        value: membersToIncludeInLocalAdministratorsGroup
      }
      logAnalyticsWorkspaceIDForVMAgents: {
        value: logAnalyticsWorkspaceIDForVMAgents
      }
      listOfLocationsForNetworkWatcher: {
        value: listOfLocationsForNetworkWatcher
      }
    }
    resourceGroups: {}
    locks: {
      mode: 'AllResourcesReadOnly'
      excludedPrincipals: bpLockExcludedPrincipals
      excludedActions: []
    }
  }
}
```
@alex-frankel Let me know if you need additional information.
The `scope` value needs to be a subscription ID, not a management group. The blueprint assignment resource will be created at the management group scope implicitly (assuming the bicep file targeted an MG), but it's going to target a subscription. There is no ability for a blueprintAssignment to target a management group with the `properties.scope` property.
So, "assigning" a blueprint to a management group, is that possible at all? See the definition of targetScope on this page: https://docs.microsoft.com/en-us/azure/templates/microsoft.blueprint/blueprints/versions?tabs=json
According to that, I should be able to set `targetScope` to managementGroup. I haven't been able to get this to work. I show the error I get in my first post.
Correct. A blueprint can only be assigned to a subscription. So you can PUT the assignment at a management group (store it there), but it is effectively only scoped to a single subscription (specified with the `scope` property).
If it's easier, I'm happy to jump on a call and discuss your scenarios in more depth - seeing as we are talking about blueprints in two different threads :) Email me at alfran@microsoft.com if you would prefer that route, otherwise we can continue discussing in the GH threads.
I'll email you.
Trying to assign a blueprint to a management group and it errors out. Also, I cannot choose a management group for assignment from the portal. However, based on the schema documentation, managementGroup is a valid targetScope.
Schema I reviewed:
https://github.com/Azure/azure-rest-api-specs/blob/2682c91af09e45f34b09d68aeaf6f03292d509a6/specification/blueprint/resource-manager/Microsoft.Blueprint/preview/2018-11-01-preview/blueprintDefinition.json
Bicep fragment I'm using:
```bicep
resource blueprint 'Microsoft.Blueprint/blueprints@2018-11-01-preview' = {
  name: blueprintName
  properties: {
    targetScope: 'managementGroup'
    ...
```
Error I'm getting if I use `targetScope: 'managementGroup'` instead of `targetScope: 'subscription'`:
```
Deployment failed. Correlation ID: aef16601-80d1-4667-b96a-c9840b1f0d79. {
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [
          {
            "code": "BadRequest",
            "message": "{\r\n \"error\": {\r\n \"code\": \"InvalidSchema\",\r\n \"message\": \"Path:properties.targetScope, Schema:#/definitions/SharedBlueprintProperties/properties/targetScope, Error: Value \\"managementGroup\\" is not defined in enum.\"\r\n }\r\n}"
          }
        ]
      }
    ]
  }
}
```
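Both failures in this thread bury the real error code (AssignmentInvalidScope, InvalidSchema) inside a `details` chain whose leaf `message` is itself a JSON document encoded as a string. The helper below is an added example, not code from the thread or from the Bicep project: it digs out that innermost code, and checks an assignment `scope` value up front, since a blueprintAssignment only ever targets a subscription. The sample error is constructed to mirror the one posted above.

```python
import json
import re

# Constructed sample mirroring the failure posted in this thread (leaf "message" is a JSON string).
SAMPLE_ERROR = {"error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [{
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed.",
        "details": [{
            "code": "BadRequest",
            "message": json.dumps({"error": {
                "code": "AssignmentInvalidScope",
                "message": "The assignment scope '/providers/Microsoft.Management/managementGroups/root-dutysm-mg' is of type 'ManagementGroup'.",
            }}),
        }],
    }],
}}

# A blueprint can only be assigned to a subscription, so properties.scope must
# be a subscription resource id, never a management group path.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def _innermost(err):
    """Follow 'details' to the leaf, unwrapping any JSON-encoded 'message'."""
    while True:
        details = err.get("details")
        if details:
            err = details[-1]
            continue
        message = err.get("message", "")
        if message.lstrip().startswith("{"):
            try:
                inner = json.loads(message)
            except json.JSONDecodeError:
                return err
            err = inner.get("error", inner)
            continue
        return err

def root_cause(deployment_error):
    """Return (code, message) of the innermost error of an ARM deployment failure."""
    leaf = _innermost(deployment_error["error"])
    return leaf.get("code", ""), leaf.get("message", "")

def valid_assignment_scope(scope):
    """True only for the subscription scopes a blueprintAssignment accepts."""
    return SUBSCRIPTION_SCOPE.match(scope) is not None
```

Running `root_cause` over the raw `az deployment` error output surfaces the inner code directly instead of the generic ResourceDeploymentFailure wrapper.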