1
votes

I am attempting to deploy new resources and update existing ones using my original ARM templates that I deployed with a few months ago. Unfortunately, the deployment does not get to Azure, as I do not see a deployment entry in my resource group. The error that is presented is local, before things start calling into Azure.

I am deploying using the Visual Studio 2017 ARM Template Deployment context menu.

Here is the error that is output. I get this and a nearly identical one when running the validation command as well.

    08:58:22 - VERBOSE: Performing the operation "Creating Deployment" on target "MigrationPlaybook_Prod".
    08:58:23 - New-AzureRmResourceGroupDeployment : Multiple error occurred: Forbidden,Forbidden. Please see details.
    08:58:23 - At C:\workspaces\Migration Playbook\MigrationPlaybookRegion\ProductionResourceGroup\bin\Debug\staging\ProductionResourc
    08:58:23 - eGroup\Deploy-AzureResourceGroup.ps1:108 char:5
    08:58:23 - +     New-AzureRmResourceGroupDeployment -Name ((Get-ChildItem $Templat ...
    08:58:23 - +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    08:58:23 -     + CategoryInfo          : CloseError: (:) [New-AzureRmResourceGroupDeployment], CloudException
    08:58:23 -     + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
    08:58:23 -    loymentCmdlet
    08:58:23 -
    08:58:24 -
    08:58:24 - Template deployment returned the following errors:
    08:58:24 - Multiple error occurred: Forbidden,Forbidden. Please see details.

Mitigations:

  • The template involves a KeyVault - I made sure that the ARM Template permission was Enabled
  • The project is several months old - I generated a new project to make sure that the PowerShell script, that is generated into the project at creation time, did not have any significant change
  • Account permissions - I have verified that my account permissions on the subscription have not changed in a way to prevent me from adding/modifying resources

While the mitigations address issues that arise when the ARM template is being deployed, the error and its resulting records suggest that there is an issue before it gets to Azure.

What could be the issue here and what can I do to remedy this?

2
Have you tried deploying the ARM template from a PowerShell command line with -Verbose and -DeploymentDebugLogLevel 'All'? docs.microsoft.com/en-us/azure/azure-resource-manager/… - Stringfellow
I get the exact same error output. :( - Itanex
Do those command arguments provide any more detail about the error? I expected the debug arguments would provide information about the PUT/POST request and response. azure.microsoft.com/nl-nl/blog/… - Stringfellow
I am not getting the output with the Request and Response. The error is the same, the output is slightly different but nothing is different about the error output. - Itanex
Try using these arguments: -Verbose -Debug. They will also give output for DEBUG: ============================ HTTP REQUEST ============================ ... and DEBUG: ============================ HTTP RESPONSE ============================ ... - Stringfellow

2 Answers

0
votes

I have seen the same error message when using a Key Vault to store username and password secrets but forgetting to 'Enable for template deployment' on the Key Vault resource, and then referencing those secrets to pass credentials in the deployment of SQL Server. Have you ensured that the Key Vault section in the ARM template has the option enabled where "enabledForTemplateDeployment": true?

Mine looks something like:

    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[variables('keyVaultName')]",
      "location": "[resourceGroup().location]",
      "tags": "[parameters('baseParameters').tagValues]",
      "scale": null,
      "dependsOn": [],
      "properties": {
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [],
        "enabledForDeployment": true,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": true
      }
    },

When enabled, it will look like the following in the portal: [screenshot]

Just to check, I intentionally removed (disabled) the setting and the result looks similar to your error. Using the arguments -Verbose -Debug helped me to see the details. [screenshot]
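
A pre-flight check for the setting this answer describes, as an added example that is not part of the original answer: it reads a template and a parameters file before deployment and reports Key Vault secret references alongside any vault resource whose enabledForTemplateDeployment is not literally true. The sample documents, the vault ID and the function names are constructed for illustration.

```python
# Constructed sample parameters file: one secret is pulled from Key Vault.
# The subscription ID, resource group and vault name are placeholders.
SAMPLE_PARAMETERS = {
    "parameters": {
        "sqlAdminLogin": {"value": "dbadmin"},
        "sqlAdminPassword": {"reference": {
            "keyVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                               "/resourceGroups/example-rg/providers"
                               "/Microsoft.KeyVault/vaults/example-vault"},
            "secretName": "sqlAdminPassword"}},
    }
}

# Constructed sample template: the vault resource has the flag switched off.
SAMPLE_TEMPLATE = {
    "resources": [{
        "type": "Microsoft.KeyVault/vaults",
        "name": "[variables('keyVaultName')]",
        "properties": {"enabledForDeployment": True,
                       "enabledForTemplateDeployment": False},
    }]
}

def keyvault_references(parameters_doc):
    """Map each Key Vault-backed parameter to (vault name, secret name)."""
    found = {}
    for name, body in parameters_doc.get("parameters", {}).items():
        ref = body.get("reference") if isinstance(body, dict) else None
        if isinstance(ref, dict) and "keyVault" in ref:
            vault_id = ref["keyVault"].get("id", "")
            found[name] = (vault_id.rstrip("/").rsplit("/", 1)[-1], ref.get("secretName"))
    return found

def vaults_not_enabled(template_doc):
    """Names of vault resources whose flag is missing, false, or an expression."""
    return [res.get("name") for res in template_doc.get("resources", [])
            if res.get("type", "").lower() == "microsoft.keyvault/vaults"
            and (res.get("properties") or {}).get("enabledForTemplateDeployment") is not True]

def preflight(template_doc, parameters_doc):
    """Fail when secrets are referenced while a templated vault lacks the flag."""
    refs = keyvault_references(parameters_doc)
    blocked = vaults_not_enabled(template_doc)
    return {"references": refs, "blocked_vaults": blocked, "ok": not (refs and blocked)}
```

A vault that the parameters file references but the template does not define is not covered by this check; its setting has to be confirmed on the existing resource.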

0
votes

I know that this isn't a real answer, but I don't have enough reputation yet to just comment. I've seen similar error messages in a subscription that had a limited number of cores and when I was trying to deploy more VMs. However, I am also not convinced that this is your problem ...

What I wanted to ask was what happens when you try and deploy the ARM template from the Azure portal using the "Deploy a Custom Template"? This might give you some better hints as to what exactly is going wrong.