1
votes

I'm encountering an issue wherein a new deployment for an Azure VMSS (which has managed identity enabled) fails the first time due to the following error:

Code: ResourceNotFound. Message: The Resource 'Microsoft.Compute/virtualMachineScaleSets/' under resource group '' was not found

Following are the relevant snippets of my ARM template:

VMSS section:

{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "sku": {
    "name": "[parameters('vmNodeType0Size')]",
    "capacity": "[parameters('defaultVMScaleSetSize')]",
    "tier": "Standard"
  },
  "name": "[variables('vmNodeType0Name')]",
  "apiVersion": "[variables('vmssApiVersion')]",
  "location": "[parameters('computeLocation')]",
  "tags": {
    "resourceType": "Service Fabric",
    "clusterName": "[variables('cloudClusterName')]"
  },
  "identity": {
    "type": "systemAssigned"
  },
  "properties": {
    ...
  }
}

Access policy section:

{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "name": "[concat(variables('KeyVaultName'), '/add')]",
  "apiVersion": "2018-02-14",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "[reference(concat('Microsoft.Compute/virtualMachineScaleSets/',  variables('vmNodeType0Name'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').tenantId]",
        "objectId": "[reference(concat('Microsoft.Compute/virtualMachineScaleSets/',  variables('vmNodeType0Name'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]",
        "permissions": {
          "keys": [
            "get"
          ],
          "secrets": [
            "get",
            "set"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  },
  "dependsOn": [
    "[concat('Microsoft.KeyVault/vaults/',  variables('KeyVaultName'))]"
  ]
}

It seems that ARM tries to deploy the managed identity for the VMSS even before the VMSS itself is created, and hence it fails. I have found no way to add a dependency on VMSS creation for managed identity creation. Subsequent deployments succeed as the VMSS is already created by that point.

1 Answer

1
votes

Try adding the following to the KV resource:

"dependsOn": [ "[variables('vmNodeType0Name')]" ]

If that doesn't work, wrap adding the access policies to the KV into a linked template deployment and make that deployment depend on the VMSS provision. That would always work.
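
A pre-deployment check for the ordering gap discussed in this thread, added here as an example (it is not code from the question or the answer): it flags a resource that calls reference() on a sub-resource path of another resource in the same template without naming that resource in dependsOn, which is the dependency the answer suggests adding. The function name `missing_dependencies`, the string-matching heuristic and the trimmed sample template are assumptions of this example.

```python
import json
import re

VMSS = "Microsoft.Compute/virtualMachineScaleSets"
# Constructed sample: the question's two resources, trimmed to the fields read below.
TEMPLATE = {"resources": [
    {"type": VMSS, "name": "[variables('vmNodeType0Name')]",
     "identity": {"type": "systemAssigned"}},
    {"type": "Microsoft.KeyVault/vaults/accessPolicies",
     "name": "[concat(variables('KeyVaultName'), '/add')]",
     "properties": {"accessPolicies": [{"objectId":
         "[reference(concat('Microsoft.Compute/virtualMachineScaleSets/',  "
         "variables('vmNodeType0Name'), "
         "'/providers/Microsoft.ManagedIdentity/Identities/default'), "
         "'2015-08-31-PREVIEW').principalId]"}]},
     "dependsOn": ["[concat('Microsoft.KeyVault/vaults/',  variables('KeyVaultName'))]"]},
]}


def _norm(text):
    """Lower-case and drop whitespace so spacing differences do not matter."""
    return re.sub(r"\s+", "", text).lower()


def missing_dependencies(template):
    """Return (consumer type, target type) pairs where the consumer calls
    reference() on a path built as concat('<target type>/', <target name>, ...)
    for a target defined in the same template, but does not mention the
    target's name expression anywhere in its dependsOn list.
    Heuristic (assumption of this example): plain string matching, no
    evaluation of ARM template expressions."""
    resources = template.get("resources", [])
    findings = []
    for target in resources:
        # Name expression without the outer brackets, e.g. variables('...').
        name = _norm(target["name"]).strip("[]")
        needle = "'" + _norm(target["type"]) + "/'," + name
        for res in resources:
            if res is target:
                continue
            # Search everything except dependsOn for the reference() call.
            body = _norm(json.dumps({k: v for k, v in res.items() if k != "dependsOn"}))
            declared = any(name in _norm(d) for d in res.get("dependsOn", []))
            if "reference(" in body and needle in body and not declared:
                findings.append((res["type"], target["type"]))
    return findings
```

Run against the template from the question, it reports the access policy resource as referencing the scale set without depending on it; the finding disappears once the scale set's name expression is listed in that resource's dependsOn.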