Bicep deployment of maintenance configuration assigment for scope Resource

Question

Bicep deployment of maintenance configuration assigment for scope Resource

bombbe 1,466

Hi,

I have seen few post about Bicep deployment of maintenance configuration assigment but they have always been for dynamic scopes. I have created maintenance Configurations with maintenanceScope: 'Resource' for our VPN gateways. Deployment of that is went just fine.

Now I'm trying to assign single VPN to that configuration with the vpn resouceId but the deployment always seems to be failing and struglin to find right format.

This is my current Main bicep

module maintenance_assignments 'maintenance_assignment.bicep' = [for testing in assignment_test: {
  scope: subscription()
  name: '${assignment.mCName}'
  params: {
    maintenanceConfigurationId: assignment.maintenanceConfigurationId
    resourceId: assignment.resourceId
  }
}]

This is my module currently module

targetScope = 'subscription'

param resourceId string
param maintenanceConfigurationId string

resource configurationAssignment 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = {
  name: last(split(resourceId, '/'))
  properties: {
    maintenanceConfigurationId: maintenanceConfigurationId
    resourceId: resourceId
  }
}

I have tried with targetScope = 'subscription' and targetScope = 'resoucegroup' and with and without having "location" parameter and mix of these but it always failing with refering to subscription or resouce group.

Provided combination of resource type Microsoft.Resource/subscriptions and maintenance configuration scope Resource aren't supported. Only following resource types are supported for scope Resource: Microsoft.ContainerService/managedClusters,Microsoft.ServiceFabric/managedClusters,Microsoft.Network/vpnGateways,Microsoft.Network/expressRouteGateways,Microsoft.Network/virtualnetworkgateways,Microsoft.Network/applicationGateways,Microsoft.Network/azureFirewalls,Microsoft.Network/virtualHubs,Microsoft.Network/bastionHosts,Microsoft.Network/networkVirtualAppliances,Microsoft.Network/p2sVpnGateways,Microsoft.Web/hostingEnvironments,Configuration assignment ResourceId must be empty or equal to the Subscription/Resource Group id for Subscription/Resource Group level assignment.,Given Maintenance Subscope value (NetworkGatewayMaintenance) is not compatible with the resource type Microsoft.Resource/subscriptions.,Cross Region Config Assignment is not allowed for NetworkGatewayMaintenance resources

I would want to just assignt that one vpn to that maintenanceConfiguration but note sure if that is possible or am I just doing something wrong here?

Bharath Y P 2,805 Reputation points Microsoft External Staff Moderator

2025-10-15T11:52:46.3733333+00:00
Hello bombbe,

As per your description, look like you're trying to assign a maintenance configuration with maintenanceScope: 'Resource' to a single VPN gateway using Bicep. The configuration itself deploys successfully, but the assignment fails, and the error message suggests issues with scope and resource compatibility.

We understand that the maintenance configuration deployment works fine. assignment fails when trying to target a single VPN gateway, the errors suggest scope mismatch likely because the assignment is being deployed at the subscription or resource group level, which is invalid for maintenanceScope: 'Resource'.

Could you please help us with the below details

Are you deploying the Bicep file at subscription level or resource group level? Because for maintenanceScope: Resource, the assignment must be deployed at the resource level, not subscription.

Are you deploying the maintenance assignment in the same region as the VPN gateway and the maintenance configuration? Cross-region assignments are not allowed for NetworkGatewayMaintenance.

The core problem is the conflict between the deployment scope (scope: subscription()) and the maintenance configuration's required scope (maintenanceScope: 'Resource').

To fix this, you can change the Bicep code to deploy the assignment as a child resource of the VPN Gateway, which is best achieved by using the parent property.

Here are the required changes for your main file and your module file:

Module File: This file defines the assignment and attaches it to the VPN gateway using the parent property. Uses the received reference with the parent: parentResource property, which automatically tells Azure Resource Manager (ARM) to nest the assignment under the VPN Gateway, thus satisfying the maintenanceScope: 'Resource' requirement.

targetScope = 'resourceGroup' param maintenanceConfigurationId string param parentResource resource resource configurationAssignment 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = { parent: parentResource name: 'default' properties: { maintenanceConfigurationId: maintenanceConfigurationId } }

Main file: This file references the existing VPN gateway and calls the module. Creates a symbolic reference (vpnGateway) to the existing resource and passes that reference as a parameter (parentResource) to the module. It also ensures the deployment scope is correctly set to the resource group (scope: resourceGroup(vpnResourceGroup))

param maintenanceConfigurationId string param vpnGatewayName string param vpnResourceGroup string // Reference the existing VPN gateway resource vpnGateway 'Microsoft.Network/vpnGateways@2023-09-01' existing = { name: vpnGatewayName scope: resourceGroup(vpnResourceGroup) } // Call the module and pass the VPN gateway reference module maintenance_assignments 'maintenance_assignment.bicep' = { scope: resourceGroup(vpnResourceGroup) name: 'vpnMaintenanceAssignment' params: { maintenanceConfigurationId: maintenanceConfigurationId parentResource: vpnGateway } }

The main file references the existing VPN gateway and passes it to the module. The module file uses the parent property to deploy the assignment directly onto the VPN gateway. This setup satisfies the 'Resource' scope requirement and avoids deployment errors.

Hope this helps.

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Hi bombbe,

the error message is telling you everything. you are trying to assign a maintenance configuration with scope 'resource' at the subscription level, but that is not allowed. the deployment scope and the assignment scope are fighting each other.

your maintenance configuration is scoped to a single 'resource', like a vpn gateway. therefore, the configurationAssignment resource itself must be deployed directly onto that specific vpn gateway resource, not at the subscription or resource group level.

you cannot use a subscription scoped module for this. you need to deploy the assignment as a resource within the scope of the vpn gateway itself.

remove the module that has targetScope = 'subscription'. instead, in your main bicep file, you need to create the configurationAssignment resource inside the same resource group as your vpn gateway, and you must use the vpn gateway's resource id as the parent scope.

if your vpn gateway is defined in the same bicep file, it would look like this.

resource vpnGateway 'Microsoft.Network/vpnGateways@2023-09-01' = {
name: 'myVpnGateway'
location: location
...other properties...
}
resource maintenanceAssignment 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = {
parent: vpnGateway
name: 'myAssignment'
properties: {
maintenanceConfigurationId: maintenanceConfigurationId
}
}

see the parent: vpnGateway line? that is the key. it deploys the assignment as a child resource of the vpn gateway, which is exactly what the 'resource' maintenance scope requires.

if your vpn gateway is in a different module or already exists, you need to use an existing resource reference to get its scope.

this concept of deploying a resource as a child of another is a fundamental bicep pattern for resource specific configurations.

you must deploy your configuration assignment as a child resource of the specific vpn gateway, not at the subscription level. the parent property is your solution.

regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer

https://ctrlaltdel.blog/

bombbe 1,466 Reputation points

2025-10-15T13:14:01.6766667+00:00

Yeah this solved the issue, I don't know why I did not try or trough to test vpn as parent like I did with Maintenance Configuration. Deployment works now :)

Share via

Bicep deployment of maintenance configuration assigment for scope Resource

0 additional answers

Your answer