Nested ARM template and dependsOn

Question

I am creating set of NSG rules with my ARM template and trying to update subnets to use these NSG rules in nested ARM template. Template deployments fails with "Another operation on this or dependent resource is in progress". I tried to use the "dependsOn" feature within the nested template but that does not do the trick. I have tried to give the NSG name and the resourceId()

"[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]",

to dependsOn without luck. Is there better way for waiting for the NSG rules to be ready before trying to update the subnets?

Template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetName": {
      "type": "string",
    },
    "subnetName": {
      "type": "string",
    }
  },
  "variables": {
    "NSGName": parameters('subnetName')
    "ResourceGroupName": "[resourceGroup().name]"
  },
  "resources": [
    {
      "apiVersion": "2017-11-01",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "[variables('NSGName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "Allow-Inbound-RDP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "192.168.0.1/24",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 4050,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "apiVersion": "2017-08-01",
      "name": "apply-nsg-to-subnet",
      "type": "Microsoft.Resources/deployments",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]"
      ],
      "properties": {
        "mode" : "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "apiVersion" : "2018-03-01",
              "type": "Microsoft.Network/virtualNetworks/subnets",
              "name": "[concat(parameters('virtualNetName'), '/', parameters('subnetName'))]",
              "properties": {
                "addressPrefix": "[reference(resourceId(variables('ResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetName'), parameters('subnetName')), '2018-03-01').addressPrefix]",
                "networkSecurityGroup": {
                  "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))]"
                }
              }
            }
          ]
        }
      }
    }
  ]
}

I believe that one NSG and one subnet update would go fine through but it does not when I did it with eight.

Answer 1

your nested deployment itself needs to depend on that ( the other nested deployment), this means that you need to add:

[resourceId('Microsoft.Network/networkSecurityGroups', variables('NSGName'))].

Inside deployment resources can NOT depend on anything outside of deployment (and since its nested everything in the parent is outside of it).