search

Azure / azure-cli

Azure Command-Line Interface
MIT License
3.96k stars 2.94k forks source link

`az security contact create` fails with ERROR: Operation returned an invalid status 'Created' #25851

Open odegroot opened 1 year ago

odegroot commented 1 year ago

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command

az security contact create --name foo-example.com --email foo@example.com --alert-notifications On --alerts-admins Off

Describe the bug

The security contact gets created successfully, but the az command fails nonetheless.

ERROR: Operation returned an invalid status 'Created'

The REST API returns HTTP status code 201 Created. This is perfectly valid - see API docs - but the az cli still considers this a failure. It prints an error message and returns a nonzero exit code.

To Reproduce

The error occurs "invalid status 'Created'" occurs sometimes, not always. I can reliably reproduce the error on a brand new subscription. There may be other triggers that I'm unaware of.

  1. Create a new subscription
  2. Create a security contact using az security contact create.

After the initial failure, subsequent attempts on the same subscription work just fine, with the exact same inputs. Deleting and then recreating the security contact with the same inputs also works just fine.

Expected behavior

The az cli should treat status code 201 Created as a success. It shouldn't print an error message.

Environment summary

Azure DevOps pipeline step AzureCLI@2

Pool: Azure Pipelines
Image: ubuntu-latest
Agent: Hosted Agent
==============================================================================
Task         : Azure CLI
Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
Version      : 2.217.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
==============================================================================
/usr/bin/az --version
azure-cli                         2.46.0

core                              2.46.0
telemetry                          1.0.8

Extensions:
account                            0.2.5
azure-devops                      0.26.0

Dependencies:
msal                              1.20.0
azure-mgmt-resource             21.1.0b1

Python location '/opt/az/bin/python3'
Extensions directory '/opt/az/azcliextensions'

Python (Linux) 3.10.10 (main, Mar  6 2023, 09:39:14) [GCC 11.3.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.
Setting AZURE_CONFIG_DIR env variable to: /home/vsts/work/_temp/.azclitask
Setting active cloud to: AzureCloud

Additional context

Here's the command output with --debug enabled. (tenant / subscription IDs redacted)

##[command]az security contact create --debug --name foo-example.com --email foo@example.com --alert-notifications On --alerts-admins Off
DEBUG: cli.knack.cli: Command arguments: ['security', 'contact', 'create', '--debug', '--name', 'foo-example.com', '--email', 'foo@example.com', '--alert-notifications', 'On', '--alerts-admins', 'Off']
DEBUG: cli.knack.cli: __init__ debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fc165fb5360>, <function OutputProducer.on_global_arguments at 0x7fc165eb3f40>, <function CLIQuery.on_global_arguments at 0x7fc165f051b0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'security': ['azure.cli.command_modules.security']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands
DEBUG: cli.azure.cli.core: security                  0.007        48       104
DEBUG: cli.azure.cli.core: Total (1)                 0.007        48       104
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
DEBUG: cli.azure.cli.core: Total (0)                 0.000         0         0  
DEBUG: cli.azure.cli.core: Loaded 48 groups, 104 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command  : security contact create
DEBUG: cli.azure.cli.core: Command table: security contact create
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fc1648a6560>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/vsts/work/_temp/.azclitask/commands/2023-03-16.17-54-49.security_contact_create.2372.log'.
INFO: az_command_data_logger: command args: security contact create --debug --name {} --email {} --alert-notifications {} --alerts-admins {}
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fc1648bb0a0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fc1646a9000>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fc1646a9120>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fc165ed0040>, <function CLIQuery.handle_query_parameter at 0x7fc165f05240>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fc1646a9090>]
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=SecurityCenter
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/vsts/work/_temp/.azclitask/service_principal_entries.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/vsts/work/_temp/.azclitask/msal_token_cache.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/vsts/work/_temp/.azclitask/msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? False
DEBUG: msal.application: Region to be used: None
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: 129baf20-d5e0-4d44-86ea-b4e4ce57bb3e
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com?api-version=2017-08-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'PUT'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '120'
DEBUG: cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'a550efad-c423-11ed-960e-e3c79e9d1358'
DEBUG: cli.azure.cli.core.sdk.policies:     'CommandName': 'security contact create'
DEBUG: cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--debug --name --email --alert-notifications --alerts-admins'
DEBUG: cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.46.0 (DEB) azsdk-python-azure-mgmt-security/3.0.0 Python/3.10.10 (Linux-5.15.0-1034-azure-x86_64-with-glibc2.35) VSTS_9f9c2088-4d89-48b3-8760-c639dab38b85_build_1_0'
DEBUG: cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: {"properties": {"email": "foo@example.com", "phone": "", "alertNotifications": "On", "alertsToAdmins": "Off"}}
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com?api-version=2017-08-01-preview HTTP/1.1" 201 398
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 201
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '398'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies:     'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-resource-requests': '249'
DEBUG: cli.azure.cli.core.sdk.policies:     'api-supported-versions': '2017-08-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies:     'Server': 'Kestrel'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '8da4e6cf-f18b-4e57-8526-7481891d1952'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '8da4e6cf-f18b-4e57-8526-7481891d1952'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'WESTEUROPE:20230316T175458Z:8da4e6cf-f18b-4e57-8526-7481891d1952'
DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 16 Mar 2023 17:54:58 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"properties":{"alertNotifications":"On","alertsToAdmins":"Off","email":"foo@example.com","phone":""},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com","name":"foo-example.com","type":"Microsoft.Security/securityContacts","etag":"\"1e000f3a-0000-0d00-0000-641357f20000\"","location":"West Europe"}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/security/custom.py", line 285, in create_security_contact
    return client.create(resource_name, new_contact)
  File "/opt/az/lib/python3.10/site-packages/azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/mgmt/security/v2017_08_01_preview/operations/_security_contacts_operations.py", line 473, in create
    raise HttpResponseError(response=response, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Created'
Content: {"properties":{"alertNotifications":"On","alertsToAdmins":"Off","email":"foo@example.com","phone":""},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com","name":"foo-example.com","type":"Microsoft.Security/securityContacts","etag":"\"1e000f3a-0000-0d00-0000-641357f20000\"","location":"West Europe"}

ERROR: cli.azure.cli.core.azclierror: Operation returned an invalid status 'Created'
ERROR: az_command_data_logger: Operation returned an invalid status 'Created'
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fc1648a67a0>]
INFO: az_command_data_logger: exit code: 1
INFO: cli.__main__: Command ran in 9.745 seconds (init: 0.335, invoke: 9.410)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3516 in cache
WARNING: telemetry.check: Negative: The /home/vsts/work/_temp/.azclitask/telemetry.txt was modified at 2023-03-16 17:53:23.427256, which in less than 600.000000 s
ghost commented 1 year ago

Thank you for your feedback. This has been routed to the support team for assistance.

yonzhan commented 1 year ago

route to CXP team

SaurabhSharma-MSFT commented 1 year ago

@odegroot I am not able to reproduce this issue. I have checked with both Azure CLI 2.45 and 2.46 versions, and I am not getting any errors. image Using --debug parameters also did not give any error messages. Is this cmd giving the same error message when you are using outside of the devops pipeline for you?

odegroot commented 1 year ago

Yes. When I run the same command from my laptop, not from a devops pipeline, I get the same error.

Details below (identifiers redacted).

Authenticate to the tenant.

$AdoSpApplicationIdAcc = '00000000-0000-0000-0000-000000000000'
$AdoSpCred = Get-Credential -UserName $AdoSpApplicationIdAcc
$TenantAcc = 'mytenant.onmicrosoft.com'
az login --service-principal -u $AdoSpCred.UserName -p $AdoSpCred.GetNetworkCredential().Password --tenant $TenantAcc

Create a brand new subscription, and connect to it.

az account alias create --name 'temporary-alias' --billing-scope /providers/Microsoft.Billing/billingAccounts/00000000/enrollmentAccounts/000000 --display-name delete-me-01 --workload DevTest
az login --service-principal -u $AdoSpCred.UserName -p $AdoSpCred.GetNetworkCredential().Password --tenant $TenantAcc
az account set --subscription delete-me-01
az account show

Create the security contact.

az security contact create --debug --name 'foo-example.com' --email 'foo@example.com' --alert-notifications On --alerts-admins Off

Creation succeeds, but the command errors out:

cli.knack.cli: Command arguments: ['security', 'contact', 'create', '--debug', '--name', 'foo-example.com', '--email', 'foo@example.com', '--alert-notifications', 'On', '--alerts-admins', 'Off']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0259B538>, <function OutputProducer.on_global_arguments at 0x02767CD0>, <function CLIQuery.on_global_arguments at 0x02787928>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'security': ['azure.cli.command_modules.security']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: security                  0.007        48       104
cli.azure.cli.core: Total (1)                 0.007        48       104
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: Loaded 48 groups, 104 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : security contact create
cli.azure.cli.core: Command table: security contact create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x049562B0>]
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x0497E2B0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x0498E1D8>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x0498E3D0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02767D18>, <function CLIQuery.handle_query_parameter at 0x02787970>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x0498E388>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=SecurityCenter
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\me\\.azure\\service_principal_entries.bin', encrypt=True
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\me\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\me\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
msal.application: Region to be used: None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 09458350-fe82-4816-847c-2fe9efe19771
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com?api-version=2017-08-01-preview'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '110'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'e6872ed9-cd77-11ed-bcda-5c80b672992f'
cli.azure.cli.core.sdk.policies:     'CommandName': 'security contact create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--debug --name --email --alert-notifications --alerts-admins'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.46.0 (MSI) azsdk-python-azure-mgmt-security/3.0.0 Python/3.10.10 (Windows-10-10.0.22000-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"email": "foo@example.com", "phone": "", "alertNotifications": "On", "alertsToAdmins": "Off"}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com?api-version=2017-08-01-preview HTTP/1.1" 201 368
cli.azure.cli.core.sdk.policies: Response status: 201
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '368'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-resource-requests': '249'
cli.azure.cli.core.sdk.policies:     'api-supported-versions': '2017-08-01-preview'
cli.azure.cli.core.sdk.policies:     'Server': 'Kestrel'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '6dca2ac5-b0f9-4746-8fc2-0425bc427c75'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '6dca2ac5-b0f9-4746-8fc2-0425bc427c75'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'WESTEUROPE:20230328T145038Z:6dca2ac5-b0f9-4746-8fc2-0425bc427c75'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 28 Mar 2023 14:50:37 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"properties":{"alertNotifications":"On","alertsToAdmins":"Off","email":"foo@example.com","phone":""},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com","name":"foo-example.com","type":"Microsoft.Security/securityContacts","etag":"\"1600ddf5-0000-0d00-0000-6422febe0000\"","location":"West Europe"}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/security/custom.py", line 285, in create_security_contact
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/security/v2017_08_01_preview/operations/_security_contacts_operations.py", line 473, in create
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Created'
Content: {"properties":{"alertNotifications":"On","alertsToAdmins":"Off","email":"foo@example.com","phone":""},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com","name":"foo-example.com","type":"Microsoft.Security/securityContacts","etag":"\"1600ddf5-0000-0d00-0000-6422febe0000\"","location":"West Europe"}

cli.azure.cli.core.azclierror: Operation returned an invalid status 'Created'
az_command_data_logger: Operation returned an invalid status 'Created'
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x049563D0>]
cli.__main__: Command ran in 1.712 seconds (init: 0.373, invoke: 1.339)
SaurabhSharma-MSFT commented 1 year ago

@odegroot I am not able to reproduce this with your code either and getting the results as expected. Only difference which I could see is the response code is 201 for your response with error message whereas I am getting always getting 200. image

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @chlahav.

Issue Details
> ### `az feedback` auto-generates most of the information requested below, as of CLI version 2.0.62 **Related command** ``` az security contact create --name foo-example.com --email foo@example.com --alert-notifications On --alerts-admins Off ``` **Describe the bug** The security contact gets created successfully, but the `az` command fails nonetheless. ``` ERROR: Operation returned an invalid status 'Created' ``` The REST API returns HTTP status code `201 Created`. This is perfectly valid - see API docs - but the az cli still considers this a failure. It prints an error message and returns a nonzero exit code. **To Reproduce** The error occurs "invalid status 'Created'" occurs sometimes, not always. I can reliably reproduce the error on a brand new subscription. There may be other triggers that I'm unaware of. 1. Create a new subscription 2. Create a security contact using `az security contact create`. After the initial failure, subsequent attempts on the same subscription work just fine, with the exact same inputs. Deleting and then recreating the security contact with the same inputs also works just fine. **Expected behavior** The az cli should treat status code `201 Created` as a success. It shouldn't print an error message. **Environment summary** Azure DevOps pipeline step AzureCLI@2 ``` Pool: Azure Pipelines Image: ubuntu-latest Agent: Hosted Agent ``` ``` ============================================================================== Task : Azure CLI Description : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent. Version : 2.217.1 Author : Microsoft Corporation Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli ============================================================================== /usr/bin/az --version azure-cli 2.46.0 core 2.46.0 telemetry 1.0.8 Extensions: account 0.2.5 azure-devops 0.26.0 Dependencies: msal 1.20.0 azure-mgmt-resource 21.1.0b1 Python location '/opt/az/bin/python3' Extensions directory '/opt/az/azcliextensions' Python (Linux) 3.10.10 (main, Mar 6 2023, 09:39:14) [GCC 11.3.0] Legal docs and information: aka.ms/AzureCliLegal Your CLI is up-to-date. Setting AZURE_CONFIG_DIR env variable to: /home/vsts/work/_temp/.azclitask Setting active cloud to: AzureCloud ``` **Additional context** Here's the command output with `--debug` enabled. (tenant / subscription IDs redacted) ``` ##[command]az security contact create --debug --name foo-example.com --email foo@example.com --alert-notifications On --alerts-admins Off DEBUG: cli.knack.cli: Command arguments: ['security', 'contact', 'create', '--debug', '--name', 'foo-example.com', '--email', 'foo@example.com', '--alert-notifications', 'On', '--alerts-admins', 'Off'] DEBUG: cli.knack.cli: __init__ debug log: Cannot enable color. DEBUG: cli.knack.cli: Event: Cli.PreExecute [] DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [, , ] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] DEBUG: cli.azure.cli.core: Modules found from index for 'security': ['azure.cli.command_modules.security'] DEBUG: cli.azure.cli.core: Loading command modules: DEBUG: cli.azure.cli.core: Name Load Time Groups Commands DEBUG: cli.azure.cli.core: security 0.007 48 104 DEBUG: cli.azure.cli.core: Total (1) 0.007 48 104 DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next'] DEBUG: cli.azure.cli.core: Loading extensions: DEBUG: cli.azure.cli.core: Name Load Time Groups Commands Directory DEBUG: cli.azure.cli.core: Total (0) 0.000 0 0 DEBUG: cli.azure.cli.core: Loaded 48 groups, 104 commands. DEBUG: cli.azure.cli.core: Found a match in the command table. DEBUG: cli.azure.cli.core: Raw command : security contact create DEBUG: cli.azure.cli.core: Command table: security contact create DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [] DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/vsts/work/_temp/.azclitask/commands/2023-03-16.17-54-49.security_contact_create.2372.log'. INFO: az_command_data_logger: command args: security contact create --debug --name {} --email {} --alert-notifications {} --alerts-admins {} DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [.add_subscription_parameter at 0x7fc1648bb0a0>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [.add_ids_arguments at 0x7fc1646a9000>, .add_cache_arguments at 0x7fc1646a9120>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [, , .parse_ids_arguments at 0x7fc1646a9090>] DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=SecurityCenter DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/vsts/work/_temp/.azclitask/service_principal_entries.json', encrypt=False DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/vsts/work/_temp/.azclitask/msal_token_cache.json', encrypt=False DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/vsts/work/_temp/.azclitask/msal_http_cache.bin DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) DEBUG: msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} DEBUG: msal.application: Broker enabled? False DEBUG: msal.application: Region to be used: None DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={} DEBUG: cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={} DEBUG: msal.application: Cache hit an AT DEBUG: msal.telemetry: Generate or reuse correlation_id: 129baf20-d5e0-4d44-86ea-b4e4ce57bb3e DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com?api-version=2017-08-01-preview' DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'PUT' DEBUG: cli.azure.cli.core.sdk.policies: Request headers: DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json' DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '120' DEBUG: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json' DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'a550efad-c423-11ed-960e-e3c79e9d1358' DEBUG: cli.azure.cli.core.sdk.policies: 'CommandName': 'security contact create' DEBUG: cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--debug --name --email --alert-notifications --alerts-admins' DEBUG: cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.46.0 (DEB) azsdk-python-azure-mgmt-security/3.0.0 Python/3.10.10 (Linux-5.15.0-1034-azure-x86_64-with-glibc2.35) VSTS_9f9c2088-4d89-48b3-8760-c639dab38b85_build_1_0' DEBUG: cli.azure.cli.core.sdk.policies: 'Authorization': '*****' DEBUG: cli.azure.cli.core.sdk.policies: Request body: DEBUG: cli.azure.cli.core.sdk.policies: {"properties": {"email": "foo@example.com", "phone": "", "alertNotifications": "On", "alertsToAdmins": "Off"}} DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443 DEBUG: urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com?api-version=2017-08-01-preview HTTP/1.1" 201 398 DEBUG: cli.azure.cli.core.sdk.policies: Response status: 201 DEBUG: cli.azure.cli.core.sdk.policies: Response headers: DEBUG: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache' DEBUG: cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache' DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '398' DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8' DEBUG: cli.azure.cli.core.sdk.policies: 'Expires': '-1' DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-resource-requests': '249' DEBUG: cli.azure.cli.core.sdk.policies: 'api-supported-versions': '2017-08-01-preview' DEBUG: cli.azure.cli.core.sdk.policies: 'Server': 'Kestrel' DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '8da4e6cf-f18b-4e57-8526-7481891d1952' DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '8da4e6cf-f18b-4e57-8526-7481891d1952' DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'WESTEUROPE:20230316T175458Z:8da4e6cf-f18b-4e57-8526-7481891d1952' DEBUG: cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' DEBUG: cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff' DEBUG: cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 16 Mar 2023 17:54:58 GMT' DEBUG: cli.azure.cli.core.sdk.policies: Response content: DEBUG: cli.azure.cli.core.sdk.policies: {"properties":{"alertNotifications":"On","alertsToAdmins":"Off","email":"foo@example.com","phone":""},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com","name":"foo-example.com","type":"Microsoft.Security/securityContacts","etag":"\"1e000f3a-0000-0d00-0000-641357f20000\"","location":"West Europe"} DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last): File "/opt/az/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke cmd_result = self.invocation.execute(args) File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute raise ex File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially results.append(self._run_job(expanded_arg, cmd_copy)) File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job result = cmd_copy(params) File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__ return self.handler(*args, **kwargs) File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler return op(**command_args) File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/security/custom.py", line 285, in create_security_contact return client.create(resource_name, new_contact) File "/opt/az/lib/python3.10/site-packages/azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer return func(*args, **kwargs) File "/opt/az/lib/python3.10/site-packages/azure/mgmt/security/v2017_08_01_preview/operations/_security_contacts_operations.py", line 473, in create raise HttpResponseError(response=response, error_format=ARMErrorFormat) azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Created' Content: {"properties":{"alertNotifications":"On","alertsToAdmins":"Off","email":"foo@example.com","phone":""},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com","name":"foo-example.com","type":"Microsoft.Security/securityContacts","etag":"\"1e000f3a-0000-0d00-0000-641357f20000\"","location":"West Europe"} ERROR: cli.azure.cli.core.azclierror: Operation returned an invalid status 'Created' ERROR: az_command_data_logger: Operation returned an invalid status 'Created' DEBUG: cli.knack.cli: Event: Cli.PostExecute [] INFO: az_command_data_logger: exit code: 1 INFO: cli.__main__: Command ran in 9.745 seconds (init: 0.335, invoke: 9.410) INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1 INFO: telemetry.client: Accumulated 0 events. Flush the clients. INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1 INFO: telemetry.save: Save telemetry record of length 3516 in cache WARNING: telemetry.check: Negative: The /home/vsts/work/_temp/.azclitask/telemetry.txt was modified at 2023-03-16 17:53:23.427256, which in less than 600.000000 s ```
Author: odegroot
Assignees: SaurabhSharma-MSFT
Labels: `bug`, `Service Attention`, `Security`, `customer-reported`, `needs-team-attention`, `Auto-Assign`
Milestone: Backlog
ghost commented 1 year ago

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

odegroot commented 1 year ago

@SaurabhSharma-MSFT An overzealous bot unduly closed this issue. Can you reopen it, and remove the needs-author-feedback label please?

jesperhansen17 commented 10 months ago

I've also encountered these errors when trying to create a security contact on a newly created subscription.

az security contact create --name="<name>" --email="<email>" --alert-notifications="on" --alerts-admins="off" --subscription=<subscription>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Operation returned an invalid status 'Created'

On the first failing request I also get an 201 response, but on subsequent successful requests I get an 200 response back.

az version
-----------------------
{
  "azure-cli": "2.50.0",
  "azure-cli-core": "2.50.0",
  "azure-cli-telemetry": "1.0.8",
}