How to get the parameter file of Powershell Script and use the same parameter in ARM template deployment task in the same Release Pipeline

Murali R 245

Hi Team,

Iam using the below Powershell script to get the Parameter file and using the same file in ARM template deployment task in Azure Devops Release pipeline. Both the task runs in Release Pipeline.
First Task - Azure Powershell task

param (
  $FilePath,
  $ResourceGroupName,
  $NetworkWatcherName,
  $location,
  $workspaceRegion,
  $workspaceResourceId,
  $workspaceId
)

# Get all network security groups in the resource group
$nsgs = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName

$nsgIds = @()
$nsgNames = @()
$nsgRgNames = @()

foreach ($nsg in $nsgs) {
  $nsgIds += $nsg.Id
  $nsgNames += $nsg.Name
  $nsgRgNames += $nsg.ResourceGroupName
}

# Get all storage accounts in the resource group
$storageAccounts = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName

# Get the storage account
$storageAccount = $storageAccounts[0]

$data = @{
  "`$schema" = "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#"
  "contentVersion" = "1.0.0.0"
  "parameters" = @{
    "nsgIds" = @{
      "value" = $nsgIds
    }
    "nsgNames" = @{
      "value" = $nsgNames
    }
    "nsgRgNames" = @{
      "value" = $nsgRgNames
    }
    "NetworkWatcherName" = @{
      "value" = $NetworkWatcherName
    }
    "location" = @{
      "value" = $location
    }
    "workspaceRegion" = @{
      "value" = $workspaceRegion
    }
    "workspaceResourceId" = @{
      "value" = $workspaceResourceId
    }
    "workspaceId" = @{
      "value" = $workspaceId
    }
    "storageId" = @{
      "value" = $storageAccount.Id
    }
  }
} | ConvertTo-Json -Depth 100 

$data | Out-File -FilePath $FilePath

All the values has been passed in Script Argument and release pipeline variable
Script Arguments:
-FilePath $(System.DefaultWorkingDirectory)/VSS_WESTEUROPE_NSG.parameters.json -ResourceGroupName VSS_WESTEUROPE_NSG -NetworkWatcherName $(NetworkWatcherName) -location $(location) -workspaceRegion $(workspaceRegion) -workspaceResourceId $(workspaceResourceId) -workspaceId $(workspaceId)

In Arm Template deployment task, iam using the below in Template parameters
$(System.DefaultWorkingDirectory)/VSS_WESTEUROPE_NSG.parameters.json

Release pipeline gets succeeded of both the tasks, but the NSG Flow log is not created in the Azure Portal. Kindly help on this.

Murali R 245 Reputation points

2023-12-19T20:08:17.4233333+00:00

Also when i see the output of the parameter file i see that storage id value is null
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2023-12-19T23:08:25.4766667+00:00
@Murali R

Thank you for reaching out.

Based on the Storage Account considerations for NSG Flow logs here

Location: The storage account must be in the same region as the network security group.

Subscription: The storage account must be in the same subscription of the network security group or in a subscription associated with the same Microsoft Entra tenant of the network security group's subscription.

Performance tier: The storage account must be standard. Premium storage accounts aren't supported.

Can you please confirm if the above is true for the storage account fetched from your resource group?

Maybe you can run a for loop for the storage accounts fetched and validate the location and the SKU and the pass on the storage Id as shown below:

foreach($strg in $storageAccounts){ if (($strg.location -eq $location) -and ($strg.sku.Name -like "Standard*" )) { $strg.Id }}

Thank you!
Murali R 245 Reputation points

2023-12-20T09:45:17.1866667+00:00

Hi @ChaitanyaNaykodi-MSFT As per the above the location, subscription and performance tier belong to the same NSG Resource Group Name and the storage account is also present in the same NSG Resource Group only.

Murali R 245

Hi @ChaitanyaNaykodi-MSFT Instead of running the above ps script for receiving storageId, i have entered the value manually in Pipeline variable its executing perfectly fine for Single RG's in a subscription.
But for some subscriptions i have multiple RG's, so i have used the below BICEP template and ps script. But iam receiving the following error

##[error]Unterminated string passed in. (2): '[

BICEP TEMPLATE

param nsgRgNames array = []
param nsgIds array = []
param nsgNames array = []
param networkWatcherNames array = [] // This is now an array of Network Watcher names
param locations array = [] // This is now an array of locations
param storageIds array = [] // This is now an array of storage account IDs

@description('Log analytics workspace resource Guid')
param workspaceId string = ''

@description('Log analytics workspace region')
param workspaceRegion string = ''

@description('Log analytics workspace resource id')
param workspaceResourceId string = ''

resource flowLogs 'Microsoft.Network/networkWatchers/flowLogs@2020-11-01' = [for i in range(0, length(nsgIds)): {
  name: '${networkWatcherNames[i]}/Microsoft.Network${nsgRgNames[i]}${nsgNames[i]}'
  location: locations[i]
  properties: {
    targetResourceId: nsgIds[i]
    storageId: storageIds[i]
    enabled: true
    format: {
      type: 'JSON'
      version: 2
    }
    retentionPolicy: {
      days: 0
      enabled: true
    }
    flowAnalyticsConfiguration: {
      networkWatcherFlowAnalyticsConfiguration: {
      enabled: true
      workspaceId: workspaceId
      workspaceRegion: workspaceRegion
      workspaceResourceId: workspaceResourceId
    }
  }
  }
}]

Ps script

param (
  $FilePath1,
  $FilePath2,
  [string]$ResourceGroupNames, # This should be a string
  [string]$networkWatcherNames, # This should be a string
  [string]$locations, # This should be a string
  [string]$storageIds, # This should be a string
  $workspaceRegion,
  $workspaceResourceId,
  $workspaceId
)

# Convert the JSON strings to arrays
$ResourceGroupNames = $ResourceGroupNames | ConvertFrom-Json
$networkWatcherNames = $networkWatcherNames | ConvertFrom-Json
$locations = $locations | ConvertFrom-Json
$storageIds = $storageIds | ConvertFrom-Json

# Print the ResourceGroupNames to the console
Write-Host "ResourceGroupNames: $ResourceGroupNames"

for ($i=0; $i -lt $ResourceGroupNames.Length; $i++) {
  # Get all network security groups in the current resource group
  $nsgs = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupNames[$i]

  $nsgIds = @()
  $nsgNames = @()
  $nsgRgNames = @()

  foreach ($nsg in $nsgs) {
    $nsgIds += $nsg.Id
    $nsgNames += $nsg.Name
    $nsgRgNames += $nsg.ResourceGroupName
  }

  $data = @{
    "`$schema" = "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#"
    "contentVersion" = "1.0.0.0"
    "parameters" = @{
      "nsgIds" = @{
        "value" = $nsgIds
      }
      "nsgNames" = @{
        "value" = $nsgNames
      }
      "nsgRgNames" = @{
        "value" = $nsgRgNames
      }
      "networkWatcherNames" = @{
        "value" = $networkWatcherNames[$i]
      }
      "locations" = @{
        "value" = $locations[$i]
      }
      "workspaceRegion" = @{
        "value" = $workspaceRegion
      }
      "workspaceResourceId" = @{
        "value" = $workspaceResourceId
      }
      "workspaceId" = @{
        "value" = $workspaceId
      }
      "storageIds" = @{
        "value" = $storageIds[$i]
      }
    }
  }

  # Convert the data to JSON and write it to the file
  if ($i -eq 0) {
    $FilePath = $FilePath1
  } else {
    $FilePath = $FilePath2
  }
  $data | ConvertTo-Json -Depth 100 | Out-File -FilePath $FilePath
}

Script Arguments in Release pipeline for Azure Powershell task
-FilePath1 $(System.DefaultWorkingDirectory)/file1.parameters.json -FilePath2 $(System.DefaultWorkingDirectory)/file2.parameters.json -ResourceGroupNames "$(ResourceGroupNames)" -NetworkWatcherNames $(NetworkWatcherNames) -locations $(locations) -storageIds $(storageIds) -workspaceRegion $(workspaceRegion) -workspaceResourceId $(workspaceResourceId) -workspaceId $(workspaceId)

Pipeline variables
locations '["xxx", "xxx"]'
networkWatcherNames '["xxx", "xxx"]'
ResourceGroupNames '["file1", "file2"]'
storageIds '["/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx", "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx"]'
workspaceId 'xxx'
workspaceRegion 'xxx'
workspaceResourceId '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.OperationalInsights/workspaces/xxx'

Kindly help me to resolve this issue

Murali R 245 Reputation points

2023-12-21T15:28:10.7866667+00:00

HI @ChaitanyaNaykodi-MSFT I have resolved the error, Thank u
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2023-12-21T18:36:55.9966667+00:00

@Murali R

Glad to know the issue was reolved. Can you please share the resolution here? so that anyone form the community can benefit from it. Thank you!
Murali R 245 Reputation points

2023-12-22T09:48:38.26+00:00
Sure @ChaitanyaNaykodi-MSFT . The below is code i have modified for the getting the value of storage account

# Get all storage accounts in the resource group $storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName | Select-Object -First 1 # Extract the Storage ID $storageId = $storageAccount.Id

Also i was not having the below role to get the value of storageId

Microsoft.Storage/storageAccounts/read

Accepted answer

ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2023-12-28T04:28:41.3466667+00:00
@Murali R

Thank you for sharing the solution achieved above.

I am just summarizing the issue and the solution above for community benefit. As current limitations in Microsoft Q&A you can only accept answers from other users. It will be helpful if you could accept the answer for community benefit.

Solution achieved:

You modified the code as shown below to get the storage ID.

# Get all storage accounts in the resource group $storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName | Select-Object -First 1 # Extract the Storage ID $storageId = $storageAccount.Id

You also had to set the RBAC role below to be able to fetch the correct data.

Microsoft.Storage/storageAccounts/read

Thank you!
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

How to get the parameter file of Powershell Script and use the same parameter in ARM template deployment task in the same Release Pipeline

0 additional answers