Azure / Enterprise-Scale-for-AKS

Enterprise Scale for AKS Reference Implementation Repo
MIT License

[BUG] Hardcoded subscription id in Parameters file. #90

Open lastcoolnameleft opened 3 years ago

lastcoolnameleft commented 3 years ago

In the step: https://github.com/Azure/Enterprise-Scale-for-AKS/blob/main/Scenarios/AKS-Secure-Baseline-PrivateCluster/ARM/03-Setup-supporting-components.md

There is a hardcoded value for the subscription in:

https://github.com/Azure/Enterprise-Scale-for-AKS/blob/main/Scenarios/AKS-Secure-Baseline-PrivateCluster/ARM/Infrastructure-Deployment/Supporting-components/Parameters/aks-eslz-containerregistry.parameters.json#L24

To Reproduce

Steps to reproduce the behavior:

# az deployment group create --name ACR --resource-group $SUPPORTING_RESOURCEGROUP --template-file ../Templates/aks-eslz-containerregistry.template.json --parameters @aks-eslz-containerregistry.parameters.json

(DeploymentFailed) At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.                                     [1m-25.5s]

If you look at the deployment, this is the error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"LinkedAuthorizationFailed","message":"The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/join/action' on scope '/subscriptions/df8428d4-bc25-4601-b458-1c8533ceec0b/resourcegroups/aks-eslz-arm/providers/Microsoft.Network/privateEndpoints/acr-pe', however the current tenant '72f988bf-86f1-41af-91ab-2d7cd011db47' is not authorized to access linked subscription '82e70289-bf40-45f9-8476-eab93d2031f4'."}]}

Expected behavior

If I replaced 82e70289-bf40-45f9-8476-eab93d2031f4 with my subscription, it works.

lastcoolnameleft commented 3 years ago

I tried using "value": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/aks-eslz-arm/providers/Microsoft.Network/virtualNetworks/vnet_spoke_arm/subnets/privateEndpointSubnet')]" but I got the following error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"LinkedInvalidPropertyId","message":"Property id '[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/aks-eslz-arm/providers/Microsoft.Network/virtualNetworks/vnet_spoke_arm/subnets/privateEndpointSubnet')]' at path 'properties.subnet.id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'."}]}

lastcoolnameleft commented 3 years ago

This issue is also present in https://github.com/Azure/Enterprise-Scale-for-AKS/blob/main/Scenarios/AKS-Secure-Baseline-PrivateCluster/ARM/04-Setup-Addons-and-AKS.md

The following file has a hardcoded subscription: https://github.com/Azure/Enterprise-Scale-for-AKS/blob/main/Scenarios/AKS-Secure-Baseline-PrivateCluster/ARM/AKS-Deployment/aks-eslz-aks.parameters.json#L41
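
Added example, not part of the thread or the project's code: a pre-deployment check that walks an ARM parameters file, flags resource IDs pinned to a subscription other than the one being deployed to, and flags template expressions, which the second error above shows are passed through as literal strings. The parameter names and `MY_SUB` are constructed; the subscription ID and resource path are the ones quoted in the issue.

```python
import json
import re

# Matches the subscription segment of a fully qualified Azure resource ID.
SUB_ID = re.compile(r"/subscriptions/([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")

# Constructed sample; parameter names are hypothetical, IDs are those quoted in the issue.
SAMPLE = {
    "parameters": {
        "subnetId": {"value": "/subscriptions/82e70289-bf40-45f9-8476-eab93d2031f4"
                     "/resourceGroups/aks-eslz-arm/providers/Microsoft.Network"
                     "/virtualNetworks/vnet_spoke_arm/subnets/privateEndpointSubnet"},
        "subnetIdExpr": {"value": "[concat('/subscriptions/', subscription().subscriptionId, "
                         "'/resourceGroups/aks-eslz-arm')]"},
    }
}
MY_SUB = "00000000-0000-0000-0000-000000000001"  # constructed placeholder


def walk(node, path="$"):
    """Yield (json_path, value) for every string in the parsed parameters file."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def audit(params, expected_sub):
    """Return (json_path, kind, detail) findings for a parameters document."""
    findings = []
    for path, value in walk(params):
        # Expressions are only evaluated in templates, not in parameter files.
        if value.startswith("[") and value.endswith("]") and not value.startswith("[["):
            findings.append((path, "template-expression", value))
        for sub in SUB_ID.findall(value):
            if sub.lower() != expected_sub.lower():
                findings.append((path, "foreign-subscription", sub))
    return findings


def retarget(params, expected_sub):
    """Return a copy with every /subscriptions/<guid> segment set to expected_sub."""
    text = SUB_ID.sub(f"/subscriptions/{expected_sub}", json.dumps(params))
    return json.loads(text)
```

In a pipeline, `expected_sub` would come from `az account show --query id -o tsv`, and a non-empty `audit()` result would fail the run before `az deployment group create` is invoked.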