Azure / acr

Azure Container Registry samples, troubleshooting tips and references
https://aka.ms/acr

Cannot deploy scope-maps with bicep/arm when having more than one "folder" in the hierarchy #639

Closed chriswue closed 1 year ago

chriswue commented 2 years ago

Describe the bug

Bicep/arm deployment for this fails:

```bicep
resource scope_map 'Microsoft.ContainerRegistry/registries/scopeMaps@2022-02-01-preview' = {
  name: 'myMap'
  parent: my_container_registry
  properties: {
    actions: [
      'some/complex/repo/content/read'
    ]
    description: ''
  }
}
```

Fails with

```text
Scope map action: 'some/complex/repo/content/read' is invalid or not supported.
Supported format is <resource type>/<resource name>/<resource action>,
all characters should be in lowercase. Please refer to the ACR Scopemap
documentation at https://aka.ms/acr/repo-permissions to find the supported resources and actions.
```

However it works on the Azure CLI and the permissions and tokens attached work perfectly:

```shell
az acr scope-map create --name myMap --registry my_container_registry --repository some/complex/repo content/read
```

You can also do this through the Azure Portal and it works.

When writing a new API there is no valid excuse for making it based around string parsing that adds weird additional restrictions and assumptions that are completely beside the point. The ARM API should be like this:

```bicep
resource scope_map 'Microsoft.ContainerRegistry/registries/scopeMaps@2022-02-01-preview' = {
  name: 'myMap'
  parent: my_container_registry
  properties: {
    actions: [
      {
        repo: 'some/complex/repo'
        permission: 'content/read'
      }
    ]
    description: ''
  }
}
```

There is never ever a valid reason when writing a new API from scratch to make it about string parsing when you are in control of all the components. Full stop.

Now I have to go and write a shell script to deploy this.

cegraybl commented 2 years ago

@chriswue we can analyze the API for future changes, but can you elaborate more on the bug that you are hitting? I'm currently deploying a scope map with the following actions via ARM and Bicep, but I cannot hit the issue that you are seeing:

```text
repositories/redis/with/some/long/path/content/read
repositories/redis/neque/porro/quisquam/est/qui/dolorem/ipsum/quia/dolor/sit/amet/consectetur/adipisci/velit/content/read
```

Can you provide more context on how you hit the issue?

chriswue commented 2 years ago

@cegraybl sorry for the delay on this, will circle back to this soon-ish

terencet-dev commented 1 year ago

@chriswue, do you have any updates for this item or are we able to close this issue?

chriswue commented 1 year ago

@terencet-dev @cegraybl

Bicep:

```bicep
resource container_registry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
  name: 'testcr${uniqueString('scope-mapbug-test')}'
  location: resourceGroup().location
  sku: {
    name: 'Premium'
  }
  properties: {
    adminUserEnabled: false
    dataEndpointEnabled: true
    publicNetworkAccess: 'Enabled'
    networkRuleBypassOptions: 'AzureServices'
    zoneRedundancy: 'Disabled'
  }
}

resource testScopeMap 'Microsoft.ContainerRegistry/registries/scopeMaps@2022-02-01-preview' = {
  name: 'testscope'
  parent: container_registry
  properties: {
    actions: [
      'area/application/component1/content/read'
      'area/application/component2/content/read'
    ]
  }
}
```

Save it as container-registry.bicep

Run

```shell
az deployment group create -g SOME-RESOURCE-GROUP --template-file container-registry.bicep
```

Output:

```json
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n  \"error\": {\r\n    \"code\": \"InvalidScopeMapAction\",\r\n    \"message\": \"Scope map action: 'area/application/component1/content/read' is invalid or not supported. Supported format is <resource type>/<resource name>/<resource action>, all characters should be in lowercase. Please refer to the ACR Scopemap documentation at https://aka.ms/acr/repo-permissions to find the supported resources and actions.\"\r\n  },\r\n  \"status\": \"Failed\"\r\n}"}]}}
```

chriswue commented 1 year ago

Any progress on this?

cegraybl commented 1 year ago

@chriswue sorry for the delays with this. I took a look at your template, and got it working by adding repositories/ to each action:

```bicep
resource testScopeMap 'Microsoft.ContainerRegistry/registries/scopeMaps@2022-02-01-preview' = {
  name: 'testscope'
  parent: container_registry
  properties: {
    actions: [
      'repositories/area/application/component1/content/read'
      'repositories/area/application/component2/content/read'
    ]
  }
}
```

I got this from exporting an ARM template from an existing registry with tokens and scope maps, but I'm wondering if you got this from following a doc (that we need to update)

cegraybl commented 1 year ago

Did a search but couldn't find specific documentation on this, so it might be an issue of creating it to specify what is needed on the template.

chriswue commented 1 year ago

Hm, indeed - double checking the bicep documentation for scopeMaps does include the repositories prefix. I suppose it wasn't entirely clear to me what the significance was. The ARM error message also wasn't the most helpful.
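A pre-flight check for the action format the ARM error names (`<resource type>/<resource name>/<resource action>`, all lowercase, with the `repositories/` prefix that fixed the template), added here as an example and not code from the Azure/acr project. It assumes the repository-scoped actions are `content/*` and `metadata/*` and that a repository path segment is lowercase alphanumerics plus `.`, `_` and `-`; the sample actions are the ones from this thread plus a constructed typo.

```python
import re

# Repository-scoped actions ACR scope maps accept; the thread only exercises content/read.
REPO_ACTIONS = {"content/read", "content/write", "content/delete",
                "metadata/read", "metadata/write"}
# Assumption: a repository path segment is lowercase alphanumerics plus '.', '_' and '-'.
SEGMENT_RE = re.compile(r"^[a-z0-9._-]+$")

def parse_scope_map_action(action: str) -> dict:
    """Split into the <resource type>/<resource name>/<resource action> triple from the ARM
    error; the name is a nested repo path that may contain '/', so take first and last two."""
    if action != action.lower():
        raise ValueError(f"{action!r}: all characters must be lowercase")
    parts = action.split("/")
    if len(parts) < 4:
        raise ValueError(f"{action!r}: need <type>/<name>/<verb>/<op>, got {len(parts)} segments")
    resource_type, name_parts, resource_action = parts[0], parts[1:-2], "/".join(parts[-2:])
    if resource_type != "repositories":
        raise ValueError(f"{action!r}: resource type must be 'repositories', got {resource_type!r}")
    if resource_action not in REPO_ACTIONS:
        raise ValueError(f"{action!r}: unsupported resource action {resource_action!r}")
    bad = [s for s in name_parts if not SEGMENT_RE.match(s)]
    if bad:
        raise ValueError(f"{action!r}: invalid repository path segment(s) {bad}")
    return {"type": resource_type, "name": "/".join(name_parts), "action": resource_action}

def suggest_fix(action: str):
    """Fixed string when only the 'repositories/' prefix is missing (this thread's bug), else None."""
    candidate = "repositories/" + action
    try:
        parse_scope_map_action(candidate)
    except ValueError:
        return None
    return candidate

def lint_actions(actions: list) -> dict:
    """Pre-flight check of a scopeMaps 'actions' array: invalid action -> suggested fix or None."""
    problems = {}
    for action in actions:
        try:
            parse_scope_map_action(action)
        except ValueError:
            problems[action] = suggest_fix(action)
    return problems

if __name__ == "__main__":  # constructed input: the thread's failing action, a fixed one, a typo
    sample = ["area/application/component1/content/read", "repositories/area/application/component2/content/read",
              "repositories/area/application/component1/contents/read"]
    for action, fix in lint_actions(sample).items():
        print(f"{action}: {'try ' + fix if fix else 'no simple fix'}")
```

Run it over the `actions` array before `az deployment group create` to catch the `InvalidScopeMapAction` rejection locally instead of after a failed deployment.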