Azure / azure-cli

Azure Command-Line Interface
MIT License

Invalid VNet rule in keyvault create call #27516

Open git001 opened 11 months ago

git001 commented 11 months ago

Describe the bug

I tried to create a key vault with --network-acls and got the following error.

Invalid VNet rule: /subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01.
Format: {vnet_name}/{subnet_name} or {subnet_id}

But even the help shows that the syntax should be /subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01

az keyvault create -h
....
Create a key vault with network ACLs specified (use --network-acls-vnets to specify VNet rules).

az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls-vnets vnet_name_2/subnet_name_2 vnet_name_3/subnet_name_3 /subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet_name_4/subnets/subnet_name_4

Create a key vault with network ACLs specified (use --network-acls, --network-acls-ips and --network-acls-vnets together, redundant rules will be removed, finally there will be 4 IP rules and 3 VNet rules).

az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls "{\"ip\": [\"1.2.3.4\", \"2.3.4.0/24\"], \"vnet\": [\"vnet_name_1/subnet_name1\", \"vnet_name_2/subnet_name2\"]}" --network-acls-ips 3.4.5.0/24 4.5.6.0/24 --network-acls-vnets vnet_name_2/subnet_name_2 vnet_name_3/subnet_name_3 /subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet_name_4/subnets/subnet_name_4
....

Is this a misuse on my side or a doc bug? Can I put a vnet from another RG into the --network-acls json?

Related command

az keyvault create --name kv-$NAME-Dev03 --resource-group rg-$KV_RG --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls "{\"vnet\": [\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03\",\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03\"]}" --subscription $MY_SUBS

Errors

Invalid VNet rule: /subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03.
Format: {vnet_name}/{subnet_name} or {subnet_id}

Issue script & Debug output

az --debug keyvault create --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls "{\"vnet\": [\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03\",\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03\"]}" --subscription $MY_SUBS
cli.knack.cli: Command arguments: ['--debug', 'keyvault', 'create', '--name', 'kv-$KV_NAME-Dev03', '--resource-group', 'rg-$KV_NAME', '--location', 'germanywestcentral', '--enable-rbac-authorization', 'false', '--public-network-access', 'Enabled', '--sku', 'premium', '--default-action', 'Deny', '--network-acls', '{"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}', '--subscription', '$MY_SUBS']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f99f998d360>, <function OutputProducer.on_global_arguments at 0x7f99f98f0280>, <function CLIQuery.on_global_arguments at 0x7f99f9715480>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: No module found from index for '['--debug', 'keyvault', 'create', '--name', 'kv-$KV_NAME-Dev03', '--resource-group', 'rg-$KV_NAME', '--location', 'germanywestcentral', '--enable-rbac-authorization', 'false', '--public-network-access', 'Enabled', '--sku', 'premium', '--default-action', 'Deny', '--network-acls', '{"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}', '--subscription','$MY_SUBS']'
cli.azure.cli.core: Loading all modules and extensions
cli.azure.cli.core: Discovered command modules: ['acr', 'acs', 'advisor', 'ams', 'apim', 'appconfig', 'appservice', 'aro', 'backup', 'batch', 'batchai', 'billing', 'botservice', 'cdn', 'cloud', 'cognitiveservices', 'config', 'configure', 'consumption', 'container', 'containerapp', 'cosmosdb', 'databoxedge', 'dla', 'dls', 'dms', 'eventgrid', 'eventhubs', 'extension', 'feedback', 'find', 'hdinsight', 'identity', 'interactive', 'iot', 'keyvault', 'kusto', 'lab', 'managedservices', 'maps', 'marketplaceordering', 'monitor', 'mysql', 'netappfiles', 'network', 'policyinsights', 'privatedns', 'profile', 'rdbms', 'redis', 'relay', 'resource', 'role', 'search', 'security', 'servicebus', 'serviceconnector', 'servicefabric', 'signalr', 'sql', 'sqlvm', 'storage', 'synapse', 'util', 'vm']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: acr                       0.066        34       144
cli.azure.cli.core: acs                       0.008         7        54
cli.azure.cli.core: advisor                   0.001         3         6
cli.azure.cli.core: ams                       0.003        22       100
cli.azure.cli.core: apim                      0.002        14        68
cli.azure.cli.core: appconfig                 0.001         9        47
cli.azure.cli.core: appservice                0.032        73       260
cli.azure.cli.core: aro                       0.004         1        10
cli.azure.cli.core: backup                    0.002        16        59
cli.azure.cli.core: batch                     0.012        34       102
cli.azure.cli.core: batchai                   0.001        10        30
cli.azure.cli.core: billing                   0.003        19        52
cli.azure.cli.core: botservice                0.002        12        42
cli.azure.cli.core: cdn                       0.004        39       133
cli.azure.cli.core: cloud                     0.001         1         7
cli.azure.cli.core: cognitiveservices         0.001        10        33
cli.azure.cli.core: config                    0.001         2         7
cli.azure.cli.core: configure                 0.000         2         5
cli.azure.cli.core: consumption               0.007         8         9
cli.azure.cli.core: container                 0.003         1        11
cli.azure.cli.core: containerapp              0.044        36       115
cli.azure.cli.core: cosmosdb                  0.007        58       192
cli.azure.cli.core: databoxedge               0.002         5        27
cli.azure.cli.core: dla                       0.001        23        62
cli.azure.cli.core: dls                       0.002         7        41
cli.azure.cli.core: dms                       0.001         3        22
cli.azure.cli.core: eventgrid                 0.002        25        96
cli.azure.cli.core: eventhubs                 0.004        12        19
cli.azure.cli.core: extension                 0.000         1         7
cli.azure.cli.core: feedback                  0.000         1         2
cli.azure.cli.core: find                      0.000         1         1
cli.azure.cli.core: hdinsight                 0.002         8        39
cli.azure.cli.core: identity                  0.001         2        11
cli.azure.cli.core: interactive               0.000         1         1
cli.azure.cli.core: iot                       0.041        19        82
cli.azure.cli.core: keyvault                  0.005        22       133
cli.azure.cli.core: kusto                     0.001         3        14
cli.azure.cli.core: lab                       0.001        11        34
cli.azure.cli.core: managedservices           0.001         3         8
cli.azure.cli.core: maps                      0.001         5        13
cli.azure.cli.core: marketplaceordering       0.001         1         2
cli.azure.cli.core: monitor                   0.173        20        67
cli.azure.cli.core: mysql                     0.067        14        49
cli.azure.cli.core: netappfiles               0.003        17        96
cli.azure.cli.core: network                   0.053       103       336
cli.azure.cli.core: policyinsights            0.004         9        17
cli.azure.cli.core: privatedns                0.007        14        60
cli.azure.cli.core: profile                   0.001         2         8
cli.azure.cli.core: rdbms                     0.007        44       185
cli.azure.cli.core: redis                     0.001         5        27
cli.azure.cli.core: relay                     0.008         7         8
cli.azure.cli.core: resource                  0.006        51       227
cli.azure.cli.core: role                      0.001        17        61
cli.azure.cli.core: search                    0.001         7        22
cli.azure.cli.core: security                  0.002        48       104
cli.azure.cli.core: servicebus                0.007        12        17
cli.azure.cli.core: serviceconnector          0.022        12       182
cli.azure.cli.core: servicefabric             0.005        27        76
cli.azure.cli.core: signalr                   0.001         8        30
cli.azure.cli.core: sql                       0.007        56       215
cli.azure.cli.core: sqlvm                     0.049         4        20
cli.azure.cli.core: storage                   0.023        58       272
cli.azure.cli.core: synapse                   0.007        54       246
cli.azure.cli.core: util                      0.001         3         7
cli.azure.cli.core: vm                        0.024        57       230
cli.azure.cli.core: Total (65)                0.751      1213      4662
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: connectedk8s              0.008         1        10  /home/alex/.azure/cliextensions/connectedk8s
cli.azure.cli.core: k8s-extension             0.003         2         9  /home/alex/.azure/cliextensions/k8s-extension
cli.azure.cli.core: Total (2)                 0.011         3        19
cli.azure.cli.core: Loaded 1204 groups, 4681 commands.
cli.azure.cli.core: Updated command index in 0.002 seconds.
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f99f89a6dd0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/alex/.azure/commands/2023-10-03.17-48-30.unknown_command.150115.log'.
az_command_data_logger: command args: --debug {} {} --name {} --resource-group {} --location {} --enable-rbac-authorization {} --public-network-access {} --sku {} --default-action {} --network-acls {} --subscription {} --tags {} {}
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f99f89e3a30>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f99f8a01750>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f99f8a01870>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x7f99f73da0e0>]
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--enable-rbac-authorization" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--public-network-access" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--sku" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--default-action" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--network-acls" is an invalid parameter for command "keyvault create".
urllib3.connectionpool: Starting new HTTPS connection (1): app.aladdin.microsoft.com:443
urllib3.connectionpool: https://app.aladdin.microsoft.com:443 "GET /api/v1.0/suggestions?query=%7B%22command%22%3A+%22keyvault+create%22%2C+%22parameters%22%3A+%22%22%7D&clientType=AzureCli&context=%7B%22versionNumber%22%3A+%222.53.0%22%2C+%22errorType%22%3A+%22UnrecognizedArguments%22%2C+%22correlationId%22%3A+%227e63fff3-e687-496c-bc47-9e5ded8b8392%22%2C+%22subscriptionId%22%3A+%22$MY_SUBS%22%2C+%22eventId%22%3A+%2272e8f878-6f4c-4645-8387-f95087c3e365%22%7D HTTP/1.1" 200 None
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--enable-rbac-authorization" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--public-network-access" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--sku" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--default-action" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--network-acls" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--network-acls" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.azclierror: NoneType: None

cli.azure.cli.core.azclierror: unrecognized arguments: --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls {"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}
az_command_data_logger: unrecognized arguments: --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls {"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}

Examples from AI knowledge base:
az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup
Create a key vault. (autogenerated)

az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls "{\"ip\": [\"1.2.3.4\", \"2.3.4.0/24\"], \"vnet\": [\"vnet_name_1/subnet_name1\", \"vnet_name_2/subnet_name2\", \"/subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVNet/subnets/MySubnet\"]}"
Create a key vault with network ACLs specified (use --network-acls to specify IP and VNet rules by using a JSON string).

https://docs.microsoft.com/en-US/cli/azure/keyvault#az_keyvault_create
Read more about the command in reference docs
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f99f89a7010>]
az_command_data_logger: exit code: 2
cli.__main__: Command ran in 1.461 seconds (init: 0.110, invoke: 1.351)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4604 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/../../opt/az/bin/python3 /opt/az/lib/python3.10/site-packages/azure/cli/telemetry/__init__.py /home/alex/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

I would expect that the vnets are configured in the keyvault network settings.

Environment Summary

azure-cli                         2.53.0

core                              2.53.0
telemetry                          1.1.0

Extensions:
connectedk8s                       1.4.0
k8s-extension                      1.4.5

Dependencies:
msal                            1.24.0b2
azure-mgmt-resource             23.1.0b2

Python location '/opt/az/bin/python3'
Extensions directory '/home/alex/.azure/cliextensions'

Python (Linux) 3.10.10 (main, Sep 20 2023, 06:07:38) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response
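As an added example (this is editor-written code, not part of azure-cli or of the report; the regexes, helper names and the `merge_rules` dedup are this example's own), the following Python checks VNet rule strings against the two forms the quoted `az keyvault create -h` text documents, `{vnet_name}/{subnet_name}` and a full subnet resource ID of the shape `/subscriptions/.../resourceGroups/.../providers/Microsoft.Network/virtualNetworks/.../subnets/...`, validates the IP list, and only then builds the JSON string for `--network-acls`. Measured against the documented full-ID form, the string from the report has no `providers/Microsoft.Network/virtualNetworks` and no `subnets` segments, so the checker reports it with the same message the CLI printed. A full subnet ID names its own subscription and resource group, which is how a subnet outside the vault's resource group is expressed.

```python
"""Added example (not azure-cli code): check VNet/IP rule strings against the
two documented forms before handing them to `az keyvault create --network-acls`."""
import ipaddress
import json
import re

# Documented VNet rule forms (from the `az keyvault create -h` text quoted above):
#   {vnet_name}/{subnet_name}   -> a name pair
#   {subnet_id}                 -> a full ARM subnet resource ID
SHORT_RULE = re.compile(r"^(?P<vnet>[^/]+)/(?P<subnet>[^/]+)$")
SUBNET_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/(?P<vnet>[^/]+)"
    r"/subnets/(?P<subnet>[^/]+)$",
    re.IGNORECASE,  # ARM resource IDs are compared case-insensitively
)

FORMAT_HINT = "Format: {vnet_name}/{subnet_name} or {subnet_id}"


def classify_vnet_rule(rule: str) -> dict:
    """Return which documented form `rule` matches, plus its parsed parts.

    Raises ValueError with a message in the same shape the CLI prints when
    neither form matches.
    """
    m = SUBNET_ID.match(rule)
    if m:
        return {"form": "subnet_id", **m.groupdict()}
    m = SHORT_RULE.match(rule)
    if m:
        return {"form": "short", **m.groupdict()}
    raise ValueError(f"Invalid VNet rule: {rule}.\n{FORMAT_HINT}")


def vnet_rule_error(rule: str):
    """None if `rule` is well-formed, otherwise the error text (no exception)."""
    try:
        classify_vnet_rule(rule)
    except ValueError as exc:
        return str(exc)
    return None


def ip_rule_error(rule: str):
    """None if `rule` is an IPv4 address or CIDR block, otherwise the error text.

    Assumption: this mirrors the IPv4-address-or-CIDR shape of Key Vault IP
    rules; the service itself is the authority on what it accepts.
    """
    try:
        ipaddress.IPv4Network(rule, strict=False)  # "1.2.3.4" -> 1.2.3.4/32
    except ValueError as exc:
        return f"Invalid IP rule: {rule} ({exc})"
    return None


def merge_rules(*groups):
    """Concatenate rule lists and drop exact duplicates, keeping first-seen order.

    A local equivalent of combining --network-acls, --network-acls-ips and
    --network-acls-vnets inputs; it only removes string-identical entries.
    """
    seen, merged = set(), []
    for group in groups:
        for rule in group:
            if rule not in seen:
                seen.add(rule)
                merged.append(rule)
    return merged


def build_network_acls(ips, vnets) -> str:
    """Validate every rule and return the JSON string for --network-acls.

    Raises ValueError on the first malformed entry, so a bad rule is caught
    locally before any request reaches Azure.
    """
    for rule in ips:
        err = ip_rule_error(rule)
        if err:
            raise ValueError(err)
    for rule in vnets:
        classify_vnet_rule(rule)
    return json.dumps({"ip": list(ips), "vnet": list(vnets)})


if __name__ == "__main__":
    # Constructed inputs: the two documented forms from the help text, and the
    # string from the report (no providers/... and no subnets/ segment).
    for candidate in (
        "vnet_name_2/subnet_name_2",
        "/subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup"
        "/providers/Microsoft.Network/virtualNetworks/vnet_name_4/subnets/subnet_name_4",
        "/subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01",
    ):
        print(candidate, "->", vnet_rule_error(candidate) or "ok")
    print(build_network_acls(["1.2.3.4", "2.3.4.0/24"], ["vnet_name_1/subnet_name1"]))
```

With `--default-action Deny`, the rule list is what decides which networks can reach the vault, so checking each entry locally turns a malformed rule into an immediate, readable error instead of a failed deployment, and the parsed `sub`/`rg`/`vnet`/`subnet` parts let you review exactly which subnets are being granted before the vault exists.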

yonzhan commented 11 months ago

Thank you for opening this issue, we will look into it.

azure-client-tools-bot-prd[bot] commented 11 months ago
Hi @git001 Find similar issue https://github.com/Azure/azure-cli/issues/7700.
Issue title VM create should show usage error when --vnet-name and --subnet are used incorrectly
Create time 2018-10-29
Comment number 7

Possible solution: The issue is that the --vnet-name parameter only accepts a vnet name, not an ID. Only --subnet accepts a name or ID. Therefore, you need to reference the ID of the subnet and remove the reference of vnet. Since referencing the subnet automatically adds the correct vnet.


Please confirm if this resolves your issue.

microsoft-github-policy-service[bot] commented 11 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/azure-iot-cli-triage.

microsoft-github-policy-service[bot] commented 11 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

git001 commented 11 months ago

Hi @git001 Find similar issue #7700.

Issue title VM create should show usage error when --vnet-name and --subnet are used incorrectly Create time 2018-10-29 Comment number 7

Possible solution: The issue is that the --vnet-name parameter only accepts a vnet name, not an ID. Only --subnet accepts a name or ID. Therefore, you need to reference the ID of the subnet and remove the reference of vnet. Since referencing the subnet automatically adds the correct vnet.

Please confirm if this resolves your issue.

Not confirmed