Question

I am trying to create a managed instance within an existing subnet in Azure. I have configured the subnet with the script provided by Microsoft, which tells me the subnet is prepared.

When I create the managed instance I get

'Deployment validation failed. Additional details from the underlying API that might be helpful: The template deployment failed because of policy violation. Please see details for more information.'

If I check the activity log I see

'InvalidTemplateDeployment' and 'Operation name 'deny' Policy action', with some further information under the JSON tab, e.g.

"eventTimestamp": "2019-10-30T10:22:16.9421982Z",
"id": "/subscriptions/xx/resourceGroups/xx/providers/Microsoft.Sql/managedInstances/xx-sqlmi/events/23572bf7-dbbb-4ba0-a13e-075a8ae58652/ticks/637080277369421982",
"level": "Error",
"operationId": "a12adf73-dd1b-4216-80df-dea57d514ba1",
"operationName": {
    "value": "Microsoft.Authorization/policies/deny/action",
    "localizedValue": "'deny' Policy action."

None of this seems to me very helpful. How do I diagnose and fix this error? Is it that my network/subnet configuration is wrong? Permissions? A policy which needs to specify managed instances can be created?

Solution

Figured out the solution:

Go to the resource group you want to create the managed instance in > Policies > Assignments > Allowed resource types (with the scope subscription/resourcegroupname) parameters > then from the allowed resource types dropdown select Microsoft.Sql.managedInstances

Sign out and back into your account, then the managed instance will deploy.

When I got the 'Validate Deployment - 'deny' Policy action' error I went to the Activity log, clicked the Validate Deployment error dropdown, clicked the 'deny' Policy action, then looked at the JSON tab. Looking sequentially to see where the error originated, I found this section:

"category": {
    "value": "Policy",
    "localizedValue": "Policy"
},
"eventTimestamp": "2019-10-30T13:04:54.8516173Z",
"id": "/subscriptions/XXXXXXX/resourceGroups/XXXXXXXXXXXXX/providers/Microsoft.Sql/managedInstances/minamehere/events/77999a0f-d551-45e0-9b3b-1156b246b50d/ticks/637080374948516173",

"resourceId": "/subscriptions/XXXXXXXXX/resourceGroups/XXXXXXX/providers/Microsoft.Sql/managedInstances/minamehere",
"status": {
    "value": "Failed",
    "localizedValue": "Failed"

Which is what led me to policies and allowed me to troubleshoot and fix the issue - somewhere I knew I needed to add 'Microsoft.Sql/managedInstances' to the Policy category, which fits with the deny policy error I was experiencing.
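The triage described in the answer can be scripted. The following is an added example, not part of the original answer: it filters Activity Log events for the `Microsoft.Authorization/policies/deny/action` operation, derives the resource type from each `resourceId`, and checks it against an "Allowed resource types" list. It assumes the events have been exported as a JSON list using the field names quoted above; the sample events and allow-list values are constructed.

```python
import json

DENY_OP = "Microsoft.Authorization/policies/deny/action"

# Constructed sample modelled on the fields quoted above; IDs are placeholders.
SAMPLE_EVENTS = json.loads("""
[
  {"category": {"value": "Policy"},
   "operationName": {"value": "Microsoft.Authorization/policies/deny/action"},
   "resourceId": "/subscriptions/XXXX/resourceGroups/rg-example/providers/Microsoft.Sql/managedInstances/minamehere",
   "status": {"value": "Failed"}},
  {"category": {"value": "Administrative"},
   "operationName": {"value": "Microsoft.Resources/deployments/validate/action"},
   "resourceId": "/subscriptions/XXXX/resourceGroups/rg-example/providers/Microsoft.Resources/deployments/example",
   "status": {"value": "Failed"}}
]
""")

def resource_type(resource_id):
    """Return 'Namespace/type[/subtype]' from an ARM resource ID, or None."""
    # Pass the event's "resourceId", not its "id": "id" carries an
    # /events/<guid>/ticks/<n> suffix that is not part of the resource.
    parts = resource_id.strip("/").split("/")
    lowered = [p.lower() for p in parts]
    if "providers" not in lowered:
        return None
    # Use the last 'providers' segment so extension resources resolve correctly.
    idx = len(lowered) - 1 - lowered[::-1].index("providers")
    tail = parts[idx + 1:]  # [namespace, type, name, subtype, subname, ...]
    if len(tail) < 2:
        return None
    return "/".join([tail[0]] + tail[1::2])

def denied_types(events, allowed_types):
    """Map each policy-denied resource type to whether the allow-list covers it."""
    allowed = {t.lower() for t in allowed_types}  # type names compared case-insensitively
    result = {}
    for ev in events:
        if ev.get("operationName", {}).get("value", "").lower() != DENY_OP.lower():
            continue
        rtype = resource_type(ev.get("resourceId", ""))
        if rtype:
            result[rtype] = rtype.lower() in allowed
    return result

if __name__ == "__main__":
    for rtype, ok in denied_types(SAMPLE_EVENTS, ["Microsoft.Network/virtualNetworks"]).items():
        print(rtype, "allowed" if ok else "MISSING from allowed resource types")
```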

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange