Hi @neilpeterson,
I was forwarded by your colleague alex frankel that we can maybe put our heads together for a Azure DevOps blueprint task.

Would you like me to help?
I also started writing an extension, which currently includes deployment of Policies and I started to do this for Blueprints as well. I figured we could combine our effort.

https://github.com/RazorSPoint/azure-devops-azure-policy-extension/tree/topic/AzureBluePrint/src/AzureBlueprints/AzureBlueprintsV1

I am pretty much specialized in Azure DevOps itself.

Currently, an assignment JSON file is required. Looking at the docs for new-azblueprintassignment it appears an assignment file is not required. Update the assignment logic to reflect.

https://docs.microsoft.com/en-us/powershell/module/az.blueprint/new-azblueprintassignment?view=azps-2.8.0

It would be great if the extension supported the sovereign cloud environments.

Why is it that, in the docs here, that the task input key called BlueprintPath is valued with create in the documentation?

steps:
- task: nepeters.azure-blueprints.CreateBlueprint.CreateBlueprint@1
  displayName: 'Create Azure Blueprint'
  inputs:
    azureSubscription: 'nepeters-devops-mgmt'
    BlueprintName: 'blueprints-demo'
    BlueprintPath: create
    PublishBlueprint: true

Mistake or is this referring to a create folder?

Scenario: Blueprint exists with a version of version1. A task is used to update the blueprint and the task is set to increment the version.

This will not work / how should we handle?

I see how to set 'complete' mode for individual ARM templates, but not for blueprints.

Documentation: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-modes#complete-mode

Be nice when the assignment fails if the build step would also fail.

Example YAML file.

Results

I want to create, publish and assign blueprints using an User Assigned Managed Identity. I think the current script does not account for that. I added a screenshot of the failed task.

> ##[section]Starting: CreateBlueprint
> 
> ==============================================================================
> Task         : Create Azure Blueprint
> Description  : Creates an Azure Blueprint
> Version      : 1.5.6
> Author       : Neil Peterson
> Help         : 
> ==============================================================================
> ##[debug]Caught exception from task script.
> ##[debug]Error record:
> ##[debug]ConvertTo-SecureString : Cannot bind argument to parameter 'String' because it is null.
> ##[debug]At D:\a\_tasks\CreateBlueprint_1a8623d7-1d5c-423c-9d92-5e9587bbb02a\1.5.6\createBlueprint.ps1:14 char:65
> ##[debug]+ ... ters.ServicePrincipalKey | ConvertTo-SecureString -AsPlainText -Force
> ##[debug]+                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ##[debug]    + CategoryInfo          : InvalidData: (:) [ConvertTo-SecureString], ParameterBindingValidationException
> ##[debug]    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertToSe    cureStringCommand
> ##[debug] 
> ##[debug]Script stack trace:
> ##[debug]at <ScriptBlock>, D:\a\_tasks\CreateBlueprint_1a8623d7-1d5c-423c-9d92-5e9587bbb02a\1.5.6\createBlueprint.ps1: line 14
> ##[debug]at <ScriptBlock>, <No file>: line 1
> ##[debug]at <ScriptBlock>, <No file>: line 22
> ##[debug]at <ScriptBlock>, <No file>: line 18
> ##[debug]at <ScriptBlock>, <No file>: line 1
> ##[debug]Exception:
> ##[debug]System.Management.Automation.ParameterBindingValidationException: Cannot bind argument to parameter 'String' because it is null.
> ##[debug]   at System.Management.Automation.CmdletParameterBinderController.BindValueFromPipeline(PSObject inputToOperateOn, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
> ##[debug]   at System.Management.Automation.CmdletParameterBinderController.BindUnboundParametersForBindingStateInParameterSet(PSObject inputToOperateOn, CurrentlyBinding currentlyBinding, UInt32 validParameterSets)
> ##[debug]   at System.Management.Automation.CmdletParameterBinderController.BindUnboundParametersForBindingState(PSObject inputToOperateOn, CurrentlyBinding currentlyBinding, UInt32 validParameterSets)
> ##[debug]   at System.Management.Automation.CmdletParameterBinderController.BindPipelineParametersPrivate(PSObject inputToOperateOn)
> ##[debug]   at System.Management.Automation.CmdletParameterBinderController.BindPipelineParameters(PSObject inputToOperateOn)
> ##[debug]   at System.Management.Automation.CommandProcessor.Read()
> ##[error]Cannot bind argument to parameter 'String' because it is null.
> ##[debug]Processed: ##vso[task.logissue type=error]Cannot bind argument to parameter 'String' because it is null.
> ##[debug]Processed: ##vso[task.complete result=Failed]
> ##[section]Finishing: `CreateBlueprint

If a project contains space, createBlueprint.ps1 fails with subj error.
The possible reason: lack of single quotes ' for $BlueprintName parameter to handle spaces in paths:

Invoke-Expression "Import-AzBlueprintWithArtifact -Name $BlueprintName -InputPath $BlueprintPath $BlueprintScope -Force"

It would be nice to be able to set the ChangeNote when publishing.

Publish-AzBlueprint PowerShell cmdlet takes an optional parameter "ChangeNote".
A parameter could be added to the CreateBlueprint task and just passed along to the underlying PowerShell command.
Could be used to ie. set change note for new versions to commit messages etc.

If the blueprint already exists, the task should delete all existing artifacts. Otherwise artifacts from old versions of the source code will remain in the blueprint. The source code should be the source of truth, so the blueprint should always have only the artifacts that are in source. The API does not natively support this, so artifacts will need to be manually cleaned out by the task before a new set of artifacts is uploaded.

{
  "name": "ParametersFile",
  "type": "string",
  "label": "Parameters File Path",
  "defaultValue": "",
  "required": true,
  "helpMarkDown": "Should be fully qualified path or relative to the default working directory."
},

should this be required? You can make blueprints without parameters.

I forgot that when we go through the API we need to give the Blueprint 1st party app (which is an SPN in all tenants) owner permissions on the subscription. This is specifically for the system-assigned managed identity path. We use the first party app to create the system-assigned identity with owner permissions. When an assignment completes, we remove the 1st party app from the subscription so we don’t have standing access.

Here is some more info:
https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-rest-api#assign-a-blueprint

The assignment is successful (REST API) however deployment fails. Happens frequently on know good blueprints and artifacts.

I forgot to create this issue earlier, apologies.

The scripts are using Management Group Name in the URIs for the REST calls, but it should be the ID. The service connection dialog asks for both MG name and MG id, but MG name is essentially a display name.

I was able to get tasks working by using the MG ID in the name field for the service connection, but obviously that is not ideal.

Hi,

I want to use your great blueprint devops plugin
But in assignment, we only can use assign.json file, but I want to assign parameters dynamically from another platform's API.
Is there any way to do that?
any advice would be appreciated
best, Jasmine

The assignment is created however the results fail. This only appears to happen .via a pipeline assignment and does not fail every time.

When using the script outside of a pipeline, things work fine.

Today the task "succeeds" if the PUT succeeds, but it should only succeed if the assignment itself succeeds. The task will need to wait and continue to check until the blueprint either succeeds or fails. If the assignment fails, it should print out the error and the task should fail

We are calling lots of URI's throughout the script. Build a function for returning properly formatted URI based on the scope (Management Group / Subscription).

If the assignment file is missing the blueprintId element, the task fails.

{
  "identity": {
    "type": "SystemAssigned"
  },
  "location": "eastus",
  "properties": {
    "description": "TWO enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.",
    "blueprintId": "",
    "resourceGroups": {
      "blueprint-demo": {
        "name": "blueprint-demo-two",
        "location": "eastus"
      }
    },
    "parameters": {}
  }
}

Task only can create a new assignment, but if that assignment already exists, the Assign Task will fail. Need to check for the existence of the assignment, and if it exists use Set-AzBlueprintAssignment

Current error:
An assignment with name 'pla-foundation-with-pci' in subscription '/subscriptions/e93d3ee6-fac1-412f-92d6-bfb379e81af2' already exists. Please use Set-AzBlueprintAssignment to update an existing assignment.

Is there a case sensitivity bug in line 89 of assignBlueprint.ps1? My pipeline is throwing an error: ##[error]Cannot bind argument to parameter 'InputObject' because it is null.

After tracing through the logs, it looks like $BluePrintObject.id in line 89 of assignBlueprint.ps1 maybe should be $BluePrintObject.Id instead (capital I on .Id)?

body.properties | Add-Member -Name "blueprintId" -value $BluePrintObject.id -MemberType NoteProperty -Force

Change to this?

body.properties | Add-Member -Name "blueprintId" -value $BluePrintObject.Id -MemberType NoteProperty -Force

When I run the PowerShell command which loads the blueprint with the exact same parameters as in the pipeline:
Get-AzBlueprint -Name blueprints-demo -SubscriptionId (redacted)

This is the return value, and the Id field is capitalized, which may be causing the error as the PowerShell script is looking for lowercase on line 89.

Name : blueprints-demo
Id : /subscriptions/(redacted)/providers/Microsoft.Blueprint/blueprints/blueprint
s-demo
SubscriptionId : (redacted)
Versions : {1, 2, 3, 4...}
Description : Cloud Adoption Framework for Azure – Configure Foundational best practices
TimeCreated : 7/9/2021 8:19:10 PM
TargetScope : Subscription
Parameters : {appendataganditsvaluetoresourcegroups_tagValue,
enableMonitoringinAzureSecurityCenter_adaptiveApplicationControlsMonitoringEffect,
enableMonitoringinAzureSecurityCenter_diagnosticsLogsInBatchAccountMonitoringEffect,
enableMonitoringinAzureSecurityCenter_diagnosticsLogsInBatchAccountRetentionDays...}
ResourceGroups : {SharedServices-RG, Network-RG, ResourceGroup}

I'm running version 0.4.0 of Az-Blueprint.

When assigning the blueprint to a subscription, one of the parameters refers to a secret stored in a Azure Key Vault and it errors out.

##[error]Can't deserialize the JSON file 'D:\a\1\s\Blueprint\assign.json'. 'Error converting value "@{id=/subscriptions/Msub-id>/resourceGroups/providers/Microsoft.KeyVault/vaults/<keyvaultname}" to type 'Microsoft.Azure.Management.Blueprint.Models.KeyVaultReference'. Path 'reference.keyVault', line 68, position 245.'

My parameter file contains the following:

"adminPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/<-SUBID->/resourceGroups/<-RESOURCEGROUP->/providers/Microsoft.KeyVault/vaults/<-KEYVAULTNAME->"
},
"secretName": "mySuperSecret"
}
}

If I do the deployment from powershell utilizing New-AzBlueprintAssignment -Blueprint $blueprint -Name 'assignMyBlueprint' -AssignmentFile .\blueprintAssignment.json, it goes without error.

the az.blueprint module is written for powershell core, so it should work cross-platform. If I try to switch to a linux hosted agent I get this error:

When you assign a blueprint that has a parameter that has a json block as value it will fail when there are more then 2 json levels.

$body = Get-Content -Raw -Path $AssignmentFilePath | ConvertFrom-Json

ConvertFrom-Json default to 2 if I remembered correctly.

This could easily be solved by adding -depth 10

Is there a reason not use Az.Blueprint? I know it's nice to have a job that can run cross platform. But once Powershell.Core is available as a task handler this shouldn't be an issue anymore and then this could be written for pwsh 6 +

Seems like a LOT of work to rewrite this
https://github.com/Azure/azure-powershell/tree/master/src/Blueprint

Into typescript.

I changed the assignment script into the Az cmd-let myself because I wanted a way during a release to specify the version of the blueprint that is going to be assigned. The current uri you are using to get the blueprint does not return versions.

https://management.azure.com/providers/Microsoft.Management/managementGroups/{0}/providers/Microsoft.Blueprint/blueprints/{1}?api-version=2018-11-01-preview

We are currently on 2018-11-01-preview

I am getting the following error:
##[error]This artifact is invalid. Error: 'Blueprint parameter 'addatagtoresources_tagName' referenced by artifact '06753083-44ef-40d1-88d5-4d36cf50761a' does not exist in blueprint

The parameter exists in the blueprint file and has a value:
"addatagtoresources_tagName": {
"type": "string",
"metadata": {
"displayName": "Tag Name (Policy: Add a tag to resources)"
},
"defaultValue": "Cost Center"

Here are how the parameters are defined in the artifact json file:

{
"kind": "policyAssignment",
"properties": {
"displayName": "Add a tag to resources",
"dependsOn": [],
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26",
"parameters": {
"tagName": {
"value": "[parameters('addatagtoresources_tagName')]"
},
"tagValue": {
"value": "[parameters('addatagtoresources_tagValue')]"
}
}
}
}

When you supply a TargetSubscriptionId it will always try "New-AzBlueprintAssignment" since the Get- defaults to the subscriptionId of the supplied Service Connection.

[error]An assignment with name '$AssignmentName' in subscription '/subscriptions/$TargetSubscriptionID' already exists. 
Please use Set-AzBlueprintAssignment to update an existing assignment.

Also the $TargetSubscriptionID is used in the script even though it is an optional argument according to the task.json.

I would like the Get- to look at the TargetSubscriptionId and that it falls back to the SubscriptionId of the service connection when not provided.

The field is here.

I've tried the following visibility rule, however, it seems visibility is based on values from other inputs.

"ScopeLevel == ManagementGroup"

Problem

We recently ran into an error when we added comments to our assignment files.

It seems that ConvertFrom-Json in older powershell versions do not support json with comments but newer versions do support it.

Broken: 5.1
Working: 7.1.5

Solution

This task is incredibly helpful! It would be great if the powershell version could be updated so that assignment would work with json with code comments. We have found adding comments is very helpful in maintaining the blueprint.

It seems like this could be a quick fix to task.json

Workaround

We are currently using this inline powershell script as a workaround.

Write-Host 'The Assign Azure Blueprint task uses an old version of powershell that does not support json with comments.' 

Write-Host "Removing comments from $(blueprintAssignmentPath)"

# https://stackoverflow.com/questions/51066978/convert-to-json-with-comments-from-powershell/51069060#51069060
(Get-Content '$(blueprintAssignmentPath)')  -replace '^\s*//.*' | Out-File '$(blueprintAssignmentPath)'

Current documentation states excluding a principle from a deny assignment using resource group locks can only be done via REST API (https://docs.microsoft.com/bs-latn-ba/azure/governance/blueprints/concepts/resource-locking)

Does this task support the use of passing json body (as documented in link above) to invoke the rest api, or is their a mechanism to achieve resource group locking and exclusion of principles via this task and the blueprint assignment?

Thank You

Yogesh

I recently had an issue deploying an App Gateway Blueprint using this Blueprints pipeline tasks extension...

Tricky to explain this as it's part of a big deployment but here we go...

It had been working fine with an App Gateway with multiple Listeners, HTTP Settings, Routing Rules and Health Probes until one day I added a Rewrite ruleset which was necessary to change the response HTTP headers from an internal only App Service (*.azurewebsites.net) to the external domain suffix, e.g. contoso.com.

I could deploy the content of the Blueprint ARM template using Visual Studio Deploy method and it worked fine - not a perfect test of the Blueprint but the content in the JSON was correct and it worked to create, successfully, the Rewrite ruleset. Unfortunately when getting the creation to go through Azure DevOps it fails.

Azure DevOps initially calls the Create Blueprint task and successfully creates the Blueprint - no problem.

It then later has a pipeline to assign the Blueprint in order to deploy the App Gateway - that fails.

The failure is:

"properties": {
    "statusCode": "BadRequest",
    "statusMessage": "{\"error\":{\"code\":\"InvalidRequestFormat\",\"message\":\"Cannot parse the request.\",\"details\":[{\"code\":\"InvalidJson\",\"message\":\"Unexpected initial token 'String' when populating object. Expected JSON object or array. Path 'properties.rewriteRuleSets[0].properties.rewriteRules[0].actionSet.responseHeaderConfigurations[0]', line 1, position 9748.\"},{\"code\":\"InvalidJson\",\"message\":\"Unexpected initial token 'String' when populating object. Expected JSON object or array. Path 'properties.rewriteRuleSets[1].properties.rewriteRules[0].actionSet.responseHeaderConfigurations[0]', line 1, position 10202.\"},{\"code\":\"InvalidJson\",\"message\":\"Unexpected initial token 'String' when populating object. Expected JSON object or array. Path 'properties.rewriteRuleSets[2].properties.rewriteRules[0].actionSet.responseHeaderConfigurations[0]', line 1, position 10645.\"}]}}",

An example of the Rewrite ruleset is discussed here.

The section of ARM that has been added for my rewrite ruleset is like this (redacted for domain/server/name only):

  "g_appGatewayRewriteRuleSets": {
    "value": [
      {
        "name": "my1-lsnr",
        "properties": {
          "rewriteRules": [
            {
              "ruleSequence": 100,
              "conditions": [
                {
                  "variable": "http_resp_Location",
                  "pattern": "(https?):\\/\\/.*azurewebsites\\.net(.*)$",
                  "ignoreCase": true,
                  "negate": false
                }
              ],
              "name": "ConvertToASCGroup",
              "actionSet": {
                "requestHeaderConfigurations": [],
                "responseHeaderConfigurations": [
                  {
                    "headerName": "Location",
                    "headerValue": "{http_resp_Location_1}://my1-server.contoso.com{http_resp_Location_2}"
                  }
                ]
              }
            }
          ]
        }
      },

... 2 more rules follow for my2-lsnr and my3-lsnr similarly coded.

If I try to Assign the Blueprint manually in Portal, I can see that the value of the g_appGatewayRewriteRuleSets parameter is being assigned this - which is what was sent in from the last Azure DevOps deployment with the Blueprint Assign task:

[{"name":"my1-lsnr","properties":{"rewriteRules":[{"ruleSequence":100,"conditions":[{"variable":"http_resp_Location","pattern":"(https?):\/\/.azurewebsites\.net(.)$","ignoreCase":true,"negate":false}],"name":"ConvertToASCGroup","actionSet":{"requestHeaderConfigurations":[],"responseHeaderConfigurations":["@{headerName=Location; headerValue={http_resp_Location_1}://my-server1.contoso.com{http_resp_Location_2}}"]}}]}},{"name":"my2-lsnr","properties":{"rewriteRules":[{"ruleSequence":100,"conditions":[{"variable":"http_resp_Location","pattern":"(https?):\/\/.azurewebsites\.net(.)$","ignoreCase":true,"negate":false}],"name":"ConvertToASCGroup","actionSet":{"requestHeaderConfigurations":[],"responseHeaderConfigurations":["@{headerName=Location; headerValue={http_resp_Location_1}://my-server2.contoso.com{http_resp_Location_2}}"]}}]}},{"name":"my3-lsnr","properties":{"rewriteRules":[{"ruleSequence":100,"conditions":[{"variable":"http_resp_Location","pattern":"(https?):\/\/.azurewebsites\.net(.)$","ignoreCase":true,"negate":false}],"name":"ConvertToASCGroup","actionSet":{"requestHeaderConfigurations":[],"responseHeaderConfigurations":["@{headerName=Location; headerValue={http_resp_Location_1}://my-server3.contoso.com{http_resp_Location_2}}"]}}]}}]

That is wrong and should be:

[{"name":"my1-lsnr","properties":{"rewriteRules":[{"ruleSequence":100,"conditions":[{"variable":"http_resp_Location","pattern":"(https?):\/\/.azurewebsites\.net(.)$","ignoreCase": true,"negate": false}],"name": "ConvertToASCGroup","actionSet": {"requestHeaderConfigurations": [],"responseHeaderConfigurations": [{"headerName": "Location","headerValue": "{http_resp_Location_1}://my1-server.contoso.com{http_resp_Location_2}"}]}}]}},{"name": "my2-lsnr","properties": {"rewriteRules": [{"ruleSequence": 100,"conditions": [{"variable": "http_resp_Location","pattern": "(https?):\/\/.azurewebsites\.net(.)$","ignoreCase": true,"negate": false}],"name": "ConvertToASCGroup","actionSet": {"requestHeaderConfigurations": [],"responseHeaderConfigurations": [{"headerName": "Location","headerValue": "{http_resp_Location_1}://my2-server.contoso.com{http_resp_Location_2}"}]}}]}},{"name": "my3-lsnr","properties": {"rewriteRules": [{"ruleSequence": 100,"conditions": [{"variable": "http_resp_Location","pattern": "(https?):\/\/.azurewebsites\.net(.)$","ignoreCase": true,"negate": false}],"name": "ConvertToASCGroup","actionSet": {"requestHeaderConfigurations": [],"responseHeaderConfigurations": [{"headerName": "Location","headerValue": "{http_resp_Location_1}://my3-server.contoso.com{http_resp_Location_2}"}]}}]}}]

...which if I paste in, works.

There are some subtle differences around the responseHeaderConfigurations area - in the failing JSON parameter value you can see an @ symbol...but that isn't in the ARM JSON and isn't in the working parameter text either.

To get around this I disabled use of the blueprint assignment task and simply added a Powershell task that did this, i.e. uses the PS commands to do the assignment using the successfully deployed Blueprint and the incoming ARM Blueprint assignment file that I'm asking the original Assignment to use:

Install-Module -Name Az.Blueprint -Force
$subscriptionID = Get-AzSubscription | Where-Object -Property Name -eq "My-sub"
$bpDefinition = Get-AzBlueprint -SubscriptionId $subscriptionID -Name 'My-AppGateway-bp' -LatestPublished
$bpAssignment = Set-AzBlueprintAssignment -Name 'My-AppGateway-Assignment-bp' -Blueprint $bpDefinition -SubscriptionId $subscriptionID -AssignmentFile '$(System.DefaultWorkingDirectory)_Blueprint-AppGateway\code\blueprint\assign-My-ag.json'

Any ideas would be appreciated as I'd obviously like to go back to being consistently using the task rather than the PS to deploy this one. I've tons of other resources being deployed across the estate using these tasks without issue so it's working great apart from this one esoteric issue.

Thanks
Jeff

I would like the assignment of blueprints to have a version field so i can either assign the latest published blueprint or a specific version.

This way I can have a proper Ci/Cd based on the build / release of the blueprint.

This also makes it possible to rollback an older blueprint.

When I run this task, I keep getting a 401. I am using a service connection which I've tried specifying in YAML (in build) and in the UI (for release), but neither are working. I ran it with debug and

What seems to be the relevant error:
error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 6ef7f788-7671-4305-97cb-f3f5b7384900

I also see that some of these are blank:
"spnObjectId":"","appObjectId":""

So I guess something is wrong with my service connection?

This is the full dump:

2019-04-08T16:52:42.2928624Z ##[debug]Evaluating condition for step: 'Create Azure Blueprint'
2019-04-08T16:52:42.2942327Z ##[debug]Evaluating: succeeded()
2019-04-08T16:52:42.2942558Z ##[debug]Evaluating succeeded:
2019-04-08T16:52:42.2942968Z ##[debug]=> True
2019-04-08T16:52:42.2943260Z ##[debug]Result: True
2019-04-08T16:52:42.2943836Z ##[section]Starting: Create Azure Blueprint
2019-04-08T16:52:42.3272834Z ==============================================================================
2019-04-08T16:52:42.3273128Z Task         : Create Azure Blueprint
2019-04-08T16:52:42.3273203Z Description  : Creates an Azure Blueprint
2019-04-08T16:52:42.3273287Z Version      : 1.0.0
2019-04-08T16:52:42.3273351Z Author       : Neil Peterson
2019-04-08T16:52:42.3273429Z Help         : 
2019-04-08T16:52:42.3273498Z ==============================================================================
2019-04-08T16:52:44.2848539Z ##[debug]VstsTaskSdk 0.11.0 commit 7ff27a3e0bdd6f7b06690ae5f5b63cb84d0f23f4
2019-04-08T16:52:44.7671692Z ##[debug]INPUT_CONNECTEDSERVICENAME: '2010be28-4fba-4774-bc8d-bd4a611057da'
2019-04-08T16:52:44.7830810Z ##[debug]ENDPOINT_URL_2010be28-4fba-4774-bc8d-bd4a611057da: 'https://management.azure.com/'
2019-04-08T16:52:44.7870804Z ##[debug]ENDPOINT_AUTH_2010be28-4fba-4774-bc8d-bd4a611057da: '********'
2019-04-08T16:52:44.7972407Z ##[debug]ENDPOINT_DATA_2010be28-4fba-4774-bc8d-bd4a611057da: '{"subscriptionId":"d56e652e-758d-480a-8f0d-47f230264b4c","subscriptionName":"Visual Studio Ultimate with MSDN","environment":"AzureCloud","scopeLevel":"Subscription","creationMode":"Manual","azureSpnRoleAssignmentId":"","azureSpnPermissions":"","spnObjectId":"","appObjectId":"","environmentUrl":"https://management.azure.com/","galleryUrl":"https://gallery.azure.com/","serviceManagementUrl":"https://management.core.windows.net/","resourceManagerUrl":"https://management.azure.com/","activeDirectoryAuthority":"https://login.microsoftonline.com/","environmentAuthorityUrl":"https://login.windows.net/","graphUrl":"https://graph.windows.net/","managementPortalUrl":"https://manage.windowsazure.com/","armManagementPortalUrl":"https://portal.azure.com/","activeDirectoryServiceEndpointResourceId":"https://management.core.windows.net/","sqlDatabaseDnsSuffix":".database.windows.net","AzureKeyVaultDnsSuffix":"vault.azure.net","AzureKeyVaultServiceEndpointResourceId":"https://vault.azure.net","StorageEndpointSuffix":"core.windows.net","EnableAdfsAuthentication":"false"}'
2019-04-08T16:52:44.8066962Z ##[debug]INPUT_PUBLISHBLUEPRINT: 'true'
2019-04-08T16:52:44.8098395Z ##[debug]INPUT_VERSION: 'Increment'
2019-04-08T16:52:44.8128261Z ##[debug]INPUT_BLUEPRINTCREATIONLOCATION: 'managementGroup'
2019-04-08T16:52:44.8197174Z ##[debug]INPUT_MANAGEMENTGROUPNAME: 'root'
2019-04-08T16:52:44.8221667Z ##[debug]INPUT_BLUEPRINTNAME: 'AppNetwork'
2019-04-08T16:52:44.8228970Z ##[debug]INPUT_BLUEPRINTPATH: './Example Blueprints/AppNetwork/blueprint.json'
2019-04-08T16:52:44.8258581Z ##[debug]INPUT_ARTIFACTSPATH: './Example Blueprints/AppNetwork/artifacts'
2019-04-08T16:52:44.8503832Z ##[debug]POST https://login.microsoftonline.com/***/oauth2/token with -1-byte payload
2019-04-08T16:52:45.3588019Z ##[debug]Caught exception from task script.
2019-04-08T16:52:45.3631545Z ##[debug]Error record:
2019-04-08T16:52:45.4888869Z ##[debug]Invoke-RestMethod : {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 6ef7f788-7671-4305-97cb-f3f5b7384900\r\nCorrelation ID: 56dc967c-8e7a-41c5-8dfe-e0eaed3cf1f8\r\nTimestamp: 2019-04-08 16:52:44Z","error_codes":[7000215],"timestamp":"2019-04-08 16:52:44Z","trace_id":"6ef7f788-7671-4305-97cb-f3f5b7384900","correlation_id":"56dc967c-8e7a-41c5-8dfe-e0eaed3cf1f8"}
2019-04-08T16:52:45.4901926Z ##[debug]At D:\a\_tasks\CreateBlueprint_1a8623d7-1d5c-423c-9d92-5e9587bbb02a\1.0.0\createBlueprint.ps1:35 char:10
2019-04-08T16:52:45.4916056Z ##[debug]+ $Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri - ...
2019-04-08T16:52:45.4932626Z ##[debug]+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2019-04-08T16:52:45.4948113Z ##[debug]    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:Htt    pWebRequest) [Invoke-RestMethod], WebException
2019-04-08T16:52:45.4963833Z ##[debug]    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShe    ll.Commands.InvokeRestMethodCommand
2019-04-08T16:52:45.4994170Z ##[debug]Script stack trace:
2019-04-08T16:52:45.5041822Z ##[debug]at <ScriptBlock>, D:\a\_tasks\CreateBlueprint_1a8623d7-1d5c-423c-9d92-5e9587bbb02a\1.0.0\createBlueprint.ps1: line 35
2019-04-08T16:52:45.5056221Z ##[debug]at <ScriptBlock>, <No file>: line 1
2019-04-08T16:52:45.5072381Z ##[debug]at <ScriptBlock>, <No file>: line 22
2019-04-08T16:52:45.5086346Z ##[debug]at <ScriptBlock>, <No file>: line 18
2019-04-08T16:52:45.5100626Z ##[debug]at <ScriptBlock>, <No file>: line 1
2019-04-08T16:52:45.5124471Z ##[debug]Exception:
2019-04-08T16:52:45.5175720Z ##[debug]System.Net.WebException: The remote server returned an error: (401) Unauthorized.
2019-04-08T16:52:45.5189823Z ##[debug]   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
2019-04-08T16:52:45.5203090Z ##[debug]   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
2019-04-08T16:52:45.5825597Z ##[error]The remote server returned an error: (401) Unauthorized.
2019-04-08T16:52:45.5835545Z ##[debug]Processed: ##vso[task.logissue type=error]The remote server returned an error: (401) Unauthorized.
2019-04-08T16:52:45.5851075Z ##[debug]Processed: ##vso[task.complete result=Failed]
2019-04-08T16:52:45.6411594Z ##[section]Finishing: Create Azure Blueprint

Allow these tasks to use a service connection scoped to a management group. See the Azure PowerShell V4 task for a sample implementation.

Azure PowerShell V4 Service Connection

I'd like to give my SPN access to my root MG, but still choose a different MG or sub to create the blueprint in. Otherwise, I will need to create a unique SPN for each scope where I want to create/manage a blueprint.

The 1.0 version of the extension had support for this, which I think worked well.

Configure a dynamic list of management groups.

The code would be here and here.

When assigning a blueprint, we need the blueprint ID. If the blueprint was created at a management group, the ID includes the management group name. I see that the PowerShell module can list all blueprints, can we also do this .via REST?

https://docs.microsoft.com/en-us/powershell/module/az.blueprint/get-azblueprint?view=azps-1.6.0