{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.44.1.10279",
      "templateHash": "5669680427878720278"
    }
  },
  "parameters": {
    "arpioAccountId": {
      "type": "string",
      "metadata": {
        "description": "The Arpio account ID for which this deployment is being created"
      }
    },
    "arpioAppPrincipalId": {
      "type": "string",
      "metadata": {
        "description": "The object ID of the Arpio app service principal that receives the role assignments (not the application client ID)"
      }
    },
    "arpioAppClientId": {
      "type": "string",
      "metadata": {
        "description": "The client ID of the Entra application allowed to call the Azure Function"
      }
    },
    "delegateImage": {
      "type": "string",
      "defaultValue": "arpio.azurecr.io/arpio-azure-delegate:latest",
      "metadata": {
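        "description": "Container image reference for the Arpio delegate. The default uses the mutable 'latest' tag; supply a fixed tag or digest to pin the deployed version"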
      }
    },
    "delegateJobsImage": {
      "type": "string",
      "defaultValue": "arpio.azurecr.io/arpio-azure-delegate-jobs:latest",
      "metadata": {
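        "description": "Container image reference for the Arpio delegate jobs. The default uses the mutable 'latest' tag; supply a fixed tag or digest to pin the deployed version"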
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Location for all resources"
      }
    },
    "primaryEndpoints": {
      "type": "array",
      "metadata": {
        "description": "List of primary endpoints, where each is an object with subscriptionId and location properties"
      }
    },
    "arpioTags": {
      "type": "object",
      "defaultValue": {
        "arpio:account-id": "[parameters('arpioAccountId')]",
        "arpio:access-resource": "[format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]"
      },
      "metadata": {
        "description": "Tags to add to all resources"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "name": "[format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]",
      "tags": "[parameters('arpioTags')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "name": "[format('ArpioRecoveryData-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]",
      "tags": "[parameters('arpioTags')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioRecoveryAccess', parameters('arpioAccountId'), subscription().id, parameters('location'))]",
      "properties": {
        "roleName": "[format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), uniqueString(subscription().id, parameters('location')))]",
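        "description": "Read access to all Azure resources via Resource Manager, plus App Service configuration listing, PostgreSQL location operations, and Key Vault and Container Registry metadata reads. Key Vault secret values, blob content and registry image content are excluded via notDataActions",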
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "*/read",
              "Microsoft.Web/sites/config/list/action",
              "Microsoft.DBforPostgreSQL/locations/*"
            ],
            "notActions": [],
            "dataActions": [
              "Microsoft.KeyVault/vaults/*/read",
              "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
              "Microsoft.ContainerRegistry/registries/catalog/read",
              "Microsoft.ContainerRegistry/registries/repositories/metadata/read"
            ],
            "notDataActions": [
              "Microsoft.KeyVault/vaults/secrets/getSecret/action",
              "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
              "Microsoft.ContainerRegistry/registries/repositories/content/read"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioRecoveryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location'))]",
      "properties": {
        "roleName": "[format('ArpioRecoveryDelegateAccess-{0}-{1}', parameters('arpioAccountId'), uniqueString(subscription().id, parameters('location')))]",
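        "description": "Access granted to the Arpio recovery environment delegate: read all resources and create, update and delete compute, network, storage, database, Key Vault, container and web resources; also writes role assignments and role definitions, lists storage account keys, and reads and writes Key Vault secrets, blobs and registry images",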
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "*/read",
              "*/register/action",
              "*/PrivateEndpointConnectionsApproval/action",
              "Microsoft.Authorization/roleAssignments/delete",
              "Microsoft.Authorization/roleAssignments/write",
              "Microsoft.Authorization/roleDefinitions/delete",
              "Microsoft.Authorization/roleDefinitions/write",
              "Microsoft.Compute/availabilitySets/delete",
              "Microsoft.Compute/availabilitySets/write",
              "Microsoft.Compute/disks/beginGetAccess/action",
              "Microsoft.Compute/disks/delete",
              "Microsoft.Compute/disks/write",
              "Microsoft.Compute/images/delete",
              "Microsoft.Compute/images/write",
              "Microsoft.Compute/snapshots/delete",
              "Microsoft.Compute/snapshots/write",
              "Microsoft.Compute/virtualMachineScaleSets/delete",
              "Microsoft.Compute/virtualMachineScaleSets/write",
              "Microsoft.Compute/virtualMachines/delete",
              "Microsoft.Compute/virtualMachines/extensions/delete",
              "Microsoft.Compute/virtualMachines/extensions/write",
              "Microsoft.Compute/virtualMachines/write",
              "Microsoft.ContainerInstance/containerGroups/delete",
              "Microsoft.ContainerInstance/containerGroups/write",
              "Microsoft.ContainerRegistry/registries/artifacts/delete",
              "Microsoft.ContainerRegistry/registries/delete",
              "Microsoft.ContainerRegistry/registries/push/write",
              "Microsoft.ContainerRegistry/registries/write",
              "Microsoft.ContainerService/managedClusters/delete",
              "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
              "Microsoft.ContainerService/managedClusters/write",
              "Microsoft.Insights/diagnosticSettings/write",
              "Microsoft.KeyVault/vaults/delete",
              "Microsoft.KeyVault/vaults/deploy/action",
              "Microsoft.KeyVault/vaults/write",
              "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
              "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
              "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
              "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
              "Microsoft.ManagedIdentity/userAssignedIdentities/write",
              "Microsoft.NetApp/netAppAccounts/capacityPools/delete",
              "Microsoft.NetApp/netAppAccounts/capacityPools/write",
              "Microsoft.NetApp/netAppAccounts/delete",
              "Microsoft.NetApp/netAppAccounts/write",
              "Microsoft.Network/applicationGateways/*/delete",
              "Microsoft.Network/applicationGateways/*/join/action",
              "Microsoft.Network/applicationGateways/*/write",
              "Microsoft.Network/applicationGateways/delete",
              "Microsoft.Network/applicationGateways/write",
              "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/delete",
              "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/join/action",
              "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/write",
              "Microsoft.Network/applicationSecurityGroups/write",
              "Microsoft.Network/applicationSecurityGroups/delete",
              "Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action",
              "Microsoft.Network/azureFirewalls/delete",
              "Microsoft.Network/azureFirewalls/write",
              "Microsoft.Network/firewallPolicies/*",
              "Microsoft.Network/loadBalancers/*/delete",
              "Microsoft.Network/loadBalancers/*/join/action",
              "Microsoft.Network/loadBalancers/*/write",
              "Microsoft.Network/loadBalancers/delete",
              "Microsoft.Network/loadBalancers/write",
              "Microsoft.Network/natGateways/delete",
              "Microsoft.Network/natGateways/join/action",
              "Microsoft.Network/natGateways/write",
              "Microsoft.Network/networkInterfaces/delete",
              "Microsoft.Network/networkInterfaces/join/action",
              "Microsoft.Network/networkInterfaces/write",
              "Microsoft.Network/networkSecurityGroups/delete",
              "Microsoft.Network/networkSecurityGroups/join/action",
              "Microsoft.Network/networkSecurityGroups/write",
              "Microsoft.Network/privateDnsZones/delete",
              "Microsoft.Network/privateDnsZones/write",
              "Microsoft.Network/privateDnsZones/*/delete",
              "Microsoft.Network/privateDnsZones/*/write",
              "Microsoft.Network/privateEndpoints/*/write",
              "Microsoft.Network/privateEndpoints/*/delete",
              "Microsoft.Network/privateDnsZones/join/action",
              "Microsoft.Network/publicIPAddresses/delete",
              "Microsoft.Network/publicIPAddresses/join/action",
              "Microsoft.Network/publicIPAddresses/write",
              "Microsoft.Network/routeTables/delete",
              "Microsoft.Network/routeTables/join/action",
              "Microsoft.Network/routeTables/write",
              "Microsoft.Network/virtualNetworks/delete",
              "Microsoft.Network/virtualNetworks/join/action",
              "Microsoft.Network/virtualNetworks/joinLoadBalancer/action",
              "Microsoft.Network/virtualNetworks/peer/action",
              "Microsoft.Network/virtualNetworks/subnets/*/join/action",
              "Microsoft.Network/virtualNetworks/subnets/delete",
              "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/Action",
              "Microsoft.Network/virtualNetworks/subnets/write",
              "Microsoft.Network/virtualNetworks/write",
              "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
              "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
              "Microsoft.OperationalInsights/workspaces/delete",
              "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
              "Microsoft.OperationalInsights/workspaces/write",
              "Microsoft.OperationsManagement/solutions/delete",
              "Microsoft.OperationsManagement/solutions/write",
              "Microsoft.Resources/deployments/delete",
              "Microsoft.Resources/deployments/write",
              "Microsoft.Resources/subscriptions/resourceGroups/delete",
              "Microsoft.Resources/subscriptions/resourceGroups/write",
              "Microsoft.Sql/servers/administrators/delete",
              "Microsoft.Sql/servers/administrators/write",
              "Microsoft.Sql/servers/connectionPolicies/write",
              "Microsoft.Sql/servers/databases/delete",
              "Microsoft.Sql/servers/databases/write",
              "Microsoft.Sql/servers/delete",
              "Microsoft.Sql/servers/dnsAliases/read",
              "Microsoft.Sql/servers/dnsAliases/write",
              "Microsoft.Sql/servers/dnsAliases/delete",
              "Microsoft.Sql/servers/firewallRules/delete",
              "Microsoft.Sql/servers/firewallRules/write",
              "Microsoft.Sql/servers/outboundFirewallRules/write",
              "Microsoft.Sql/servers/outboundFirewallRules/delete",
              "Microsoft.Sql/servers/virtualNetworkRules/write",
              "Microsoft.Sql/servers/virtualNetworkRules/read",
              "Microsoft.Sql/servers/virtualNetworkRules/delete",
              "Microsoft.Sql/servers/read",
              "Microsoft.Sql/servers/write",
              "Microsoft.DBforPostgreSQL/flexibleServers/write",
              "Microsoft.DBforPostgreSQL/flexibleServers/delete",
              "Microsoft.DBforPostgreSQL/flexibleServers/administrators/write",
              "Microsoft.DBforPostgreSQL/flexibleServers/administrators/delete",
              "Microsoft.DBforPostgreSQL/flexibleServers/configurations/write",
              "Microsoft.DBforPostgreSQL/flexibleServers/databases/write",
              "Microsoft.DBforPostgreSQL/flexibleServers/databases/delete",
              "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write",
              "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/delete",
              "Microsoft.SqlVirtualMachine/sqlVirtualMachines/delete",
              "Microsoft.SqlVirtualMachine/sqlVirtualMachines/write",
              "Microsoft.Storage/storageAccounts/blobServices/containers/*",
              "Microsoft.Storage/storageAccounts/blobServices/write",
              "Microsoft.Storage/storageAccounts/delete",
              "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
              "Microsoft.Storage/storageAccounts/listKeys/action",
              "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
              "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
              "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
              "Microsoft.Storage/storageAccounts/queueServices/queues/write",
              "Microsoft.Storage/storageAccounts/queueServices/write",
              "Microsoft.Storage/storageAccounts/write",
              "Microsoft.Network/bastionHosts/read",
              "Microsoft.Network/bastionHosts/write",
              "Microsoft.Network/bastionHosts/delete",
              "Microsoft.App/containerApps/delete",
              "Microsoft.App/containerApps/write",
              "Microsoft.App/containerApps/authConfigs/write",
              "Microsoft.App/containerApps/authConfigs/delete",
              "Microsoft.App/jobs/delete",
              "Microsoft.App/jobs/write",
              "Microsoft.App/managedEnvironments/delete",
              "Microsoft.App/managedEnvironments/join/action",
              "Microsoft.App/managedEnvironments/write",
              "Microsoft.App/managedEnvironments/certificates/delete",
              "Microsoft.App/managedEnvironments/certificates/write",
              "Microsoft.App/managedEnvironments/managedCertificates/delete",
              "Microsoft.App/managedEnvironments/managedCertificates/write",
              "Microsoft.Web/hostingEnvironments/write",
              "Microsoft.Web/hostingEnvironments/delete",
              "Microsoft.Web/hostingEnvironments/join/action",
              "Microsoft.Web/serverfarms/write",
              "Microsoft.Web/serverfarms/delete",
              "Microsoft.Web/sites/config/write",
              "Microsoft.Web/sites/extensions/write",
              "Microsoft.Web/sites/delete",
              "Microsoft.Web/sites/hostNameBindings/delete",
              "Microsoft.Web/sites/hostNameBindings/write",
              "Microsoft.Web/sites/publish/action",
              "Microsoft.Web/sites/write",
              "Microsoft.Web/certificates/delete",
              "Microsoft.Web/certificates/write"
            ],
            "notActions": [],
            "dataActions": [
              "Microsoft.ContainerRegistry/registries/repositories/content/delete",
              "Microsoft.ContainerRegistry/registries/repositories/content/read",
              "Microsoft.ContainerRegistry/registries/repositories/content/write",
              "Microsoft.ContainerRegistry/registries/repositories/metadata/delete",
              "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
              "Microsoft.ContainerRegistry/registries/repositories/metadata/write",
              "Microsoft.ContainerService/managedClusters/*",
              "Microsoft.KeyVault/vaults/*/read",
              "Microsoft.KeyVault/vaults/certificates/delete",
              "Microsoft.KeyVault/vaults/certificates/import/action",
              "Microsoft.KeyVault/vaults/keys/create/action",
              "Microsoft.KeyVault/vaults/keys/delete",
              "Microsoft.KeyVault/vaults/keys/update/action",
              "Microsoft.KeyVault/vaults/secrets/delete",
              "Microsoft.KeyVault/vaults/secrets/getSecret/action",
              "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
              "Microsoft.KeyVault/vaults/secrets/setSecret/action",
              "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
              "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
              "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
              "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(parameters('arpioAppPrincipalId'), guid('ArpioRecoveryAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioRecoveryAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
        "principalId": "[parameters('arpioAppPrincipalId')]",
        "principalType": "ServicePrincipal"
      },
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioRecoveryAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]"
      ]
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioDelegateIdentity', guid('ArpioRecoveryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioRecoveryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
        "principalId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))), 'Microsoft.Resources/deployments', format('arpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))), '2025-04-01').outputs.delegatePrincipalId.value]",
        "principalType": "ServicePrincipal",
        "conditionVersion": "2.0",
        "condition": "[format('((!(ActionMatches{{''Microsoft.Authorization/roleAssignments/write''}}) OR (@Request[Microsoft.Authorization/roleAssignments:PrincipalId] GuidNotEquals {0})))', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))), 'Microsoft.Resources/deployments', format('arpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))), '2025-04-01').outputs.delegatePrincipalId.value)]"
      },
      "dependsOn": [
        "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))), 'Microsoft.Resources/deployments', format('arpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location')))]",
        "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioRecoveryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]"
      ]
    },
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioFirewallLogReader', parameters('arpioAccountId'), subscription().id, parameters('location'))]",
      "properties": {
        "roleName": "[format('ArpioFirewallLogReader-{0}-{1}', parameters('arpioAccountId'), uniqueString(subscription().id, parameters('location')))]",
        "description": "Read-only access to Azure Firewall logs in Log Analytics",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "Microsoft.OperationalInsights/workspaces/read",
              "Microsoft.OperationalInsights/workspaces/query/AZFWApplicationRule/read",
              "Microsoft.OperationalInsights/workspaces/query/AZFWNetworkRule/read"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(parameters('arpioAppPrincipalId'), guid('ArpioFirewallLogReader', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioFirewallLogReader', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
        "principalId": "[parameters('arpioAppPrincipalId')]",
        "principalType": "ServicePrincipal"
      },
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioFirewallLogReader', parameters('arpioAccountId'), subscription().id, parameters('location')))]"
      ]
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2025-04-01",
      "name": "[format('arpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]",
      "resourceGroup": "[format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "mode": "Incremental",
        "parameters": {
          "arpioAccountId": {
            "value": "[parameters('arpioAccountId')]"
          },
          "arpioAppClientId": {
            "value": "[parameters('arpioAppClientId')]"
          },
          "primaryEndpoints": {
            "value": "[parameters('primaryEndpoints')]"
          },
          "delegateImage": {
            "value": "[parameters('delegateImage')]"
          },
          "delegateJobsImage": {
            "value": "[parameters('delegateJobsImage')]"
          },
          "arpioTags": {
            "value": "[parameters('arpioTags')]"
          },
          "dataResourceGroup": {
            "value": "[format('ArpioRecoveryData-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "metadata": {
            "_generator": {
              "name": "bicep",
              "version": "0.44.1.10279",
              "templateHash": "2242458310002090782"
            }
          },
          "parameters": {
            "arpioAccountId": {
              "type": "string",
              "metadata": {
                "description": "The Arpio account ID for which this deployment is being created"
              }
            },
            "arpioAppClientId": {
              "type": "string",
              "metadata": {
                "description": "The client ID of the Entra application allowed to call the Azure Function"
              }
            },
            "delegateImage": {
              "type": "string",
              "defaultValue": "arpio.azurecr.io/arpio-azure-delegate:latest",
              "metadata": {
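                "description": "Container image reference for the Arpio delegate. The default uses the mutable 'latest' tag; supply a fixed tag or digest to pin the deployed version"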
              }
            },
            "delegateJobsImage": {
              "type": "string",
              "defaultValue": "arpio.azurecr.io/arpio-azure-delegate-jobs:latest",
              "metadata": {
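                "description": "Container image reference for the Arpio delegate jobs. The default uses the mutable 'latest' tag; supply a fixed tag or digest to pin the deployed version"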
              }
            },
            "location": {
              "type": "string",
              "defaultValue": "[resourceGroup().location]",
              "metadata": {
                "description": "Location for all resources"
              }
            },
            "arpioTags": {
              "type": "object",
              "metadata": {
                "description": "Tags to add to all resources"
              }
            },
            "dataResourceGroup": {
              "type": "string",
              "metadata": {
                "description": "Name of the data resource group"
              }
            },
            "primaryEndpoints": {
              "type": "array",
              "metadata": {
                "description": "List of primary endpoints, where each is an object with subscriptionId and location properties"
              }
            }
          },
          "resources": [
            {
              "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
              "apiVersion": "2023-01-31",
              "name": "ArpioRecoveryDelegate",
              "location": "[parameters('location')]",
              "tags": "[parameters('arpioTags')]"
            },
            {
              "type": "Microsoft.OperationalInsights/workspaces",
              "apiVersion": "2022-10-01",
              "name": "ArpioRecoveryLogs",
              "location": "[parameters('location')]",
              "properties": {
                "sku": {
                  "name": "PerGB2018"
                },
                "retentionInDays": 30
              }
            },
            {
              "type": "Microsoft.Insights/components",
              "apiVersion": "2020-02-02",
              "name": "ArpioRecoveryInsights",
              "location": "[parameters('location')]",
              "kind": "web",
              "tags": "[parameters('arpioTags')]",
              "properties": {
                "Application_Type": "web",
                "WorkspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioRecoveryLogs')]"
              },
              "dependsOn": [
                "[resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioRecoveryLogs')]"
              ]
            },
            {
              "type": "Microsoft.KeyVault/vaults",
              "apiVersion": "2024-11-01",
              "name": "[format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId')))]",
              "location": "[parameters('location')]",
              "properties": {
                "enableRbacAuthorization": true,
                "enablePurgeProtection": true,
                "enableSoftDelete": true,
                "softDeleteRetentionInDays": 90,
                "tenantId": "[subscription().tenantId]",
                "sku": {
                  "family": "A",
                  "name": "standard"
                }
              }
            },
            {
              "type": "Microsoft.KeyVault/vaults/keys",
              "apiVersion": "2024-11-01",
              "name": "[format('{0}/{1}', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))), 'EncryptionKey')]",
              "properties": {
                "kty": "RSA",
                "keyOps": [
                  "encrypt",
                  "decrypt",
                  "wrapKey",
                  "unwrapKey"
                ],
                "keySize": 2048
              },
              "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "scope": "[resourceId('Microsoft.KeyVault/vaults', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))))]",
              "name": "[guid(resourceId('Microsoft.KeyVault/vaults', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId')))), resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '12338af0-0e69-4776-bea7-57ae8d297424')]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]",
                "[resourceId('Microsoft.KeyVault/vaults', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts",
              "apiVersion": "2023-01-01",
              "name": "[format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))]",
              "tags": "[parameters('arpioTags')]",
              "location": "[parameters('location')]",
              "sku": {
                "name": "Standard_LRS"
              },
              "kind": "StorageV2",
              "properties": {
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": false,
                "allowSharedKeyAccess": false,
                "supportsHttpsTrafficOnly": true,
                "encryption": {
                  "services": {
                    "blob": {
                      "enabled": true
                    }
                  },
                  "keySource": "Microsoft.Storage"
                }
              }
            },
            {
              "type": "Microsoft.Storage/storageAccounts/queueServices",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))), 'default')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts/queueServices/queues",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}/{2}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))), 'default', 'tasks')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts/queueServices', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))), 'default')]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts/queueServices/queues",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}/{2}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))), 'default', 'jobs')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts/queueServices', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))), 'default')]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts/tableServices",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))), 'default')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts/tableServices/tables",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}/{2}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))), 'default', 'tasks')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts/tableServices', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))), 'default')]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "scope": "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]",
              "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "scope": "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]",
              "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "scope": "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]",
              "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.App/managedEnvironments",
              "apiVersion": "2024-10-02-preview",
              "name": "arpio-recovery-env",
              "tags": "[parameters('arpioTags')]",
              "location": "[parameters('location')]",
              "properties": {
                "publicNetworkAccess": "Enabled",
                "workloadProfiles": [
                  {
                    "name": "Consumption",
                    "workloadProfileType": "Consumption"
                  }
                ],
                "appLogsConfiguration": {
                  "destination": "log-analytics",
                  "logAnalyticsConfiguration": {
                    "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioRecoveryLogs'), '2022-10-01').customerId]",
                    "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioRecoveryLogs'), '2022-10-01').primarySharedKey]"
                  }
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioRecoveryLogs')]"
              ]
            },
            {
              "type": "Microsoft.App/containerApps",
              "apiVersion": "2025-07-01",
              "name": "arpio-recovery-delegate",
              "tags": "[parameters('arpioTags')]",
              "location": "[parameters('location')]",
              "kind": "functionapp",
              "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                  "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'))]": {}
                }
              },
              "properties": {
                "managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', 'arpio-recovery-env')]",
                "configuration": {
                  "ingress": {
                    "external": true,
                    "targetPort": 80,
                    "allowInsecure": false,
                    "traffic": [
                      {
                        "latestRevision": true,
                        "weight": 100
                      }
                    ]
                  }
                },
                "template": {
                  "containers": [
                    {
                      "name": "arpio-delegate",
                      "image": "[parameters('delegateImage')]",
                      "env": [
                        {
                          "name": "AzureWebJobsStorage__accountName",
                          "value": "[format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))]"
                        },
                        {
                          "name": "AzureWebJobsStorage__credential",
                          "value": "managedidentity"
                        },
                        {
                          "name": "AzureWebJobsStorage__clientId",
                          "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').clientId]"
                        },
                        {
                          "name": "DELEGATE_TYPE",
                          "value": "recovery"
                        },
                        {
                          "name": "DELEGATE_IMAGE",
                          "value": "[parameters('delegateImage')]"
                        },
                        {
                          "name": "AZURE_CLIENT_ID",
                          "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').clientId]"
                        },
                        {
                          "name": "PRINCIPAL_ID",
                          "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').principalId]"
                        },
                        {
                          "name": "IDENTITY_ID",
                          "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]"
                        },
                        {
                          "name": "TENANT_ID",
                          "value": "[tenant().tenantId]"
                        },
                        {
                          "name": "ARPIO_APP_CLIENT_ID",
                          "value": "[parameters('arpioAppClientId')]"
                        },
                        {
                          "name": "FUNCTIONS_WORKER_RUNTIME",
                          "value": "python"
                        },
                        {
                          "name": "PYTHON_THREADPOOL_THREAD_COUNT",
                          "value": "32"
                        },
                        {
                          "name": "ARPIO_ACCOUNT_ID",
                          "value": "[parameters('arpioAccountId')]"
                        },
                        {
                          "name": "SUBSCRIPTION_ID",
                          "value": "[subscription().subscriptionId]"
                        },
                        {
                          "name": "AUTHORIZED_ENDPOINTS",
                          "value": "[string(parameters('primaryEndpoints'))]"
                        },
                        {
                          "name": "REGION",
                          "value": "[parameters('location')]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_BLOB_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.blob]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_TABLE_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.table]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_QUEUE_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.queue]"
                        },
                        {
                          "name": "ACCESS_RESOURCE_GROUP",
                          "value": "[resourceGroup().name]"
                        },
                        {
                          "name": "DATA_RESOURCE_GROUP",
                          "value": "[parameters('dataResourceGroup')]"
                        },
                        {
                          "name": "DATA_STORAGE_ACCOUNT_NAME",
                          "value": "[format('arpiodata{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId')))]"
                        },
                        {
                          "name": "ENCRYPTION_KEY_ID",
                          "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))), 'EncryptionKey'), '2024-11-01').keyUriWithVersion]"
                        },
                        {
                          "name": "KEY_VAULT_ID",
                          "value": "[resourceId('Microsoft.KeyVault/vaults', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))))]"
                        },
                        {
                          "name": "PRIMARY_KEY_WRAP_ROLE_ID",
                          "value": "[resourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryToRecoveryKeyWrap', parameters('arpioAccountId'), resourceGroup().id, parameters('location')))]"
                        },
                        {
                          "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
                          "value": "[reference(resourceId('Microsoft.Insights/components', 'ArpioRecoveryInsights'), '2020-02-02').ConnectionString]"
                        }
                      ],
                      "resources": {
                        "cpu": "[json('1.0')]",
                        "memory": "2Gi"
                      }
                    }
                  ],
                  "scale": {
                    "minReplicas": 0,
                    "maxReplicas": 100
                  }
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.Insights/components', 'ArpioRecoveryInsights')]",
                "[resourceId('Microsoft.App/managedEnvironments', 'arpio-recovery-env')]",
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]",
                "[resourceId('Microsoft.KeyVault/vaults/keys', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))), 'EncryptionKey')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]",
                "[resourceId('Microsoft.KeyVault/vaults', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))))]",
                "[resourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryToRecoveryKeyWrap', parameters('arpioAccountId'), resourceGroup().id, parameters('location')))]"
              ]
            },
            {
              "type": "Microsoft.App/containerApps/authConfigs",
              "apiVersion": "2025-02-02-preview",
              "name": "[format('{0}/{1}', 'arpio-recovery-delegate', 'current')]",
              "properties": {
                "platform": {
                  "enabled": true
                },
                "identityProviders": {
                  "azureActiveDirectory": {
                    "enabled": true,
                    "registration": {
                      "clientId": "[parameters('arpioAppClientId')]",
                      "openIdIssuer": "[format('https://login.microsoftonline.com/{0}/v2.0', tenant().tenantId)]"
                    },
                    "validation": {
                      "allowedAudiences": [
                        "[parameters('arpioAppClientId')]"
                      ]
                    }
                  }
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.App/containerApps', 'arpio-recovery-delegate')]"
              ]
            },
            {
              "type": "Microsoft.App/jobs",
              "apiVersion": "2024-10-02-preview",
              "name": "arpio-recovery-delegate-job",
              "tags": "[parameters('arpioTags')]",
              "location": "[parameters('location')]",
              "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                  "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'))]": {}
                }
              },
              "properties": {
                "environmentId": "[resourceId('Microsoft.App/managedEnvironments', 'arpio-recovery-env')]",
                "configuration": {
                  "triggerType": "Event",
                  "replicaTimeout": 86400,
                  "replicaRetryLimit": 0,
                  "eventTriggerConfig": {
                    "replicaCompletionCount": 1,
                    "parallelism": 1,
                    "scale": {
                      "minExecutions": 0,
                      "maxExecutions": 100,
                      "pollingInterval": 10,
                      "rules": [
                        {
                          "name": "queue-based-scaling",
                          "type": "azure-queue",
                          "metadata": {
                            "queueName": "jobs",
                            "queueLength": "1",
                            "queueLengthStrategy": "visibleonly",
                            "accountName": "[format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))]"
                          },
                          "identity": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]"
                        }
                      ]
                    }
                  }
                },
                "template": {
                  "containers": [
                    {
                      "name": "arpio-delegate-job",
                      "image": "[parameters('delegateJobsImage')]",
                      "env": [
                        {
                          "name": "AZURE_CLIENT_ID",
                          "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').clientId]"
                        },
                        {
                          "name": "ARPIO_ACCOUNT_ID",
                          "value": "[parameters('arpioAccountId')]"
                        },
                        {
                          "name": "SUBSCRIPTION_ID",
                          "value": "[subscription().subscriptionId]"
                        },
                        {
                          "name": "AUTHORIZED_ENDPOINTS",
                          "value": "[string(parameters('primaryEndpoints'))]"
                        },
                        {
                          "name": "REGION",
                          "value": "[parameters('location')]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_BLOB_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.blob]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_TABLE_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.table]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_QUEUE_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.queue]"
                        },
                        {
                          "name": "DATA_RESOURCE_GROUP",
                          "value": "[parameters('dataResourceGroup')]"
                        },
                        {
                          "name": "DATA_STORAGE_ACCOUNT_NAME",
                          "value": "[format('arpiodata{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId')))]"
                        },
                        {
                          "name": "ENCRYPTION_KEY_ID",
                          "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))), 'EncryptionKey'), '2024-11-01').keyUriWithVersion]"
                        }
                      ],
                      "resources": {
                        "cpu": "[json('0.25')]",
                        "memory": "0.5Gi"
                      }
                    }
                  ]
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.App/managedEnvironments', 'arpio-recovery-env')]",
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]",
                "[resourceId('Microsoft.KeyVault/vaults/keys', format('arpio-rec-{0}', uniqueString(resourceGroup().id, parameters('arpioAccountId'))), 'EncryptionKey')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-recovery', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleDefinitions",
              "apiVersion": "2022-04-01",
              "name": "[guid('ArpioRecoveryDelegateRGAccess', parameters('arpioAccountId'), resourceGroup().id, parameters('location'))]",
              "properties": {
                "roleName": "[format('ArpioRecoveryDelegateRGAccess-{0}-{1}', parameters('arpioAccountId'), uniqueString(resourceGroup().id, parameters('location')))]",
                "description": "Access granted to the Arpio recovery delegate scoped to the access resource group. This allows the recovery delegate to create and manage additional private delegates as needed.",
                "type": "CustomRole",
                "permissions": [
                  {
                    "actions": [
                      "*/read",
                      "Microsoft.Network/virtualNetworks/*",
                      "Microsoft.Web/sites/*",
                      "Microsoft.Web/serverfarms/write",
                      "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                      "Microsoft.Resources/deployments/delete",
                      "Microsoft.Resources/deployments/write",
                      "Microsoft.Resources/deploymentStacks/delete",
                      "Microsoft.Resources/deploymentStacks/write",
                      "Microsoft.ContainerInstance/containerGroups/*"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                  }
                ],
                "assignableScopes": [
                  "[resourceGroup().id]"
                ]
              }
            },
            {
              "type": "Microsoft.Authorization/roleDefinitions",
              "apiVersion": "2022-04-01",
              "name": "[guid('ArpioPrimaryToRecoveryKeyWrap', parameters('arpioAccountId'), resourceGroup().id, parameters('location'))]",
              "properties": {
                "roleName": "[format('ArpioPrimaryToRecoveryKeyWrap-{0}-{1}', parameters('arpioAccountId'), uniqueString(resourceGroup().id, parameters('location')))]",
                "description": "Allows the primary delegate to wrap data using the recovery encryption key",
                "type": "CustomRole",
                "permissions": [
                  {
                    "actions": [],
                    "notActions": [],
                    "dataActions": [
                      "Microsoft.KeyVault/vaults/keys/wrap/action"
                    ],
                    "notDataActions": []
                  }
                ],
                "assignableScopes": [
                  "[resourceGroup().id]"
                ]
              }
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "name": "[guid('ArpioDelegateIdentity', guid('ArpioRecoveryDelegateRGAccess', parameters('arpioAccountId'), resourceGroup().id, parameters('location')))]",
              "properties": {
                "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioRecoveryDelegateRGAccess', parameters('arpioAccountId'), resourceGroup().id, parameters('location')))]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioRecoveryDelegateRGAccess', parameters('arpioAccountId'), resourceGroup().id, parameters('location')))]",
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate')]"
              ]
            }
          ],
          "outputs": {
            "delegatePrincipalId": {
              "type": "string",
              "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').principalId]"
            },
            "delegateAppId": {
              "type": "string",
              "value": "[resourceId('Microsoft.App/containerApps', 'arpio-recovery-delegate')]"
            },
            "delegateAppFQDN": {
              "type": "string",
              "value": "[reference(resourceId('Microsoft.App/containerApps', 'arpio-recovery-delegate'), '2025-07-01').configuration.ingress.fqdn]"
            },
            "delegateJobId": {
              "type": "string",
              "value": "[resourceId('Microsoft.App/jobs', 'arpio-recovery-delegate-job')]"
            },
            "logAnalyticsWorkspaceId": {
              "type": "string",
              "value": "[resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioRecoveryLogs')]"
            },
            "applicationInsightsConnectionString": {
              "type": "string",
              "value": "[reference(resourceId('Microsoft.Insights/components', 'ArpioRecoveryInsights'), '2020-02-02').ConnectionString]"
            }
          }
        }
      },
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Resources/resourceGroups', format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location')))]",
        "[subscriptionResourceId('Microsoft.Resources/resourceGroups', format('ArpioRecoveryData-{0}-{1}', parameters('arpioAccountId'), parameters('location')))]"
      ]
    }
  ]
}