1# Durable Task Scheduler — Bicep Patterns
2 
3Bicep templates for provisioning the Durable Task Scheduler, task hubs, and RBAC role assignments.
4 
5## Scheduler + Task Hub
6 
7```bicep
8// Parameters — define these at file level or pass from a parent module
9param schedulerName string
10param location string = resourceGroup().location
11 
12@allowed(['Consumption', 'Dedicated'])
13@description('Use Consumption for quickstarts/variable workloads, Dedicated for high-demand/predictable throughput')
14param skuName string = 'Consumption'
15 
16resource scheduler 'Microsoft.DurableTask/schedulers@2025-11-01' = {
17  name: schedulerName
18  location: location
19  properties: {
20    sku: { name: skuName }
21    ipAllowlist: ['0.0.0.0/0'] // Required: empty list denies all traffic
22  }
23}
24 
25resource taskHub 'Microsoft.DurableTask/schedulers/taskHubs@2025-11-01' = {
26  parent: scheduler
27  name: 'default'
28}
29```
30 
31## SKU Selection
32 
33| SKU | Best For |
34|-----|----------|
35| **Consumption** | quickstarts, variable or bursty workloads, pay-per-use |
36| **Dedicated** | High-demand workloads, predictable throughput requirements |
37 
38> **💡 TIP**: Start with `Consumption` for development and variable workloads. Switch to `Dedicated` when you need consistent, high-throughput performance.
39 
40> **⚠️ WARNING**: The scheduler's `ipAllowlist` **must** include at least one entry (e.g., `['0.0.0.0/0']` for allow-all). An empty array `[]` denies **all** traffic, causing 403 errors on gRPC calls even with correct RBAC.
41 
42## RBAC — Durable Task Data Contributor
43 
44The Function App's managed identity **must** have the `Durable Task Data Contributor` role on the scheduler resource. Without it, the app receives **403 PermissionDenied** on gRPC calls.
45 
46```bicep
47// Assumes the UAMI principal ID is passed from the base template's identity module
48param functionAppPrincipalId string
49 
50var durableTaskDataContributorRoleId = '0ad04412-c4d5-4796-b79c-f76d14c8d402'
51 
52resource durableTaskRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
53  name: guid(scheduler.id, functionAppPrincipalId, durableTaskDataContributorRoleId)
54  scope: scheduler
55  properties: {
56    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', durableTaskDataContributorRoleId)
57    principalId: functionAppPrincipalId
58    principalType: 'ServicePrincipal'
59  }
60}
61```
62 
63## RBAC — Dashboard Access for Developers
64 
65To allow developers to view orchestration status and history in the [DTS dashboard](https://portal.azure.com), assign the same `Durable Task Data Contributor` role to the deploying user's identity. Without this, the dashboard returns **403 Forbidden**.
66 
67```bicep
68// Accept the deploying user's principal ID (azd auto-populates this from AZURE_PRINCIPAL_ID)
69param principalId string = ''
70 
71resource dashboardRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(principalId)) {
72  name: guid(scheduler.id, principalId, durableTaskDataContributorRoleId)
73  scope: scheduler
74  properties: {
75    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', durableTaskDataContributorRoleId)
76    principalId: principalId
77    principalType: 'User'
78  }
79}
80```
81 
82> **💡 TIP**: This is the same role used for the Function App's managed identity, but assigned with `principalType: 'User'` to the developer. See the [sample repo](https://github.com/Azure-Samples/Durable-Task-Scheduler/blob/main/samples/infra/main.bicep) for a full example.
83 
84## Connection String App Setting
85 
86Include these entries in the Function App resource's `siteConfig.appSettings` array:
87 
88```bicep
89// UAMI client ID from base template identity module - REQUIRED for UAMI auth
90param uamiClientId string
91 
92{
93  name: 'DURABLE_TASK_SCHEDULER_CONNECTION_STRING'
94  value: 'Endpoint=${scheduler.properties.endpoint};TaskHub=${taskHub.name};Authentication=ManagedIdentity;ClientID=${uamiClientId}'
95}
96```
97 
98> **⚠️ IMPORTANT**: The base templates use User Assigned Managed Identity (UAMI). You **must** include `ClientID=<uami-client-id>` in the connection string. Without it, the Durable Task SDK cannot resolve the correct identity.
99 
100> **⚠️ WARNING**: Always use `scheduler.properties.endpoint` to get the scheduler URL. Do **not** construct it manually — the endpoint includes a hash suffix and region (e.g., `https://myscheduler-abc123.westus2.durabletask.io`).
101 
102## Provision via CLI
103 
104> **💡 TIP**: When hosting Durable Functions, use a **Flex Consumption** plan (`FC1` SKU) rather than the legacy Consumption plan (`Y1`). Flex Consumption supports identity-based storage connections natively and handles deployment artifacts correctly.
105 
106```bash
107# Install the durabletask CLI extension (if not already installed)
108az extension add --name durabletask
109 
110# Create scheduler (consumption SKU for getting started)
111az durabletask scheduler create \
112    --resource-group myResourceGroup \
113    --name my-scheduler \
114    --location eastus \
115    --sku consumption
116```
117