Allow Secondary EventHub's tags to be updated via ARM/PS/Policies
When setting up Azure policy for tag inheritance, you cannot exclude secondary namespaces, even though by definition the secondary namespaces cannot be updated under any circumstances. So when you do an automated deployment the policy kicks in and deployment fails with the error "Cannot update a namespace that is secondary".
The only suggested way to get around this from Microsoft is to break the pairing (10 minutes), delete the secondary namespace's event hubs (2-5 minutes), set up tags and enable pairing again (10 minutes). I am setting this as the baseline, and it turns out it will be at least 25 minutes per namespace pairing. Imagine having multiple namespaces!! Even if you automate the process it still is a downtime of 25 minutes, which is not acceptable. So please allow tags to be updated on event hub.
How to recreate this situation:
- Create an ARM template for EventHub with GeoRecovery (with no tags set up)
- Create a policy to inherit tags from Resource Group/subscription if not set (provided tags are set up for the RG/subscription)
- Deploy the ARM - This will succeed, as while the primary and secondary namespaces are still separate stand-alone namespaces, tags will be inherited on resource creation and pairing happens normally.
- Re-deploy the same template - This will fail, as the primary and secondary are now paired and the secondary cannot be updated. Even though you are deploying the same event hub definition with no tags, ARM will assume you are trying to update the tags (even on an incremental update).
- Now break the pairing, delete the event hubs, deploy again - this will succeed, but you have just added a lot of manual work and have gained yourself a downtime of 15-20 minutes.
- Now imagine a large scale enterprise having at least 50 namespaces.
Possible solutions -
1. PowerShell to exclude scope on policy assignment - Defies the point of having an easy template on the portal, but you have to be a scripting genius to get this right.
2. Set up policies based on naming convention - Big enterprise, not going to be easy.
3. Multiple policies, one to exclude all event hubs and the other to exclude namespaces based on either a PowerShell script or naming convention - Please check the cons of points 1 and 2.
4. Allow tags to be updated on secondary namespaces - That could be interesting!
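For readers who want to try solution 1 from the post, the following script is an added example and is not code from the original post, from the commenter, or from Microsoft. It finds every Event Hubs namespace in the current subscription whose geo-DR role is Secondary and assigns a tag-inheritance policy with those namespaces excluded through `-NotScope`, so the policy never attempts the update that ARM rejects. It assumes Az.Accounts and Az.Resources are installed and `Connect-AzAccount` has already run; the `$PolicyDefinitionId`, `$TagName`, `$AssignmentName` and `$Location` parameters are placeholders you supply (the definition is assumed to accept a `tagName` parameter, as the built-in "Inherit a tag from the resource group if missing" policy does), and the `-IdentityType`/`-Location` parameter names follow Az.Resources 4.x and later, which is an assumption about your module version.

```powershell
<#
  Added example, not from the original feedback post, the commenter, or Microsoft.
  Solution 1 from the post: assign the tag-inheritance policy with every geo-DR
  *secondary* Event Hubs namespace excluded via -NotScope, so the policy never
  tries to modify a namespace that ARM will refuse to update.

  Assumptions (not from the post): Az.Accounts and Az.Resources are installed,
  Connect-AzAccount has run, -PolicyDefinitionId is the resource ID of a
  tag-inheritance definition that takes a 'tagName' parameter, and the
  -IdentityType/-Location parameter names match Az.Resources 4.x or later
  (a 'modify' policy needs a managed identity, hence those two parameters).
#>
param(
    [Parameter(Mandatory)] [string] $PolicyDefinitionId,   # placeholder: your definition's resource ID
    [Parameter(Mandatory)] [string] $TagName,              # placeholder: the tag to inherit
    [string] $AssignmentName = "inherit-tag-skip-dr-secondaries",
    [string] $Location = "westeurope"                      # region for the assignment's managed identity
)

$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Returns $true when the namespace has a disaster-recovery config whose role is
# Secondary. The ARM REST API is called directly so the check does not depend on
# the installed Az.EventHub cmdlet version; 2017-04-01 is the GA api-version for
# disasterRecoveryConfigs.
function Test-IsSecondaryNamespace {
    param([string] $NamespaceResourceId)
    $path = "$NamespaceResourceId/disasterRecoveryConfigs?api-version=2017-04-01"
    $response = Invoke-AzRestMethod -Path $path -Method GET
    if ($response.StatusCode -ne 200) {
        Write-Warning "Could not read DR config for $NamespaceResourceId (HTTP $($response.StatusCode))"
        return $false
    }
    $configs = ($response.Content | ConvertFrom-Json).value
    # Roles are Primary, PrimaryNotReplicating or Secondary; only Secondary is read-only.
    return [bool] ($configs | Where-Object { $_.properties.role -eq 'Secondary' })
}

# Every Event Hubs namespace in the subscription, filtered down to the secondaries.
$namespaces = Get-AzResource -ResourceType 'Microsoft.EventHub/namespaces'
$secondaryIds = @(
    $namespaces |
        Where-Object { Test-IsSecondaryNamespace -NamespaceResourceId $_.ResourceId } |
        ForEach-Object { $_.ResourceId }
)

Write-Host "Excluding $($secondaryIds.Count) secondary namespace(s) from policy assignment '$AssignmentName'"
$secondaryIds | ForEach-Object { Write-Host "  $_" }

$definition = Get-AzPolicyDefinition -Id $PolicyDefinitionId

# -NotScope is the supported way to carve individual resources out of an assignment.
$assignmentArgs = @{
    Name                  = $AssignmentName
    Scope                 = $scope
    PolicyDefinition      = $definition
    PolicyParameterObject = @{ tagName = $TagName }
    IdentityType          = 'SystemAssigned'
    Location              = $Location
}
if ($secondaryIds.Count -gt 0) { $assignmentArgs.NotScope = $secondaryIds }

New-AzPolicyAssignment @assignmentArgs
```

The exclusion list is a snapshot: a namespace only becomes a secondary after pairing, which (as the repro steps note) happens after the first deployment, so the script has to be re-run after each new pairing or the next re-deployment will hit the same "Cannot update a namespace that is secondary" error. That maintenance burden is the con the post attaches to this option.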
Ramkumar Balasubramaniam commented
If anyone is still desperate to fix this, you can still do it via the Azure Resource Explorer PATCH API through the Azure portal. Although it is manual, it helps!!!