Azure / azure-cli

Azure Command-Line Interface
MIT License

az webapp config access-restriction set Service Tags validation "{"value":[],"nextLink":""}" response #29041

Closed r300mrg closed 4 months ago

r300mrg commented 4 months ago

### Describe the bug

When using the Azure CLI command `az webapp config access-restriction add` or `az functionapp config access-restriction add` to add a Service Tag for a function app network exception via a YAML DevOps pipeline deployment, the Service Tag API check validation fails with a response `{"value":[],"nextLink":""}` and the Service Tag network exception rule is not created/updated.

Using the REST API for Service Tags via Postman with this URL: `https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Network/locations/westus2/serviceTags?api-version=2022-01-01` (documented at https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?view=rest-virtualnetwork-2023-09-01&tabs=HTTP) returns a 200 OK status with this same body response:

```json
{
    "value": [],
    "nextLink": ""
}
```

### Related command

```shell
az webapp config access-restriction add \
  --subscription "$SUBSCRIPTION_ID" \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FUNCTION_APP" \
  --rule-name "ActionGroup_ServiceTag" \
  --priority "100" \
  --action "Allow" \
  --service-tag ActionGroup \
  --scm-site "false" \
  --debug
```

or

```shell
az functionapp config access-restriction add \
  --subscription "$SUBSCRIPTION_ID" \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FUNCTION_APP" \
  --rule-name "ActionGroup_ServiceTag" \
  --priority "100" \
  --action "Allow" \
  --service-tag ActionGroup \
  --scm-site "false" \
  --debug
```

### Errors

```
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"value":[],"nextLink":""}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/knack/invocation.py", line 113, in _validation
    self._validate_arg_level(parsed_ns)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 898, in _validate_arg_level
    validator(**self._build_kwargs(validator, ns))
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/appservice/_validators.py", line 331, in validate_service_tag
    _validate_service_tag_format(cmd, namespace)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/appservice/_validators.py", line 356, in _validate_service_tag_format
    for tag_full_list in service_tag_full_list["values"]:
KeyError: 'values'

ERROR: cli.azure.cli.core.azclierror: 'values'
ERROR: az_command_data_logger: 'values'
```

### Issue script & Debug output

```
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Network/locations/westus2/serviceTags?api-version=2022-01-01'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'GET'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '1a81f301-1cdb-11ef-82e5-c74e87252af6'
DEBUG: cli.azure.cli.core.sdk.policies:     'CommandName': 'webapp config access-restriction add'
DEBUG: cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--subscription --resource-group --name --rule-name --priority --action --service-tag --scm-site --debug'
DEBUG: cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.61.0 (DEB) azsdk-python-core/1.28.0 Python/3.11.8 (Linux-6.5.0-1021-azure-x86_64-with-glibc2.35) VSTS_1a46aa10-9efa-4aeb-9ec6-fdc0fe56a7d1_build_197_0'
DEBUG: cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: This request has no body
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Network/locations/westus2/serviceTags?api-version=2022-01-01 HTTP/1.1" 200 26
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 200
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '26'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies:     'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '83ce7ae5-9ef3-4317-8945-df051da6b72d'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '83ce7ae5-9ef3-4317-8945-df051da6b72d'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'EASTUS:20240528T101451Z:83ce7ae5-9ef3-4317-8945-df051da6b72d'
DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
DEBUG: cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: E1031B64B2B2473C973737D381563B3D Ref B: BN1AA2051014047 Ref C: 2024-05-28T10:14:50Z'
DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 28 May 2024 10:14:50 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"value":[],"nextLink":""}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/knack/invocation.py", line 113, in _validation
    self._validate_arg_level(parsed_ns)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 898, in _validate_arg_level
    validator(**self._build_kwargs(validator, ns))
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/appservice/_validators.py", line 331, in validate_service_tag
    _validate_service_tag_format(cmd, namespace)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/appservice/_validators.py", line 356, in _validate_service_tag_format
    for tag_full_list in service_tag_full_list["values"]:
                         ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
KeyError: 'values'

ERROR: cli.azure.cli.core.azclierror: 'values'
ERROR: az_command_data_logger: 'values'
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f25265a5120>]
INFO: az_command_data_logger: exit code: 2
```

### Expected behavior

Service Tag is validated through the API as a valid Service Tag and the Service Tag network rule is added to the webapp and/or functionapp.

### Environment Summary

azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Extensions:
azure-devops                       1.0.1

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Python location '/opt/az/bin/python3'
Extensions directory '/opt/az/azcliextensions'

Python (Linux) 3.11.8 (main, May 16 2024, 03:47:28) [GCC 11.4.0]

### Additional context

The API output response `{"value":[],"nextLink":""}` indicates that the API results are too large to respond in one response and the response is therefore throttled.

As described in this article: https://learn.microsoft.com/en-us/rest/api/azure/#async-operations-throttling-and-paging

Shouldn't the Service Tag validation only validate the Service Tag being added and not all available Service Tags?  This may mitigate the validation issue.
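
The validator in the traceback above indexes `service_tag_full_list["values"]` directly, so a 200 OK body shaped `{"value":[],"nextLink":""}` turns into a `KeyError` instead of a readable message. The block below is an added example (not azure-cli's `_validate_service_tag_format`, and not code from this issue) of how a practitioner would do the same check defensively: read whichever key is present, follow `nextLink` paging, distinguish "list unavailable" from "tag not in list", and expose an explicit skip. All responses are constructed inline; the `fetch` callable is injected so nothing talks to `management.azure.com`.

```python
"""Defensive validation of a service-tag name against the serviceTags list shape.

Added example, not the Azure CLI's own validator. The JSON bodies below are
constructed to mirror the shapes discussed in the issue, not captured from Azure.
"""
import json
from typing import Callable

# Constructed: what a caller with list permission would get (tags under "values").
FULL_RESPONSE = json.dumps({
    "values": [
        {"name": "ActionGroup", "id": "ActionGroup", "properties": {"region": ""}},
        {"name": "AzureCloud.westus2", "id": "AzureCloud.westus2",
         "properties": {"region": "westus2"}},
    ],
    "nextLink": "",
})

# Constructed: the body reported in this issue (200 OK, no "values" key at all).
EMPTY_RESPONSE = '{"value":[],"nextLink":""}'

# Constructed: a two-page listing keyed by URL, to exercise nextLink following.
PAGED_RESPONSES = {
    "page1": json.dumps({"values": [{"name": "ActionGroup"}], "nextLink": "page2"}),
    "page2": json.dumps({"values": [{"name": "AzureMonitor"}], "nextLink": ""}),
}


class ServiceTagListUnavailable(Exception):
    """The API answered, but with no tags, so no name can be validated."""


def parse_service_tags(body: str) -> list[str]:
    """Return tag names from one serviceTags page, tolerating both "values"
    (the documented key) and "value" (the key seen in this issue)."""
    data = json.loads(body)
    entries = data.get("values")
    if entries is None:
        entries = data.get("value", [])
    names = []
    for entry in entries:
        if isinstance(entry, dict):
            name = entry.get("name") or entry.get("id")
            if name:
                names.append(name)
    return names


def fetch_all_tags(fetch: Callable[[str], str], first_url: str) -> list[str]:
    """Follow nextLink until it is empty. `fetch(url) -> body` is injected
    (in real use an authenticated GET); the seen-set guards against a
    server that echoes the same link forever."""
    names: list[str] = []
    url, seen = first_url, set()
    while url and url not in seen:
        seen.add(url)
        body = fetch(url)
        names.extend(parse_service_tags(body))
        url = json.loads(body).get("nextLink") or ""
    return names


def validate_service_tag(requested: str, known_names: list[str],
                         skip_validation: bool = False) -> str:
    """Check a comma-separated --service-tag value against the fetched list.

    Returns "valid" or "skipped". Raises ServiceTagListUnavailable when the
    list is empty (the failure mode in this issue) unless skipping is allowed,
    and ValueError when a named tag is genuinely absent from a non-empty list.
    """
    wanted = [t.strip() for t in requested.split(",") if t.strip()]
    if not wanted:
        raise ValueError("no service tag given")
    known = {n.lower() for n in known_names}
    if not known:
        if skip_validation:
            return "skipped"
        raise ServiceTagListUnavailable(
            "serviceTags returned no entries; the caller most likely cannot "
            "list service tags at subscription scope, so the name was not checked"
        )
    unknown = [t for t in wanted if t.lower() not in known]
    if unknown:
        raise ValueError("unknown service tag(s): " + ", ".join(unknown))
    return "valid"
```

The key design point is that an empty list is an authorisation or API-shape problem, not proof that `ActionGroup` does not exist, so the two cases get different exceptions; a `--skip-validation`-style escape hatch (hypothetical here) should only ever bypass the first.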

yonzhan commented 4 months ago

Thank you for opening this issue, we will look into it.

microsoft-github-policy-service[bot] commented 4 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AnatoliB, @Francisco-Gamino, @shreyabatra4.

microsoft-github-policy-service[bot] commented 4 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

madsd commented 4 months ago

@r300mrg most likely it is because you do not have read permissions at the subscription level which is required to get the list of service tags. Can you verify that?

If so, I'll see if we can make a change to allow you to skip the validation in the future.

r300mrg commented 4 months ago

> @r300mrg most likely it is because you do not have read permissions at the subscription level which is required to get the list of service tags. Can you verify that?
>
> If so, I'll see if we can make a change to allow you to skip the validation in the future.

I will double check with my access team and confirm back.

Are you able to confirm where and what access should be granted for this to work? Thank you for the quick response.

madsd commented 4 months ago

Should be subscription/read.

It used to be that when you did not have access, it would return null and we fixed this recently. I have not seen it return an empty "value" before and cannot repro that. Could be a change from the networking team responsible for the Service tag API

r300mrg commented 4 months ago

@madsd apologies for the delay in replying. I had to engage my Access Control team and review etc.

I've been able to get the Azure CLI Service Tag command to successfully work after creating a custom role at subscription level and then assigning the custom role to the Service Principal account that was running the DevOps Pipeline deployment.

FYI - access for custom role which was successful. [image]

Thank you for your help with this.
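
The screenshot of the working custom role is not reproduced on this page. As an added example, not the role from that screenshot, the definition below grants only what the validator's GET needs. It assumes the required action is `Microsoft.Network/locations/serviceTags/read` (the action documented for the Service Tag Discovery API; confirm it against the role you actually created) and uses `<SUBSCRIPTION_ID>` as a placeholder.

```json
{
  "Name": "Service Tag Reader (example)",
  "IsCustom": true,
  "Description": "Lets a deployment identity list service tags so az webapp/functionapp config access-restriction add --service-tag can validate the tag name.",
  "Actions": [
    "Microsoft.Network/locations/serviceTags/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
```

Create it with `az role definition create --role-definition role.json`, assign it to the pipeline's service principal with `az role assignment create --assignee <APP_ID> --role "Service Tag Reader (example)" --scope /subscriptions/<SUBSCRIPTION_ID>`, and confirm before re-running the pipeline by issuing the same GET the CLI makes (`az rest --method get --url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Network/locations/westus2/serviceTags?api-version=2022-01-01"`) as that identity: a non-empty `values` array means the validation will pass, while the `{"value":[],"nextLink":""}` body from the report means the assignment has not taken effect or is scoped too narrowly.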

madsd commented 4 months ago

Ah, Service Tag team added specific permissions for this - that's new to me. Thanks for the update.

I also added a PR allowing you to skip validation if you do not have the right permissions.