Azure / azure-powershell

Microsoft Azure PowerShell

New-AzWebAppSSLBinding blocked by Azure Policy (Public network access should be disabled for PaaS services) #23940

Open mgismaco opened 8 months ago

mgismaco commented 8 months ago

Description

Trying to use this command (New-AzWebAppSSLBinding) to upload and bind a certificate to an App Service does not work with an Azure Policy that blocks public network access from being enabled on App Services. I don't understand why this command would be trying to change the App Service to use public network access?

Issue script & Debug output

New-AzWebAppSSLBinding -webAppName $webAppName -ResourceGroupName $webAppResourceGroupName -Name $appHostname `
-CertificateFilePath $certs.PfxFullChain -CertificatePassword $pfxPassword -SslState SniEnabled

EXCEPTION: Operation returned an invalid status code 'Forbidden'

Exception :
    Type : Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponseException
    Request :
        Method : PUT
        RequestUri : https://management.azure.com/subscriptions/sub-id-here/resourceGroups/rg-name/providers/Microsoft.Web/sites/app-service-name?api-version=2021-01-15
        Content : {
            "properties": {
                "hostNameSslStates": [
                    {
                        "name": "example-url.com",
                        "sslState": "SniEnabled",
                        "thumbprint": "115D84AB3A3CAA6578CD960211F304129819D392",
                        "toUpdate": true
                    }
                ]
            },
            "location": "Region Here",
            "tags": {
                "ApplicationName": "AppName",
                "ApplicationOwner": "placeholder",
                "BusinessArea": "placeholder",
                "CostCentre": "placeholder",
                "DataClassification": "1",
                "Environment": "dev",
                "SupportTeam": "placeholder",
                "TerraformModule": "placeholder"
            }
        }
        Headers :
            x-ms-client-request-id : 876855c4-06e9-4c58-8ffc-a4516c3c7f04
            Accept-Language : REDACTED
            Authorization : …
            User-Agent : FxVersion/6.0.2423.51814 OSName/Windows OSVersion/Microsoft.Windows.10.0.14393 Microsoft.Azure.Management.WebSites.WebSiteManagementClient/3.1.2 Az.Websites/3.1.2 PSVersion/v7.2.13 AzurePowershell/v0.0.0
            CommandName : REDACTED
            ParameterSetName : REDACTED
            Content-Type : application/json; charset=utf-8
            Content-Length : 589
    Response :
        StatusCode : Forbidden
        ReasonPhrase : Forbidden
        Content : {
            "error": {
                "code": "RequestDisallowedByPolicy",
                "target": "app-service-name",
                "message": "Resource 'app-service-name' was disallowed by policy. Reasons: 'Public network access must be disabled for PaaS services.'. See error details for policy resource IDs.",
                "additionalInfo": [
                    {
                        "type": "PolicyViolation",
                        "info": {
                            "evaluationDetails": {
                                "evaluatedExpressions": [
                                    {
                                        "result": "True",
                                        "expressionKind": "Field",
                                        "expression": "type",
                                        "path": "type",
                                        "expressionValue": "Microsoft.Web/sites",
                                        "targetValue": "Microsoft.Web/sites",
                                        "operator": "Equals"
                                    },
                                    {
                                        "result": "True",
                                        "expressionKind": "Field",
                                        "expression": "Microsoft.Web/sites/publicNetworkAccess",
                                        "path": "properties.publicNetworkAccess",
                                        "targetValue": "false",
                                        "operator": "Exists"
                                    }
                                ],
                                "reason": "Public network access must be disabled for PaaS services."
                            },
                            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba",
                            "policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/org-name/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints",
                            "policyDefinitionReferenceId": "AsDenyPublicIP",
                            "policySetDefinitionName": "Deny-PublicPaaSEndpoints",
                            "policySetDefinitionDisplayName": "Public network access should be disabled for PaaS services",
                            "policyDefinitionName": "1b5ef780-c53c-4a64-87f3-bb9c8c8094ba",
                            "policyDefinitionDisplayName": "App Service apps should disable public network access",
                            "policyDefinitionEffect": "Deny",
                            "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/org-name-business-name-dev/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints",
                            "policyAssignmentName": "Deny-Public-Endpoints",
                            "policyAssignmentDisplayName": "Public network access should be disabled for PaaS services",
                            "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/org-name-business-name-dev",
                            "policyAssignmentParameters": {},
                            "policyExemptionIds": []
                        }
                    }
                ]
            }
        }
        Headers :
            Cache-Control : no-cache
            Pragma : no-cache
            x-ms-failure-cause : gateway
            x-ms-request-id : f0e66eac-671c-4f4e-888a-d8e30d8cf9f5
            x-ms-correlation-request-id : f0e66eac-671c-4f4e-888a-d8e30d8cf9f5
            x-ms-routing-request-id : REGIONHERE:20240111T115510Z:f0e66eac-671c-4f4e-888a-d8e30d8cf9f5
            Strict-Transport-Security : max-age=31536000; includeSubDomains
            X-Content-Type-Options : nosniff
            Date : Thu, 11 Jan 2024 11:55:10 GMT
            Connection : close
            Content-Type : application/json; charset=utf-8
            Expires : -1
            Content-Length : 1913
        Body : Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponse
    TargetSite :
        Name : MoveNext
        DeclaringType : Microsoft.Azure.Management.WebSites.WebAppsOperations+<BeginCreateOrUpdateWithHttpMessagesAsync>d__396, Microsoft.Azure.Management.Websites, Version=3.1.2.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
        MemberType : Method
        Module : Microsoft.Azure.Management.Websites.dll
    Message : Operation returned an invalid status code 'Forbidden'
    Source : Microsoft.Azure.Management.Websites
    HResult : -2146233088
    StackTrace :
        at Microsoft.Azure.Management.WebSites.WebAppsOperations.BeginCreateOrUpdateWithHttpMessagesAsync(String resourceGroupName, String name, Site siteEnvelope, Dictionary`2 customHeaders, CancellationToken cancellationToken)
        at Microsoft.Azure.Management.WebSites.WebAppsOperations.CreateOrUpdateWithHttpMessagesAsync(String resourceGroupName, String name, Site siteEnvelope, Dictionary`2 customHeaders, CancellationToken cancellationToken)
        at Microsoft.Azure.Management.WebSites.WebAppsOperationsExtensions.CreateOrUpdateAsync(IWebAppsOperations operations, String resourceGroupName, String name, Site siteEnvelope, CancellationToken cancellationToken)
        at Microsoft.Azure.Management.WebSites.WebAppsOperationsExtensions.CreateOrUpdate(IWebAppsOperations operations, String resourceGroupName, String name, Site siteEnvelope)
        at Microsoft.Azure.Commands.WebApps.Utilities.WebsitesClient.UpdateHostNameSslState(String resourceGroupName, String webAppName, String slotName, String location, String hostName, SslState sslState, String thumbPrint)
        at Microsoft.Azure.Commands.WebApps.Cmdlets.WebApps.NewAzureWebAppSSLBinding.ProcessRecord()
        at System.Management.Automation.Cmdlet.DoProcessRecord()
        at System.Management.Automation.CommandProcessor.ProcessRecord()
CategoryInfo : NotSpecified: (:) [New-AzWebAppSSLBinding], DefaultErrorResponseException
FullyQualifiedErrorId : Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponseException,Microsoft.Azure.Commands.WebApps.Cmdlets.WebApps.NewAzureWebAppSSLBinding
InvocationInfo :
    MyCommand : New-AzWebAppSSLBinding
    ScriptLineNumber : 63
    OffsetInLine : 1
    HistoryId : 1
    ScriptName : C:\home\site\wwwroot\cert-rotator\run.ps1
    Line : New-AzWebAppSSLBinding -webApp $webApp -Name $appHostname `
    PositionMessage : At C:\home\site\wwwroot\cert-rotator\run.ps1:63 char:1
        + New-AzWebAppSSLBinding -webApp $webApp -Name $appHostname `
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    PSScriptRoot : C:\home\site\wwwroot\cert-rotator
    PSCommandPath : C:\home\site\wwwroot\cert-rotator\run.ps1
    InvocationName : New-AzWebAppSSLBinding
    CommandOrigin : Internal
ScriptStackTrace : at <ScriptBlock>, C:\home\site\wwwroot\cert-rotator\run.ps1: line 63
PipelineIterationInfo :

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.10
PSEdition                      Core
GitCommitId                    7.3.10
OS                             Microsoft Windows 10.0.17763
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.15.0                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     3.1.2                 Az.Websites                         {Add-AzWebAppAccessRestrictionRule, Add-AzWebAppTrafficRouting, Edit-Az…

Error output

No response
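The debug output above already contains the explanation. The cmdlet's UpdateHostNameSslState path issues a full PUT (CreateOrUpdate) of a site envelope that carries only hostNameSslStates, location and tags, and the second evaluated expression of the deny is an Exists check on properties.publicNetworkAccess with targetValue "false" that returned True: the policy fires because the property is absent from the request body, not because the cmdlet asked to enable public access. The script below is an added illustration, not part of this issue and not code from the Az module, of one way to apply the binding without exempting the policy. It reads the site, refuses to continue unless publicNetworkAccess is already Disabled, and then sends a PATCH through Invoke-AzRestMethod that restates publicNetworkAccess next to hostNameSslStates, so neither "missing" nor "not Disabled" can match; it also decodes a RequestDisallowedByPolicy body so the evaluated expressions are visible if the write is still refused. Assumptions not taken from the post: the certificate is already uploaded as a Microsoft.Web/certificates resource and its thumbprint is known (the failing request already carries a thumbprint), Az.Accounts is loaded with an active context, the chosen api-version exposes publicNetworkAccess, and the parameter names and the Show-PolicyDenial helper are the example's own. That a PATCH carrying the property is accepted by this particular assignment is itself an assumption to confirm against the target management group.

```powershell
# Added example (not from the issue or the Az module). Bind an uploaded certificate to a
# custom hostname without touching network exposure, under a Deny policy on
# Microsoft.Web/sites/publicNetworkAccess. Assumes Az.Accounts + Connect-AzAccount.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WebAppName,
    [Parameter(Mandatory)] [string] $HostName,      # e.g. the custom domain being bound
    [Parameter(Mandatory)] [string] $Thumbprint     # of the already-uploaded certificate
)

# Assumption: any Microsoft.Web/sites API version that exposes properties.publicNetworkAccess.
$apiVersion = '2022-09-01'
$sitePath = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.Web/sites/${WebAppName}?api-version=$apiVersion"

# Decode an ARM RequestDisallowedByPolicy body: print each evaluated expression and flag
# "Exists -> false" hits, which mean the field was absent from the request, not set wrongly.
function Show-PolicyDenial {
    param([Parameter(Mandatory)] [string] $ErrorJson)
    $err = ($ErrorJson | ConvertFrom-Json).error
    if ($err.code -ne 'RequestDisallowedByPolicy') { return $false }
    foreach ($info in ($err.additionalInfo | Where-Object type -eq 'PolicyViolation')) {
        $i = $info.info
        Write-Host "Denied by '$($i.policyDefinitionDisplayName)' (effect $($i.policyDefinitionEffect))"
        Write-Host "  assignment: $($i.policyAssignmentId)"
        foreach ($e in $i.evaluationDetails.evaluatedExpressions) {
            $note = if ($e.operator -eq 'Exists' -and $e.targetValue -eq 'false' -and $e.result -eq 'True') {
                'field missing from request body'
            } else { '' }
            Write-Host ('  {0} {1} {2} -> {3} {4}' -f $e.path, $e.operator, $e.targetValue, $e.result, $note)
        }
    }
    return $true
}

# 1. Read the current site. A compliant binding must not change network exposure, and the
#    policy would deny a payload saying anything other than Disabled, so stop early.
$get = Invoke-AzRestMethod -Method GET -Path $sitePath
if ($get.StatusCode -ne 200) { throw "GET site failed: $($get.StatusCode) $($get.Content)" }
$site = $get.Content | ConvertFrom-Json
$pna = $site.properties.publicNetworkAccess
if ($pna -ne 'Disabled') {
    throw "Site '$WebAppName' has publicNetworkAccess='$pna'; this script does not change network exposure."
}

# 2. PATCH only what we mean to change, restating publicNetworkAccess verbatim so the
#    policy's Exists/NotEquals clauses both evaluate against an explicit value.
$payload = @{
    properties = @{
        publicNetworkAccess = $pna
        hostNameSslStates   = @(
            @{
                name       = $HostName
                sslState   = 'SniEnabled'
                thumbprint = $Thumbprint
                toUpdate   = $true
            }
        )
    }
} | ConvertTo-Json -Depth 6

$resp = Invoke-AzRestMethod -Method PATCH -Path $sitePath -Payload $payload
if ($resp.StatusCode -ge 400) {
    if (-not (Show-PolicyDenial -ErrorJson $resp.Content)) { Write-Host $resp.Content }
    throw "Binding $HostName on $WebAppName failed with HTTP $($resp.StatusCode)"
}

# 3. Verify from a fresh GET rather than trusting the PATCH response body.
$after = (Invoke-AzRestMethod -Method GET -Path $sitePath).Content | ConvertFrom-Json
$state = $after.properties.hostNameSslStates | Where-Object name -eq $HostName
if ($state.thumbprint -ne $Thumbprint -or $state.sslState -ne 'SniEnabled') {
    throw "Binding not applied as requested: $($state | ConvertTo-Json -Compress)"
}
"Bound $HostName -> $Thumbprint with publicNetworkAccess=$($after.properties.publicNetworkAccess)"
```

Run it as a script file after Connect-AzAccount, passing the subscription, resource group, app name, hostname and certificate thumbprint. The early exit in step 1 is deliberate: a rotation job that silently switched publicNetworkAccess to Enabled to get past a binding error would defeat the control the policy exists to enforce, so the script only ever restates the value it read.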

microsoft-github-policy-service[bot] commented 8 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @antcp, @AzureAppServiceCLI.
