Well-known issues with Microsoft.Security/pricing resources?

[jikuja]

Hello all,

The issue

I've tried to deploy following template:

targetScope = 'subscription'

resource CloudPosturePricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'CloudPosture'
  properties: {
    pricingTier: 'Free'
  }
}

resource VirtualMachinesPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'P2'
  }
}

resource AppServicesPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'AppServices'
  properties: {
    pricingTier: 'Free'
  }
}

resource SqlServersPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'SqlServers'
  properties: {
    pricingTier: 'Free'
  }
}

resource SqlServerVirtualMachinesPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'SqlServerVirtualMachines'
  properties: {
    pricingTier: 'Free'
  }
}

resource OpenSourceRelationalDatabasesPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'OpenSourceRelationalDatabases'
  properties: {
    pricingTier: 'Free'
  }
}

resource CosmosDbsPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'CosmosDbs'
  properties: {
    pricingTier: 'Free'
  }
}

resource StorageAccountsPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'PerTransaction'
  }
}

resource ContainersPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'Containers'
  properties: {
    pricingTier: 'Free'
  }
}

resource KeyVaultsPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'KeyVaults'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'PerTransaction'
  }
}

resource ArmPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'Arm'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'PerApiCall'
  }
}

resource ApiPricing 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'Api'
  properties: {
    pricingTier: 'Free'
  }
}

So the template is:

• simple
• small
• does not exceed any template size limitations

When I try to deploy that template 1-4 resources fail to deploy with following error messages:

{
  "code": "Conflict",
  "message": "Another update operation is in progress"
}

This happened for me at least on two tenants and three subscriptions.

Related work

Azure landing zone templating is using dependsOn two deploy Microsoft.Security/pricing resources in on by one.

        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "SqlServers",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/VirtualMachines')]"
            ],
            "properties": {
                "pricingTier": "[parameters('pricingTierSqlServers')]"
            }
        },
        {
            "type": "Microsoft.Security/pricings",
            "apiVersion": "2018-06-01",
            "name": "AppServices",
            "dependsOn": [
                "[concat('Microsoft.Security/pricings/SqlServers')]"
            ],
            "properties": {
                "pricingTier": "[parameters('pricingTierAppServices')]"
            }
        }

I have earlier deployed similar templates without any errors.

• Did I just fight with well-known undocumented limitations?
• Has anyone else got this issue?

Azure Support

• I created support ticket 2023-09-14
• Delays have been really long
• I still does not know if PG of resource provider or deployment endpoint is in the loop or not

Bicep

If this is a well-known issue this should be documented by PG and then maybe Bicep should have linting rule to check if template has well-known issues.

[dewolfs]

Hi @jikuja,

This is not a Bicep issue, this is just how the Azure Security Center API behaves. Some APIs have intelligence built-in to handle multiple requests at once, some don't.

The way to solve this is to add the batchSize decorator. Ex:

@batchSize(1)

This will make sure the request to the Security Center API is done sequentially and not in parallel.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/file#resource-and-module-decorators

Create a loop to iterate over the plans to simplify your code.

[jikuja]

This is not a Bicep issue, this is just how the Azure Security Center API behaves. Some APIs have intelligence built-in to handle multiple requests at once, some don't.

Any known documentation for this behaviour? I feel like IaC using deployment API endpoint is being neglected or left fully untested :(

Create a loop to iterate over the plans to simplify your code.

I'm not sure if loop would simplify the code. Because I'm setting different settings for plans and even some subplans:

• I then need to extract all settings into external variable or parameter
• write user-defined type for the array if intellisense is needed

Copying behaviour of the landing zone resources might be cleaner solution even it will create linter warnings.

[mmMantas]

I was facing the same issue, and find out the way that works as expected by creating a module for security/pricings.

targetScope = 'subscription'

param name string
@allowed([ 'Free', 'Standard' ])
param pricingTier string = 'Free'
param subnPlan string = ''

resource defenderPlan 'Microsoft.Security/pricings@2022-03-01' = {
  name: name
  properties: {
    pricingTier: pricingTier
    subPlan: pricingTier == 'Free' ? '' : subnPlan
  }
}

output planName string = defenderPlan.name

the main bicep looks like this:

targetScope = 'subscription'

var defenderPlan = {
  VirtualMachines: {
    pricingTier: 'Standard'
    subnPlan: 'P1'
  }
  StorageAccounts: {
    pricingTier: 'Standard'
    subnPlan: ''
  }
}


@batchSize(1)
module defenderPricings '../securityPricings.bicep' = [for item in items(defenderPlan):  {
  name: 'defenderPricing-${item.key}'
  params: {
    name: item.key
    pricingTier: item.value.pricingTier
    subnPlan: item.value.subnPlan
  }
}]

[rs-service]

Hello,
I had same problem as described. I can confirm, that adding decorator @batchsize(1) to a resource definition solved deployment "conflict error". I am using for expression in resource deployment to loop through each item.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/file#resource-and-module-decorators

[jikuja]

This has really good readability but

• I still hope that PG would do their work and document limitations.
• is extra layer of modules really required? AFAIK creating directly Microsoft.Security/pricings in a loop with @batchSize(1) should have identical results

[jikuja]

@alex-frankel Do you happen to have a good instructions who to get through first support tiers when opening issues about missing PUT endpoints, idempotency issues or other obvious undocumented deployment issues?

Those can be solved only by the PG and honestly I don't want to use 4-x weeks with level 1 support and their workarounds.

Should I try shibboleet?

[scdomian]

Defender for cloud bicep worked fine for years,
but today I hit this issue multiple times across different subscriptions and projects
I'll try out batching with size 1 to address the problem

this workaround can't be perceived as designed behavior
Pipeline writer has no chance to predict this behavior until facing the issue and wasting the time investigating