
I'm trying to add a Batch Account (in User subscription mode) configuration to an ARM script but I'm facing a problem with a circular dependency.

  • Batch account requires KeyVaultReference.
  • Key Vault access policies require BatchAccount object id.

In this situation I'm not able to create fully configured services. Do you know how I can create both services from the same ARM script?

Please see the example below:

{
  "name": "[variables('keyVaultName')]",
  "type": "Microsoft.KeyVault/vaults",
  "location": "[resourceGroup().location]",
  "apiVersion": "2015-06-01",
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "[subscription().tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
        "permissions": {
          "keys": [
            "Update"
          ]
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"
  ]
},
{
  "name": "[variables('batchAccountName')]",
  "type": "Microsoft.Batch/batchAccounts",
  "location": "[resourceGroup().location]",
  "apiVersion": "2017-05-01",
  "properties": {
    "poolAllocationMode": "UserSubscription",
    "autoStorage": {
      "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]"
    },
    "keyVaultReference": {
      "id": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
      "url": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]",
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ]
}
Harish
Pawel Maga

1 Answer


Key Vault access policies require BatchAccount object id.

The object id is not related to the batch account. The object id is the object id of the user who you set could access the key vault. The user could be an Azure AD account, a Microsoft account or a service principal. For an Azure AD account, you could get the id with the PowerShell cmdlet Get-AzureRmADUser. This blog may be helpful.

Batch account requires KeyVaultReference.

As you did, you could add a dependsOn on the key vault when you create the batch account. The following template works for me.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "defaultValue": "eastus",
            "type": "string"
        },
        "batchAccountName": {
            "defaultValue": "shui568",
            "type": "string"
        },
        "storageAccountName": {
            "defaultValue": "shui41f",
            "type": "string"
        },
        "storageAccountType": {
            "defaultValue": "Standard_LRS",
            "type": "string"
        },
        "vaults_shuibatch_name": {
            "defaultValue": "shui225",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "name": "[parameters('batchAccountName')]",
            "type": "Microsoft.Batch/batchAccounts",
            "apiVersion": "2017-05-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
                "[concat('Microsoft.KeyVault/vaults/', parameters('vaults_shuibatch_name'))]"
            ],
            "properties": {
                "poolAllocationMode": "usersubscription",
                "KeyVaultReference": {
                    "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_shuibatch_name'))]",
                    "url": "[concat('https://',parameters('vaults_shuibatch_name'),'.vault.azure.net/')]"
                },
                "autoStorage": {
                    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
                }
            }
        },
        {
            "name": "[parameters('storageAccountName')]",
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2015-06-15",
            "location": "[parameters('location')]",
            "properties": {
                "accountType": "[parameters('storageAccountType')]"
            }
        },
        {
            "comments": "Generalized from resource: '/subscriptions/***************/resourceGroups/shuibatch/providers/Microsoft.KeyVault/vaults/shuibatch'.",
            "type": "Microsoft.KeyVault/vaults",
            "name": "[parameters('vaults_shuibatch_name')]",
            "apiVersion": "2015-06-01",
            "location": "eastus",
            "tags": {},
            "scale": null,
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "3ff89f78-2a60-4fef-8ee5-c249d03549d1",
                        "permissions": {
                            "secrets": [
                                "All"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": true
            },
            "dependsOn": []
        }
    ]
}
Shui shengbao
  • If my understanding is right, you want to give the user `Microsoft Azure Batch` permission; you could get the object id on the Azure Portal: `Access control (IAM)`-->`Microsoft Azure Batch`-->`Properties`. – Shui shengbao Sep 05 '17 at 05:13
  • It looks nice. I'm looking for a way to include all these operation in automation script via arm / ps (Azure Subscription steps), but it's a different story. Thanks! – Pawel Maga Sep 05 '17 at 09:03
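An added check, written here for this thread and not code from the question or the answer, that scans a template for the two problems discussed above: a dependsOn cycle between the vault and the batch account, and an accessPolicies objectId that holds a resourceId() expression instead of a principal's object id (a GUID, or a parameter supplied at deployment time). The sample template is a constructed reduction of the question's two resources.

```python
import re

# Resource type and symbolic name (variables('x') / parameters('x')) inside an ARM expression
# like "[resourceId('Microsoft.KeyVault/vaults', variables('kv'))]" or the concat() form.
TYPE_RE = re.compile(r"'(Microsoft\.[A-Za-z]+/[A-Za-z]+)/?'")
NAME_RE = re.compile(r"((?:variables|parameters)\('[^']+'\))")
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def _key(rtype, expr):
    m = NAME_RE.search(expr)
    return (rtype, m.group(1) if m else expr)

def dependency_cycles(template):
    """Return each dependsOn cycle among the resources as a closed path of (type, name)."""
    graph = {}
    for res in template.get("resources", []):
        deps = [(TYPE_RE.search(d), d) for d in res.get("dependsOn", [])]
        graph[_key(res["type"], res["name"])] = {_key(t.group(1), d) for t, d in deps if t}
    cycles, done = [], set()
    def walk(node, path):
        if node in path:                       # back edge: record the loop
            cycles.append(path[path.index(node):] + [node])
        elif node in graph and node not in done:
            for nxt in graph[node]:
                walk(nxt, path + [node])
            done.add(node)
    for start in graph:
        walk(start, [])
    return cycles

def bad_access_policy_object_ids(template):
    """Flag Key Vault accessPolicies whose objectId is not a principal object id: a GUID
    or a parameter filled in at deployment time, never a resourceId() expression."""
    bad = []
    for res in template.get("resources", []):
        if res.get("type") == "Microsoft.KeyVault/vaults":
            for pol in res.get("properties", {}).get("accessPolicies", []):
                oid = pol.get("objectId", "")
                if not (GUID_RE.match(oid) or oid.startswith("[parameters(")):
                    bad.append(oid)
    return bad

# Constructed sample: the question's two resources, reduced to the fields these checks read.
QUESTION_TEMPLATE = {"resources": [
    {"type": "Microsoft.KeyVault/vaults", "name": "[variables('keyVaultName')]",
     "dependsOn": ["[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"],
     "properties": {"accessPolicies": [{"objectId":
         "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"}]}},
    {"type": "Microsoft.Batch/batchAccounts", "name": "[variables('batchAccountName')]",
     "dependsOn": ["[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"]}]}
```

Run both functions over a template before deploying; a clean template returns an empty list from each.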