Deploying Azure Database Watcher via IaC fails intermittently

Daniel Rogers 1 Reputation point
2025-11-26T14:21:03.04+00:00

Hi there,

I'm deploying the preview of Azure Database Watcher but I'm seeing some odd behaviour.

When deploying the cluster, I receive the error below after deployments often.

This is the bicep excerpt for the cluster deployment. I can't reproduce exactly, but it seems that whenever it fails if I toggle restrictOutboundNetworkAccess between Enabled and Disabled and deploy again it will work fine.

resource cluster 'Microsoft.Kusto/clusters@2024-04-13' = {
  name: clusterName
  location: location
  sku: {
    name: clusterParams.sku.name
    tier: clusterParams.sku.tier
  }
  properties: {
    // https://learn.microsoft.com/en-us/azure/data-explorer/security-network-restrict-outbound-access
    publicNetworkAccess: clusterParams.publicNetworkAccess ?? 'Disabled'
    // Required database attribute for Database Watcher to work
    enableStreamingIngest: true
    restrictOutboundNetworkAccess: 'Enabled'
  }
}


output databaseName string = clusterDb.name
output clusterDataIngestionUri string = cluster.properties.dataIngestionUri
output clusterName string = cluster.name
output clusterResourceId string = cluster.id
output clusterUri string = cluster.properties.uri

{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/redacted/resourceGroups/redacted/providers/Microsoft.Resources/deployments/deployment1","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"ResourceDeploymentFailure","target":"/subscriptions/redacted/resourceGroups/redacted/providers/Microsoft.Resources/deployments/adxCluster-vik7hena5b6k2","message":"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.","details":[{"code":"DeploymentOutputEvaluationFailed","target":"/subscriptions/redacted/resourceGroups/redacted/providers/Microsoft.Resources/deployments/adxCluster-vik7hena5b6k2","message":"Unable to evaluate template outputs: 'clusterDataIngestionUri,clusterUri'. Please see error details and deployment operations. Please see https://aka.ms/arm-common-errors for usage details.","details":[{"code":"DeploymentOutputEvaluationFailed","target":"clusterDataIngestionUri","message":"The template output 'clusterDataIngestionUri' is not valid: The language expression property 'dataIngestionUri' doesn't exist, available properties are 'enableStreamingIngest, restrictOutboundNetworkAccess, publicNetworkAccess, provisioningState'.."},{"code":"DeploymentOutputEvaluationFailed","target":"clusterUri","message":"The template output 'clusterUri' is not valid: The language expression property 'uri' doesn't exist, available properties are 'enableStreamingIngest, restrictOutboundNetworkAccess, publicNetworkAccess, provisioningState'.."}]}]}]}}

Is there something odd with the evaluation of the properties when the outbound access is disabled - I don't want it enabled, but as mentioned I seem to have to toggle it back and forth to get working deployments.

Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
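The nested error body in the question can be flattened to its innermost causes. The following is an added example, not code from the thread: the function names, the `resource_still_provisioning` heuristic and the trimmed sample are assumptions built from the error text quoted above.

```python
import json
import re

# Matches the leaf message format shown in the question's error output.
MISSING = re.compile(
    r"property '(?P<prop>[^']+)' doesn't exist, "
    r"available properties are '(?P<avail>[^']*)'"
)

def leaf_errors(err):
    """Yield the innermost error objects of a nested ARM error body."""
    children = err.get("details") or []
    if not children:
        yield err
    for child in children:
        yield from leaf_errors(child)

def diagnose(raw):
    """Return one finding per template output that could not be evaluated."""
    findings = []
    for leaf in leaf_errors(json.loads(raw)["error"]):
        m = MISSING.search(leaf.get("message", ""))
        if leaf.get("code") != "DeploymentOutputEvaluationFailed" or not m:
            continue
        available = [p.strip() for p in m["avail"].split(",")]
        findings.append({
            "output": leaf["target"],
            "missing": m["prop"],
            # Heuristic (assumption): if provisioningState is among the few
            # properties returned, the resource body was read mid-provisioning.
            "resource_still_provisioning": "provisioningState" in available,
        })
    return findings

# Constructed sample: same nesting and leaf messages as the question's error, trimmed.
_AVAIL = ("enableStreamingIngest, restrictOutboundNetworkAccess, "
          "publicNetworkAccess, provisioningState")

def _leaf(output, prop):
    return {"code": "DeploymentOutputEvaluationFailed", "target": output,
            "message": f"The template output '{output}' is not valid: The language "
                       f"expression property '{prop}' doesn't exist, "
                       f"available properties are '{_AVAIL}'.."}

SAMPLE = json.dumps({"status": "Failed", "error": {"code": "DeploymentFailed", "details": [
    {"code": "ResourceDeploymentFailure", "details": [
        {"code": "DeploymentOutputEvaluationFailed", "details": [
            _leaf("clusterDataIngestionUri", "dataIngestionUri"),
            _leaf("clusterUri", "uri")]}]}]}})

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```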

3 answers

  1. Manoj Kumar Boyini 1,330 Reputation points Microsoft External Staff Moderator
    2025-11-26T20:05:23.11+00:00

    Hi Daniel Rogers,

    Thank you for clarifying that this is related to Azure Data Explorer cluster deployment. I apologize for the initial confusion with those questions; they were intended for a different service. The problem is that when you enable restrictOutboundNetworkAccess, the cluster takes longer to fully set up, and Bicep tries to grab the output properties (dataIngestionUri and uri) before they are ready. That's why you get the error: those properties only show up after the cluster is fully deployed.

    The fix is simple: split your deployment into two steps. First, deploy the cluster. Then in a second deployment, reference the already-created cluster to grab the outputs. This way, everything's ready by the time you ask for those values.

    Here's what to do:

    // Second deployment file - run this AFTER the cluster is created
    // Name of the cluster created by the first deployment
    param clusterName string

    resource existingCluster 'Microsoft.Kusto/clusters@2024-04-13' existing = {
      name: clusterName
    }
    
    output clusterDataIngestionUri string = existingCluster.properties.dataIngestionUri
    output clusterUri string = existingCluster.properties.uri
    output clusterName string = existingCluster.name
    output clusterResourceId string = existingCluster.id
    

    Deploy the cluster first, then deploy this separate template for outputs. It will work every time without having to toggle settings.

    Helpful References:

    Restrict outbound access from Azure Data Explorer

    Microsoft.Kusto/clusters Bicep reference

    Azure Data Explorer cluster REST API

    Troubleshoot Bicep file deployments

    Please let us know if you have any questions and concerns.


  2. Daniel Rogers 1 Reputation point
    2025-11-27T09:16:20.2566667+00:00

    Thanks Manoj, that did cross my mind but it's a bit clunky so was hoping to avoid it, but thank you for clarifying that's the best way forward - I'll give it a shot today. I've re-jigged it like this:

    // adxClusterOutputs.bicep: reads the outputs from the already-created cluster
    @description('Required. The Azure Data Explorer (ADX) cluster name.')
    param clusterName string
    
    resource existingCluster 'Microsoft.Kusto/clusters@2024-04-13' existing = {
      name: clusterName
    }
    
    output clusterDataIngestionUri string = existingCluster.properties.dataIngestionUri
    output clusterName string = existingCluster.name
    output clusterResourceId string = existingCluster.id
    output clusterUri string = existingCluster.properties.uri
    
    
    // Calling template: runs the outputs module only after the cluster module has finished
    module adxClusterOutputs './adxClusterOutputs.bicep' = {
      params: {
        clusterName: adxClusterName
      }
      dependsOn: [
        adxCluster // cluster creation module
      ]
    }
    
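A post-deployment gate for the two-step approach above, as an added example that is not part of either answer. It checks that the cluster is ready to have its outputs read and that the network settings were not left toggled after a retry. It assumes the input is the cluster's resource JSON (for example from `az resource show --ids <clusterResourceId>`); the expected values mirror the question's Bicep excerpt and its default, and the sample documents are constructed.

```python
import json

# Property names come from the page; expected values mirror the Bicep excerpt (assumption).
REQUIRED_SETTINGS = {
    "restrictOutboundNetworkAccess": "Enabled",
    "publicNetworkAccess": "Disabled",
    "enableStreamingIngest": True,
}
# Properties the failing template outputs depend on.
RUNTIME_OUTPUTS = ("uri", "dataIngestionUri")

def check_cluster(resource_json):
    """Return a list of problems; empty means outputs are readable and settings match."""
    props = json.loads(resource_json).get("properties", {})
    problems = []
    state = props.get("provisioningState")
    if state != "Succeeded":
        problems.append(f"provisioningState is {state!r}, not 'Succeeded'")
    for name in RUNTIME_OUTPUTS:
        if not props.get(name):
            problems.append(f"{name} not populated yet")
    for name, want in REQUIRED_SETTINGS.items():
        if props.get(name) != want:
            problems.append(f"{name} is {props.get(name)!r}, expected {want!r}")
    return problems

# Constructed sample: cluster read mid-provisioning, outbound restriction left toggled off.
HALF = json.dumps({"properties": {
    "provisioningState": "Creating",
    "enableStreamingIngest": True,
    "restrictOutboundNetworkAccess": "Disabled",
    "publicNetworkAccess": "Disabled",
}})

# Constructed sample: fully provisioned cluster with the intended settings.
READY = json.dumps({"properties": {
    "provisioningState": "Succeeded",
    "enableStreamingIngest": True,
    "restrictOutboundNetworkAccess": "Enabled",
    "publicNetworkAccess": "Disabled",
    "uri": "https://example.westeurope.kusto.windows.net",
    "dataIngestionUri": "https://ingest-example.westeurope.kusto.windows.net",
}})

if __name__ == "__main__":
    for label, doc in (("half-provisioned", HALF), ("ready", READY)):
        print(label, check_cluster(doc) or "OK")
```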

  3. Sina Salam 26,661 Reputation points Volunteer Moderator
    2025-11-28T11:19:47.4+00:00

    Hello Daniel Rogers,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that your deployment of Azure Database Watcher via IaC fails intermittently.

    Reading through all of the above, among the many things observed: an assumption that support exists in Terraform/ARM/AzAPI is misleading, since the Terraform implementation was missing (https://github.com/hashicorp/terraform-provider-azurerm/issues/28051), and there is possible misuse of ARM by passing a boolean as a string (see the same common error example: https://stackoverflow.com/questions/65492839/deploying-arm-template-with-terraform-results-in-datatype-mismatch).

    Best practices I will suggest if you must use Terraform today:

    Secondly, if you prefer Bicep or ARM:

    Thirdly, for successful troubleshooting tips:

    1. Use Azure CLI or Portal to manually create a Database Watcher with same parameters to capture working JSON, then replicate via IaC.
    2. Check all nested types (type: int, bool, string).
    3. Use the Azure REST API: GET /subscriptions/.../watchers?api-version=2025-01-02-preview to test validity.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

