Azure / azure-cli

Azure Command-Line Interface
MIT License

az signalr upstream update fails when the target has a location policy #27962

Open NollaigShea opened 9 months ago

NollaigShea commented 9 months ago

Describe the bug

Looks to have been introduced with #27542. An empty location string is added to the request body being sent to 'https://management.azure.com/subscriptions/<...>/resourceGroups/<...>/providers/Microsoft.SignalRService/signalR/<...>?api-version=2023-06-01-preview'

{
  "location": "",
  "properties": {
    "upstream": {
      "templates": [
        { "urlTemplate": "https://<redacted>/runtime/webhooks/signalr?code=***" }
      ]
    },
    "publicNetworkAccess": "Enabled",
    "disableLocalAuth": false,
    "disableAadAuth": false
  }
}

If you also have a location policy on the target resource, the request will fail, and so will the command.

Related command

az signalr upstream update

Errors

Code: RequestDisallowedByPolicy
Message: Resource '' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Allowed locations","id":"/providers/Microsoft.Management/managementGroups//providers/Microsoft.Authorization/policyAssignments/"},"policyDefinition":{"name":"Allowed locations","id":"/providers/Microsoft.Authorization/policyDefinitions/"}}]'.
Target:
Additional Information:
Type: PolicyViolation
Info:

{
    "evaluationDetails": {
        "evaluatedExpressions": [
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "location",
                "path": "location",
                "expressionValue": "",
                "targetValue": [
                    "westeurope",
                    "southcentralus",
                    "southeastasia",
                    "northeurope",
                    "northcentralus",
                    "eastasia"
                ],
                "operator": "NotIn"
            },
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "location",
                "path": "location",
                "expressionValue": "",
                "targetValue": "global",
                "operator": "NotEquals"
            },
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "type",
                "path": "type",
                "expressionValue": "Microsoft.SignalRService/signalR",
                "targetValue": "Microsoft.AzureActiveDirectory/b2cDirectories",
                "operator": "NotEquals"
            }
        ]
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<redacted>",
    "policyDefinitionName": "<redacted>",
    "policyDefinitionDisplayName": "Allowed locations",
    "policyDefinitionEffect": "deny",
    "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/<redacted>/providers/Microsoft.Authorization/policyAssignments/09a<redacted>",
    "policyAssignmentName": "<redacted>",
    "policyAssignmentDisplayName": "Allowed locations",
    "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/<redacted>",
    "policyAssignmentParameters": {
        "listOfAllowedLocations": [
            "westeurope",
            "southcentralus",
            "southeastasia",
            "northeurope",
            "northcentralus",
            "eastasia"
        ]
    },
    "policyExemptionIds": []
}

Issue script & Debug output

Heavily redacted for obvious reasons, but it contains the key information:

az signalr upstream update --name <...> --resource-group <...> --template url-template="https://<...>/runtime/webhooks/signalr?code=<...>" --debug
...
az_command_data_logger: command args: signalr upstream update --name {} --resource-group {} --template {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x000002150F3D4180>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x000002150F3D4220>, <function register_cache_arguments..add_cache_arguments at 0x000002150F3D4360>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x000002151149FEC0>]
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x000002150C145E40>, <function CLIQuery.handle_query_parameter at 0x000002150C1739C0>, <function register_ids_argument..parse_ids_arguments at 0x000002150F3D42C0>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=SignalRManagementClient
...
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: <...>
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<...>/resourceGroups/<...>/providers/Microsoft.SignalRService/signalR/<...>?api-version=2023-06-01-preview'
cli.azure.cli.core.sdk.policies: Request method: 'PATCH'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '306'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '6cb48646-9275-11ee-930c-ac1a3db7fa8b'
cli.azure.cli.core.sdk.policies: 'CommandName': 'signalr upstream update'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --resource-group --template --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.54.0 (MSI) azsdk-python-mgmt-signalr/2.0.0b1 Python/3.11.5 (Windows-10-10.0.22621-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "", "properties": {"upstream": {"templates": [{"urlTemplate": "https://<...>/runtime/webhooks/signalr?code=<...>"}]}, "publicNetworkAccess": "Enabled", "disableLocalAuth": false, "disableAadAuth": false}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PATCH /subscriptions/<...>/resourceGroups/<...>/providers/Microsoft.SignalRService/signalR/<...>?api-version=2023-06-01-preview HTTP/1.1" 403 2016
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '2016'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '<...>'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '<...>'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': '<...>'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: <...> Ref B: <...> Ref C: <...>'
cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 04 Dec 2023 07:19:15 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"RequestDisallowedByPolicy","target":"<...>","message":"Resource '<...>' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Allowed locations\",\"id\":\"/providers/Microsoft.Management/managementGroups/<...>/providers/Microsoft.Authorization/policyAssignments/<...>\"},\"policyDefinition\":{\"name\":\"Allowed locations\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/<...>\"}}]'.","additionalInfo":[{"type":"PolicyViolation","info":{"evaluationDetails":{"evaluatedExpressions":[{"result":"True","expressionKind":"Field","expression":"location","path":"location","expressionValue":"","targetValue":["westeurope","southcentralus","southeastasia","northeurope","northcentralus","eastasia"],"operator":"NotIn"},{"result":"True","expressionKind":"Field","expression":"location","path":"location","expressionValue":"","targetValue":"global","operator":"NotEquals"},{"result":"True","expressionKind":"Field","expression":"type","path":"type","expressionValue":"Microsoft.SignalRService/signalR","targetValue":"Microsoft.AzureActiveDirectory/b2cDirectories","operator":"NotEquals"}]},"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/<...>","policyDefinitionName":"<...>","policyDefinitionDisplayName":"Allowed locations","policyDefinitionEffect":"deny","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/<...>/providers/Microsoft.Authorization/policyAssignments/<...>","policyAssignmentName":"<...>","policyAssignmentDisplayName":"Allowed locations","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/<...>","policyAssignmentParameters":{"listOfAllowedLocations":["westeurope","southcentralus","southeastasia","northeurope","northcentralus","eastasia"]},"policyExemptionIds":[]}}]}}
...

Expected behavior

The command should offer the user a possibility to change the default location "" to an allowed location so that the CLI can be used in conjunction with a target resource that has a location policy attached to it.

or

Internally the command should acquire the location of the target resource and attach it to the PATCH request.

or

Simply don't send the location with an update command. The target already exists and this command does not change the location.

Environment Summary

azure-cli 2.54.0

core 2.54.0
telemetry 1.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\<...>.azure\cliextensions'

Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:38:34) [MSC v.1936 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response
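Added example, not part of the original report and not azure-cli code: a Python sketch that summarizes a `RequestDisallowedByPolicy` response of the shape shown in the debug output, and applies the two client-side options listed under Expected behavior (fill `location` from the existing resource, or drop the empty key). The names `policy_denials`, `normalize_patch_body`, `SAMPLE_ERROR` and `SAMPLE_BODY` are hypothetical, and both samples are constructed.

```python
import copy
import json

# Constructed sample: trimmed to the response shape shown in the debug output.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "RequestDisallowedByPolicy",
    "additionalInfo": [{"type": "PolicyViolation", "info": {
        "evaluationDetails": {"evaluatedExpressions": [
            {"result": "True", "path": "location", "expressionValue": "",
             "targetValue": ["westeurope", "northeurope"], "operator": "NotIn"},
            {"result": "True", "path": "type", "operator": "NotEquals",
             "expressionValue": "Microsoft.SignalRService/signalR"}]},
        "policyDefinitionEffect": "deny",
        "policyAssignmentDisplayName": "Allowed locations"}}]}})

# Constructed sample: the PATCH body from the report, URL replaced by a placeholder.
SAMPLE_BODY = {"location": "", "properties": {
    "upstream": {"templates": [{"urlTemplate": "https://example.invalid/hook"}]}}}


def policy_denials(response_text):
    """Summarize each PolicyViolation: assignment, effect, matched expressions."""
    err = json.loads(response_text).get("error", {})
    if err.get("code") != "RequestDisallowedByPolicy":
        return []
    denials = []
    for item in err.get("additionalInfo", []):
        if item.get("type") != "PolicyViolation":
            continue
        info = item.get("info", {})
        exprs = info.get("evaluationDetails", {}).get("evaluatedExpressions", [])
        denials.append({
            "assignment": info.get("policyAssignmentDisplayName"),
            "effect": info.get("policyDefinitionEffect"),
            "matched": [(e.get("path"), e.get("operator"), e.get("expressionValue"))
                        for e in exprs if e.get("result") == "True"]})
    return denials


def normalize_patch_body(body, existing_location=None):
    """Fill an empty 'location' from the existing resource, or drop the key."""
    fixed = copy.deepcopy(body)
    if not fixed.get("location"):
        if existing_location:
            fixed["location"] = existing_location
        else:
            fixed.pop("location", None)
    return fixed
```

An empty `expressionValue` on the `location` path in the summary is the signature of this bug: the deny came from the request body, not from where the resource actually lives.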

yonzhan commented 9 months ago

Thank you for opening this issue, we will look into it.

NollaigShea commented 3 months ago

@yonzhan Is there any update on this? We currently have to downgrade to an older version of azure-cli to keep our production environment alive. Thanks.

microsoft-github-policy-service[bot] commented 3 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @sffamily, @chenkennt.

chenkennt commented 2 months ago

@zackliu please help take a look

zackliu commented 2 months ago

It's fixed in the latest patch, but we still need to wait for the release.