Nested ARM template and dependsOn

5
votes

I am creating set of NSG rules with my ARM template and trying to update subnets to use these NSG rules in nested ARM template. Template deployments fails with "Another operation on this or dependent resource is in progress". I tried to use the "dependsOn" feature within the nested template but that does not do the trick. I have tried to give the NSG name and the resourceId()

"[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]",

to dependsOn without luck. Is there better way for waiting for the NSG rules to be ready before trying to update the subnets?

Template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetName": {
      "type": "string",
    },
    "subnetName": {
      "type": "string",
    }
  },
  "variables": {
    "NSGName": parameters('subnetName')
    "ResourceGroupName": "[resourceGroup().name]"
  },
  "resources": [
    {
      "apiVersion": "2017-11-01",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "[variables('NSGName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "Allow-Inbound-RDP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "192.168.0.1/24",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 4050,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "apiVersion": "2017-08-01",
      "name": "apply-nsg-to-subnet",
      "type": "Microsoft.Resources/deployments",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]"
      ],
      "properties": {
        "mode" : "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "apiVersion" : "2018-03-01",
              "type": "Microsoft.Network/virtualNetworks/subnets",
              "name": "[concat(parameters('virtualNetName'), '/', parameters('subnetName'))]",
              "properties": {
                "addressPrefix": "[reference(resourceId(variables('ResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetName'), parameters('subnetName')), '2018-03-01').addressPrefix]",
                "networkSecurityGroup": {
                  "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]"
                }
              }
            }
          ]
        }
      }
    }
  ]
}

I believe that one NSG and one subnet update would go fine through but it does not when I did it with eight.

1
azurearm-template
can you post that other template for me, please? meanwhile,here's the example paste.ee/p/1t3Ci. its using AV set, but it doesnt matter, just make NESTED deployment depend on the NSG4c74356b41
well, your template worked for me without issues, apart from a bunch of typos everywhere4c74356b41
I have to admit it took about 7 minutes for something this small, which is weird, can you try tomorrow, might be a temporary problem. But I dont see anything wrong with your approach. unless you have a bunch of Microsoft.Network/virtualNetworks/subnets in the nested template. in this case they shouldn't run in parallel. one must depend on the other to form a sequence4c74356b41
ok that might be the problem since I have quite many time that "Microsoft.Network/virtualNetworks/subnets" as I am updating those subnets one by one.Kamsiinov

1 Answers

5
votes

your nested deployment itself needs to depend on that ( the other nested deployment), this means that you need to add:

[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))].

Inside deployment resources can NOT depend on anything outside of deployment (and since its nested everything in the parent is outside of it).