// Creates an Azure Bastion Subnet and host in the specified virtual network
@description('The Azure region where the Bastion should be deployed')
param location string = resourceGroup().location
@description('Virtual network name')
param vnetName string
@description('The address prefix to use for the Bastion subnet; AzureBastionSubnet must be /26 or larger')
param addressPrefix string = '192.168.250.0/26'
@description('The name of the Bastion public IP address')
param publicIpName string = 'pip-bastion'
@description('The name of the Bastion host')
param bastionHostName string = 'bastion-jumpbox-dev'
// The Bastion subnet must be named exactly 'AzureBastionSubnet'
var subnetName = 'AzureBastionSubnet'
resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-01-01' = {
  // Child of the existing vnet: the name must be '<vnet>/AzureBastionSubnet',
  // not a hashed value, or the Bastion host will not accept the subnet
  name: '${vnetName}/${subnetName}'
  properties: {
    addressPrefix: addressPrefix
    privateEndpointNetworkPolicies: 'Disabled'
    privateLinkServiceNetworkPolicies: 'Disabled'
  }
}
resource publicIpAddressForBastion 'Microsoft.Network/publicIPAddresses@2022-01-01' = {
name: publicIpName
location: location
sku: {
name: 'Standard'
}
properties: {
publicIPAllocationMethod: 'Static'
}
}
resource bastionHost 'Microsoft.Network/bastionHosts@2022-01-01' = {
name: bastionHostName
location: location
properties: {
ipConfigurations: [
{
name: 'IpConf'
properties: {
subnet: {
id: bastionSubnet.id
}
publicIPAddress: {
id: publicIpAddressForBastion.id
}
}
}
]
}
}
output bastionId string = bastionHost.id
The above Bicep is taken from the GitHub source and modified a bit.
I am using the Microsoft Learn Sandbox for the above experiment and got the result below:
az deployment group create --resource-group $resourceGroup --template-file bastionhost.bicep --what-if
Please provide string value for 'vnetName' (? for help): vnet-dev-forbastion
InvalidTemplateDeployment - The template deployment failed because of policy violation.
Please see details for more information.
RequestDisallowedByPolicy - Resource 'bastion-jumpbox-dev' was disallowed by policy. Policy identifiers: '[{"policyAssignment":
{"name":"webapps-assignment","id":"/providers/Microsoft.Management/managementGroups/<guid_id>/providers/Microsoft.Authorization/policyAssignments/webapps-assignment"},"policyDefinition":
{"name":"Allowed resource types","id":"/providers/Microsoft.Authorization/policyDefinitions/<guid_id>"},"policySetDefinition":{"name":"webapps-initiative",
"id":"/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/webapps-initiative"}}]'.
Does the above result mean only Web App creation is allowed at the management group level?
Note: This happens if there is any default policy existing inside the management group or subscription you're working with, and it is restricting the creation of resources other than Web Apps.
It seems like you do not have sufficient permissions ('Microsoft.PolicyInsights/policyStates/summarize/read' or 'Microsoft.PolicyInsights/policyStates/read' over the subscription scope) to view policy information at the subscription level.
You need to contact the subscription administrator and change the policies accordingly. And if it is not possible to remove the particular policy, then there is a possibility of adding exceptions to the restricted policies as given in MSDoc.
The error message gives you the names of the policy definition and the policy assignment. You can review the policy details with az policy definition show for the policy definition and az policy assignment show for the policy assignment.
After checking all the policy violations in my subscription environment, I tried a similar script with a few modifications and was able to deploy a Bastion host in a virtual network with the required IP address prefixes as follows.
Bicep code:
@description('Name of the vnet to create for Azure Bastion')
param vnet string
@description('Address space of the vnet')
param vnetPrefix string = '10.1.0.0/16'
@description('Address prefix of the Bastion subnet; AzureBastionSubnet must be /26 or larger')
param bastionIpPrefix string = '10.1.1.0/26'
@description('Name of the Bastion host')
param bastionHostName string
param location string = resourceGroup().location
var publicIpAddress = '${bastionHostName}-pip'
// The Bastion subnet must be named exactly 'AzureBastionSubnet'
var bastionSubnet = 'AzureBastionSubnet'
resource publicIp 'Microsoft.Network/publicIPAddresses@2022-01-01' = {
  name: publicIpAddress
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
  name: vnet
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetPrefix
      ]
    }
  }
  // Declared as a nested child resource (instead of a second top-level subnet
  // resource with an empty name) so its id can be referenced by the host below
  resource subnet 'subnets' = {
    name: bastionSubnet
    properties: {
      addressPrefix: bastionIpPrefix
    }
  }
}
resource bastionHost 'Microsoft.Network/bastionHosts@2022-01-01' = {
  name: bastionHostName
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'IpConf'
        properties: {
          subnet: {
            id: virtualNetwork::subnet.id
          }
          publicIPAddress: {
            id: publicIp.id
          }
        }
      }
    ]
  }
}
Deployed successfully in the portal:
Refer to MSDoc for more relevant information.
Update:
The MS Sandbox reference you have given is part of the Azure Bicep - Conditions & Loops learning module. For this, Microsoft provides a free sandbox environment for 3 to 4 hours and 10 sandboxes per day, where the least-privileged access role is assigned to your logged-in account.
You'll be able to do only the specific set of activities mentioned in that Microsoft Learn module, and it is clearly mentioned in the introduction doc.
As @Thomas said, you can provision the SQL Database servers that require a storage account for running the Bicep templates using either Azure CLI or Azure PowerShell.
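As an added example (not part of the answer above), the POSIX shell script below pulls the policy assignment, policy definition and initiative ids out of a RequestDisallowedByPolicy error like the one in the question and prints the az policy ... show commands that reveal what the assignment actually allows. The error text is a constructed sample in which placeholder GUIDs stand in for the redacted <guid_id> values; the az commands are printed rather than executed so the script runs offline, and the --query selections are my own choice of fields. The command shapes (az policy assignment show --name/--scope, az policy definition show and az policy set-definition show with --name and optional --management-group) are the az CLI's own.

```shell
#!/bin/sh
# Added example, not from the original answer: turn a RequestDisallowedByPolicy
# error into the `az policy ... show` commands that explain the block.

# Constructed sample of the error quoted in the question. The GUIDs are
# placeholders for the <guid_id> values the question redacted.
SAMPLE_ERROR='RequestDisallowedByPolicy - Resource '\''bastion-jumpbox-dev'\'' was disallowed by policy. Policy identifiers: '\''[{"policyAssignment":{"name":"webapps-assignment","id":"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/webapps-assignment"},"policyDefinition":{"name":"Allowed resource types","id":"/providers/Microsoft.Authorization/policyDefinitions/11111111-1111-1111-1111-111111111111"},"policySetDefinition":{"name":"webapps-initiative","id":"/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/webapps-initiative"}}]'\''.'

# policy_id ERROR KEY -> the "id" for KEY (policyAssignment, policyDefinition
# or policySetDefinition) inside the "Policy identifiers" JSON of ERROR.
policy_id() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":{\"name\":\"[^\"]*\",\"id\":\"\([^\"]*\)\".*/\1/p"
}

# last_segment ID -> the resource name, i.e. the text after the final '/'.
last_segment() {
  printf '%s\n' "${1##*/}"
}

# scope_of ID -> the scope an assignment lives in (management group,
# subscription or resource group), i.e. everything before the
# /providers/Microsoft.Authorization/... suffix.
scope_of() {
  printf '%s\n' "$1" | sed 's#/providers/Microsoft\.Authorization/.*$##'
}

# mg_of ID -> the management group name of a management-group-scoped id,
# or an empty string for a built-in (tenant-level) id.
mg_of() {
  printf '%s\n' "$1" | sed -n 's#^/providers/Microsoft\.Management/managementGroups/\([^/]*\)/.*#\1#p'
}

# definition_show_command KIND ID -> `az policy KIND show ...` where KIND is
# definition or set-definition; built-in ids need no scope, custom ids in a
# management group need --management-group.
definition_show_command() {
  name=$(last_segment "$2")
  mg=$(mg_of "$2")
  if [ -n "$mg" ]; then
    printf 'az policy %s show --name "%s" --management-group "%s"\n' "$1" "$name" "$mg"
  else
    printf 'az policy %s show --name "%s"\n' "$1" "$name"
  fi
}

# policy_show_commands ERROR -> prints three commands: the assignment (scope,
# exclusions, enforcement mode, parameters), the initiative's per-policy
# parameters, and the built-in definition itself. For "Allowed resource
# types" the allow-list is the listOfResourceTypesAllowed parameter, which is
# set either in the initiative's policyDefinitions[].parameters or in the
# assignment's parameters, never in the definition.
policy_show_commands() {
  asg=$(policy_id "$1" policyAssignment)
  def=$(policy_id "$1" policyDefinition)
  setdef=$(policy_id "$1" policySetDefinition)

  printf 'az policy assignment show --name "%s" --scope "%s" --query "{scope:scope,notScopes:notScopes,enforcementMode:enforcementMode,parameters:parameters}"\n' \
    "$(last_segment "$asg")" "$(scope_of "$asg")"
  printf '%s --query "policyDefinitions[].{definition:policyDefinitionId,parameters:parameters}"\n' \
    "$(definition_show_command set-definition "$setdef")"
  printf '%s --query "{mode:mode,parameters:parameters,effect:policyRule.then.effect}"\n' \
    "$(definition_show_command definition "$def")"
}

policy_show_commands "$SAMPLE_ERROR"
```

If the printed assignment or set-definition command comes back with an authorization error, you are in the situation the answer describes: the sandbox account cannot read policy at that scope, and the subscription administrator has to either change the assignment or add the resource types you need to its allow-list.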