Closed r300mrg closed 4 months ago
Thank you for opening this issue, we will look into it.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AnatoliB, @Francisco-Gamino, @shreyabatra4.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.
@r300mrg most likely it is because you do not have read permissions at the subscription level which is required to get the list of service tags. Can you verify that?
If so, I'll see if we can make a change to allow you to skip the validation in the future.
I will double check with my access team and confirm back.
Are you able to confirm where and what access should be granted for this to work? Thank you for the quick response.
Should be subscription/read.
It used to be that when you did not have access, it would return null and we fixed this recently. I have not seen it return an empty "value" before and cannot repro that. Could be a change from the networking team responsible for the Service tag API.
@madsd apologies for the delay in replying. I had to engage my Access Control team and review etc.
I've been able to get the Azure CLI Service Tag command to successfully work after creating a custom role at subscription level and then assigning the custom role to the Service Principal account that was running the DevOps Pipeline deployment.
FYI - access for custom role which was successful.
Thank you for your help with this.
Ah, Service Tag team added specific permissions for this - that's new to me. Thanks for the update.
I also added a PR allowing you to skip validation if you do not have the right permissions.
Describe the bug
When using Azure CLI command
az webapp config access-restriction add
or
az functionapp config access-restriction add
to add a Service Tag for a function app network exception via a YAML DevOps pipeline deployment. The Service Tag API check validation fails with a response
{"value":[],"nextLink":""}
and the Service Tag Network exception rule is not created/updated. Using the REST API for Service Tags via Postman with this URL:
https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Network/locations/westus2/serviceTags?api-version=2022-01-01
e.g. https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?view=rest-virtualnetwork-2023-09-01&tabs=HTTP
returns 200 OK status with this same body response:
Related command
az webapp config access-restriction add \
  --subscription "$SUBSCRIPTION_ID" \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FUNCTION_APP" \
  --rule-name "ActionGroup_ServiceTag" \
  --priority "100" \
  --action "Allow" \
  --service-tag ActionGroup \
  --scm-site "false" \
  --debug
or
az functionapp config access-restriction add \
  --subscription "$SUBSCRIPTION_ID" \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FUNCTION_APP" \
  --rule-name "ActionGroup_ServiceTag" \
  --priority "100" \
  --action "Allow" \
  --service-tag ActionGroup \
  --scm-site "false" \
  --debug
Errors
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"value":[],"nextLink":""}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/knack/invocation.py", line 113, in _validation
    self._validate_arg_level(parsed_ns)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 898, in _validate_arg_level
    validator(**self._build_kwargs(validator, ns))
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/appservice/_validators.py", line 331, in validate_service_tag
    _validate_service_tag_format(cmd, namespace)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/appservice/_validators.py", line 356, in _validate_service_tag_format
    for tag_full_list in service_tag_full_list["values"]:
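The thread above describes a Service Tags list call that returns 200 OK with an empty body shape when the pipeline identity lacks the needed read permission. The following is an added example, not code from the Azure CLI or from anyone in this thread, of a pipeline pre-check that tells that case apart from a misspelled tag before the access-restriction rule is attempted. The function name `check_service_tag`, the status strings, the `name` field on each entry and the populated sample body are assumptions made for illustration; only the `"values"` key and the empty body come from the page.

```python
import json

# Body reported in the issue: 200 OK, but no usable tag data.
EMPTY_BODY = '{"value":[],"nextLink":""}'

# Constructed sample of a populated response (trimmed; entry shape assumed).
POPULATED_BODY = json.dumps({
    "values": [
        {"name": "ActionGroup", "properties": {"addressPrefixes": ["192.0.2.0/24"]}},
        {"name": "AzureCloud", "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
    ],
    "nextLink": "",
})


def check_service_tag(body, tag):
    """Classify a Service Tags list response for one requested tag.

    Returns "ok" if the tag is listed, "unknown_tag" if the list is populated
    but does not contain it, and "no_data" if the body carries no tag list at
    all (null, unparsable, missing "values", or empty). "no_data" is the case
    to treat as a permissions problem rather than a bad tag name.
    """
    try:
        doc = json.loads(body) if isinstance(body, str) else body
    except json.JSONDecodeError:
        return "no_data"
    if not isinstance(doc, dict):
        return "no_data"
    entries = doc.get("values")
    if not isinstance(entries, list) or not entries:
        return "no_data"
    names = {e.get("name") for e in entries if isinstance(e, dict)}
    return "ok" if tag in names else "unknown_tag"


if __name__ == "__main__":
    for label, body in (("empty", EMPTY_BODY), ("populated", POPULATED_BODY)):
        print(label, check_service_tag(body, "ActionGroup"))
```

A pipeline step can fail fast on "no_data" with a message pointing at the role assignment, instead of surfacing a traceback from the tag validator.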