JulianHayward / Azure-MG-Sub-Governance-Reporting

Azure Governance Visualizer aka AzGovViz is a PowerShell script that captures Azure Governance related information such as Azure Policy, RBAC (a lot more) by polling Azure ARM, Storage and Microsoft Graph APIs.
MIT License

Publishing to Static Web App is not working #166

Closed reza8iucs closed 1 year ago

reza8iucs commented 1 year ago

I am getting the following error in Publish HTML to Web App stage. I am pretty sure the web app exists in the right subscription and I can see the correct Az context is being set in the job's output screen:

[AzAPICallErrorHandler] AzAPICall - Check if WebApp (stapp-xyz-prod-001) has Authentication enabled try #1; return: (StatusCode: '404' (NotFound)) <.code: ''> <.error.code: 'ResourceNotFound'> | <.message: ''> <.error.message: 'The Resource 'Microsoft.Web/sites/stapp-xyz-prod-001' under resource group 'rg-governance-prod-001' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix'>  - unhandledErrorAction: Stop
Exception: 
Line |
 836 |              Throw 'Error - check the last console output for details'
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error - check the last console output for details
Error: Error: The process '/usr/bin/pwsh' failed with exit code 1

Earlier in the execution I can see the following error in RunGovViz which I think is telling me that the workflow was not able to obtain an access token. Could that be the reason it cannot find the Static Web App? My static web app is wide open and has no authentication enabled.

Dumping 4 Errors (handled by AzGovViz):
Invoke-WebRequest: /home/runner/.local/share/powershell/Modules/AzAPICall/1.1.68/functions/AzAPICallFunctions.ps1:241
Line |
 241 |  … PIRequest = Invoke-WebRequest -Uri $uri -Method $method -Headers $Hea …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | {"error":{"code":"InvalidAuthenticationTokenTenant","message":"The
     | access token is from the wrong issuer
     | 'https://sts.windows.net/***/'. It must
     | match the tenant
     | 'https://sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/'
     | associated with this subscription. Please use the authority (URL)
     | 'https://login.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d' to get
     | the token. Note, if the subscription is transferred to another tenant
     | there is no impact to the services, but information about new tenant
     | could take time to propagate (up to an hour). If you just transferred
     | your subscription and see this error message, please try back later."}}

Invoke-WebRequest: /home/runner/.local/share/powershell/Modules/AzAPICall/1.1.68/functions/AzAPICallFunctions.ps1:241
Line |
 241 |  … PIRequest = Invoke-WebRequest -Uri $uri -Method $method -Headers $Hea …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | {"error":{"code":"InvalidAuthenticationTokenTenant","message":"The
     | access token is from the wrong issuer
     | 'https://sts.windows.net/***/'. It must
     | match the tenant
     | 'https://sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/'
     | associated with this subscription. Please use the authority (URL)
     | 'https://login.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d' to get
     | the token. Note, if the subscription is transferred to another tenant
     | there is no impact to the services, but information about new tenant
     | could take time to propagate (up to an hour). If you just transferred
     | your subscription and see this error message, please try back later."}}

Exception: /home/runner/work/AzGovViz/AzGovViz/pwsh/AzGovVizParallel.ps1:28355
 Line |
28355 |  …             throw "  $($module.ModuleName) - Deviating module version …
      |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |   AzAPICall - Deviating module version 

Get-Package: No match was found for the specified search criteria and module names
'AzAPICall'.

JulianHayward commented 1 year ago

seems you have deployed a static web app, whilst the pipeline is designed for a web app. Please check the setup guide. FYI: the errors from the 'Run AzGovViz' step are just dumps (handled by the script)

reza8iucs commented 1 year ago

Thanks @JulianHayward . You are correct! I made a mistake!

Changed it to the Web App and was able to deploy. I would make it clearer that this won't work with a Static Web App, especially these days that Static Web App is being presented as a "valid SKU" when you are creating your Web App (I know it's for marketing, but still :))

A few more feedbacks for your consideration:

1) It would be great to clarify Management Group ID and Tenant ID in the guide (e.g. the same if you want the tool to analyze from the root, could be different otherwise?)
2) Subscription ID. What subscription ID should be specified? Where the Web App is deployed, or the scope where the tool should start the analysis? I know you have WebAppSubscriptionId in the YAML, but I was a bit confused what to use at the beginning.
3) I'd also clarify that if you don't have authentication enabled on the web app, the tool highly encourages you to enable it before publishing the HTMLs. This is an important behavior (and guideline) which is not very front and visible in the guide.
4) Specify which HTML file needs to go in the default document section of the web app. There are a few in the generated content and I was not sure which one to use. I finally ended up using the one in the root of the Wiki library.
5) Add recommendations that, in addition to authentication, you encourage people to enable private networking (and think about making the pipeline still able to publish to the web app).
6) In the guide, you show Linux as the platform chosen for the deployment of the web app, but it seems you deployed it using the Windows platform. That is because later on you show how to change the default document of the app under Configuration, which is not visible in a Linux-based web app. Got me scratching my head for a few minutes :)
7) Specify the name of the "wiki" library as the location where the HTML content is being published, not the Wiki of the GitHub repository. Reading the guide I thought it would go there.
8) Provide some guidance to advanced users who want to use Git to understand the changes to the output your tool generates by diffing the artefacts. Would you even recommend this as an auditing/notification mechanism?

Thanks for this awesome tool @JulianHayward...I am loving it!

JulianHayward commented 1 year ago

thanks for the valuable feedback @reza8iucs

  Changed it to the Web App and was able to deploy. I would make it clearer that this won't work with a Static Web App, especially these days that Static Web App is being presented as a "valid SKU" when you are creating your Web App (I know it's for marketing, but still :))

valid, please feel free to update the setup guide / contribute with PR

  A few more feedbacks for your consideration:

  1. It would be great to clarify on Management Group ID and Tenant ID in the guide (e.g. same if you want the tool to analyze from the root, could be different otherwise? )

well, the root management group by default comes with the same id as the tenant id, not exactly sure what to update and where

  2. Subscription ID. What subscription ID should be specified? Where the Web App is deployed, or the scope where the tool should start the analysis? I know you have WebAppSubscriptionId in the YAML, but I was a bit confused what to use at the beginning.

there are two parameters that are relevant to subIds

  1. -SubscriptionId4AzContext you can use this to ensure that the context is established against that sub
  2. -WebAppSubscriptionId that is the subId where your webApp is deployed

  3. I'd also clarify that if you don't have authentication enabled on the web app, the tool highly encourages you to enable it before publishing the HTMLs. This is an important behavior (and guideline) which is not very front and visible in the guide.

well, yes - assuming that enabling authentication is a no-question, but in case authentication is not enabled the pipeline will refuse to publish the html files and provides reasoning..

  4. Specify which HTML file needs to go in the default document section of the web app. There are a few in the generated content and I was not sure which one to use. I finally ended up using the one in the root of the Wiki library.

the pipeline should handle that for you.. ?!

  5. Add recommendations that, in addition to authentication, you encourage people to enable private networking (and think about making the pipeline still able to publish to the web app).

good one.. have not tried publishing against private networking enabled webApp, yet

  6. In the guide, you show Linux as the platform chosen for the deployment of the web app, but it seems you deployed it using the Windows platform. That is because later on you show how to change the default document of the app under Configuration, which is not visible in a Linux-based web app. Got me scratching my head for a few minutes :)

ok

  7. Specify the name of the "wiki" library as the location where the HTML content is being published, not the Wiki of the GitHub repository. Reading the guide I thought it would go there.

ok

  8. Provide some guidance to advanced users who want to use Git to understand the changes to the output your tool generates by diffing the artefacts. Would you even recommend this as an auditing/notification mechanism?

Seeing all sorts of solutions here, some create alerts for certain files changing, other ingest everything to LA and create alerts..

please feel free to contribute with PR, appreciated :)
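The three things that went wrong or were discussed in this thread (a token issued by the wrong tenant, a Static Web App where the pipeline expects an App Service Web App, and the pipeline's refusal to publish unless App Service Authentication is on) can all be checked before the publish stage runs. The following is an added example written for this thread, not code from AzGovViz or its pipeline: it uses the Az.Accounts and Az.Resources cmdlets `Set-AzContext`, `Get-AzAccessToken`, `Get-AzResource` and `Invoke-AzRestMethod`, assumes PowerShell 7 and a prior `Connect-AzAccount` (the `azure/login` step in the workflow), and reads the auth configuration through the `config/authsettingsV2/list` ARM endpoint. The function name and its parameter names are my own; `-WebAppSubscriptionId` carries the same meaning as the pipeline parameter of that name.

```powershell
# Added example (not part of AzGovViz): pre-flight check for the "Publish HTML to Web App" stage.
# Requires PowerShell 7, Az.Accounts and Az.Resources, and an existing Az login.
# Function and parameter names are assumptions made for this example.
function Test-PublishTarget {
    param(
        [Parameter(Mandatory)] [string] $WebAppSubscriptionId,  # subscription hosting the Web App (pipeline: WebAppSubscriptionId)
        [Parameter(Mandatory)] [string] $WebAppResourceGroup,
        [Parameter(Mandatory)] [string] $WebAppName
    )

    # 1. Establish the context against the subscription hosting the Web App, then compare the
    #    tenant claim of the ARM access token with the subscription's tenant. A mismatch is what
    #    ARM reports as InvalidAuthenticationTokenTenant ("access token is from the wrong issuer").
    $ctx = Set-AzContext -Subscription $WebAppSubscriptionId -ErrorAction Stop
    $raw = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
    if ($raw -is [securestring]) {                       # newer Az.Accounts versions return a SecureString
        $raw = ConvertFrom-SecureString -SecureString $raw -AsPlainText
    }
    $payload = $raw.Split('.')[1].Replace('-', '+').Replace('_', '/')   # JWT payload: base64url -> base64
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    if ($claims.tid -ne $ctx.Subscription.TenantId) {
        throw "Token issued by tenant '$($claims.tid)' (iss: $($claims.iss)), but subscription '$WebAppSubscriptionId' belongs to tenant '$($ctx.Subscription.TenantId)'. Re-run the login against that tenant."
    }

    # 2. The target must be an App Service Web App (Microsoft.Web/sites). A Static Web App is a
    #    different resource type (Microsoft.Web/staticSites), which is why ARM answered
    #    404 ResourceNotFound for Microsoft.Web/sites/<name> in this issue.
    $site = Get-AzResource -ResourceGroupName $WebAppResourceGroup -Name $WebAppName -ResourceType 'Microsoft.Web/sites' -ErrorAction SilentlyContinue
    if (-not $site) {
        $static = Get-AzResource -ResourceGroupName $WebAppResourceGroup -Name $WebAppName -ResourceType 'Microsoft.Web/staticSites' -ErrorAction SilentlyContinue
        if ($static) {
            throw "'$WebAppName' is a Static Web App (Microsoft.Web/staticSites); the publish stage needs an App Service Web App (Microsoft.Web/sites)."
        }
        throw "No Web App '$WebAppName' in resource group '$WebAppResourceGroup' of subscription '$WebAppSubscriptionId'."
    }

    # 3. App Service Authentication must be enabled and must not admit anonymous callers:
    #    the generated HTML lists tenant-wide RBAC and Policy details.
    $resp = Invoke-AzRestMethod -Path "$($site.ResourceId)/config/authsettingsV2/list?api-version=2022-03-01" -Method GET
    if ($resp.StatusCode -ne 200) {
        throw "Could not read auth settings (HTTP $($resp.StatusCode)): $($resp.Content)"
    }
    $auth   = ($resp.Content | ConvertFrom-Json).properties
    $authOn = ($auth.platform.enabled -eq $true) -and ($auth.globalValidation.unauthenticatedClientAction -ne 'AllowAnonymous')
    if (-not $authOn) {
        throw "Authentication is not enforced on '$WebAppName' (platform.enabled=$($auth.platform.enabled), unauthenticatedClientAction=$($auth.globalValidation.unauthenticatedClientAction)). Enable it before publishing."
    }

    # Summary for the job log. Kind distinguishes Windows ('app') from Linux ('app,linux') plans,
    # which matters because the default-document setting is only exposed for Windows Web Apps.
    [pscustomobject]@{
        WebApp = $site.ResourceId
        Tenant = $claims.tid
        AuthOn = $authOn
        Kind   = $site.Kind
    }
}

# Usage in a pipeline step (values are placeholders):
# Test-PublishTarget -WebAppSubscriptionId '<subscription-guid>' -WebAppResourceGroup 'rg-governance-prod-001' -WebAppName '<webapp-name>'
```

Each failure throws with the specific cause, so a failing job shows which of the three preconditions was missed instead of the generic 404 that opened this issue. The tenant comparison relies on the `tid` claim, which is present in Azure AD access tokens for ARM; the token is decoded locally and never logged.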