Azure / arm-template-whatif

A repository to track issues related to what-if noise suppression
MIT License

Microsoft.Web/sites #90

Open JamesDLD opened 4 years ago

JamesDLD commented 4 years ago

Describe the noise

Resource type Microsoft.Web

apiVersion 2019-08-01

Client PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template): Complete template sample is available here

        {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2019-08-01",
            "name": "[variables('functionAppName')]",
            "location": "[parameters('location')]",
            "tags": "[union(variables('additional_tags'),resourceGroup().tags)]",
            "dependsOn": [
                "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
                "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
            ],
            "kind": "functionapp",
            "properties": {
                "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
                "siteConfig": {
                    "appSettings": [
                        {
                            "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
                            "value": "[reference(variables('appInsightsResourceId'), '2018-05-01-preview').instrumentationKey]"
                        },
                        {
                            "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
                            "value": "[concat('InstrumentationKey=', reference(variables('appInsightsResourceId'), '2018-05-01-preview').instrumentationKey)]"
                        },
                        {
                            "name": "AzureWebJobsStorage",
                            "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listkeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value,';')]"
                        },
                        {
                            "name": "FUNCTIONS_EXTENSION_VERSION",
                            "value": "~3"
                        },
                        {
                            "name": "FUNCTIONS_WORKER_RUNTIME",
                            "value": "[variables('functionWorkerRuntime')]"
                        },
                        {
                            "name": "WEBSITE_NODE_DEFAULT_VERSION",
                            "value": "~12"
                        }
                    ]
                }
            }
        }

Expected response I expected no noise since the template has not been modified since the resources were deployed

Current (noisy) response

    + properties.siteConfig.appSettings: [
        0:

          name:  "APPINSIGHTS_INSTRUMENTATIONKEY"
          value: "[reference(variables('appInsightsResourceId'), '2018-05-01-preview').instrumentationKey]"

        1:

          name:  "APPLICATIONINSIGHTS_CONNECTION_STRING"
          value: "[concat('InstrumentationKey=', reference(variables('appInsightsResourceId'), '2018-05-01-preview').instrumentationKey)]"

        2:

          name:  "AzureWebJobsStorage"
          value: "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listkeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), 
'2019-06-01').keys[0].value,';')]"

        3:

          name:  "FUNCTIONS_EXTENSION_VERSION"
          value: "~3"

        4:

          name:  "FUNCTIONS_WORKER_RUNTIME"
          value: "node"

        5:

          name:  "WEBSITE_NODE_DEFAULT_VERSION"
          value: "~12"

      ]
    + properties.siteConfig.http20Enabled:       true
    + properties.siteConfig.localMySqlEnabled:   false
    + properties.siteConfig.netFrameworkVersion: "v4.6"

Additional context Thank you for this feature, I was a fan of Terraform so I really appreciate the work done here.

alex-frankel commented 4 years ago

FWIW, on Create, I am seeing that siteConfig gets marked correctly as a secret:

image

shenglol commented 4 years ago

We have marked properties.siteConfig as a secret property in custom metadata, but somehow the generated metadata does not pick up all child properties of properties.siteConfig declared in Swagger. Will need @majastrz to help understand if it's a metadata generator related issue.

shenglol commented 4 years ago

This turned out to be a provider bug. Most of the child properties of siteConfig are not secret at all, such as http20Enabled, but upon GET the web RP returns siteConfig with all child properties set to null: image.

I have annotated all the actual secret properties in our metadata, but we are still waiting for the web RP team to fix the siteConfig property to not mask non-secret child properties.

floriankoch commented 3 years ago

This Noise still exists, any ETA for this?

PabloJomer commented 3 years ago

We have this issue; it would be great to know when it will be fixed.

alex-frankel commented 3 years ago

Today, the web RP returns this info only behind a query string in the GET request. Currently in what-if, we do not have a way to add the query string and as a result get this more limited GET response.

Options for fixing:

  1. return the "full" payload w/o the query string -- this is a very big change since it would lead to a bigger response for a very popular API
  2. figure out a way to add the query string in the what-if GET request for this specific resource (and potentially a framework to do it for others)

2 is the more realistic option, but we do not have this work scheduled atm, so there is no current ETA for when we can get this resolved.

cc @seligj95 / @shenglol as FYI in case I got any of this wrong.

seligj95 commented 3 years ago

@alex-frankel A GET on Microsoft.Web/sites won't reveal the config object, this is a limitation of the RP. I'm working with our Azure Resource Graph engineering team to be able to use ARG to query the config object directly. This functionality is expected to be released later this year.

AllainPL commented 2 years ago

@seligj95 @majastrz is there some ETA for this :) we are using bicep quite extensively and we would love to add some reliable checks based on the whatif. Currently we have an ugly json file with params to be skipped during checks but this can be error prone :(
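
The skip-list check mentioned in the last comment can be kept narrow so it hides only the noise reported in this issue. The following is an added example, not code from the thread or from the what-if project. It assumes the what-if result is available as JSON in the REST API shape (`changes` → `delta` → `path` / `propertyChangeType`); the names `NOISE`, `resource_type` and `triage` and the sample data are hypothetical.

```python
# Known-noisy paths from this issue: the GET on Microsoft.Web/sites returns the
# siteConfig children as null, so what-if reports each of them as a Create.
NOISE = {
    "microsoft.web/sites": {
        "properties.siteConfig.appSettings",
        "properties.siteConfig.http20Enabled",
        "properties.siteConfig.localMySqlEnabled",
        "properties.siteConfig.netFrameworkVersion",
    }
}

def resource_type(resource_id):
    """Return the lower-cased 'namespace/type[/childType]' of an ARM resource ID."""
    tail = resource_id.lower().split("/providers/")[-1].split("/")
    return "/".join([tail[0]] + tail[1::2])  # tail = [namespace, type, name, ...]

def triage(what_if):
    """Split changes into (real, suppressed) lists of (resourceId, path, kind)."""
    real, suppressed = [], []
    for change in what_if.get("changes", []):
        rid, kind = change["resourceId"], change.get("changeType")
        if kind != "Modify":  # whole-resource Create/Delete/Deploy is never noise
            if kind not in ("NoChange", "Ignore"):
                real.append((rid, "", kind))
            continue
        known = NOISE.get(resource_type(rid), set())
        for prop in change.get("delta") or []:
            item = (rid, prop["path"], prop["propertyChangeType"])
            # Suppress only the exact path with the Create signature, nothing broader.
            noisy = prop["path"] in known and prop["propertyChangeType"] == "Create"
            (suppressed if noisy else real).append(item)
    return real, suppressed

# Constructed sample (not real output): four noise entries plus one real change.
SITE = "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Web/sites/func-demo"
SAMPLE = {"changes": [{
    "resourceId": SITE, "changeType": "Modify",
    "delta": [{"path": p, "propertyChangeType": "Create"}
              for p in sorted(NOISE["microsoft.web/sites"])]
             + [{"path": "properties.httpsOnly", "propertyChangeType": "Modify",
                 "before": True, "after": False}],
}]}

if __name__ == "__main__":
    real, suppressed = triage(SAMPLE)
    for rid, path, kind in real:
        print(f"REAL CHANGE: {kind} {path} on {rid}")
    print(f"{len(suppressed)} known-noisy entries suppressed; review them by hand")
    raise SystemExit(1 if real else 0)
```

Because the provider returns the siteConfig children as null, a genuine edit to `appSettings` is reported the same way as the noise, so the suppressed list is returned for review rather than discarded.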