| title | description | ms.topic | ms.date |
|---|---|---|---|
Template functions - resources |
Describes the functions to use in an Azure Resource Manager template (ARM template) to retrieve values about resources. |
conceptual |
11/18/2020 |
Resource Manager provides the following functions for getting resource values in your Azure Resource Manager template (ARM template):
- extensionResourceId
- list*
- pickZones
- providers
- reference
- resourceGroup
- resourceId
- subscription
- subscriptionResourceId
- tenantResourceId
To get values from parameters, variables, or the current deployment, see Deployment value functions.
[!INCLUDE Bicep preview]
extensionResourceId(resourceId, resourceType, resourceName1, [resourceName2], ...)
Returns the resource ID for an extension resource, which is a resource type that is applied to another resource to add to its capabilities.
| Parameter | Required | Type | Description |
|---|---|---|---|
| resourceId | Yes | string | The resource ID for the resource that the extension resource is applied to. |
| resourceType | Yes | string | Type of resource including resource provider namespace. |
| resourceName1 | Yes | string | Name of resource. |
| resourceName2 | No | string | Next resource name segment, if needed. |
Continue adding resource names as parameters when the resource type includes more segments.
The basic format of the resource ID returned by this function is:
{scope}/providers/{extensionResourceProviderNamespace}/{extensionResourceType}/{extensionResourceName}The scope segment varies by the resource being extended.
When the extension resource is applied to a resource, the resource ID is returned in the following format:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{baseResourceProviderNamespace}/{baseResourceType}/{baseResourceName}/providers/{extensionResourceProviderNamespace}/{extensionResourceType}/{extensionResourceName}When the extension resource is applied to a resource group, the format is:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{extensionResourceProviderNamespace}/{extensionResourceType}/{extensionResourceName}When the extension resource is applied to a subscription, the format is:
/subscriptions/{subscriptionId}/providers/{extensionResourceProviderNamespace}/{extensionResourceType}/{extensionResourceName}When the extension resource is applied to a management group, the format is:
/providers/Microsoft.Management/managementGroups/{managementGroupName}/providers/{extensionResourceProviderNamespace}/{extensionResourceType}/{extensionResourceName}The following example returns the resource ID for a resource group lock.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"lockName": {
"type": "string"
}
},
"variables": {},
"resources": [],
"outputs": {
"lockResourceId": {
"type": "string",
"value": "[extensionResourceId(resourceGroup().Id , 'Microsoft.Authorization/locks', parameters('lockName'))]"
}
}
}param lockName string
output lockResourceId string = extensionResourceId(resourceGroup().Id, 'Microsoft.Authorization/locks', lockName)A custom policy definition deployed to a management group is implemented as an extension resource. To create and assign a policy, deploy the following template to a management group.
:::code language="json" source="~/quickstart-templates/managementgroup-deployments/mg-policy/azuredeploy.json":::
param targetMG string
param allowedLocations array = [
'australiaeast'
'australiasoutheast'
'australiacentral'
]
var mgScope = tenantResourceId('Microsoft.Management/managementGroups', targetMG)
var policyDefinition = 'LocationRestriction'
resource myDefinition 'Microsoft.Authorization/policyDefinitions@2019-09-01' = {
name: policyDefinition
properties: {
policyType: 'Custom'
mode: 'All'
parameters: {}
policyRule: {
'if': {
'not': {
'field': 'location'
'in': allowedLocations
}
}
'then': {
'effect': 'deny'
}
}
}
}
resource myAssignment 'Microsoft.Authorization/policyAssignments@2019-09-01' = {
name: 'location-lock'
properties: {
scope: mgScope
policyDefinitionId: extensionResourceId(mgScope, 'Microsoft.Authorization/policyDefinitions', policyDefinition)
}
}Built-in policy definitions are tenant level resources. For an example of deploying a built-in policy definition, see tenantResourceId.
list{Value}(resourceName or resourceIdentifier, apiVersion, functionValues)
The syntax for this function varies by name of the list operations. Each implementation returns values for the resource type that supports a list operation. The operation name must start with list. Some common usages are listKeys, listKeyValue, and listSecrets.
| Parameter | Required | Type | Description |
|---|---|---|---|
| resourceName or resourceIdentifier | Yes | string | Unique identifier for the resource. |
| apiVersion | Yes | string | API version of resource runtime state. Typically, in the format, yyyy-mm-dd. |
| functionValues | No | object | An object that has values for the function. Only provide this object for functions that support receiving an object with parameter values, such as listAccountSas on a storage account. An example of passing function values is shown in this article. |
The list functions can be used in the properties of a resource definition. Don't use a list function that exposes sensitive information in the outputs section of a template. Output values are stored in the deployment history and could be retrieved by a malicious user.
When used with property iteration, you can use the list functions for input because the expression is assigned to the resource property. You can't use them with count because the count must be determined before the list function is resolved.
The possible uses of list* are shown in the following table.
| Resource type | Function name |
|---|---|
| Microsoft.Addons/supportProviders | listsupportplaninfo |
| Microsoft.AnalysisServices/servers | listGatewayStatus |
| Microsoft.ApiManagement/service/authorizationServers | listSecrets |
| Microsoft.ApiManagement/service/gateways | listKeys |
| Microsoft.ApiManagement/service/identityProviders | listSecrets |
| Microsoft.ApiManagement/service/namedValues | listValue |
| Microsoft.ApiManagement/service/openidConnectProviders | listSecrets |
| Microsoft.AppConfiguration/configurationStores | ListKeys |
| Microsoft.AppPlatform/Spring | listTestKeys |
| Microsoft.Automation/automationAccounts | listKeys |
| Microsoft.Batch/batchAccounts | listkeys |
| Microsoft.BatchAI/workspaces/experiments/jobs | listoutputfiles |
| Microsoft.Blockchain/blockchainMembers | listApiKeys |
| Microsoft.Blockchain/blockchainMembers/transactionNodes | listApiKeys |
| Microsoft.BotService/botServices/channels | listChannelWithKeys |
| Microsoft.Cache/redis | listKeys |
| Microsoft.CognitiveServices/accounts | listKeys |
| Microsoft.ContainerRegistry/registries | listBuildSourceUploadUrl |
| Microsoft.ContainerRegistry/registries | listCredentials |
| Microsoft.ContainerRegistry/registries | listUsages |
| Microsoft.ContainerRegistry/registries/agentpools | listQueueStatus |
| Microsoft.ContainerRegistry/registries/buildTasks | listSourceRepositoryProperties |
| Microsoft.ContainerRegistry/registries/buildTasks/steps | listBuildArguments |
| Microsoft.ContainerRegistry/registries/taskruns | listDetails |
| Microsoft.ContainerRegistry/registries/webhooks | listEvents |
| Microsoft.ContainerRegistry/registries/runs | listLogSasUrl |
| Microsoft.ContainerRegistry/registries/tasks | listDetails |
| Microsoft.ContainerService/managedClusters | listClusterAdminCredential |
| Microsoft.ContainerService/managedClusters | listClusterMonitoringUserCredential |
| Microsoft.ContainerService/managedClusters | listClusterUserCredential |
| Microsoft.ContainerService/managedClusters/accessProfiles | listCredential |
| Microsoft.DataBox/jobs | listCredentials |
| Microsoft.DataFactory/datafactories/gateways | listauthkeys |
| Microsoft.DataFactory/factories/integrationruntimes | listauthkeys |
| Microsoft.DataLakeAnalytics/accounts/storageAccounts/Containers | listSasTokens |
| Microsoft.DataShare/accounts/shares | listSynchronizations |
| Microsoft.DataShare/accounts/shareSubscriptions | listSourceShareSynchronizationSettings |
| Microsoft.DataShare/accounts/shareSubscriptions | listSynchronizationDetails |
| Microsoft.DataShare/accounts/shareSubscriptions | listSynchronizations |
| Microsoft.Devices/iotHubs | listkeys |
| Microsoft.Devices/iotHubs/iotHubKeys | listkeys |
| Microsoft.Devices/provisioningServices/keys | listkeys |
| Microsoft.Devices/provisioningServices | listkeys |
| Microsoft.DevTestLab/labs | ListVhds |
| Microsoft.DevTestLab/labs/schedules | ListApplicable |
| Microsoft.DevTestLab/labs/users/serviceFabrics | ListApplicableSchedules |
| Microsoft.DevTestLab/labs/virtualMachines | ListApplicableSchedules |
| Microsoft.DocumentDB/databaseAccounts | listConnectionStrings |
| Microsoft.DocumentDB/databaseAccounts | listKeys |
| Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces | listConnectionInfo |
| Microsoft.DomainRegistration | listDomainRecommendations |
| Microsoft.DomainRegistration/topLevelDomains | listAgreements |
| Microsoft.EventGrid/domains | listKeys |
| Microsoft.EventGrid/topics | listKeys |
| Microsoft.EventHub/namespaces/authorizationRules | listkeys |
| Microsoft.EventHub/namespaces/disasterRecoveryConfigs/authorizationRules | listkeys |
| Microsoft.EventHub/namespaces/eventhubs/authorizationRules | listkeys |
| Microsoft.ImportExport/jobs | listBitLockerKeys |
| Microsoft.Kusto/Clusters/Databases | ListPrincipals |
| Microsoft.LabServices/users | ListEnvironments |
| Microsoft.LabServices/users | ListLabs |
| Microsoft.Logic/integrationAccounts/agreements | listContentCallbackUrl |
| Microsoft.Logic/integrationAccounts/assemblies | listContentCallbackUrl |
| Microsoft.Logic/integrationAccounts | listCallbackUrl |
| Microsoft.Logic/integrationAccounts | listKeyVaultKeys |
| Microsoft.Logic/integrationAccounts/maps | listContentCallbackUrl |
| Microsoft.Logic/integrationAccounts/partners | listContentCallbackUrl |
| Microsoft.Logic/integrationAccounts/schemas | listContentCallbackUrl |
| Microsoft.Logic/workflows | listCallbackUrl |
| Microsoft.Logic/workflows | listSwagger |
| Microsoft.Logic/workflows/runs/actions | listExpressionTraces |
| Microsoft.Logic/workflows/runs/actions/repetitions | listExpressionTraces |
| Microsoft.Logic/workflows/triggers | listCallbackUrl |
| Microsoft.Logic/workflows/versions/triggers | listCallbackUrl |
| Microsoft.MachineLearning/webServices | listkeys |
| Microsoft.MachineLearning/Workspaces | listworkspacekeys |
| Microsoft.MachineLearningServices/workspaces/computes | listKeys |
| Microsoft.MachineLearningServices/workspaces/computes | listNodes |
| Microsoft.MachineLearningServices/workspaces | listKeys |
| Microsoft.Maps/accounts | listKeys |
| Microsoft.Media/mediaservices/assets | listContainerSas |
| Microsoft.Media/mediaservices/assets | listStreamingLocators |
| Microsoft.Media/mediaservices/streamingLocators | listContentKeys |
| Microsoft.Media/mediaservices/streamingLocators | listPaths |
| Microsoft.Network/applicationSecurityGroups | listIpConfigurations |
| Microsoft.NotificationHubs/Namespaces/authorizationRules | listkeys |
| Microsoft.NotificationHubs/Namespaces/NotificationHubs/authorizationRules | listkeys |
| Microsoft.OperationalInsights/workspaces | list |
| Microsoft.OperationalInsights/workspaces | listKeys |
| Microsoft.PolicyInsights/remediations | listDeployments |
| Microsoft.RedHatOpenShift/openShiftClusters | listCredentials |
| Microsoft.Relay/namespaces/authorizationRules | listkeys |
| Microsoft.Relay/namespaces/disasterRecoveryConfigs/authorizationRules | listkeys |
| Microsoft.Relay/namespaces/HybridConnections/authorizationRules | listkeys |
| Microsoft.Relay/namespaces/WcfRelays/authorizationRules | listkeys |
| Microsoft.Search/searchServices | listAdminKeys |
| Microsoft.Search/searchServices | listQueryKeys |
| Microsoft.ServiceBus/namespaces/authorizationRules | listkeys |
| Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/authorizationRules | listkeys |
| Microsoft.ServiceBus/namespaces/queues/authorizationRules | listkeys |
| Microsoft.ServiceBus/namespaces/topics/authorizationRules | listkeys |
| Microsoft.SignalRService/SignalR | listkeys |
| Microsoft.Storage/storageAccounts | listAccountSas |
| Microsoft.Storage/storageAccounts | listkeys |
| Microsoft.Storage/storageAccounts | listServiceSas |
| Microsoft.StorSimple/managers/devices | listFailoverSets |
| Microsoft.StorSimple/managers/devices | listFailoverTargets |
| Microsoft.StorSimple/managers | listActivationKey |
| Microsoft.StorSimple/managers | listPublicEncryptionKey |
| Microsoft.Synapse/workspaces/integrationRuntimes | listAuthKeys |
| Microsoft.Web/connectionGateways | ListStatus |
| microsoft.web/connections | listconsentlinks |
| Microsoft.Web/customApis | listWsdlInterfaces |
| microsoft.web/locations | listwsdlinterfaces |
| microsoft.web/apimanagementaccounts/apis/connections | listconnectionkeys |
| microsoft.web/apimanagementaccounts/apis/connections | listsecrets |
| microsoft.web/sites/backups | list |
| Microsoft.Web/sites/config | list |
| microsoft.web/sites/functions | listkeys |
| microsoft.web/sites/functions | listsecrets |
| microsoft.web/sites/hybridconnectionnamespaces/relays | listkeys |
| microsoft.web/sites | listsyncfunctiontriggerstatus |
| microsoft.web/sites/slots/functions | listsecrets |
| microsoft.web/sites/slots/backups | list |
| Microsoft.Web/sites/slots/config | list |
| microsoft.web/sites/slots/functions | listsecrets |
To determine which resource types have a list operation, you have the following options:
-
View the REST API operations for a resource provider, and look for list operations. For example, storage accounts have the listKeys operation.
-
Use the Get-AzProviderOperation PowerShell cmdlet. The following example gets all list operations for storage accounts:
Get-AzProviderOperation -OperationSearchString "Microsoft.Storage/*" | where {$_.Operation -like "*list*"} | FT Operation
-
Use the following Azure CLI command to filter only the list operations:
az provider operation show --namespace Microsoft.Storage --query "resourceTypes[?name=='storageAccounts'].operations[].name | [?contains(@, 'list')]"
The returned object varies by the list function you use. For example, the listKeys for a storage account returns the following format:
{
"keys": [
{
"keyName": "key1",
"permissions": "Full",
"value": "{value}"
},
{
"keyName": "key2",
"permissions": "Full",
"value": "{value}"
}
]
}Other list functions have different return formats. To see the format of a function, include it in the outputs section as shown in the example template.
Specify the resource by using either the resource name or the resourceId function. When using a list function in the same template that deploys the referenced resource, use the resource name.
If you use a list function in a resource that is conditionally deployed, the function is evaluated even if the resource isn't deployed. You get an error if the list function refers to a resource that doesn't exist. Use the if function to make sure the function is only evaluated when the resource is being deployed. See the if function for a sample template that uses if and list with a conditionally deployed resource.
The following example uses listKeys when setting a value for deployment scripts.
"storageAccountSettings": {
"storageAccountName": "[variables('storageAccountName')]",
"storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value]"
}storageAccountSettings: {
storageAccountName: storageAccountName
storageAccountKey: listKeys(resourceId('Microsoft.Storage/storageAccounts', storageAccountName), '2019-06-01').keys[0].value
}
The next example shows a list function that takes a parameter. In this case, the function is listAccountSas. Pass an object for the expiry time. The expiry time must be in the future.
"parameters": {
"accountSasProperties": {
"type": "object",
"defaultValue": {
"signedServices": "b",
"signedPermission": "r",
"signedExpiry": "2020-08-20T11:00:00Z",
"signedResourceTypes": "s"
}
}
},
...
"sasToken": "[listAccountSas(parameters('storagename'), '2018-02-01', parameters('accountSasProperties')).accountSasToken]"param accountSasProperties object {
default: {
signedServices: 'b'
signedPermission: 'r'
signedExpiry: '2020-08-20T11:00:00Z'
signedResourceTypes: 's'
}
}
...
sasToken: listAccountSas(storagename, '2018-02-01', accountSasProperties).accountSasTokenpickZones(providerNamespace, resourceType, location, [numberOfZones], [offset])
Determines whether a resource type supports zones for a region.
| Parameter | Required | Type | Description |
|---|---|---|---|
| providerNamespace | Yes | string | The resource provider namespace for the resource type to check for zone support. |
| resourceType | Yes | string | The resource type to check for zone support. |
| location | Yes | string | The region to check for zone support. |
| numberOfZones | No | integer | The number of logical zones to return. The default is 1. The number must a positive integer from 1 to 3. Use 1 for single-zoned resources. For multi-zoned resources, the value must be less than or equal to the number of supported zones. |
| offset | No | integer | The offset from the starting logical zone. The function returns an error if offset plus numberOfZones exceeds the number of supported zones. |
An array with the supported zones. When using the default values for offset and numberOfZones, a resource type and region that supports zones returns the following array:
[
"1"
]When the numberOfZones parameter is set to 3, it returns:
[
"1",
"2",
"3"
]When the resource type or region doesn't support zones, an empty array is returned.
[
]The following template shows three results for using the pickZones function.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"functions": [],
"variables": {},
"resources": [],
"outputs": {
"supported": {
"type": "array",
"value": "[pickZones('Microsoft.Compute', 'virtualMachines', 'westus2')]"
},
"notSupportedRegion": {
"type": "array",
"value": "[pickZones('Microsoft.Compute', 'virtualMachines', 'northcentralus')]"
},
"notSupportedType": {
"type": "array",
"value": "[pickZones('Microsoft.Cdn', 'profiles', 'westus2')]"
}
}
}output supported array = pickZones('Microsoft.Compute', 'virtualMachines', 'westus2')
output notSupportedRegion array = pickZones('Microsoft.Compute', 'virtualMachines', 'northcentralus')
output notSupportedType array = pickZones('Microsoft.Cdn', 'profiles', 'westus2')The output from the preceding examples returns three arrays.
| Name | Type | Value |
|---|---|---|
| supported | array | [ "1" ] |
| notSupportedRegion | array | [] |
| notSupportedType | array | [] |
You can use the response from pickZones to determine whether to provide null for zones or assign virtual machines to different zones. The following example sets a value for the zone based on the availability of zones.
"zones": {
"value": "[if(not(empty(pickZones('Microsoft.Compute', 'virtualMachines', 'westus2'))), string(add(mod(copyIndex(),3),1)), json('null'))]"
},Note
Loops and copyIndex() are not implemented yet. See Loops.
providers(providerNamespace, [resourceType])
Returns information about a resource provider and its supported resource types. If you don't provide a resource type, the function returns all the supported types for the resource provider.
| Parameter | Required | Type | Description |
|---|---|---|---|
| providerNamespace | Yes | string | Namespace of the provider |
| resourceType | No | string | The type of resource within the specified namespace. |
Each supported type is returned in the following format:
{
"resourceType": "{name of resource type}",
"locations": [ all supported locations ],
"apiVersions": [ all supported API versions ]
}Array ordering of the returned values isn't guaranteed.
The following example template shows how to use the provider function:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"providerNamespace": {
"type": "string"
},
"resourceType": {
"type": "string"
}
},
"resources": [],
"outputs": {
"providerOutput": {
"type": "object",
"value": "[providers(parameters('providerNamespace'), parameters('resourceType'))]"
}
}
}param providerNamespace string
param resourceType string
output providerOutput array = providers(providerNamespace, resourceType)For the Microsoft.Web resource provider and sites resource type, the preceding example returns an object in the following format:
{
"resourceType": "sites",
"locations": [
"South Central US",
"North Europe",
"West Europe",
"Southeast Asia",
...
],
"apiVersions": [
"2016-08-01",
"2016-03-01",
"2015-08-01-preview",
"2015-08-01",
...
]
}reference(resourceName or resourceIdentifier, [apiVersion], ['Full'])
Returns an object representing a resource's runtime state.
| Parameter | Required | Type | Description |
|---|---|---|---|
| resourceName or resourceIdentifier | Yes | string | Name or unique identifier of a resource. When referencing a resource in the current template, provide only the resource name as a parameter. When referencing a previously deployed resource or when the name of the resource is ambiguous, provide the resource ID. |
| apiVersion | No | string | API version of the specified resource. This parameter is required when the resource isn't provisioned within same template. Typically, in the format, yyyy-mm-dd. For valid API versions for your resource, see template reference. |
| 'Full' | No | string | Value that specifies whether to return the full resource object. If you don't specify 'Full', only the properties object of the resource is returned. The full object includes values such as the resource ID and location. |
Every resource type returns different properties for the reference function. The function doesn't return a single, predefined format. Also, the returned value differs based on the value of the 'Full' argument. To see the properties for a resource type, return the object in the outputs section as shown in the example.
The reference function retrieves the runtime state of either a previously deployed resource or a resource deployed in the current template. This article shows examples for both scenarios.
Typically, you use the reference function to return a particular value from an object, such as the blob endpoint URI or fully qualified domain name.
"outputs": {
"BlobUri": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))).primaryEndpoints.blob]"
},
"FQDN": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('ipAddressName'))).dnsSettings.fqdn]"
}
}output BlobUri string = reference(resourceId('Microsoft.Storage/storageAccounts', storageAccountName)).primaryEndpoints.blob
output FQDN string = reference(resourceId('Microsoft.Network/publicIPAddresses', ipAddressName)).dnsSettings.fqdnUse 'Full' when you need resource values that aren't part of the properties schema. For example, to set key vault access policies, get the identity properties for a virtual machine.
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"name": "vaultName",
"properties": {
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')), '2019-03-01', 'Full').identity.tenantId]",
"objectId": "[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')), '2019-03-01', 'Full').identity.principalId]",
"permissions": {
"keys": [
"all"
],
"secrets": [
"all"
]
}
}
],
...resource myVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
name: 'vaultName'
properties: {
tenantId: subscription().tenantId
accessPolicies: [
{
'tenantId': reference(resourceId('Microsoft.Compute/virtualMachines', vmName), '2019-03-01', 'Full').identity.tenantId
'objectId': reference(resourceId('Microsoft.Compute/virtualMachines', vmName), '2019-03-01', 'Full').identity.principalId
'permissions': {
'keys': [
'all'
]
'secrets': [
'all'
]
}
}
]
}
}The reference function can only be used in the properties of a resource definition and the outputs section of a template or deployment. When used with property iteration, you can use the reference function for input because the expression is assigned to the resource property.
You can't use the reference function to set the value of the count property in a copy loop. You can use to set other properties in the loop. Reference is blocked for the count property because that property must be determined before the reference function is resolved.
To use the reference function or any list* function in the outputs section of a nested template, you must set the expressionEvaluationOptions to use inner scope evaluation or use a linked instead of a nested template.
If you use the reference function in a resource that is conditionally deployed, the function is evaluated even if the resource isn't deployed. You get an error if the reference function refers to a resource that doesn't exist. Use the if function to make sure the function is only evaluated when the resource is being deployed. See the if function for a sample template that uses if and reference with a conditionally deployed resource.
By using the reference function, you implicitly declare that one resource depends on another resource if the referenced resource is provisioned within same template and you refer to the resource by its name (not resource ID). You don't need to also use the dependsOn property. The function isn't evaluated until the referenced resource has completed deployment.
When referencing a resource that is deployed in the same template, provide the name of the resource.
"value": "[reference(parameters('storageAccountName'))]"value: reference(storageAccountName)When referencing a resource that isn't deployed in the same template, provide the resource ID and apiVersion.
"value": "[reference(resourceId(parameters('storageResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01')]"value: reference(resourceId(storageResourceGroup, 'Microsoft.Storage/storageAccounts', storageAccountName), '2018-07-01')]"To avoid ambiguity about which resource you're referencing, you can provide a fully qualified resource identifier.
"value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('ipAddressName')))]"value: reference(resourceId('Microsoft.Network/publicIPAddresses', ipAddressName))When constructing a fully qualified reference to a resource, the order to combine segments from the type and name isn't simply a concatenation of the two. Instead, after the namespace, use a sequence of type/name pairs from least specific to most specific:
{resource-provider-namespace}/{parent-resource-type}/{parent-resource-name}[/{child-resource-type}/{child-resource-name}]
For example:
Microsoft.Compute/virtualMachines/myVM/extensions/myExt is correct
Microsoft.Compute/virtualMachines/extensions/myVM/myExt is not correct
To simplify the creation of any resource ID, use the resourceId() functions described in this document instead of the concat() function.
Managed identities for Azure resources are extension resource types that are created implicitly for some resources. Because the managed identity isn't explicitly defined in the template, you must reference the resource that the identity is applied to. Use Full to get all of the properties, including the implicitly created identity.
The pattern is:
"[reference(resourceId(<resource-provider-namespace>, <resource-name>, <API-version>, 'Full').Identity.propertyName]"
For example, to get the principal ID for a managed identity that is applied to a virtual machine, use:
"[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')),'2019-12-01', 'Full').identity.principalId]",reference(resourceId('Microsoft.Compute/virtualMachines', vmName),'2019-12-01', 'Full').identity.principalIdOr, to get the tenant ID for a managed identity that is applied to a virtual machine scale set, use:
"[reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', variables('vmNodeType0Name')), 2019-12-01, 'Full').Identity.tenantId]"reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', vmNodeType0Name), 2019-12-01, 'Full').Identity.tenantIdThe following example template deploys a resource, and references that resource.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2016-12-01",
"name": "[parameters('storageAccountName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"tags": {},
"properties": {
}
}
],
"outputs": {
"referenceOutput": {
"type": "object",
"value": "[reference(parameters('storageAccountName'))]"
},
"fullReferenceOutput": {
"type": "object",
"value": "[reference(parameters('storageAccountName'), '2016-12-01', 'Full')]"
}
}
}param storageAccountName string
resource myStorage 'Microsoft.Storage/storageAccounts@2016-12-01' = {
name: storageAccountName
location: resourceGroup().location
sku: {
name: 'Standard_LRS'
}
kind: 'Storage'
tags: {}
properties: {}
}
output referenceOutput object = reference(storageAccountName)
output fullReferenceOutput object = reference(storageAccountName, '2016-12-01', 'Full')The preceding example returns the two objects. The properties object is in the following format:
{
"creationTime": "2017-10-09T18:55:40.5863736Z",
"primaryEndpoints": {
"blob": "https://examplestorage.blob.core.windows.net/",
"file": "https://examplestorage.file.core.windows.net/",
"queue": "https://examplestorage.queue.core.windows.net/",
"table": "https://examplestorage.table.core.windows.net/"
},
"primaryLocation": "southcentralus",
"provisioningState": "Succeeded",
"statusOfPrimary": "available",
"supportsHttpsTrafficOnly": false
}The full object is in the following format:
{
"apiVersion":"2016-12-01",
"location":"southcentralus",
"sku": {
"name":"Standard_LRS",
"tier":"Standard"
},
"tags":{},
"kind":"Storage",
"properties": {
"creationTime":"2017-10-09T18:55:40.5863736Z",
"primaryEndpoints": {
"blob":"https://examplestorage.blob.core.windows.net/",
"file":"https://examplestorage.file.core.windows.net/",
"queue":"https://examplestorage.queue.core.windows.net/",
"table":"https://examplestorage.table.core.windows.net/"
},
"primaryLocation":"southcentralus",
"provisioningState":"Succeeded",
"statusOfPrimary":"available",
"supportsHttpsTrafficOnly":false
},
"subscriptionId":"<subscription-id>",
"resourceGroupName":"functionexamplegroup",
"resourceId":"Microsoft.Storage/storageAccounts/examplestorage",
"referenceApiVersion":"2016-12-01",
"condition":true,
"isConditionTrue":true,
"isTemplateResource":false,
"isAction":false,
"provisioningOperation":"Read"
}The following example template references a storage account that isn't deployed in this template. The storage account already exists within the same subscription.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageResourceGroup": {
"type": "string"
},
"storageAccountName": {
"type": "string"
}
},
"resources": [],
"outputs": {
"ExistingStorage": {
"type": "object",
"value": "[reference(resourceId(parameters('storageResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01')]"
}
}
}param storageResourceGroup string
param storageAccountName string
output ExistingStorage object = reference(resourceId(storageAccountName), 'Microsoft.Storage/storageAccounts', storageAccountName), '2018-07-01')resourceGroup()
Returns an object that represents the current resource group.
The returned object is in the following format:
{
"id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
"name": "{resourceGroupName}",
"type":"Microsoft.Resources/resourceGroups",
"location": "{resourceGroupLocation}",
"managedBy": "{identifier-of-managing-resource}",
"tags": {
},
"properties": {
"provisioningState": "{status}"
}
}The managedBy property is returned only for resource groups that contain resources that are managed by another service. For Managed Applications, Databricks, and AKS, the value of the property is the resource ID of the managing resource.
The resourceGroup() function can't be used in a template that is deployed at the subscription level. It can only be used in templates that are deployed to a resource group. You can use the resourceGroup() function in a linked or nested template (with inner scope) that targets a resource group, even when the parent template is deployed to the subscription. In that scenario, the linked or nested template is deployed at the resource group level. For more information about targeting a resource group in a subscription level deployment, see Deploy Azure resources to more than one subscription or resource group.
A common use of the resourceGroup function is to create resources in the same location as the resource group. The following example uses the resource group location for a default parameter value.
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
}param location string = resourceGroup().locationYou can also use the resourceGroup function to apply tags from the resource group to a resource. For more information, see Apply tags from resource group.
When using nested templates to deploy to multiple resource groups, you can specify the scope for evaluating the resourceGroup function. For more information, see Deploy Azure resources to more than one subscription or resource group.
The following example template returns the properties of the resource group.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [],
"outputs": {
"resourceGroupOutput": {
"type" : "object",
"value": "[resourceGroup()]"
}
}
}output resourceGroupOutput object = resourceGroup()The preceding example returns an object in the following format:
{
"id": "/subscriptions/{subscription-id}/resourceGroups/examplegroup",
"name": "examplegroup",
"type":"Microsoft.Resources/resourceGroups",
"location": "southcentralus",
"properties": {
"provisioningState": "Succeeded"
}
}resourceId([subscriptionId], [resourceGroupName], resourceType, resourceName1, [resourceName2], ...)
Returns the unique identifier of a resource. You use this function when the resource name is ambiguous or not provisioned within the same template. The format of the returned identifier varies based on whether the deployment happens at the scope of a resource group, subscription, management group, or tenant.
| Parameter | Required | Type | Description |
|---|---|---|---|
| subscriptionId | No | string (In GUID format) | Default value is the current subscription. Specify this value when you need to retrieve a resource in another subscription. Only provide this value when deploying at the scope of a resource group or subscription. |
| resourceGroupName | No | string | Default value is current resource group. Specify this value when you need to retrieve a resource in another resource group. Only provide this value when deploying at the scope of a resource group. |
| resourceType | Yes | string | Type of resource including resource provider namespace. |
| resourceName1 | Yes | string | Name of resource. |
| resourceName2 | No | string | Next resource name segment, if needed. |
Continue adding resource names as parameters when the resource type includes more segments.
When the template is deployed at the scope of a resource group, the resource ID is returned in the following format:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}You can use the resourceId function for other deployment scopes, but the format of the ID changes.
If you use resourceId while deploying to a subscription, the resource ID is returned in the following format:
/subscriptions/{subscriptionId}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}If you use resourceId while deploying to a management group or tenant, the resource ID is returned in the following format:
/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}To avoid confusion, we recommend that you not use resourceId when working with resources deployed to the subscription, management group, or tenant. Instead, use the ID function that is designed for the scope.
For subscription-level resources, use the subscriptionResourceId function.
For management group-level resources, use the extensionResourceId function to reference a resource that is implemented as an extension of a management group. For example, custom policy definitions that are deployed to a management group are extensions of the management group. Use the tenantResourceId function to reference resources that are deployed to the tenant but available in your management group. For example, built-in policy definitions are implemented as tenant level resources.
For tenant-level resources, use the tenantResourceId function. Use tenantResourceId for built-in policy definitions because they are implemented at the tenant level.
The number of parameters you provide varies based on whether the resource is a parent or child resource, and whether the resource is in the same subscription or resource group.
To get the resource ID for a parent resource in the same subscription and resource group, provide the type and name of the resource.
"[resourceId('Microsoft.ServiceBus/namespaces', 'namespace1')]"resourceId('Microsoft.ServiceBus/namespaces', 'namespace1')To get the resource ID for a child resource, pay attention to the number of segments in the resource type. Provide a resource name for each segment of the resource type. The name of the segment corresponds to the resource that exists for that part of the hierarchy.
"[resourceId('Microsoft.ServiceBus/namespaces/queues/authorizationRules', 'namespace1', 'queue1', 'auth1')]"resourceId('Microsoft.ServiceBus/namespaces/queues/authorizationRules', 'namespace1', 'queue1', 'auth1')To get the resource ID for a resource in the same subscription but different resource group, provide the resource group name.
"[resourceId('otherResourceGroup', 'Microsoft.Storage/storageAccounts', 'examplestorage')]"resourceId('otherResourceGroup', 'Microsoft.Storage/storageAccounts', 'examplestorage')To get the resource ID for a resource in a different subscription and resource group, provide the subscription ID and resource group name.
"[resourceId('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'otherResourceGroup', 'Microsoft.Storage/storageAccounts','examplestorage')]"resourceId('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'otherResourceGroup', 'Microsoft.Storage/storageAccounts','examplestorage')Often, you need to use this function when using a storage account or virtual network in an alternate resource group. The following example shows how a resource from an external resource group can easily be used:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"virtualNetworkName": {
"type": "string"
},
"virtualNetworkResourceGroup": {
"type": "string"
},
"subnet1Name": {
"type": "string"
},
"nicName": {
"type": "string"
}
},
"variables": {
"subnet1Ref": "[resourceId(parameters('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]"
},
"resources": [
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2015-05-01-preview",
"name": "[parameters('nicName')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[variables('subnet1Ref')]"
}
}
}
]
}
}
]
}param location string
param virtualNetworkName string
param virtualNetworkResourceGroup string
param subnet1Name string
param nicName string
var subnet1Ref = resourceId('virtualNetworkResourceGroup', 'Microsoft.Network/virtualNetworks/subnets', 'virtualNetworkName', 'subnet1Name')
resource myInterface 'Microsoft.Network/networkInterfaces@2015-05-01-preview' = {
name: nicName
location: location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
subnet: {
id: subnet1Ref
}
}
}
]
}
}The following example template returns the resource ID for a storage account in the resource group:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [],
"outputs": {
"sameRGOutput": {
"type": "string",
"value": "[resourceId('Microsoft.Storage/storageAccounts','examplestorage')]"
},
"differentRGOutput": {
"type": "string",
"value": "[resourceId('otherResourceGroup', 'Microsoft.Storage/storageAccounts','examplestorage')]"
},
"differentSubOutput": {
"type": "string",
"value": "[resourceId('11111111-1111-1111-1111-111111111111', 'otherResourceGroup', 'Microsoft.Storage/storageAccounts','examplestorage')]"
},
"nestedResourceOutput": {
"type": "string",
"value": "[resourceId('Microsoft.SQL/servers/databases', 'serverName', 'databaseName')]"
}
}
}output sameRGOutput string = resourceId('Microsoft.Storage/storageAccounts','examplestorage')
output differentRGOutput string = resourceId('otherResourceGroup', 'Microsoft.Storage/storageAccounts','examplestorage')
output differentSubOutput string = resourceId('11111111-1111-1111-1111-111111111111', 'otherResourceGroup', 'Microsoft.Storage/storageAccounts','examplestorage')
output nestedResourceOutput string = resourceId('Microsoft.SQL/servers/databases', 'serverName', 'databaseName')The output from the preceding example with the default values is:
| Name | Type | Value |
|---|---|---|
| sameRGOutput | String | /subscriptions/{current-sub-id}/resourceGroups/examplegroup/providers/Microsoft.Storage/storageAccounts/examplestorage |
| differentRGOutput | String | /subscriptions/{current-sub-id}/resourceGroups/otherResourceGroup/providers/Microsoft.Storage/storageAccounts/examplestorage |
| differentSubOutput | String | /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/otherResourceGroup/providers/Microsoft.Storage/storageAccounts/examplestorage |
| nestedResourceOutput | String | /subscriptions/{current-sub-id}/resourceGroups/examplegroup/providers/Microsoft.SQL/servers/serverName/databases/databaseName |
subscription()
Returns details about the subscription for the current deployment.
The function returns the following format:
{
"id": "/subscriptions/{subscription-id}",
"subscriptionId": "{subscription-id}",
"tenantId": "{tenant-id}",
"displayName": "{name-of-subscription}"
}When using nested templates to deploy to multiple subscriptions, you can specify the scope for evaluating the subscription function. For more information, see Deploy Azure resources to more than one subscription or resource group.
The following example template shows the subscription function called in the outputs section.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [],
"outputs": {
"subscriptionOutput": {
"value": "[subscription()]",
"type" : "object"
}
}
}output subscriptionOutput object = subscription()subscriptionResourceId([subscriptionId], resourceType, resourceName1, [resourceName2], ...)
Returns the unique identifier for a resource deployed at the subscription level.
| Parameter | Required | Type | Description |
|---|---|---|---|
| subscriptionId | No | string (in GUID format) | Default value is the current subscription. Specify this value when you need to retrieve a resource in another subscription. |
| resourceType | Yes | string | Type of resource including resource provider namespace. |
| resourceName1 | Yes | string | Name of resource. |
| resourceName2 | No | string | Next resource name segment, if needed. |
Continue adding resource names as parameters when the resource type includes more segments.
The identifier is returned in the following format:
/subscriptions/{subscriptionId}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}You use this function to get the resource ID for resources that are deployed to the subscription rather than a resource group. The returned ID differs from the value returned by the resourceId function by not including a resource group value.
The following template assigns a built-in role. You can deploy it to either a resource group or subscription. It uses the subscriptionResourceId function to get the resource ID for built-in roles.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"metadata": {
"description": "The principal to assign the role to"
}
},
"builtInRoleType": {
"type": "string",
"allowedValues": [
"Owner",
"Contributor",
"Reader"
],
"metadata": {
"description": "Built-in role to assign"
}
},
"roleNameGuid": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "A new GUID used to identify the role assignment"
}
}
},
"variables": {
"Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
"Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[parameters('roleNameGuid')]",
"properties": {
"roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
"principalId": "[parameters('principalId')]"
}
}
]
}param principalId string {
metadata: {
'description': 'principalId'
}
}
param builtInRoleType string {
'allowed': [
'Owner'
'Contributor'
'Reader'
]
'metadata': {
'description': 'Built-in role to assign'
}
}
param roleNameGuid string {
default: newGuid()
metadata: {
'description': 'A new GUID used to identify the role assignment'
}
}
var roleDefinitionId = {
Owner: {
id: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
}
Contributor: {
id: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
}
Reader: {
id: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
}
}
resource myRoleAssignment 'Microsoft.Authorization/roleAssignments@2018-09-01-preview' = {
name: roleNameGuid
properties: {
roleDefinitionId: roleDefinitionId[builtInRoleType].id
principalId: principalId
}
}tenantResourceId(resourceType, resourceName1, [resourceName2], ...)
Returns the unique identifier for a resource deployed at the tenant level.
| Parameter | Required | Type | Description |
|---|---|---|---|
| resourceType | Yes | string | Type of resource including resource provider namespace. |
| resourceName1 | Yes | string | Name of resource. |
| resourceName2 | No | string | Next resource name segment, if needed. |
Continue adding resource names as parameters when the resource type includes more segments.
The identifier is returned in the following format:
/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}You use this function to get the resource ID for a resource that is deployed to the tenant. The returned ID differs from the values returned by other resource ID functions by not including resource group or subscription values.
Built-in policy definitions are tenant level resources. To deploy a policy assignment that references a built-in policy definition, use the tenantResourceId function.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyDefinitionID": {
"type": "string",
"defaultValue": "0a914e76-4921-4c19-b460-a2d36003525a",
"metadata": {
"description": "Specifies the ID of the policy definition or policy set definition being assigned."
}
},
"policyAssignmentName": {
"type": "string",
"defaultValue": "[guid(parameters('policyDefinitionID'), resourceGroup().name)]",
"metadata": {
"description": "Specifies the name of the policy assignment, can be used defined or an idempotent name as the defaultValue provides."
}
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"name": "[parameters('policyAssignmentName')]",
"apiVersion": "2019-09-01",
"properties": {
"scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)]",
"policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', parameters('policyDefinitionID'))]"
}
}
]
}param policyDefinitionID string{
default: '0a914e76-4921-4c19-b460-a2d36003525a'
metadata: {
'description': 'Specifies the ID of the policy definition or policy set definition being assigned.'
}
}
param policyAssignmentName string {
default: guid(policyDefinitionID, resourceGroup().name)
metadata: {
'description': 'Specifies the name of the policy assignment, can be used defined or an idempotent name as the defaultValue provides.'
}
}
resource myPolicyAssignment 'Microsoft.Authorization/policyAssignments@2019-09-01' = {
name: policyAssignmentName
properties: {
scope: subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)
policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', policyDefinitionID)
}
}- For a description of the sections in an ARM template, see Understand the structure and syntax of ARM templates.
- To merge multiple templates, see Using linked and nested templates when deploying Azure resources.
- To iterate a specified number of times when creating a type of resource, see Resource iteration in ARM templates.
- To see how to deploy the template you've created, see Deploy resources with ARM templates and Azure PowerShell.