
We are deploying a custom role for Key Vault using an ARM template from a Blueprint. When we upload the ARM template to the Blueprint and do a Publish & Assign, the deployment fails at the end with the error message below:

Error message:

1. Message: Deployment template validation failed: 'The template resource,at line '1' and column '2008' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name."

2. The artifact 'f87238e1-28d5-45fa-8ad9-176d07e79a81' of type 'Template' failed to deploy due to the following error: Template deployment failed with error [ { "code": "LocationRequired", "message": "The location property is required for this definition." } ]

Can someone please correct this and tell me what might be wrong?

If you need the code, please let me know.

Code for reference -

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "Key Vault resource manager template deployment operator",
      "properties": {
        "Name": "Reader for KeyVault",
        "location": "West US",
        "IsCustom": true,
        "Description": "Allows only reader access to KeyVault.",
        "Actions": [
          "Microsoft.KeyVault/vaults/*/read"
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [
          "/subscriptions/000000/resourceGroups/RG-SK"
        ]
      }
    }
  ]
}

I request please to share the sample code if you have. - Anirudh Bragadeesan

1 Answers


You are providing an incorrect definition for "Custom Role". To create a Microsoft.Authorization/roleDefinitions resource, follow this documentation.

Here is a sample ARM template to create a custom role; you can make changes according to your custom role:

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "actions": {
      "type": "array",
      "defaultValue": [
         "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "metadata": {
        "description": "Array of actions for the roleDefinition"
      }
    },
    "notActions": {
      "type": "array",
      "defaultValue": [ ],
      "metadata": {
        "description": "Array of notActions for the roleDefinition"
      }
    },
    "roleName": {
      "type": "string",
      "defaultValue": "Custom Role - RG Reader",
      "metadata": {
        "description": "Friendly name of the role definition"
      }
    },
    "roleDescription": {
      "type": "string",
      "defaultValue": "Subscription Level Deployment of a Role Definition",
      "metadata": {
        "description": "Detailed description of the role definition"
      }
    }
  },
  "variables":{
    "roleDefName": "[guid(subscription().id, string(parameters('actions')), string(parameters('notActions')))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2018-07-01",
      "name": "[variables('roleDefName')]",
      "properties": {
        "roleName": "[parameters('roleName')]",
        "description": "[parameters('roleDescription')]",
        "type": "customRole",
        "isCustom": true,
        "permissions": [
          {
            "actions": "[parameters('actions')]",
            "notActions": "[parameters('notActions')]"
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    }
  ]
}

For more details, please refer to this documentation.
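
A pre-deployment check for the two problems this thread touches, as an added example that is not part of the original answer or of any Azure tooling: it applies the segment-length rule quoted in the validation error and flags role-definition properties placed under a resource type other than Microsoft.Authorization/roleDefinitions. The names `lint_resource`, `lint_template` and `SAMPLE` are hypothetical, and the sample input is constructed from the question's template.

```python
import json

ROLE_TYPE = "Microsoft.Authorization/roleDefinitions"
# Property names that belong to a role definition (compared case-insensitively).
ROLE_KEYS = {"actions", "notactions", "dataactions", "assignablescopes", "iscustom"}


def _segments(value):
    return len(value.strip("/").split("/"))


def lint_resource(res, nested=False):
    """Return a list of findings for one resource and its nested children."""
    findings = []
    rtype, name = res.get("type", ""), res.get("name", "")
    props = res.get("properties", {})
    # Segment rule quoted in the validation error. Names built from template
    # expressions ("[...]") are only known at deployment time, so skip them.
    if not name.startswith("["):
        expected = _segments(rtype) - (0 if nested else 1)
        if _segments(name) != expected:
            findings.append(f"{rtype}: name has {_segments(name)} segment(s), expected {expected}")
    misplaced = sorted(k for k in props if k.lower() in ROLE_KEYS)
    if rtype.lower() != ROLE_TYPE.lower() and misplaced:
        findings.append(f"{rtype}: role properties {misplaced} belong in {ROLE_TYPE}")
    if rtype.lower() == ROLE_TYPE.lower():
        if not props.get("permissions"):
            findings.append(f"{rtype}: missing properties.permissions")
        if not props.get("assignableScopes"):
            findings.append(f"{rtype}: missing properties.assignableScopes")
    for child in res.get("resources", []):
        findings += lint_resource(child, nested=True)
    return findings


def lint_template(text):
    template = json.loads(text)
    return [f for res in template.get("resources", []) for f in lint_resource(res)]


# Constructed sample: the question's resource, trimmed to the relevant fields.
SAMPLE = """{"resources": [{
  "type": "Microsoft.KeyVault/vaults", "apiVersion": "2019-09-01",
  "name": "Key Vault resource manager template deployment operator",
  "properties": {"IsCustom": true, "Actions": ["Microsoft.KeyVault/vaults/*/read"],
                 "AssignableScopes": ["/subscriptions/000000/resourceGroups/RG-SK"]}}]}"""

if __name__ == "__main__":
    for finding in lint_template(SAMPLE):
        print(finding)
```
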