Describe the bug
When creating a storage account without `--https-only`, the command will fail if the built-in Azure policy "Secure transfer to storage accounts should be enabled" is enabled.

Expected behavior
The policy shouldn't be triggered, as the Storage Resource Provider will set it to `true` on the server's side since API 2019-04-01.
https://github.com/Azure/azure-cli/blob/1174a3350fad3f308688fd37c9dacf12b7afa044/src/azure-cli/azure/cli/command_modules/storage/_params.py#L172-L173

Root Cause
If `--https-only` isn't provided, the REST request body sent by Azure CLI doesn't have the `supportsHttpsTrafficOnly` property. The request is denied by the policy before reaching the Storage Resource Provider.

Possible solutions
Any of these:

REST spec: Add `"default": true` to the Storage REST spec:

```json
"supportsHttpsTrafficOnly": {
  "type": "boolean",
  "x-ms-client-name": "EnableHttpsTrafficOnly",
  "description": "Allows https traffic only to storage service if sets to true."
},
```

This is what the Key Vault REST spec does:

```json
"enableSoftDelete": {
  "type": "boolean",
  "default": true,
  "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once it's been set to true value, it can NOT be reverted to false."
},
```

This will make the Python SDK have `enable_https_traffic_only: bool = True`, thus sending `"supportsHttpsTrafficOnly": true` to ARM. The request will go through the policy.

Azure CLI: Set `enable_https_traffic_only` to `True` if `https_only` is `None` and the API version is 2019-04-01 or newer:
https://github.com/Azure/azure-cli/blob/1174a3350fad3f308688fd37c9dacf12b7afa044/src/azure-cli/azure/cli/command_modules/storage/operations/account.py#L47-L48

ARM Resource Provider: Apply server-side default values before evaluating the policy.
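The following is an added example, not code from the Azure CLI project or from this issue, that models the client-side fix proposed under "Azure CLI" and shows why the missing property trips the policy. The request-body shape (a top-level `properties` dict carrying `supportsHttpsTrafficOnly`), the sample account values, and the policy check (deny unless the property is present and `true`, the root cause the issue describes) are simplifications assumed for this illustration; `resolve_https_only`, `build_create_body` and `secure_transfer_policy_allows` are names chosen here, not Azure CLI functions.

```python
"""Added example (not Azure CLI code): model the https_only default and the
policy check described in the issue. Body shape and policy logic are assumed
simplifications for illustration."""
from datetime import date
from typing import Any, Dict, Optional

# First Storage API version where the Resource Provider defaults
# supportsHttpsTrafficOnly to true on the server side (stated in the issue).
HTTPS_DEFAULT_API_VERSION = "2019-04-01"


def _parse_api_version(api_version: str) -> date:
    """Parse an ARM api-version such as '2019-04-01' into a date.
    A '-preview' suffix is dropped so previews compare by their base date."""
    base = api_version.split("-preview")[0]
    year, month, day = (int(part) for part in base.split("-")[:3])
    return date(year, month, day)


def resolve_https_only(https_only: Optional[bool], api_version: str) -> Optional[bool]:
    """Mirror the proposed Azure CLI fix: when the caller did not pass
    --https-only (None), fill in True for API 2019-04-01 and newer.
    An explicit True/False from the caller is never overridden."""
    if https_only is None and _parse_api_version(api_version) >= _parse_api_version(
        HTTPS_DEFAULT_API_VERSION
    ):
        return True
    return https_only


def build_create_body(https_only: Optional[bool], api_version: str, apply_fix: bool) -> Dict[str, Any]:
    """Build a simplified (assumed) ARM request body for a storage account create.
    With apply_fix=False this reproduces the bug: None means the property is omitted."""
    value = resolve_https_only(https_only, api_version) if apply_fix else https_only
    body: Dict[str, Any] = {
        "location": "westus",              # constructed sample values
        "sku": {"name": "Standard_LRS"},
        "kind": "StorageV2",
        "properties": {},
    }
    if value is not None:
        body["properties"]["supportsHttpsTrafficOnly"] = value
    return body


def secure_transfer_policy_allows(body: Dict[str, Any]) -> bool:
    """Simplified model of 'Secure transfer to storage accounts should be enabled':
    the request is allowed only if supportsHttpsTrafficOnly is present and true.
    A missing property is denied, which is the root cause in the issue: policy
    runs on the request body, before the RP applies its server-side default."""
    return body.get("properties", {}).get("supportsHttpsTrafficOnly") is True


if __name__ == "__main__":
    for label, fix in (("before fix", False), ("after fix", True)):
        body = build_create_body(None, "2019-04-01", apply_fix=fix)
        print(f"{label}: properties={body['properties']} "
              f"allowed={secure_transfer_policy_allows(body)}")
```

Running the block shows the two cases side by side: without the fix the `properties` object is empty and the simulated policy denies the request; with the fix the body carries `"supportsHttpsTrafficOnly": true` and passes. The version comparison is done on parsed dates rather than string comparison so that an explicit `--https-only false` on a new API version is still honoured and an older API version is left unchanged.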