search

Azure / azure-cli

Azure Command-Line Interface
MIT License
3.91k stars 2.88k forks source link

functionapp: cannot create application insights #29244

Open williamhbell opened 1 week ago

williamhbell commented 1 week ago

Describe the bug

When an Azure function is created, the CLI attempts to create the application insights in the default resource group rather than within the resource group specified. If the user has the right to create the application insights in the specified resource group, but not in the default resource group the command fails with:

cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Running the functionapp create command with --debug:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01'
...
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01 HTTP/1.1" 403 462
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '462'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
...
cli.azure.cli.core.sdk.policies:     'Date': 'Mon, 24 Jun 2024 21:31:55 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxxxxxx@xxxxxxxxxx' with object id xxxxxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

The application insights can be manually created with

az monitor app-insights component create `
--location $location `
--app $function_name `
--kind web `
--resource-group $resource_group `
--application-type web `
--retention-time 120

The issue mentioned above is caused by the application insights not using the specified resource group.

Related command

az functionapp create --name "$function_name" `
--storage-account "$storage_account_id" `
--plan "$plan_id" `
--resource-group "$resource_group" `
--functions-version "$functions_version" `
--image "$registry_name.azurecr.io/$image_name" `
--registry-password "$password" `
--registry-username "$username"

where the App Services Plan is a B3 Linux plan and the function version is 4.

Errors

cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Running the functionapp create command with --debug:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01'
...
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01 HTTP/1.1" 403 462
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '462'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
...
cli.azure.cli.core.sdk.policies:     'Date': 'Mon, 24 Jun 2024 21:31:55 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxxxx@xxxxxxxx' with object id xxxxxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Issue script & Debug output

Command:

az functionapp create --name "$function_name" `
--storage-account "$storage_account_id" `
--plan "$plan_id" `
--resource-group "$resource_group" `
--functions-version "$functions_version" `
--image "$registry_name.azurecr.io/$image_name" `
--registry-password "$password" `
--registry-username "$username"
--debug

Error message:

cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Source of error:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01'
...
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK?api-version=2022-09-01 HTTP/1.1" 403 462
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '462'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
...
cli.azure.cli.core.sdk.policies:     'Date': 'Mon, 24 Jun 2024 21:31:55 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxxx@xxxxxx' with object id xxxxxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxxxxxxx/resourcegroups/DefaultResourceGroup-SUK' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.command_modules.appservice.custom: Error while trying to create and configure an Application Insights for the FunctionApp. Please use the Azure Portal to create and configure the Application Insights, if needed.

Expected behavior

The application insights should be created in the resource group that is specified when the function is created.

Environment Summary

azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Extensions:
application-insights               1.2.1

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Python location 'C:\Users\xxxxx\AppData\Local\Programs\Python\Python311\python.exe'
Extensions directory 'C:\Users\xxxxx\.azure\cliextensions'

Python (Windows) 3.11.7 (tags/v3.11.7:fa7a6f2, Dec  4 2023, 19:24:49) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

yonzhan commented 1 week ago

Thank you for opening this issue, we will look into it.

azure-client-tools-bot-prd[bot] commented 1 week ago
Hi @williamhbell Find similar issue https://github.com/Azure/azure-cli/issues/15176.
Issue title "az functionapp create --app-insights" doesn't link Application Insights
Create time 2020-09-16
Comment number 10

Possible solution: The issue is caused by the application insights not using the specified resource group. When an Azure function is created, the CLI attempts to create the application insights in the default resource group rather than within the resource group specified. If the user has the right to create the application insights in the specified resource group, but not in the default resource group the command fails. The solution is to manually create the application insights with the az monitor app-insights component create command.

Please confirm if this resolves your issue.

microsoft-github-policy-service[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @SameergMS, @yairgil.

microsoft-github-policy-service[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AnatoliB, @Francisco-Gamino, @shreyabatra4.

microsoft-github-policy-service[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @SameergMS, @yairgil.

microsoft-github-policy-service[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AnatoliB, @Francisco-Gamino, @shreyabatra4.

microsoft-github-policy-service[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AnatoliB, @Francisco-Gamino, @shreyabatra4.

microsoft-github-policy-service[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @SameergMS, @yairgil.