Tags: azure-devops, azure-resource-manager, azure-data-lake, azure-data-lake-gen2

ARM template not able to run in ADO pipeline


I am trying to create an ADLS using an ARM template in an ADO pipeline, but I'm failing to do so. I was able to create the ADLS storage manually. There is a policy restricting the creation of storage; the error suggests that public access to storage should be disabled. I already added that part, I'm not sure what's failing.

storage.json

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "storageAccountName": {
                "type": "string"
            },
            "containerName": {
                "type": "string"
            },
            "location": {
                "type": "string",
                "defaultValue": "westus2"
            },
            "resourceGroupName": {
                "type": "string"
            }
        },
        "resources": [
            {
                "type": "Microsoft.Storage/storageAccounts",
                "apiVersion": "2021-09-01",
                "name": "[parameters('storageAccountName')]",
                "location": "[parameters('location')]",
                "kind": "StorageV2",
                "sku": {
                    "name": "Standard_LRS"
                },
                "properties": {
                    "accessTier": "Hot",
                    "publicNetworkAccess": "Disabled",
                    "isHnsEnabled": true
                }
            },
            {
                "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
                "apiVersion": "2021-04-01",
                "name": "[concat(parameters('storageAccountName'), '/default/', parameters('containerName'))]",
                "dependsOn": [
                    "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
                ],
                "properties": {
                    "publicAccess": "None"
                }
            }
        ]
    }

parameters.json

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "storageAccountName": {
          "value": "adlscrscrs"
        },
        "containerName": {
          "value": "test"
        },
        "location": {
          "value": "eastus"
        },
        "resourceGroupName": {
          "value": "**"
        }
      }
    }

Error during creation

There were errors in your deployment. Error code: InvalidTemplateDeployment.
2025-03-05T16:21:23.9969916Z ##[error]The template deployment failed because of policy violation. Please see details for more information.
2025-03-05T16:21:23.9983670Z ##[error]Details:
2025-03-05T16:21:23.9985377Z ##[error]Resource 'adlscrscrs' was disallowed by policy. Error Type: PolicyViolation, Policy Definition Name : Blob public network access should be disabled for the Storage Account, Policy Assignment Name : **.
2025-03-05T16:21:23.9988639Z ##[error][More information on Azure Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/EditAssignmentBlade/id/%2Fproviders%2FMicrosoft.Management%2FmanagementGroups%2Fspgi%2Fproviders%2FMicrosoft.Authorization%2FpolicyAssignments%**)
2025-03-05T16:21:23.9990493Z ##[warning]Validation errors were found in the Azure Resource Manager template. This can potentially cause template deployment to fail. Task failed while creating or updating the template deployment.. Please follow https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax

Solution

  • Based on the error message, you should disallow public access to all blobs at the Storage Account level.

    Resource 'xxxx' was disallowed by policy. Error Type: PolicyViolation, Policy Definition Name : Blob public network access should be disabled for the Storage Account, Policy Assignment Name : xxxx.

    In Microsoft.Storage/storageAccounts 2021-09-01, there is a property 'allowBlobPublicAccess' that can be used to allow or disallow public access to all blobs or containers in the storage account. The default value of this property is true if you do not explicitly set it in the template.


    For your case, you can set the property "allowBlobPublicAccess": false in the template storage.json.

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            . . .
        },
        "resources": [
            {
                "type": "Microsoft.Storage/storageAccounts",
                . . .
                "properties": {
                    "accessTier": "Hot",
                    "publicNetworkAccess": "Disabled",  // Disallow public network access to Storage Account.
                    "allowBlobPublicAccess": false,  // Disallow public access to all blobs or containers in the storage account.
                    "isHnsEnabled": true
                }
            },
            {
                "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
                . . .
            }
        ]
    }
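As an added example that is not part of the question or the answer above, the following Python script checks an ARM template for the two storage-account properties discussed here (publicNetworkAccess and allowBlobPublicAccess) so that a template which would be rejected by the policy is caught in the pipeline before the deployment task runs. It treats a missing allowBlobPublicAccess as a finding, because, as the answer notes, the default is true. The embedded template is constructed from the question's storage.json (strict JSON, no // comments); the function names and the wording of the findings are my own, not part of any Azure tooling.

```python
import copy
import json
import sys
from typing import Any, Dict, Iterator, List

STORAGE_ACCOUNT_TYPE = "Microsoft.Storage/storageAccounts"

# Constructed sample: the storageAccounts resource from the question's
# storage.json, which sets publicNetworkAccess but not allowBlobPublicAccess.
NONCOMPLIANT_TEMPLATE = r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "eastus",
      "kind": "StorageV2",
      "sku": { "name": "Standard_LRS" },
      "properties": {
        "accessTier": "Hot",
        "publicNetworkAccess": "Disabled",
        "isHnsEnabled": true
      }
    }
  ]
}
'''


def iter_resources(resources: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every resource, including child resources nested under 'resources'."""
    for res in resources:
        yield res
        yield from iter_resources(res.get("resources", []))


def check_storage_accounts(template: Dict[str, Any]) -> List[str]:
    """Return one finding per property that would trip the policy.

    Rule mirrored from the error message 'Blob public network access should be
    disabled for the Storage Account':
      - allowBlobPublicAccess must be explicitly false (missing means true).
      - publicNetworkAccess must be "Disabled".
    An empty list means the template passes this check.
    """
    findings: List[str] = []
    for res in iter_resources(template.get("resources", [])):
        if res.get("type") != STORAGE_ACCOUNT_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        if "allowBlobPublicAccess" not in props:
            findings.append(f"{name}: allowBlobPublicAccess not set (defaults to true)")
        elif props["allowBlobPublicAccess"] is not False:
            findings.append(f"{name}: allowBlobPublicAccess is "
                            f"{props['allowBlobPublicAccess']!r}, expected false")
        if props.get("publicNetworkAccess") != "Disabled":
            findings.append(f"{name}: publicNetworkAccess is "
                            f"{props.get('publicNetworkAccess')!r}, expected 'Disabled'")
    return findings


def check_template_text(text: str) -> List[str]:
    """Parse a strict-JSON ARM template and run the storage-account check."""
    return check_storage_accounts(json.loads(text))


def fixed_copy(template: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy with both properties set as the answer recommends."""
    fixed = copy.deepcopy(template)
    for res in iter_resources(fixed.get("resources", [])):
        if res.get("type") == STORAGE_ACCOUNT_TYPE:
            props = res.setdefault("properties", {})
            props["allowBlobPublicAccess"] = False
            props["publicNetworkAccess"] = "Disabled"
    return fixed


if __name__ == "__main__":
    # Usage in a pipeline step: python check_storage_template.py storage.json
    # Exits non-zero when a finding exists, so the deployment task never runs.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else NONCOMPLIANT_TEMPLATE
    problems = check_template_text(text)
    for line in problems:
        print(f"FINDING: {line}")
    sys.exit(1 if problems else 0)
```

Run it as a script step before the AzureResourceManagerTemplateDeployment task; a non-zero exit fails the job with the offending property named, instead of the generic InvalidTemplateDeployment error shown in the question.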