Azure / azure-cli

Azure Command-Line Interface
MIT License

az network private-link-service create - "visibility" parameter's allowed values are not working properly when used with "auto-approval". #24608

Open wviriya opened 2 years ago

wviriya commented 2 years ago

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command

Describe the bug

az network private-link-service create - the visibility parameter should allow null, "*", or a list of subscription IDs

To Reproduce

PREFIX="pls"
RESOURCE_GROUP="${PREFIX}-rg"
LOCATION="australiaeast"
PRIVATE_LINK_SERVICE="${PREFIX}-pls"
VNET_NAME="${PREFIX}-custom-vnet"
SUBNET_NAME="pls-subnet"
LB_NAME="${PREFIX}-lb"

az group create \
  --name $RESOURCE_GROUP \
  --location $LOCATION

az network vnet create \
  --resource-group $RESOURCE_GROUP \
  --name $VNET_NAME \
  --location $LOCATION \
  --subnet-name $SUBNET_NAME \
  --subnet-prefixes 10.0.0.0/24 \
  --address-prefix 10.0.0.0/23

# Private Link Service network policies must be disabled on the subnet
az network vnet subnet update \
  --resource-group $RESOURCE_GROUP \
  --name $SUBNET_NAME \
  --vnet-name $VNET_NAME \
  --disable-private-link-service-network-policies true

az network lb create \
  --resource-group $RESOURCE_GROUP \
  --name $LB_NAME \
  --sku Standard \
  --vnet-name $VNET_NAME \
  --subnet $SUBNET_NAME \
  --frontend-ip-name myFrontEnd \
  --backend-pool-name myBackEndPool

az network lb probe create \
  --resource-group $RESOURCE_GROUP \
  --lb-name $LB_NAME \
  --name myHealthProbe \
  --protocol tcp \
  --port 80

az network lb rule create \
  --resource-group $RESOURCE_GROUP \
  --lb-name $LB_NAME \
  --name myHTTPRule \
  --protocol tcp \
  --frontend-port 80 \
  --backend-port 80 \
  --frontend-ip-name myFrontEnd \
  --backend-pool-name myBackEndPool \
  --probe-name myHealthProbe \
  --idle-timeout 15 \
  --enable-tcp-reset true

# Capture resource IDs with command substitution; the JMESPath query is quoted
# so the shell does not treat [0] as a glob pattern
LB_FRONTEND_IP_CONFIG=$(az network lb frontend-ip list \
  --resource-group $RESOURCE_GROUP \
  --lb-name $LB_NAME \
  --query "[0].id" --out tsv)

SUBNET_ID=$(az network vnet subnet show \
  --resource-group $RESOURCE_GROUP \
  --vnet-name $VNET_NAME \
  --name $SUBNET_NAME \
  --query "id" --out tsv)

SUBSCRIPTION_ID=$(az account show --query id --out tsv)

# The failing call: the same subscription ID is passed to both parameters
az network private-link-service create \
  --resource-group $RESOURCE_GROUP \
  --name $PRIVATE_LINK_SERVICE \
  --subnet $SUBNET_ID \
  --lb-frontend-ip-configs $LB_FRONTEND_IP_CONFIG \
  --location $LOCATION \
  --visibility $SUBSCRIPTION_ID \
  --auto-approval $SUBSCRIPTION_ID

Expected behavior

A Private Link Service is created with the following properties:
visibility = array of subscription ID
auto-approval = array of subscription ID

Environment summary

Azure CLI
{
  "azure-cli": "2.40.0",
  "azure-cli-core": "2.40.0",
  "azure-cli-telemetry": "1.0.8",
  "extensions": {
    "containerapp": "0.3.11",
    "front-door": "1.0.17"
  }
}

WSL2 distro: Ubuntu-20.04 on Windows 11

Error received

(InvalidCorrelationBetweenAutoApprovalAndVisibility) The subscriptions  in property AutoApproval has invalid correlation with the subscriptions SUBSCRIPTION_ID in property Visibility for this private link service /subscriptions/SUBSCRIPTION_ID /resourceGroups/plssvc1-rg/providers/Microsoft.Network/privateLinkServices/plssvc1-pls. Please make sure the subscriptions of AutoApproval is subset of subscriptions in Visibility or "" or empty.
Code: InvalidCorrelationBetweenAutoApprovalAndVisibility
Message: The subscriptions  in property AutoApproval has invalid correlation with the subscriptions SUBSCRIPTION_ID in property Visibility for this private link service /subscriptions/SUBSCRIPTION_ID/resourceGroups/plssvc1-rg/providers/Microsoft.Network/privateLinkServices/plssvc1-pls. Please make sure the subscriptions of AutoApproval is subset of subscriptions in Visibility or "" or empty.

Additional context

I believe that the allowed values for the visibility and auto-approval parameters are swapped. The visibility parameter should accept null, "*", or an array of subscription IDs. The auto-approval parameter should also accept null or a subset of the array of subscription IDs in the visibility parameter.
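The correlation rule quoted in the error message above can be checked locally before calling az. This is an added example, not part of the original issue and not azure-cli code. The function name pls_lists_ok, the sample IDs, and the reading of the rule (accepted when auto-approval is empty, visibility is "*", or auto-approval is a subset of visibility) are assumptions.

```shell
#!/bin/sh
# Added example, not azure-cli code. Pre-flight check for the rule in the
# InvalidCorrelationBetweenAutoApprovalAndVisibility error, read here (an
# assumption) as: accepted when auto-approval is empty, visibility is "*",
# or every auto-approval subscription ID also appears in visibility.

# pls_lists_ok VISIBILITY AUTO_APPROVAL   (hypothetical helper)
# Both arguments are space-separated lists of subscription IDs.
# Returns 0 when the lists are consistent, 1 otherwise; each ID that would be
# auto-approved without being in the visibility list is reported on stderr.
# The body is a subshell, so its variables and "set -f" do not leak out.
pls_lists_ok() (
    visibility=$1
    auto_approval=$2
    status=0

    # Empty auto-approval: every connection request still needs manual review.
    if [ -z "$auto_approval" ]; then exit 0; fi

    set -f  # no globbing, so a literal "*" survives word splitting
    for v in $visibility; do
        if [ "$v" = "*" ]; then exit 0; fi
    done

    for a in $auto_approval; do
        found=0
        for v in $visibility; do
            if [ "$a" = "$v" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "auto-approval ID not in visibility: $a" >&2
            status=1
        fi
    done
    exit "$status"
)

# Constructed sample IDs, not taken from the issue.
SUB_A="00000000-0000-0000-0000-00000000000a"
SUB_B="00000000-0000-0000-0000-00000000000b"

if pls_lists_ok "$SUB_A $SUB_B" "$SUB_A"; then
    echo "lists are consistent"
fi
```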

yonzhan commented 2 years ago

@necusjz for awareness