azureazure-resource-managerazure-cliazure-bicepazure-log-analytics-workspace

How can I add a log analytics workspace to an existing ampls through bicep


Background

We have a hub-spoke topology. In the hub there is an ampls with already a log analytics workspace connected that also exists in the hub. This works. All resources are added through bicep.

New log analytics workspace

In a new spoke I've added a log analytics workspace. As the documentation says, you should add it to the existing ampls.

Bicep

I've created a new bicep module which should do that

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  scope: resourceGroup(lawSubId, lawRg)
  name: lawName
}

resource ampls 'microsoft.insights/privatelinkscopes@2021-07-01-preview' existing = {
  scope: resourceGroup(amplsSubscriptionId, amplsRg)
  name: amplsName
}

// deploy ampls scoped resources
resource amplsScope 'microsoft.insights/privatelinkscopes/scopedresources@2021-07-01-preview' = {
  parent: ampls
  name: amplsScopeName
  properties: {
    linkedResourceId: law.id
  }
}

So the law and the ampls resources already exists, and I want to add a new scope so the ampls and the law are connected.

Error

With the above setup I get the following error:

Error BCP165: A resource's computed scope must match that of the Bicep file for it to be deployable. This resource's scope is computed from the "scope" property value assigned to ancestor resource "ampls". You must use modules to deploy resources to a different scope.

But when I tried to move the existing ampls resource so that the amplsScope now was the deploy in the module I got the error that the parent type was of string instead of "privatelinkscopes".

Request

Does anyone know how to achieve this in Bicep? As I'm deploying this through an Azure DevOps pipeline I would also be happy with an Azure CLI example, or powershell if there is no other option.

Let me know if there's any information missing.


Solution

  • the scope of your deployment needs to match the scope of the resource you are deploying: You can't specify the scope of the ampls in the module

    resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
      scope: resourceGroup(lawSubId, lawRg)
      name: lawName
    }
    
    resource ampls 'microsoft.insights/privatelinkscopes@2021-07-01-preview' existing = {
      name: amplsName
    }
    
    // deploy ampls scoped resources
    resource amplsScope 'microsoft.insights/privatelinkscopes/scopedresources@2021-07-01-preview' = {
      parent: ampls
      name: amplsScopeName
      properties: {
        linkedResourceId: law.id
      }
    }
    

    Then you can invoke your module like that:

    az deployment group create --resource-group <ampls-rg>
    

    If this module is part of bigger deployment, you can specify a scope when invoking the module:

    // main.bicep
    
    module approvePrivateEndpoint 'modules/ampls-scoped-resource.bicep' = {
      name: 'ampls-scoped-resource'
      scope: resourceGroup(amplsSubscriptionId, amplsRg)
      params: {
        amplsName: ''
        amplsScopeName: ''
        lawName: ''
        lawRg: ''
        lawSubId: ''
      }
    }