Azure / azure-powershell

Microsoft Azure PowerShell

WebApp: Tags removing after running Powershell cmdlet Set-AzAppServicePlan while implementing Policy #15005

Closed Kotasudhakarreddy closed 2 years ago

Kotasudhakarreddy commented 3 years ago

Description

• When the PS cmdlet Set-AzAppServicePlan is run, the request body does not include the collection of existing tags.

• This leads to the existing custom initiative, which contains policies to enforce required tags (Customer and Environment) on targeted resource types that include the App Service Plan resource type, to evaluate the required tags as missing.

• Since these tags are evaluated as missing (due to them not being included in the request body), the policy creates a completely new tags property object value that only contains the required tags (Customer/Environment) and submits this new object value to the Resource provider (Microsoft.Web) as part of the request body to update the App Service Plan.

• With that being the case, the new object value for the tags property (which only includes tags required by policy) replaces the existing tags property value and once the update operation is complete, the only tags present are the required tags that were added via policy.

• We believe if the response body would include the existing tags then this issue would not occur.

Steps to reproduce

Environment data

Module versions

Debug output

Error output

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @antcp, @AzureAppServiceCLI.

Issue Details
Author: Kotasudhakarreddy
Assignees: Kotasudhakarreddy
Labels: `App Services`, `Service Attention`, `needs-triage`
Milestone: -

swapnil-kambli commented 2 years ago

Set-AzAppServicePlan removes the tags from the app service plan if no tags are passed. Also, the behavior of the command varies when used on a local PowerShell host vs. an Azure Automation Runbook.

Set-AzAppServicePlan -Name 'xxx-serviceplan' -ResourceGroupName 'xxx-rg' -Tier "Standard" -NumberofWorkers 1 -WorkerSize "medium"

Set-AzAppServicePlan : Operation returned an invalid status code 'Forbidden'

At line:11 char:1

Kotasudhakarreddy commented 2 years ago

@swapnilrkambli can you please share the -debug log with error details and also give me the version of Az.Websites module you are using.

panchagnula commented 2 years ago

@Kotasudhakarreddy we are getting more cases or reports on this, i.e. SET is not passing existing tags to the API, which is causing the tags to be removed after an update operation on the app using the command. If this was fixed, was this regressed by the latest version?

panchagnula commented 2 years ago

Re-opening to re-test & confirm, due to an increasing number of reports.

Kotasudhakarreddy commented 2 years ago

Looking into it.

Kotasudhakarreddy commented 2 years ago

@panchagnula I am unable to repro this issue with the latest version of the Az.Websites module. Please find below for your reference.

image

Kotasudhakarreddy commented 2 years ago

@swapnilrkambli can you please share the -debug log with error details and also give me the version of Az.Websites module you are using.

@swapnilrkambli please let us know the version of Az.Websites module you are using.

swapnil-kambli commented 2 years ago

PS C:\Users\techv> get-installedmodule az

Version  Name  Repository  Description
7.3.2    Az    PSGallery   Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatible with PowerShell and Windows PowerShell…

PS C:\Users\techv> get-installedmodule az.websites

Version  Name         Repository  Description
2.10.0   Az.Websites  PSGallery   Microsoft Azure PowerShell - App Service (Web Apps) service cmdlets for Azure Resource Manager in Windows PowerShell and PowerShell…

swapnil-kambli commented 2 years ago

Also using CLI to scaleup/scaledown works fine within the same environment/tags/policy. Also same behavior is noted using Portal. Something is broken/missing in powershell implementation.

swapnil-kambli commented 2 years ago

The issue was fixed with the March update. However, the issue regressed in May. We have Azure Automation runbooks using the same command 'Set-AzAppServicePlan' to scale up and scaledown App service plan over the weekend, which started failing 16-May onwards.

image

Kotasudhakarreddy commented 2 years ago

@swapnilrkambli can you please share the -debug log with me.

swapnil-kambli commented 2 years ago

@Kotasudhakarreddy Here are the debug logs:

Set-AzAppServicePlan -Name 'confdaspname-serviceplan' -ResourceGroupName 'confresourcegroupname' -Tier "PremiumV3" -NumberofWorkers 1 -WorkerSize "small" -debug

DEBUG: 12:53:04 - SetAzureAppServicePlanCmdlet begin processing with ParameterSet 'S1'.

DEBUG: 12:53:07 - using account id 'username@xxxxxxxx.onmicrosoft.com'...

DEBUG: [Common.Authentication]: Authenticating using Account: 'username@xxxxxxxx.onmicrosoft.com', environment: 'AzureCloud', tenant: 'conf-tenantid'

DEBUG: 12:53:09 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'conf-tenantid', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'username@xxxxxxxx.onmicrosoft.com'

DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] Azure region was not configured or could not be discovered. Not using a regional authority.

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09] Found 1 cache accounts and 0 broker accounts

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09] Returning 1 accounts

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] MSAL MSAL.Desktop with assembly version '4.30.1.0'. CorrelationId(69bedec0-a23b-4b94-8270-85bc856026da)

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] === AcquireTokenSilent Parameters ===

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] LoginHint provided: False

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] Account provided: True

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] ForceRefresh: False

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ]

=== Request Data ===

Authority Provided? - True

Scopes - https://management.core.windows.net//.default

Extra Query Params Keys (space separated) -

ApiId - AcquireTokenSilent

IsConfidentialClient - False

SendX5C - False

LoginHint ? False

IsBrokerConfigured - False

HomeAccountId - False

CorrelationId - 69bedec0-a23b-4b94-8270-85bc856026da

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] === Token Acquisition (SilentRequest) started:

Authority Host: login.microsoftonline.com

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] Azure region was not configured or could not be discovered. Not using a regional authority.

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] Access token is not expired. Returning the found cache entry. [Current time (05/30/2022 10:53:09) - Expiration Time (05/30/2022 11:02:25 +00:00) - Extended Expiration Time (05/30/2022 11:02:25 +00:00)]

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] Returning access token found in cache. RefreshOn exists ? False

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] Fetched access token from host login.microsoftonline.com.

DEBUG: (False) MSAL 4.30.1.0 MSAL.Desktop Windows 10 Pro [05/30/2022 10:53:09 - ] === Token Acquisition finished successfully. An access token was returned with Expiration Time: 05/30/2022 11:02:25 +00:00 and Scopes https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default

DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2022-05-30T11:02:25.0000000+00:00

DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'conf-tenantid', UserId: 'username@xxxxxxxx.onmicrosoft.com'

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:

GET

Absolute Uri:

https://management.azure.com/subscriptions/conf-subid/resourceGroups/confresourcegroupname/providers/Microsoft.Web/serverfarms/confdaspname-serviceplan?api-version=2021-01-15

Headers:

x-ms-client-request-id : 101474f4-cef1-4dcb-8acf-5b3ebbb0d07e

accept-language : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:

OK

Headers:

Pragma : no-cache

Strict-Transport-Security : max-age=31536000; includeSubDomains

x-ms-request-id : baea997b-ab9d-4960-9ada-de509de4fb83

x-ms-ratelimit-remaining-subscription-reads: 11998

x-ms-correlation-request-id : 109fd683-3b5a-46ab-8a03-8987467d1e27

x-ms-routing-request-id : EASTUS2:20220530T105309Z:109fd683-3b5a-46ab-8a03-8987467d1e27

X-Content-Type-Options : nosniff

Cache-Control : no-cache

Date : Mon, 30 May 2022 10:53:08 GMT

Server : Microsoft-IIS/10.0

X-AspNet-Version : 4.0.30319

X-Powered-By : ASP.NET

Body:

{

"id": "/subscriptions/conf-subid/resourceGroups/confresourcegroupname/providers/Microsoft.Web/serverfarms/confdaspname-serviceplan",

"name": "confdaspname-serviceplan",

"type": "Microsoft.Web/serverfarms",

"kind": "app",

"location": "East US 2",

"tags": {

"gText": "gText"

},

"properties": {

"serverFarmId": 11788,

"name": "confdaspname-serviceplan",

"workerSize": "SmallV3",

"workerSizeId": 6,

"workerTierName": null,

"numberOfWorkers": 1,

"currentWorkerSize": "SmallV3",

"currentWorkerSizeId": 6,

"currentNumberOfWorkers": 1,

"status": "Ready",

"webSpace": "confresourcegroupname-EastUS2webspace",

"subscription": "conf-subid",

"adminSiteName": null,

"hostingEnvironment": null,

"hostingEnvironmentProfile": null,

"maximumNumberOfWorkers": 30,

"planName": "VirtualDedicatedPlan",

"adminRuntimeSiteName": null,

"computeMode": "Dedicated",

"siteMode": null,

"geoRegion": "East US 2",

"perSiteScaling": false,

"elasticScaleEnabled": false,

"maximumElasticWorkerCount": 1,

"numberOfSites": 9,

"hostingEnvironmentId": null,

"isSpot": false,

"spotExpirationTime": null,

"freeOfferExpirationTime": null,

"tags": {

  "gText": "gText"

},

"kind": "app",

"resourceGroup": "confresourcegroupname",

"reserved": false,

"isXenon": false,

"hyperV": false,

"mdmId": "waws-prod-bn1-127_11788",

"targetWorkerCount": 0,

"targetWorkerSizeId": 0,

"provisioningState": "Succeeded",

"webSiteId": null,

"existingServerFarmIds": null,

"kubeEnvironmentProfile": null,

"zoneRedundant": false

},

"sku": {

"name": "P1v3",

"tier": "PremiumV3",

"size": "P1v3",

"family": "Pv3",

"capacity": 1

}

}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:

PUT

Absolute Uri:

https://management.azure.com/subscriptions/conf-subid/resourceGroups/confresourcegroupname/providers/Microsoft.Web/serverfarms/confdaspname-serviceplan?api-version=2021-01-15

Headers:

x-ms-client-request-id : 101474f4-cef1-4dcb-8acf-5b3ebbb0d07e

accept-language : en-US

Body:

{

"properties": {

"perSiteScaling": false,

"isSpot": false,

"reserved": false,

"isXenon": false,

"targetWorkerCount": 0,

"targetWorkerSizeId": 0

},

"sku": {

"name": "P1V3",

"tier": "PremiumV3",

"size": "P1V3",

"family": "P",

"capacity": 1

},

"kind": "app",

"location": "East US 2"

}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:

Forbidden

Headers:

Pragma : no-cache

x-ms-failure-cause : gateway

x-ms-request-id : 15877873-27b9-4642-b222-56199eae5b63

x-ms-correlation-request-id : 15877873-27b9-4642-b222-56199eae5b63

x-ms-routing-request-id : EASTUS2:20220530T105310Z:15877873-27b9-4642-b222-56199eae5b63

Strict-Transport-Security : max-age=31536000; includeSubDomains

X-Content-Type-Options : nosniff

Connection : close

Cache-Control : no-cache

Date : Mon, 30 May 2022 10:53:10 GMT

Body:

{

"error": {

"code": "RequestDisallowedByPolicy",

"target": "confdaspname-serviceplan",

"message": "Resource 'confdaspname-serviceplan' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Require a tag on gProjects Devops\",\"id\":\"/subscriptions/21a95f45-2ee5-4187-92dd-7f24e557582d/providers/Microsoft.Authorization/policyAssignments/81e89195746d4809ae746f7d\"},\"policyDefinition\":{\"name\":\"Require a tag on gProjects Devops\",\"id\":\"/subscriptions/conf-subid/providers/Microsoft.Authorization/policyDefinitions/56d1ff12-e4c3-445d-adee-d0078948de13\"}}]'.",

"additionalInfo": [

  {

    "type": "PolicyViolation",

    "info": {

      "policyDefinitionDisplayName": "Require a tag on gProjects Devops",

      "evaluationDetails": {

        "evaluatedExpressions": [

          {

            "result": "False",

            "expressionKind": "Field",

            "expression": "tags[eAPG]",

            "path": "tags[eAPG]",

            "targetValue": "true",

            "operator": "Exists"

          },

          {

            "result": "False",

            "expressionKind": "Field",

            "expression": "tags[gDoc]",

            "path": "tags[gDoc]",

            "targetValue": "true",

            "operator": "Exists"

          },

          {

            "result": "False",

            "expressionKind": "Field",

            "expression": "tags[gData2]",

            "path": "tags[gData2]",

            "targetValue": "true",

            "operator": "Exists"

          },

          {

            "result": "False",

            "expressionKind": "Field",

            "expression": "tags[gMeets]",

            "path": "tags[gMeets]",

            "targetValue": "true",

            "operator": "Exists"

          },

          {

            "result": "False",

            "expressionKind": "Field",

            "expression": "tags[UC]",

            "path": "tags[UC]",

            "targetValue": "true",

            "operator": "Exists"

          },

          {

            "result": "False",

            "expressionKind": "Field",

            "expression": "tags[gText]",

            "path": "tags[gText]",

            "targetValue": "true",

            "operator": "Exists"

          },

          {

            "result": "True",

            "expressionKind": "Field",

            "expression": "type",

            "path": "type",

            "expressionValue": "Microsoft.Web/serverfarms",

            "targetValue": [

              "Microsoft.Compute/virtualMachines/extensions",

              "Microsoft.Web/certificates",

              "Microsoft.OperationsManagement/solutions",

              "microsoft.insights/components",

              "microsoft.insights/scheduledqueryrules",

              "microsoft.insights/metricAlerts",

              "microsoft.insights/autoscalesettings",

              "microsoft.insights/activityLogAlerts",

              "Microsoft.Insights/dataCollectionRules",

              "microsoft.devtestlab/schedules",

              "microsoft.alertsmanagement/smartdetectoralertrules",

              "microsoft.insights/actionGroups",

              "Microsoft.Compute/restorePointCollections",

              "Microsoft.AAD/domainServices",

              "Microsoft.Automation/automationAccounts/configurations",

              "Microsoft.Network/privateDnsZones/virtualNetworkLinks",

              "Microsoft.Portal/dashboards",

              "Microsoft.Automation/automationAccounts/runbooks",

              "Microsoft.ContainerInstance/containerGroups",

              "microsoft.insights/webtests",

              "Microsoft.Web/sites/slots",

              "Microsoft.Migrate/MigrateProjects",

              "microsoft.network/networkprofiles",

              "Microsoft.Network/trafficmanagerprofiles",

              "Microsoft.SqlVirtualMachine/SqlVirtualMachines",

              "microsoft.operationalInsights/querypacks",

              "Microsoft.Network/networkInterfaces",

              "Microsoft.insights/workbooks"

            ],

            "operator": "NotIn"

          }

        ]

      },

      "policyDefinitionId": "/subscriptions/conf-subid/providers/Microsoft.Authorization/policyDefinitions/56d1ff12-e4c3-445d-adee-d0078948de13",

      "policyDefinitionName": "56d1ff12-e4c3-445d-adee-d0078948de13",

      "policyDefinitionEffect": "deny",

      "policyAssignmentId": "/subscriptions/conf-subid/providers/Microsoft.Authorization/policyAssignments/81e89195746d4809ae746f7d",

      "policyAssignmentName": "81e89195746d4809ae746f7d",

      "policyAssignmentDisplayName": "Require a tag on gProjects Devops",

      "policyAssignmentScope": "/subscriptions/conf-subid"

    }

  }

]

}

}

Set-AzAppServicePlan : Operation returned an invalid status code 'Forbidden'

At line:1 char:1

DEBUG: AzureQoSEvent: Module: Az.Websites:0.0; CommandName: Set-AzAppServicePlan; PSVersion: 5.1.25126.1000; IsSuccess: False; Duration: 00:00:15.3147307; Exception: Operation returned an invalid status code 'Forbidden';

DEBUG: Finish sending metric.

DEBUG: 12:53:22 - SetAzureAppServicePlanCmdlet end processing.
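
The failure mode this thread documents, as an added example that is not part of the thread and is not Az.Websites code: an offline model of the PUT body with and without the existing tags, checked against a required-tag rule, plus a wrapper that reads the live tags and passes them back explicitly. The function names are hypothetical, the "at least one listed tag must exist" policy semantics are an assumption drawn from the evaluated expressions in the log, and the wrapper assumes the `-Tag` parameter of Set-AzAppServicePlan is available in your module version.

```powershell
# Added example (not Az.Websites code). Sample values are constructed from the debug log above.

# Copy any tag dictionary into the Hashtable type that -Tag expects; $null -> empty.
function ConvertTo-TagHashtable {
    param($Tags)
    $copy = @{}
    if ($null -ne $Tags) { foreach ($k in $Tags.Keys) { $copy[$k] = $Tags[$k] } }
    return $copy
}

# Offline model of the PUT body: without -KeepTags it has no "tags" member, as in the log.
function New-PlanPutBody {
    param([hashtable]$Current, [hashtable]$Sku, [switch]$KeepTags)
    $body = @{ location = $Current['location']; kind = $Current['kind']; sku = $Sku }
    if ($KeepTags) { $body['tags'] = ConvertTo-TagHashtable $Current['tags'] }
    return $body
}

# Assumed policy semantics: allow the request when at least one listed tag exists.
function Test-TagPolicy {
    param([hashtable]$Body, [string[]]$AnyOfTags)
    $tags = ConvertTo-TagHashtable $Body['tags']
    foreach ($name in $AnyOfTags) { if ($tags.ContainsKey($name)) { return $true } }
    return $false
}

# Workaround wrapper: read the live tags and hand them back explicitly.
# Needs Az.Websites and a signed-in session; assumes -Tag exists in your module version.
function Set-PlanKeepingTags {
    param([string]$ResourceGroupName, [string]$Name, [string]$Tier,
          [string]$WorkerSize, [int]$NumberOfWorkers)
    $plan = Get-AzAppServicePlan -ResourceGroupName $ResourceGroupName -Name $Name
    $tags = ConvertTo-TagHashtable $plan.Tags
    Set-AzAppServicePlan -ResourceGroupName $ResourceGroupName -Name $Name -Tier $Tier `
        -WorkerSize $WorkerSize -NumberofWorkers $NumberOfWorkers -Tag $tags
}

# Constructed sample mirroring the GET response and the policy's evaluated tag names.
$current = @{ location = 'East US 2'; kind = 'app'; tags = @{ gText = 'gText' } }
$sku     = @{ name = 'P1V3'; tier = 'PremiumV3'; capacity = 1 }
$anyOf   = 'eAPG', 'gDoc', 'gData2', 'gMeets', 'UC', 'gText'

$asLogged = Test-TagPolicy (New-PlanPutBody $current $sku) $anyOf
$withTags = Test-TagPolicy (New-PlanPutBody $current $sku -KeepTags) $anyOf
"PUT without tags allowed: $asLogged"
"PUT with tags allowed:    $withTags"
```

Only `Set-PlanKeepingTags` touches Azure; the rest runs offline. After a real update, re-reading the plan with Get-AzAppServicePlan and comparing its tags against the saved copy confirms nothing was dropped.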