Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id

See original GitHub issue

Describe the bug

Command Name az deployment group create

Errors:

InvalidTemplateDeployment - The template deployment 'api-deployment' is not valid according to the validation procedure. The tracking id is 'f1c7b947-7f69-4a85-910a-a182fc481255'. See inner errors for details.
PreflightValidationCheckFailed - Preflight validation failed. Please refer to the details for the specific errors.
InvalidValuesForRequestParameters - Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id. For more information, see - https://aka.ms/storagenetworkruleset

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

az deployment group create --name "api-deployment" --resource-group "api" --template-file "api.json" --parameters "api.parameters.json"

Expected Behavior

deploy template to resource group “api”

Environment Summary

Windows-10-10.0.18362-SP0
Python 3.6.6
Installer: MSI

azure-cli 2.9.1

Additional Context

I have three ARM templates: “network”, “database” and “api”. In the first step, I create a virtual network (VNET) with a subnet with the “network” template. Then I create a cosmosdb database with the “database” template with VNET integration and it works fine. In the third step I want to run the “api” template, but I get this error.

Here are some excerpts:

network:

...
"outputs": {
  ...
  "subnet1ResourceId": {
    "type": "string",
    "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnet1Name'))]"
  }
}

database: (works fine)

...
"variables": {
  "networkDeploymentResourceId": "[resourceId(parameters('networkGroupName'), 'Microsoft.Resources/deployments', parameters('networkDeploymentName'))]",
...
},
...
"resources":{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  ...
  "properties": {
    "isVirtualNetworkFilterEnabled": true,
    "virtualNetworkRules": [
      {
        "id": "[reference(variables('networkDeploymentResourceId'), '2020-06-01').outputs.subnet1ResourceId.value]"
      }
    ],
    ...
  }
  ...
}

...
"variables": {
  "networkDeploymentResourceId": "[resourceId(parameters('networkGroupName'), 'Microsoft.Resources/deployments', parameters('networkDeploymentName'))]",
...
},
...
"resources":{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  ...
  "properties": {
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "virtualNetworkRules": [
        {
          "id": "[reference(variables('networkDeploymentResourceId'), '2020-06-01').outputs.subnet1ResourceId.value]",
          "action": "Allow"
        }
      ]
    },
    "supportsHttpsTrafficOnly": true
  }
  ...
}

And here’s the strange thing: If I use the reference statement somewhere else, it works.

"[reference(variables('networkDeploymentResourceId'), '2020-06-01').outputs.subnet1ResourceId.value]"

And if I pass the resourceId directly, it also works:

"virtualNetworkRules": [
  {
    "id": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Network/virtualNetworks/.../subnets/...",
    "action": "Allow"
  }
]

Edit: I think it’s a problem with the CLI because it worked well with an older version of the CLI. But I don’t remember which version.

Issue Analytics

State:
Created 3 years ago
Reactions:1
Comments:12 (4 by maintainers)

Top GitHub Comments

3reactions

Nikashcommented, Mar 3, 2021

Just started running into the same error using [concat(parameters('vnetId'), parameters('subnetId'))] for the storage account networkAcls.virtualNetworkRules.id.

Seems like the field does not accept any functions and needs a hardcoded value. Is there an update on this?

1reaction

robertparker9commented, Jun 14, 2022

I too was hitting “invalid: networkAcls.virtualNetworkRules” error when run from the bash terminal in VScode. What fixed it for me was [https://stackoverflow.com/questions/7250130/how-to-stop-mingw-and-msys-from-mangling-path-names-given-at-the-command-line#34386471] i.e. ensure MSYS_NO_PATHCONV=1 is one of the environment variables.

The link was provided by Microsoft support when I raised the issue. Other tips to pass on;

the az command worked fine in the Portal CLI
you can add “–debug” to the command, which in my case revealed that part of my filesystem path was being added into the parameter value and so creating an invalid resource id

Top Results From Across the Web

Azure Remediation Policy to restrict storage accounts without ...

Message Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id. For more information, see - https://aka.ms/ ...

Add virtualNetworkRules in ARM template for Azure KeyVault

I would like to add virtualNetworkRules in ARM Template. But unfortunately it is not able to get the parameter and activate the Firewall...

Azure CLI Command for Deleting all the files in Blob storage ...

ERROR: BadRequestError: (InvalidValuesForRequestParameters) Values for request parameters are invalid: networkAcls.ipRule[*].value. For more information ...

Microsoft.Azure.Management.Storage.xml - PowerShell Gallery

Azure.Management.Storage.IStorageManagementClient.GenerateClientRequestId"> <summary> When set to true a unique x-ms-client-request-id value is generated

Managing Azure firewall and virtual networks with PowerShell

Contains(“networkAcls.virtualNetworkRules[*].id(unique)”)) { Msgbox “Storage Account (Public IPs Action): ” “There are duplicated entries on ...