Summary
Several issues block clean Azure IoT Operations deployments on the current main:
- Schema upload fails with HTTP 403 AuthorizationPermissionMismatch. The deploying principal lacks Storage Blob Data Contributor on the schema-registry container. It currently works only transitively, when the 030-data data-lake module is also deployed (which grants Storage Blob Data Owner at the storage account scope); the schema-registry module is not self-contained.
- K3s VM Arc bootstrap (linux-cluster-server-setup) fails on azure-cli 2.67+. The --client-id flag for az login --identity was removed in 2.67. Both deploy-script-secrets.sh and k3s-device-setup.sh still use the old syntax.
- Pinned AIO component versions are out of date relative to az iot ops 2.4.0:
  - cert-manager 0.10.2 → 0.11.0
  - secret-sync-controller 1.3.0 → 1.4.0
  - iotoperations 1.3.38 → 1.3.70
- Blueprint Bicep parameters were temporarily downgraded to vars while DeploymentScripts was pinned to az CLI < 2.71. trustIssuerSettings, shouldDeployAioDeploymentScripts, shouldEnableOtelCollector, and shouldEnableOpcUaSimulator should be first-class params again now that the runtime supports az CLI 2.71+.
- Missing OPC UA securityPki.applicationUri. The AIO instance config does not set a per-cluster OPC UA broker application URI, so deployments can collide on the default URN.
- No upgrade documentation. Users have no guide for moving an existing AIO deployment to newer component versions (az iot ops upgrade + Terraform -refresh-only reconciliation).
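One way to make the schema-registry module self-contained for the first item above, shown here as an added illustration and not as code from this repository: grant Storage Blob Data Contributor to the deploying principal with the role assignment scoped to the schema container itself, so uploads work without the 030-data module's account-wide Storage Blob Data Owner grant. The storage account name, container name, principal ID and principal type are assumed parameters; the role definition GUID is the built-in one for Storage Blob Data Contributor.

```bicep
// Added example: container-scoped Storage Blob Data Contributor grant
// for the schema-registry upload principal (assumed names and params).
@description('Existing storage account that holds the schema-registry container (assumed).')
param storageAccountName string

@description('Blob container the schema registry uploads into (assumed default).')
param schemaContainerName string = 'schemas'

@description('Object ID of the principal that performs the schema upload.')
param principalId string

@description('Override for non-interactive principals; a user-assigned managed identity or app registration is ServicePrincipal, a signed-in user is User.')
@allowed([
  'ServicePrincipal'
  'User'
  'Group'
])
param principalType string = 'ServicePrincipal'

// Built-in role definition ID for Storage Blob Data Contributor.
var storageBlobDataContributorRoleId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing = {
  name: storageAccountName
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-05-01' existing = {
  parent: storageAccount
  name: 'default'
}

resource schemaContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-05-01' existing = {
  parent: blobService
  name: schemaContainerName
}

// Scope is the container, not the storage account: the principal can read and
// write schema blobs in this container only, and gets no rights on other
// containers or on the account's keys and configuration.
resource schemaUploadContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(schemaContainer.id, principalId, storageBlobDataContributorRoleId)
  scope: schemaContainer
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataContributorRoleId)
    principalId: principalId
    principalType: principalType
  }
}

output schemaContainerScope string = schemaContainer.id
```

Setting principalType explicitly avoids the replication-lag failure where a freshly created managed identity is not yet visible to the role-assignment lookup. After deployment, the grant can be checked with az role assignment list, passing the container resource ID from the output as --scope and the principal as --assignee; an upload that still returns 403 AuthorizationPermissionMismatch then points at a different principal doing the upload rather than a missing role.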
Acceptance criteria
- Storage Blob Data Contributor on the schemas container, scoped narrowly, with an optional override for non-interactive principals.
- full-single-node-cluster Bicep restores the four parameters with sensible defaults.
- securityPki.applicationUri in both Bicep and Terraform.
Notes
Addressed in #471.