Merge pull request #222679 from davidsmatlak/ds-ghi-102047

JamesJBarnett · web-flow · commit d8df8dda18a3 · 2022-12-30T15:17:32.000-07:00
Updates ARM debug logging article
diff --git a/articles/azure-resource-manager/troubleshooting/enable-debug-logging.md b/articles/azure-resource-manager/troubleshooting/enable-debug-logging.md
@@ -3,27 +3,28 @@ title: Enable debug logging
 description: Describes how to enable debug logging to troubleshoot Azure resources deployed with Bicep files or Azure Resource Manager templates (ARM templates).
 tags: top-support-issue
 ms.topic: troubleshooting
-ms.date: 09/14/2022
+ms.date: 12/30/2022
 ms.custom: devx-track-azurepowershell
 ---
 
 # Enable debug logging
 
-To troubleshoot a deployment error, enable debug logging to get more information. Debug logging works for deployments using Bicep files or Azure Resource Manager templates (ARM templates). You can get data about a deployment's request and response to learn the cause of a problem.
+To troubleshoot a deployment error, you can enable debug logging to get more information. Debug logging works for deployments with Bicep files or Azure Resource Manager templates (ARM templates). You can get data about a deployment's request and response to learn the cause of a problem.
 
 > [!WARNING]
-> Debug logging can expose secrets like passwords or `listKeys`. Only enable debug logging when you need to troubleshoot a deployment error.
+> Debug logging can expose secrets like passwords or `listKeys` operations. Only enable debug logging when you need to troubleshoot a deployment error. When you're finished debugging, you should [remove the debug deployment history](#remove-debug-deployment-history).
 
 ## Set up debug logging
 
-Use Azure PowerShell to enable debug logging and view the results with Azure PowerShell or Azure CLI.
+Use Azure PowerShell to enable debug logging that populates the `request` and `response` properties with deployment information for troubleshooting. Debug logging can't be enabled using Azure CLI.
 
-# [PowerShell](#tab/azure-powershell)
+Debug logging is only enabled for the main ARM template or Bicep file. If you're using nested ARM templates or Bicep modules, see [Debug nested template](#debug-nested-template).
 
-For a resource group deployment, use [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment) to set the `DeploymentDebugLogLevel` parameter to `All`, `ResponseContent`, or `RequestContent`.
+# [PowerShell](#tab/azure-powershell)
 
-When debug logging is enabled, a warning is displayed that secrets like passwords or `listKeys` can be logged and displayed when you get deployment operations with commands like `Get-AzResourceGroupDeploymentOperation`.
+For a resource group deployment, use [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment) and set the `DeploymentDebugLogLevel` parameter to `All`, `ResponseContent`, or `RequestContent`.
 
+When debug logging is enabled, a warning is displayed that secrets like passwords or `listKeys` operations can be logged and displayed when you use commands like `Get-AzResourceGroupDeploymentOperation` to get information about deployment operations.
 
 ```azurepowershell
 New-AzResourceGroupDeployment `
@@ -33,7 +34,7 @@ New-AzResourceGroupDeployment `
   -DeploymentDebugLogLevel All
 ```
 
-The output shows the debug logging level.
+The deployment's output shows the debug logging level.
 
 ```Output
 DeploymentDebugLogLevel : RequestContent, ResponseContent
@@ -49,13 +50,13 @@ The `DeploymentDebugLogLevel` parameter is available for other deployment scopes
 
 You can't enable debug logging with Azure CLI but you can get the debug log's data using the `request` and `response` properties.
 
-
 ---
 
-
 ## Get debug information
 
-After debug logging is enabled, you can get more information from the deployment operations.
+After debug logging is enabled, you can get more information about the deployment operations. The Azure PowerShell cmdlets for deployment operations don't output the `request` and `response` properties. You need to use Azure CLI to get the information from those properties.
+
+If you don't enable debug logging from the deployment command, you can still get deployment operations information. Use Azure PowerShell or Azure CLI to get the status code, status message, and provisioning state.
 
 # [PowerShell](#tab/azure-powershell)
 
@@ -67,12 +68,12 @@ Get-AzResourceGroupDeploymentOperation `
   -ResourceGroupName examplegroup
 ```
 
-You can specify a property, like `StatusMessage` or `StatusCode` to filter the output.
+You can specify a property, like `StatusCode`, `StatusMessage`,  or `ProvisioningState` to filter the output.
 
 ```azurepowershell
 (Get-AzResourceGroupDeploymentOperation `
   -DeploymentName exampledeployment `
-  -ResourceGroupName examplegroup).StatusMessage
+  -ResourceGroupName examplegroup).StatusCode
 ```
 
 For more information, see the documentation for deployment operation scopes: subscription, management group, and tenant.
@@ -110,18 +111,81 @@ az deployment operation group list \
   --query [].properties.response
 ```
 
+You can use a query to get the properties `statusCode`, `statusMessage`, or `provisioningState` for a deployment.
+
+```azurecli
+az deployment operation group list \
+  --name exampledeployment \
+  --resource-group examplegroup \
+  --query [].properties.statusCode
+```
+
 For more information, see the documentation for deployment operation scopes: subscription, management group, and tenant.
 
 - [az deployment operation sub list](/cli/azure/deployment/operation/sub#az-deployment-operation-sub-list)
 - [az deployment operation mg list](/cli/azure/deployment/operation/mg#az-deployment-operation-mg-list)
 - [az deployment operation tenant list](/cli/azure/deployment/operation/tenant#az-deployment-operation-tenant-list)
 
-
 ---
 
+## Debug nested template
+
+The main ARM template and nested templates have their own deployment name and deployment history. The main Bicep file and module also use a separate deployment name and deployment history.
+
+### ARM template
+
+To log debug information for a [nested](../templates/linked-templates.md#nested-template) ARM template, use the [Microsoft.Resources/deployments](/azure/templates/microsoft.resources/deployments) with the `debugSetting` property.
+
+The following sample shows a nested template with the `debugSetting` to log the deployment's request and response.
+
+```json
+"resources": [
+  {
+    "type": "Microsoft.Resources/deployments",
+    "apiVersion": "2021-04-01",
+    "name": "nestedTemplateDebug",
+    "properties": {
+      "mode": "Incremental",
+      "template": {
+        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+        "contentVersion": "1.0.0.0",
+        "resources": [
+          {
+            "type": "Microsoft.Storage/storageAccounts",
+            "apiVersion": "2022-05-01",
+            "name": "[variables('storageAccountName')]",
+            "location": "[parameters('location')]",
+            "sku": {
+              "name": "[parameters('storageAccountType')]"
+            },
+            "kind": "StorageV2"
+          }
+        ]
+      },
+      "debugSetting": {
+        "detailLevel": "requestContent, responseContent"
+      }
+    }
+  }
+],
+```
+
+The main ARM template and nested templates have their own deployment name and deployment history. If you want the `request` and `response` properties to contain troubleshooting information, be aware of the following deployment scenarios:
+
+- The `request` and `response` properties contain `null` values for the main template and nested template when `DeploymentDebugLogLevel` isn't enabled with deployment command.
+- When the deployment command enables `DeploymentDebugLogLevel` the `request` and `response` properties contain information only for the main template. The nested template's properties contain `null` values.
+- When a nested template uses the `debugSetting` and the deployment command doesn't include `DeploymentDebugLogLevel` only the nested template deployment has values for the `request` and `response` properties. The main template's properties contain `null` values.
+- To get the `request` and `response` for the main template and nested template, specify `DeploymentDebugLogLevel` in the deployment command and use `debugSetting` in the nested template.
+
+### Bicep file
+
+The recommendation for Bicep files is to use [modules](../bicep/modules.md) rather than nested templates with `Microsoft.Resources/deployments`. The status message, status code, and provisioning state will include information for the main Bicep file and module that you can use to troubleshoot the deployment.
+
+If you enable `DeploymentDebugLogLevel` from the deployment command, the `request` and `response` properties will contain information only for the main Bicep file's deployment.
+
 ## Remove debug deployment history
 
-When you're finished debugging, you can remove deployment history to prevent anyone who has access from seeing sensitive information that might have been logged. If you used multiple deployment names during debugging, run the command for each deployment name.
+When you're finished debugging, you should remove the deployment history to prevent anyone who has access from seeing sensitive information that might have been logged. For each deployment name that you used while debugging, run the command to remove the deployment history.
 
 # [PowerShell](#tab/azure-powershell)
 
@@ -148,39 +212,16 @@ To remove deployment history for a resource group deployment, use [az deployment
 az deployment group delete --resource-group examplegroup --name exampledeployment
 ```
 
+The command returns to the command prompt when it's completed.
+
 For more information, see the documentation for deployment scopes: subscription, management group, and tenant.
 
 - [az deployment sub delete](/cli/azure/deployment/sub#az-deployment-sub-delete)
 - [az deployment mg delete](/cli/azure/deployment/mg#az-deployment-mg-delete)
 - [az deployment tenant delete](/cli/azure/deployment/tenant#az-deployment-tenant-delete)
 
-
 ---
 
-## Nested template
-
-To log debug information for a [nested](../templates/linked-templates.md#nested-template) ARM template, use the [Microsoft.Resources/deployments](/azure/templates/microsoft.resources/deployments) `debugSetting` property.
-
-```json
-{
-  "type": "Microsoft.Resources/deployments",
-  "apiVersion": "2020-10-01",
-  "name": "nestedTemplate",
-  "properties": {
-    "mode": "Incremental",
-    "templateLink": {
-      "uri": "{template-uri}",
-      "contentVersion": "1.0.0.0"
-    },
-    "debugSetting": {
-       "detailLevel": "requestContent, responseContent"
-    }
-  }
-}
-```
-
-Bicep uses [modules](../bicep/modules.md) rather than nested templates.
-
 ## Next steps
 
 - [Common deployment errors](common-deployment-errors.md)
