Azure / azure-cli

Azure Command-Line Interface
MIT License

Azure Resource Manager not respecting dependencies for role assignments #20050

Open warrantor opened 2 years ago

warrantor commented 2 years ago

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az deployment group create

Errors:

    {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"NotFound","message":"{\r\n  \"error\": {\r\n    \"code\": \"ResourceNotFound\",\r\n    \"message\": \"The Resource 'Microsoft.Web/sites/func-dev-we-test' under resource group 'rg-dev-we' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix\"\r\n  }\r\n}"}]}}

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

Function app deployment successfully completes before role assignment starts.

Environment Summary

macOS-11.6-x86_64-i386-64bit, Darwin 20.6.0
Python 3.9.7
Installer: HOMEBREW

azure-cli 2.29.1

Extensions:
azure-devops 0.20.0

Additional Context

When doing this with appsettings or when adding a secret to a keyvault with this kind of setup, Azure Resource Manager respects the dependency. When trying this for role assignments, the ARM immediately tries to assign the role, while the resource deployment is still busy.

The template spec outputs the object ID of the function app. If we change the template to use this output variable in properties.principalId:

    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-08-01-preview",
      "name": "[guid(variables('func_name'), '4633458b-17de-408a-b874-0445c86b69e6')]",
      "properties": {
        "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('func_name')), '2021-02-01', 'full').identity.principalId]",
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')]"
      ]
    }

becomes:

    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-08-01-preview",
      "name": "[guid(variables('func_name'), '4633458b-17de-408a-b874-0445c86b69e6')]",
      "properties": {
        "principalId": "[reference(resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')).outputs.objectId.value]",
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')]"
      ]
    }

The Azure Resource Manager respects the dependency.
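
A pre-deployment check for the pattern reported above, as an added example that is not part of the original issue or of azure-cli: it flags role assignments whose `principalId` calls `reference()` on a resource type that the template does not declare itself (here, a site created inside the nested deployment). The function names, the trimmed sample template and the `func-role` name are constructed for illustration, and the rule is a heuristic drawn from the two variants in the issue, not documented ARM behaviour.

```python
import re

# Captures the resource type in reference(resourceId('<type>', ...)).
REF_RE = re.compile(r"reference\(\s*resourceId\(\s*'([^']+)'", re.IGNORECASE)
ROLE_ASSIGNMENT = "microsoft.authorization/roleassignments"


def find_unanchored_principals(template):
    """Return (assignment name, referenced type) pairs where principalId is
    read from a resource type that the template itself does not declare."""
    resources = template.get("resources", [])
    declared = {r["type"].lower() for r in resources}
    findings = []
    for res in resources:
        if res["type"].lower() != ROLE_ASSIGNMENT:
            continue
        principal = res.get("properties", {}).get("principalId", "")
        for ref_type in REF_RE.findall(principal):
            if ref_type.lower() not in declared:
                findings.append((res["name"], ref_type))
    return findings


def sample_template(principal_expr):
    """Constructed, trimmed version of the template shown in the issue."""
    dep = "[resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')]"
    return {"resources": [
        {"type": "Microsoft.Resources/deployments", "name": "functionapp_deploy"},
        {"type": "Microsoft.Authorization/roleAssignments",
         "name": "func-role",  # placeholder name for this sample
         "properties": {"principalId": principal_expr},
         "dependsOn": [dep]},
    ]}


# The two principalId expressions from the issue: the first fails, the second works.
FAILING = ("[reference(resourceId('Microsoft.Web/sites', variables('func_name')),"
           " '2021-02-01', 'full').identity.principalId]")
WORKING = ("[reference(resourceId('Microsoft.Resources/deployments',"
           " 'functionapp_deploy')).outputs.objectId.value]")

if __name__ == "__main__":
    for label, expr in (("failing", FAILING), ("working", WORKING)):
        print(label, find_unanchored_principals(sample_template(expr)))
```

Run against a real template with `json.load()` before `az deployment group create`; a non-empty result points at assignments to rewrite so they read the principal from the nested deployment's outputs.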

yonzhan commented 2 years ago

ARM

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @armleads-azure.

Issue Details

### **This is autogenerated. Please review and update as needed.**

## Describe the bug

**Command Name**
`az deployment group create`

**Errors:**
```
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"NotFound","message":"{\r\n \"error\": {\r\n \"code\": \"ResourceNotFound\",\r\n \"message\": \"The Resource 'Microsoft.Web/sites/func-dev-we-test' under resource group 'rg-dev-we' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix\"\r\n }\r\n}"}]}}
```

## To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

- _Put any pre-requisite steps here..._
- `az deployment group create -g {} --template-file {}`
- template:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "functions": [],
  "variables": {
    "location": "[resourceGroup().location]",
    "func_name": "func-dev-we-test"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "functionapp_deploy",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "id": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, 'rg-dev-templateSpecs-we'), 'Microsoft.Resources/templateSpecs/versions', 'ts-dev-functionApp', '1.0')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "functionAppName": { "value": "[variables('func_name')]" },
          "storageAccountName": { "value": "stdevwefuntest" },
          "storageAccountType": { "value": "Standard_LRS" },
          "location": { "value": "[variables('location')]" },
          "appInsightsInstrumentationKey": { "value": "" },
          "hostingPlanName": { "value": "plan-dev-we-func-test" },
          "runtime": { "value": "dotnet" },
          "keyvaultName": { "value": "" }
        }
      }
    },
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2021-02-01",
      "name": "[format('{0}/{1}', variables('func_name'), 'appsettings')]",
      "properties": {
        "AppSettingsOne": "Foo_Bar"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')]"
      ]
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-08-01-preview",
      "name": "[guid(variables('func_name'), '4633458b-17de-408a-b874-0445c86b69e6')]",
      "properties": {
        "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('func_name')), '2021-02-01', 'full').identity.principalId]",
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')]"
      ]
    }
  ]
}
```

## Expected Behavior

Function app deployment successfully completes before role assignment starts.

## Environment Summary

```
macOS-11.6-x86_64-i386-64bit, Darwin 20.6.0
Python 3.9.7
Installer: HOMEBREW

azure-cli 2.29.1

Extensions:
azure-devops 0.20.0
```

## Additional Context

When doing this with appsettings or when adding a secret to a keyvault with this kind of setup, Azure Resource Manager respects the dependency. When trying this for role assignments, the ARM immediately tries to assign the role, while the resource deployment is still busy.

The template spec outputs the object ID of the function app. If we change the template to use this output variable in `properties.principalId`:

```json
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2020-08-01-preview",
  "name": "[guid(variables('func_name'), '4633458b-17de-408a-b874-0445c86b69e6')]",
  "properties": {
    "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('func_name')), '2021-02-01', 'full').identity.principalId]",
    "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')]"
  ]
}
```

becomes:

```json
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2020-08-01-preview",
  "name": "[guid(variables('func_name'), '4633458b-17de-408a-b874-0445c86b69e6')]",
  "properties": {
    "principalId": "[reference(resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')).outputs.objectId.value]",
    "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Resources/deployments', 'functionapp_deploy')]"
  ]
}
```

The Azure Resource Manager respects the dependency.

Author: warrantor
Assignees: zhoxing-ms
Labels: `Service Attention`, `ARM`, `customer-reported`
Milestone: Backlog

SaurabhSharma-MSFT commented 2 years ago

@armleads-azure Do you have any updates on this issue?