Frequently Asked Questions - Azure/AzOps GitHub Wiki

AzOps FAQ

This article answers frequently asked questions relating to AzOps.

In this Section

Subscriptions or resources not showing up in repository

If there are invalid characters in the resource path, discovery of subscriptions, resource groups or resources will fail during push or pull operations.

To confirm if this applies to you, check the pipeline logs for any of the following messages:

[ConvertTo-AzOpsState] The specified AzOpsState file contains invalid characters (remove any "[" or "]" characters)! <PathToResource>
[New-AzOpsScope] Path not found: <PathToResource>

Remove the invalid resource or character and retry the operation.

A common example of invalid characters preventing successful operations in AzOps is with Visual Studio Enterprise based subscriptions. The default resource name of said subscriptions contains the "" EN DASH character. Example: visual studio enterprise subscription – mpn.

Management groups not showing up in repository

If the Microsoft.Management resource provider is not registered in the subscription where AzOps is initialized, AzOps is unable to list and create the folder structure for the management group hierarchy.

To confirm if this applies to you, check the pipeline logs for the following message:

[Initialize-AzOpsEnvironment] No management group access

Resolve this by registering the Microsoft.Management resource provider in the Azure Subscription or assign AzOps the permissions to perform the /register/action operation for the resource provider.

Push fail with deployment already exists in location error

If you have changed "Core.DefaultDeploymentRegion": from the default northeurope post initial setup, subsequent Push/Deployments might fail with an error as below:

Invalid deployment location 'westeurope'. The deployment 'AzOps-microsoft.management_managementgroups-nested' already exists in location 'northeurope'

This happens because it is unsupported in ARM to create a deployment in one location when there's an existing deployment with the same name in a different location.

To resolve the error, remove the failed deployment(s) from the target scope and re-run the failed Push pipeline. This can be done either under 'Deployments' at the particular scope in the Azure portal or with PowerShell/Azure CLI/REST. Delete Deployments at scope

Does AzOps use Temporary Files

Yes, during runtime AzOps identifies the systems temporary directory [System.IO.Path]::GetTempPath().

AzOps utilizes the temporary directory for storing temporary information either used at processing time by AzOps (e.g. export and conversion of child resources) or information that is intended to be picked up by pipeline after AzOps module execution (e.g. OUTPUT.md / OUTPUT.json).

Due to the different usage patterns of temporary files they are either created and deleted during module invocation or created and left for further processing at a later stage. As a part of AzOps invocation the initialize procedure looks for lingering temporary files (e.g. OUTPUT.md / OUTPUT.json) and removes them to ensure a clean execution.

Pull fail with active pull request already exists error

Pull pipeline failed during Create Pull Request to automerge task with an error as below:

ERROR: TF401179: An active pull request for the source and target branch already exists.

This happens because it is not supported in Azure DevOps to create a pull request when there's an existing pull request created for the same source and target branch.

Error

To resolve the error, complete or abandon the existing pull request (PR) first and then rerun the pipeline.

PR

Discovery scenarios and settings

I want to discover all resources across all resource groups in one specific subscription

Can AzOps settings be configured to enable this?

Yes, ensure the following setting combinations are applied (replace SubscriptionId with your specific information)

    "Core.IncludeResourcesInResourceGroup": ["*"]

    "Core.IncludeResourceType": ["*"]

    "Core.SkipResource": false

    "Core.SkipResourceGroup": false

    "Core.SubscriptionsToIncludeResourceGroups": ["SubscriptionId"]

I want to discover all resources in specific resource groups in one specific subscription

Can AzOps settings be configured to enable this?

Yes, ensure the following setting combinations are applied (replace rgname1, rgname2, rgname3 and SubscriptionId with your specific information)

    "Core.IncludeResourcesInResourceGroup": ["rgname1","rgname2","rgname3"]

    "Core.IncludeResourceType": ["*"]

    "Core.SkipResource": false

    "Core.SkipResourceGroup": false

    "Core.SubscriptionsToIncludeResourceGroups": ["SubscriptionId"]

I want to discover a specific resource type in specific resource group in one specific subscription

Can AzOps settings be configured to enable this?

Yes, ensure the following setting combinations are applied (replace rgname1, resource-provider/resource-type and SubscriptionId with your specific information)

    "Core.IncludeResourcesInResourceGroup": ["rgname1"]

    "Core.IncludeResourceType": ["resource-provider/resource-type"]

    "Core.SkipResource": false

    "Core.SkipResourceGroup": false

    "Core.SubscriptionsToIncludeResourceGroups": ["SubscriptionId"]

I want to discover and manage several Azure Firewall Policy's and rule collections spread out across several resource groups and subscriptions

Can AzOps settings be configured to enable this?

Yes, ensure the following setting combinations are applied (replace rgname1, rgname2, Microsoft.Network/firewallPolicies and SubscriptionId1, SubscriptionId2 with your specific information)

    "Core.IncludeResourcesInResourceGroup": ["rgname1","rgname2"]

    "Core.IncludeResourceType": ["Microsoft.Network/firewallPolicies"]

    "Core.SkipResource": false

    "Core.SkipChildResource": false

    "Core.SkipResourceGroup": false

    "Core.SubscriptionsToIncludeChildResource": ["SubscriptionId1","SubscriptionId2"]

    "Core.SubscriptionsToIncludeResourceGroups": ["SubscriptionId1","SubscriptionId2"]

I want to deploy a set of templates in a specific order

Can AzOps settings be configured to enable this?

Yes, ensure that the variable AZOPS_CUSTOM_SORT_ORDER is set to true and create a file named .order in the same folder as your template files. Template files listed in the order file will be deployed in the order specified in the file and before any other templates.

Push scenarios and settings

I want to have multiple different deployments at scope using the same template file but different parameter files

When using custom deployment templates, can I avoid the pattern of duplicating the .bicep file for each parameter file below?

scope/
├── template-a.bicep
├── template-a.bicepparam
├── template-b.bicep
├── template-b.bicepparam
├── template-c.bicep
└── template-c.parameters.json

Yes, ensure the following setting combinations are applied (replace x with your specific pattern identifier)

    "Core.AllowMultipleTemplateParameterFiles": true

    "Core.MultipleTemplateParameterFileSuffix": ".x"

AzOps module will evaluate each parameter file individually and try to find base template by matching (regular expression) according to MultipleTemplateParameterFileSuffix pattern identifier.

scope/
├── template.x1.bicepparam
├── template.x2.bicepparam
├── template.x3.parameters.json
└── template.bicep

Note: To avoid having AzOps deploy the base template.bicep unintentionally, ensure you have at least one parameter without default value in template.bicep and no lingering 1:1 matching parameter file.

I have AllowMultipleTemplateParameterFiles set to true and want deployments performed in parallel

Can AzOps perform parallel deployments of the below 3 separate parameter files?

scope/
├── template.x1.bicepparam
├── template.x2.bicepparam
├── template.x3.parameters.json
└── template.bicep

Yes, ensure the following setting combinations are applied

    "Core.AllowMultipleTemplateParameterFiles": true

    "Core.ParallelDeployMultipleTemplateParameterFiles": true

Note: By default, AzOps performs serial deployments.

I have AllowMultipleTemplateParameterFiles set to true and when changes are made to a template no deployment is performed

When using a custom deployment templates with multiple corresponding parameter files, can I ensure that changes made to the template triggers AzOps to create separate deployments for each corresponding parameter file?

Yes, ensure the following setting Core.DeployAllMultipleTemplateParameterFiles is set to true.

Note: By default, AzOps does not try to identify and deploy files that have not changed, by changing this setting AzOps will attempt to resolve matching parameter files for deployment based on deployment template.

I am getting: Missing defaultValue and no parameter file found, skip deployment

To confirm if this applies to you, check the pipeline logs for the following message:

[Resolve-ArmFileAssociation] Template <filepath> with parameter: <missingparam>, missing defaultValue and no parameter file found, skip deployment

What does this mean?

AzOps have detected that parameters used in the template do not have defaultValues, no 1:1 parameter file mapped and that Core.AllowMultipleTemplateParameterFiles is set to true.

To avoid exiting with error or attempt to deploy the updated base template unintentionally AzOps skips the file and logs it.

The following must be true for this to happen:

  • Core.AllowMultipleTemplateParameterFiles is set to true
  • A template file is a part of the changeset sent to AzOps
  • Template file contains parameters with no defaultValue
  • Template file does not have 1:1 mapping to parameter file
⚠️ **GitHub.com Fallback** ⚠️