ARM deployment failed for event grid subscription on endpoint webhook url

Question

Using terraform and Azure ARm template , I am trying to create an azure event grid subscription on a function.

This the ARM using for the event grid subscription:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "eventGridTopicName": {
            "type": "string",
            "metadata": {
                "description": "The name of the Event Grid custom topic."
            }
        },
        "eventGridSubscriptionName": {
            "type": "string",
            "metadata": {
                "description": "The name of the Event Grid custom topic's subscription."
            }
        },
        "eventGridSubscriptionUrl": {
            "type": "string",
            "metadata": {
                "description": "The webhook URL to send the subscription events to. This URL must be valid and must be prepared to accept the Event Grid webhook URL challenge request. (RequestBin URLs are exempt from this requirement.)"
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "The location in which the Event Grid resources should be deployed."
            }
        }
    },
    "resources": [{
            "name": "[parameters('eventGridTopicName')]",
            "type": "Microsoft.EventGrid/topics",
            "location": "[parameters('location')]",
            "apiVersion": "2018-01-01"
        },
        {
            "name": "[concat(parameters('eventGridTopicName'), '/Microsoft.EventGrid/', parameters('eventGridSubscriptionName'))]",
            "type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
            "location": "[parameters('location')]",
            "apiVersion": "2018-01-01",
            "properties": {
                "destination": {
                    "endpointType": "WebHook",
                    "properties": {
                        "endpointUrl": "[parameters('eventGridSubscriptionUrl')]"
                    }
                },
                "filter": {
                    "includedEventTypes": [
                        "All"
                    ]
                }
            },
            "dependsOn": [
                "[parameters('eventGridTopicName')]"
            ]
        }
    ]
}

Following the documentation here in order to create the subscription, we have to recover a system key in order to create the complete webhook endpoint. So following this post here , I have used an ARM template to recover the system key called evengrid_extension .

So everything goes well except during the arm deployment of the eventgrid subscription. I have this error:

Error waiting for deployment: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details." Details=[{"code":"Conflict","message":"{\\r\\n
\\"status\\": \\"Failed\\",\\r\\n
\\"error\\": {\\r\\n \\"code\\": \\"ResourceDeploymentFailure\\",\\r\\n
\\"message\\": \\"The resource operation completed with terminal provisioning state 'Failed'.\\",\\r\\n
\\"details\\": [\\r\\n {\\r\\n
\\"code\\": \\"Url validation\\",\\r\\n
\\"message\\": \\"The attempt to validate the provided endpoint https://myFunctionName.azurewebsites.net/runtime/webhooks/eventgrid failed. \\For more details, visit https: //aka.ms/esvalidation.\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n}"}]

I check my code n terraform in order to be sure that I am using the right value for all parameters in this arm template and everything is ok. I have the right topic name, the right endpoint with all value filled in. So I don't understand what I am missing here. I was wondering too if I am using the right system key. I know that there are a system key named durabletask_extension , and another one named eventgrid_extension . But in fact I have tried with both and the same error occured.

---

Update

Just notice that the keys ie durabletask_extension and eventgrid_extension are both system keys. So in my arm template to recover these works well and I recover the right system key by using only eventgrid_extension .

---

Here my code for terraform:

resource "azurerm_eventgrid_topic" "eventgrid_topic" {
  name                = "topicName"
  location            = var.main_location
  resource_group_name = azurerm_resource_group.name
}

resource "azurerm_template_deployment" "eventgrid_subscription" {
  name                = "EventGridSbscription"
  resource_group_name = azurerm_resource_group.environment.name

  template_body = file("./arm/event-grid-subscription.json")

  parameters = {
    eventGridTopicName = "${azurerm_eventgrid_topic.eventgrid_topic.name}"
    eventGridSubscriptionName = "eventgrid-myFunctionName"
    eventGridSubscriptionUrl = "https://${azurerm_function_app.function.name}.azurewebsites.net/runtime/webhooks/eventgrid?functionName=${azurerm_function_app.function.name}&code=${lookup(azurerm_template_deployment.function_key.outputs, "systemKey")}"
    location = var.main_location
  }

  deployment_mode = "Incremental"

  depends_on = [
    azurerm_template_deployment.function_key
  ]
}

So I do not understand why my susbription deployment failed, or what I am missing in order to automate this settings with terraform.

Following the doc here I understand too that:

If you don't have access to the application code (for example, if you're using a third-party service that supports webhooks), you can use the manual handshake mechanism. Make sure you're using the 2018-05-01-preview API version or later (install Event Grid Azure CLI extension) to receive the validationUrl in the validation event. To complete the manual validation handshake, get the value of the validationUrl property and visit that URL in your web browser. If validation is successful, you should see a message in your web browser that validation is successful. You'll see that event subscription's provisioningState is "Succeeded".

So, there is a way to make a validation using terraform or another way to automate this validation ?

Answer 1

The template is right, you just misunderstand something in the eventGridSubscriptionUrl . Take a look at the URL . The URL shows like this:

Version 2.x runtime

https://{functionappname}.azurewebsites.net/runtime/webhooks/eventgrid?functionName={functionname}&code={systemkey}

Version 1.x runtime

https://{functionappname}.azurewebsites.net/admin/extensions/EventGridExtensionConfig?functionName={functionname}&code={systemkey}

The functionappname is what you set as the value azurerm_function_app.function.name , but functionname is not.

You get the existing function name through the Azure REST API Web Apps - Get Function .

And in Terraform, it seems there is no function resource in the function app for you to create. But you can also use the template to create the function and output the function name. Then you can set it in the URL. You can get more details about function in the Azure Template here and the function name shows in the property.