Redis deployment error through Bicep: "The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'"

Chaitra Shivanand Kulkarni (INFOSYS LIMITED) 45 Reputation points Microsoft Vendor
2023-11-15T22:42:33.11+00:00

Redis deployment through Bicep is resulting in the following error:
The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'

This is happening while enabling managed identity for Redis, mainly while executing this piece of code.

```bicep
resource redisDataContributorAccessPolicyAssignments 'Microsoft.Cache/Redis/accessPolicyAssignments@2023-08-01' = [for servicePrincipalId in servicePrincipals: {
  parent: redisCache
  name: servicePrincipalId
  properties: {
    accessPolicyName: 'Data Contributor'
    objectId: servicePrincipalId
    objectIdAlias: 'AADApp-${servicePrincipalId}'
  }
}]
```

5 answers

  1. GeethaThatipatri-MSFT 29,387 Reputation points Microsoft Employee
    2023-11-21T13:30:19.5233333+00:00

    Hi @Chaitra Shivanand Kulkarni (INFOSYS LIMITED)

    As our example Bicep template suggests, every policy assignment needs to have a dependency relationship with the previous operation, i.e. one cannot initiate multiple policy assignments in one go; they need to be sequential, one by one, using the dependsOn property, which makes sure the 2nd policy assignment does not start until the 1st one is completed.

    The Bicep template you shared uses a for loop to assign all of the principals without any dependsOn relationship, which causes all policy assignment operations to start without waiting for the previous one to complete; hence all subsequent operations after the first assignment fail.

    We recommend that you use a dependency relationship among all assignment operations using the dependsOn property in your Bicep template.
    If you want to keep the existing for loop, using the dependsOn property may get tricky.
    An alternate approach is to use the “batchSize” decorator with value 1 in such cases to make them sequential.
    This is the doc link for batchSize: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/loops#deploy-in-batches

    I hope this information helps.

    Regards

    Geetha

    1 person found this answer helpful.

  2. GeethaThatipatri-MSFT 29,387 Reputation points Microsoft Employee
    2023-11-16T01:04:01.3666667+00:00

    Hi @Chaitra Shivanand Kulkarni (INFOSYS LIMITED), welcome to Microsoft Q&A, and thanks for posting your question.

    Can you please check this bicep sample we recently added if it helps: azure-quickstart-templates/quickstarts/microsoft.cache/redis-cache-microsoft-entra-authentication/azuredeploy.json at master · Azure/azure-quickstart-templates (github.com).

    Could you also confirm that the value assigned to objectId is actually the object ID for the service principal and not the app ID?

    Regards

    Geetha


  3. Chaitra Shivanand Kulkarni (INFOSYS LIMITED) 45 Reputation points Microsoft Vendor
    2023-11-16T15:06:54.4333333+00:00

    We have specified the access policy assignment as mentioned in the template.

    Also, the value assigned to the objectId is the object ID for the service principal.


  4. Bryan Harvey-Smith 0 Reputation points
    2023-11-20T10:39:56.8566667+00:00

    I encountered a similar issue. If you look at the deployment history inside the resource group it shows a Conflict. I got past this issue by chaining multiple accessPolicyAssignment resources together using dependsOn. Ideally this resource would support the loop operation.

    The example bicep template that has been published only has a single policy assignment so works as expected.


  5. Chaitra Shivanand Kulkarni (INFOSYS LIMITED) 45 Reputation points Microsoft Vendor
    2023-11-20T22:14:07.68+00:00

    I was wondering if you could give an example for chaining the multiple accessPolicyAssignment resources together.
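
The two ways of serializing the assignments described in the answers above (the `@batchSize(1)` decorator on the loop, and explicit `dependsOn` chaining), shown together as an added example that is not part of the original thread or of Microsoft's quickstart template. The parameter names `redisCacheName` and `extraPrincipalId`, the `array` type of `servicePrincipals`, and the resource name `chainedAssignment` are assumptions made for illustration.

```bicep
// Added example. Parameter declarations are assumptions; the thread shows only the loop.
param redisCacheName string

@description('Object IDs (not application IDs) of the service principals to grant access.')
param servicePrincipals array

@description('Object ID of one further principal, assigned through an explicit dependsOn chain.')
param extraPrincipalId string

resource redisCache 'Microsoft.Cache/redis@2023-08-01' existing = {
  name: redisCacheName
}

// Approach 1: keep the for loop, but deploy one assignment at a time.
// Without @batchSize(1) the loop's resources are deployed in parallel, which the
// answers identify as the cause of the failed assignments after the first one.
@batchSize(1)
resource redisDataContributorAccessPolicyAssignments 'Microsoft.Cache/redis/accessPolicyAssignments@2023-08-01' = [for servicePrincipalId in servicePrincipals: {
  parent: redisCache
  name: servicePrincipalId
  properties: {
    accessPolicyName: 'Data Contributor'
    objectId: servicePrincipalId
    objectIdAlias: 'AADApp-${servicePrincipalId}'
  }
}]

// Approach 2: an individually declared assignment chained with dependsOn.
// It waits for the whole loop above to finish. A further assignment would list
// chainedAssignment in its own dependsOn, and so on down the chain.
resource chainedAssignment 'Microsoft.Cache/redis/accessPolicyAssignments@2023-08-01' = {
  parent: redisCache
  name: extraPrincipalId
  properties: {
    accessPolicyName: 'Data Contributor'
    objectId: extraPrincipalId
    objectIdAlias: 'AADApp-${extraPrincipalId}'
  }
  dependsOn: [
    redisDataContributorAccessPolicyAssignments
  ]
}
```

Either approach can be used on its own; when both appear in one template, as here, the chained resource must depend on the loop so that the two groups do not run concurrently against the same cache.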

