Azure / azure-cli

Azure Command-Line Interface
MIT License

az cosmosdb update unable to remove all virtual network rules #23290

Open t-bzhan opened 2 years ago

t-bzhan commented 2 years ago

Describe the bug

az cosmosdb update seems to not be able to remove all the virtual network rules.

Command Name az cosmosdb update

Errors:

cli.azure.cli.core.azclierror: (LinkedInvalidPropertyId) Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
Code: LinkedInvalidPropertyId
Message: Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
az_command_data_logger: (LinkedInvalidPropertyId) Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
Code: LinkedInvalidPropertyId
Message: Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

The virtual network rules should be removed.

Environment Summary

Windows-10-10.0.19044-SP0
Python 3.10.3
Installer: MSI

azure-cli 2.35.0 *

Extensions:
alias 0.5.2
application-insights 0.1.14
azure-devops 0.25.0
front-door 1.0.16
virtual-wan 0.2.11

Dependencies:
msal 1.17.0
azure-mgmt-resource 20.0.0

Additional Context

Debug output

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/27cafca8-b9a4-4264-b399-45d0c9cca1ab/resourceGroups/bo-private/providers/Microsoft.DocumentDB/databaseAccounts/nwisolation-demo?api-version=2021-10-15'
cli.azure.cli.core.sdk.policies: Request method: 'PATCH'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '148'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6b57493a-08d4-11ed-83d6-c8d9d2133ae1'
cli.azure.cli.core.sdk.policies:     'CommandName': 'cosmosdb update'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-n -g --enable-public-network --enable-virtual-network --virtual-network-rules --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.35.0 (MSI) azsdk-python-mgmt-cosmosdb/7.0.0b2 Python/3.10.3 (Windows-10-10.0.19044-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"isVirtualNetworkFilterEnabled": false, "virtualNetworkRules": [{"id": ""}], "publicNetworkAccess": "Enabled", "apiProperties": {}}}
urllib3.connectionpool: https://management.azure.com:443 "PATCH /subscriptions/27cafca8-b9a4-4264-b399-45d0c9cca1ab/resourceGroups/bo-private/providers/Microsoft.DocumentDB/databaseAccounts/nwisolation-demo?api-version=2021-10-15 HTTP/1.1" 400 261
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'a002313c-3e61-4b1a-b58b-7bd873de9719'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'a002313c-3e61-4b1a-b58b-7bd873de9719'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'SOUTHEASTASIA:20220721T090636Z:a002313c-3e61-4b1a-b58b-7bd873de9719'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 21 Jul 2022 09:06:35 GMT'
cli.azure.cli.core.sdk.policies:     'Content-Length': '261'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"LinkedInvalidPropertyId","message":"Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'."}}
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 658, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 692, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/cosmosdb/custom.py", line 446, in cli_cosmosdb_update
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/cosmosdb/operations/_database_accounts_operations.py", line 197, in begin_update
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/cosmosdb/operations/_database_accounts_operations.py", line 153, in _update_initial
azure.core.exceptions.HttpResponseError: (LinkedInvalidPropertyId) Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
Code: LinkedInvalidPropertyId
Message: Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.

cli.azure.cli.core.azclierror: (LinkedInvalidPropertyId) Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
Code: LinkedInvalidPropertyId
Message: Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
az_command_data_logger: (LinkedInvalidPropertyId) Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
Code: LinkedInvalidPropertyId
Message: Property id '' at path 'properties.virtualNetworkRules[0].id' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0416B2B0>]

I also tried az cosmosdb update -n nwisolation-demo -g bo-private --enable-public-network true --enable-virtual-network false --debug

It fails with another error:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/27cafca8-b9a4-4264-b399-45d0c9cca1ab/resourceGroups/bo-private/providers/Microsoft.DocumentDB/databaseAccounts/nwisolation-demo?api-version=2021-10-15'
cli.azure.cli.core.sdk.policies: Request method: 'PATCH'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '111'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'ac8c5b43-08d4-11ed-be93-c8d9d2133ae1'
cli.azure.cli.core.sdk.policies:     'CommandName': 'cosmosdb update'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-n -g --enable-public-network --enable-virtual-network --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.35.0 (MSI) azsdk-python-mgmt-cosmosdb/7.0.0b2 Python/3.10.3 (Windows-10-10.0.19044-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"isVirtualNetworkFilterEnabled": false, "publicNetworkAccess": "Enabled", "apiProperties": {}}}
urllib3.connectionpool: https://management.azure.com:443 "PATCH /subscriptions/27cafca8-b9a4-4264-b399-45d0c9cca1ab/resourceGroups/bo-private/providers/Microsoft.DocumentDB/databaseAccounts/nwisolation-demo?api-version=2021-10-15 HTTP/1.1" 400 212
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-store, no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '212'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'x-ms-gatewayversion': 'version=2.14.0'
cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-HTTPAPI/2.0'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1199'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'f2182a29-3a73-4444-9fdb-3132f534ed7f'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'f2182a29-3a73-4444-9fdb-3132f534ed7f'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'SOUTHEASTASIA:20220721T090828Z:f2182a29-3a73-4444-9fdb-3132f534ed7f'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 21 Jul 2022 09:08:28 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"code":"BadRequest","message":"VirtualNetworkRules should be specified only if IsVirtualNetworkFilterEnabled is True\r\nActivityId: ac8c5b43-08d4-11ed-be93-c8d9d2133ae1, Microsoft.Azure.Documents.Common/2.14.0"}
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 658, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 692, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/cosmosdb/custom.py", line 446, in cli_cosmosdb_update
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/cosmosdb/operations/_database_accounts_operations.py", line 197, in begin_update
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/cosmosdb/operations/_database_accounts_operations.py", line 153, in _update_initial
azure.core.exceptions.HttpResponseError: (BadRequest) VirtualNetworkRules should be specified only if IsVirtualNetworkFilterEnabled is True
ActivityId: ac8c5b43-08d4-11ed-be93-c8d9d2133ae1, Microsoft.Azure.Documents.Common/2.14.0
Code: BadRequest
Message: VirtualNetworkRules should be specified only if IsVirtualNetworkFilterEnabled is True
ActivityId: ac8c5b43-08d4-11ed-be93-c8d9d2133ae1, Microsoft.Azure.Documents.Common/2.14.0

cli.azure.cli.core.azclierror: (BadRequest) VirtualNetworkRules should be specified only if IsVirtualNetworkFilterEnabled is True
ActivityId: ac8c5b43-08d4-11ed-be93-c8d9d2133ae1, Microsoft.Azure.Documents.Common/2.14.0
Code: BadRequest
Message: VirtualNetworkRules should be specified only if IsVirtualNetworkFilterEnabled is True
ActivityId: ac8c5b43-08d4-11ed-be93-c8d9d2133ae1, Microsoft.Azure.Documents.Common/2.14.0
az_command_data_logger: (BadRequest) VirtualNetworkRules should be specified only if IsVirtualNetworkFilterEnabled is True
ActivityId: ac8c5b43-08d4-11ed-be93-c8d9d2133ae1, Microsoft.Azure.Documents.Common/2.14.0
Code: BadRequest
Message: VirtualNetworkRules should be specified only if IsVirtualNetworkFilterEnabled is True
ActivityId: ac8c5b43-08d4-11ed-be93-c8d9d2133ae1, Microsoft.Azure.Documents.Common/2.14.0
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0498C2B0>]

yonzhan commented 2 years ago

route to CXP team

SaurabhSharma-MSFT commented 2 years ago

@t-bzhan I don't think you can remove ACL configuration using the update command. You may need to use az cosmosdb network-rule remove to remove any existing network rules.

t-bzhan commented 2 years ago

@SaurabhSharma-MSFT, az cosmosdb network-rule remove does not support removing multiple rules. It is not very convenient to remove the rules one by one if we have a lot of rules. I am wondering whether we could handle the empty input like for "--ip-range-filter"; it supports inputting an empty string to remove all existing IP addresses, as mentioned in https://github.com/Azure/azure-cli/pull/15276

SaurabhSharma-MSFT commented 2 years ago

@t-bzhan ok, got it. I am looking into it and will update you on my findings.
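
The per-rule removal discussed in the comments above, scripted as a loop that then re-reads the account to confirm no rule is left. This is an added example, not part of the issue thread or of azure-cli itself; the function names are hypothetical, and it assumes `az cosmosdb network-rule list` returns one object per rule whose `id` is the subnet resource ID.

```bash
#!/usr/bin/env bash
# Added example: clear all Cosmos DB virtual network rules one rule at a time.
# Function names are hypothetical; `az` must be installed and logged in.

# Print the subnet resource ID of every virtual network rule, one per line.
list_vnet_rule_ids() {
  az cosmosdb network-rule list --name "$1" --resource-group "$2" \
    --query "[].id" --output tsv
}

# Remove every rule sequentially. Returns 0 only when all removals succeeded
# and the account reports no rules afterwards, 1 if a removal failed or a
# rule is left, 2 if the rules cannot be listed.
remove_all_vnet_rules() {
  local account="$1" group="$2" ids subnet_id remaining failed=0
  ids=$(list_vnet_rule_ids "$account" "$group") || return 2
  while IFS= read -r subnet_id; do
    [ -n "$subnet_id" ] || continue
    echo "removing rule for $subnet_id" >&2
    if ! az cosmosdb network-rule remove --name "$account" \
        --resource-group "$group" --subnet "$subnet_id" >/dev/null; then
      echo "failed to remove rule for $subnet_id" >&2
      failed=1
    fi
  done <<EOF
$ids
EOF
  # Re-read the account so the result reflects observed state, not exit codes.
  remaining=$(list_vnet_rule_ids "$account" "$group") || return 2
  if [ -n "$remaining" ]; then
    echo "rules still present:" >&2
    echo "$remaining" >&2
    return 1
  fi
  return "$failed"
}

# Usage: bash remove-vnet-rules.sh <account-name> <resource-group>
if [ "$#" -eq 2 ]; then
  remove_all_vnet_rules "$1" "$2"
fi
```

Each removal is a separate account update, so the loop runs them one after another rather than in parallel.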