Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[BUG] Azure.ResourceManager.ResourceGraph 1.0.1 isn't querying correct tenant #45163

Closed AtOMiCNebula closed 1 week ago

AtOMiCNebula commented 1 month ago

Library name and version

Azure.ResourceManager.ResourceGraph 1.0.1

Describe the bug

My user account has access to multiple tenants, and the ResourceGraph SDK doesn't appear to be running queries on the correct tenant. I wrote the code when I only had access to a single tenant, but after gaining a second, running it as myself is double-reporting all resource results. Here's a minimal code snippet that tries to query for a list of key vaults in a tenant:

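using System.Text.Json.Nodes;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.ResourceGraph;
using Azure.ResourceManager.ResourceGraph.Models;
using Azure.ResourceManager.Resources;

// Repro: one ArmClient, built from one credential, is reused for every tenant in the list.
DefaultAzureCredential credential = new DefaultAzureCredential();
ArmClient client = new ArmClient(credential);
TenantCollection tenants = client.GetTenants();
await foreach (TenantResource tenant in tenants)
{
    Console.WriteLine($"Tenant {tenant.Data.TenantId}:");
    // Resource Graph (KQL) query listing the key vaults, sorted by name.
    ResourceQueryContent query = new(@"
Resources
| where type =~ 'Microsoft.KeyVault/vaults'
| order by name asc
");
    ResourceQueryResult result = await tenant.GetResourcesAsync(query);
    IList<JsonObject> vaults = result.Data.ToObjectFromJson<IList<JsonObject>>();
    Console.WriteLine($"\tFound {vaults.Count} vaults");
}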

When run, it returns the same number of vaults for both tenants, which is incorrect. Running the same query through the Azure Portal gives the expected results, so this appears to be an SDK issue, and not a service issue. This behavior is shown on both the latest stable SDK release (1.0.1), as well as latest prerelease (1.1.0-beta.2).

In case it matters, I'm a MSFT employee and you can reach out to me on Teams if you'd like. :smile:

Expected behavior

Tenant 39785c08-81c9-4b99-86e4-a1120510311c:
        Found 109 vaults
Tenant 1fb3bcca-5e87-41f8-beee-7940e47208f0:
        Found 0 vaults

(Tenant GUIDs altered, but that's not material to the log)

Actual behavior

Tenant 39785c08-81c9-4b99-86e4-a1120510311c:
        Found 109 vaults
Tenant 1fb3bcca-5e87-41f8-beee-7940e47208f0:
        Found 109 vaults

(Tenant GUIDs altered, but that's not material to the log)

Reproduction Steps

Run above code snippet, with DefaultAzureCredential selecting a user identity that has access to multiple Azure tenants.

Environment

.NET 8, Visual Studio 2022 17.10.4, latest stable Azure SDKs

github-actions[bot] commented 1 month ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

AtOMiCNebula commented 1 month ago

Bot got the assignment wrong, please link this to Resource Graph and not Key Vault. ☹️

HarveyLink commented 1 week ago

Hi @AtOMiCNebula, the list of tenants returned is only meant for viewing; we cannot actually operate on those tenants. This is by design. We can only operate on one single tenant in one ArmClient. If you need to operate on another tenant, you may have to create a different ArmClient with that tenant ID.
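
The one-ArmClient-per-tenant approach described in the reply above, as an added example (not code from the issue or from the SDK team). It assumes that setting `DefaultAzureCredentialOptions.TenantId` is how a client gets bound to a tenant, and that the signed-in identity can obtain a token for each tenant it lists.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json.Nodes;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.ResourceGraph;
using Azure.ResourceManager.ResourceGraph.Models;
using Azure.ResourceManager.Resources;

// Discovery client: used only to read the tenant IDs visible to this identity.
ArmClient discovery = new ArmClient(new DefaultAzureCredential());
List<Guid> tenantIds = new();
await foreach (TenantResource t in discovery.GetTenants())
{
    if (t.Data.TenantId is Guid id) tenantIds.Add(id);
}

foreach (Guid tenantId in tenantIds)
{
    // Assumption: a credential pinned to the tenant yields tenant-scoped tokens,
    // so every call made through this ArmClient runs against that tenant only.
    var options = new DefaultAzureCredentialOptions { TenantId = tenantId.ToString() };
    ArmClient client = new ArmClient(new DefaultAzureCredential(options));
    try
    {
        // Take the matching tenant entry from this client's own list.
        TenantResource? tenant = null;
        await foreach (TenantResource t in client.GetTenants())
        {
            if (t.Data.TenantId == tenantId) { tenant = t; break; }
        }
        if (tenant is null) { Console.WriteLine($"Tenant {tenantId}: not listed"); continue; }

        ResourceQueryContent query = new(
            "Resources | where type =~ 'Microsoft.KeyVault/vaults' | order by name asc");
        ResourceQueryResult result = await tenant.GetResourcesAsync(query);
        IList<JsonObject> vaults = result.Data.ToObjectFromJson<IList<JsonObject>>();
        Console.WriteLine($"Tenant {tenantId}:\n\tFound {vaults.Count} vaults");
    }
    catch (AuthenticationFailedException ex)
    {
        // No token for this tenant (for example, sign-in or MFA not completed there):
        // report it instead of silently reusing another tenant's results.
        Console.WriteLine($"Tenant {tenantId}: no token ({ex.Message})");
    }
}
```

Reporting the authentication failure per tenant keeps an inventory or audit run from presenting one tenant's resources under another tenant's ID.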