ansible-collections / azure

Development area for Azure Collections
https://galaxy.ansible.com/azure/azcollection
GNU General Public License v3.0

Unable to create storage account just after successful creation of resource group on azurecloud #1007

Open manikantavasupalli opened 1 year ago

manikantavasupalli commented 1 year ago
ISSUE TYPE
COMPONENT NAME
SUMMARY

We are trying to create an Azure resource_group followed by the creation of a storage account within that resource group using the block shown below. Block1 is able to create the resource group and block2 is failing to create the storage account. This part has been working for more than a year now, and we started getting this issue only in the past week.

- name: Create a resource group
  azure.azcollection.azure_rm_resourcegroup:
    name: "{{ project.resource_group_name }}"
    location: "{{ project.region }}"
    subscription_id: "{{ azure_env.ARM_SUBSCRIPTION_ID }}"
    tenant: "{{ azure_env.ARM_TENANT_ID }}"
    client_id: "{{ azure_env.ARM_CLIENT_ID }}"
    secret: "{{ azure_env.ARM_CLIENT_SECRET }}"
  tags:
    - init
    - never

- name: Create Storage account
  azure.azcollection.azure_rm_storageaccount:
    resource_group: "{{ project.resource_group_name }}"
    name: "{{ project.storage_account_name }}"
    type: Standard_RAGRS
    kind: BlobStorage
    access_tier: Cool
    subscription_id: "{{ azure_env.ARM_SUBSCRIPTION_ID }}"
    tenant: "{{ azure_env.ARM_TENANT_ID }}"
    client_id: "{{ azure_env.ARM_CLIENT_ID }}"
    secret: "{{ azure_env.ARM_CLIENT_SECRET }}"
  tags:
    - init
    - never

ENVIRONMENT
STEPS TO REPRODUCE

Just execute the ansible playbook with tags

EXPECTED RESULTS

Resource group and storage account have to be created without fail...

TASK [azure_blob_backend : Create Storage account] *****************************
task path: /home/jenkins/workspace/Test-jobs/test_ad_access/azure_blob_backend/tasks/init.yml:14
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1666760433.7945178-2913-39937774618206 `" && echo ansible-tmp-1666760433.7945178-2913-39937774618206="` echo /root/.ansible/tmp/ansible-tmp-1666760433.7945178-2913-39937774618206 `" ) && sleep 0'
Using module file /home/jenkins/workspace/Test-jobs/test_ad_access/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageaccount.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-2678qy69kqjs/tmpv24glik6 TO /root/.ansible/tmp/ansible-tmp-1666760433.7945178-2913-39937774618206/AnsiballZ_azure_rm_storageaccount.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1666760433.7945178-2913-39937774618206/ /root/.ansible/tmp/ansible-tmp-1666760433.7945178-2913-39937774618206/AnsiballZ_azure_rm_storageaccount.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/jenkins/workspace/Test-jobs/test_ad_access/env/bin/python /root/.ansible/tmp/ansible-tmp-1666760433.7945178-2913-39937774618206/AnsiballZ_azure_rm_storageaccount.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1666760433.7945178-2913-39937774618206/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_azure.azcollection.azure_rm_storageaccount_payload_elb_6pwt/ansible_azure.azcollection.azure_rm_storageaccount_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageaccount.py", line 544, in check_name_availability
  File "/home/jenkins/workspace/Test-jobs/test_ad_access/env/lib/python3.7/site-packages/azure/mgmt/storage/v2021_06_01/operations/_storage_accounts_operations.py", line 100, in check_name_availability
    map_error(status_code=response.status_code, response=response, error_map=error_map)
  File "/home/jenkins/workspace/Test-jobs/test_ad_access/env/lib/python3.7/site-packages/azure/core/exceptions.py", line 107, in map_error
    raise error
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_tier": "Cool",
            "account_type": "Standard_RAGRS",
            "ad_user": null,
            "adfs_authority_url": null,
            "allow_blob_public_access": null,
            "api_profile": "latest",
            "append_tags": true,
            "auth_source": "auto",
            "blob_cors": null,
            "cert_validation_mode": null,
            "client_id": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "cloud_environment": "AzureCloud",
            "custom_domain": null,
            "force_delete_nonempty": false,
            "https_only": null,
            "kind": "BlobStorage",
            "location": null,
            "log_mode": null,
            "log_path": null,
            "minimum_tls_version": null,
            "name": "testaclmanidev",
            "network_acls": null,
            "password": null,
            "profile": null,
            "resource_group": "testaclmani-dev-state",
            "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "state": "present",
            "subscription_id": "XXXXX-XXXXX-XXXXXX-XXXXX",
            "tags": null,
            "tenant": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "type": "Standard_RAGRS"
        }
    },
    "msg": "Error checking name availability: (SubscriptionNotFound) Subscription XXXXX-XXXXX-XXXXXX-XXXXX was not found.\nCode: SubscriptionNotFound\nMessage: Subscription XXXXX-XXXXX-XXXXXX-XXXXX was not found."
}

ADDITIONAL INFORMATION

It had been working for the past 1 and a half years; the issue was found only in the last 10 days, and there is no recent change in the Ansible code block.

Fred-sun commented 1 year ago

@manikantavasupalli Can you help confirm your subscription ID is available? Thank you very much!

manikantavasupalli commented 1 year ago

Yes, it's available... and as I said above, the 1st Ansible block was able to create a resource group in the same subscription, and only the 2nd block is failing to create a storage account in the resource group.

manikantavasupalli commented 1 year ago

@Fred-sun

We also found the following workaround solution:

  1. Create a dummy storage account on any new resource group in the same subscription manually (through the portal)
  2. Now run the same ansible stuff

This time the Ansible code block was able to create a resource group and then a storage account inside the resource group.

Fred-sun commented 1 year ago

@manikantavasupalli I'm sorry to reply to you so late! I have repeatedly tried to copy your question, but I have not been able to reproduce it. Could you please provide more detailed information, such as the version you installed, the test environment, and the complete use case? Thank you very much!

manikantavasupalli commented 1 year ago

@Fred-sun Thanks for spending time on it. Versions have been added to the issue description. The use case is to create a resource group and then create a storage account in it using Ansible blocks as shown in the issue description. This pipeline runs on Jenkins, where the worker node is an Ubuntu machine. We are also testing from the same Jenkins job.

Fred-sun commented 1 year ago

@manikantavasupalli Can you try updating azcollection by force? Thank you very much!


Ansible versions are higher than 2.9
Update command:
      ansible-galaxy collection install azure.azcollection --force

R4153 commented 1 year ago

Hi, I'm not sure if you have the same problem as me, but the same workaround with the portal worked for me. I am not sure why this has been happening to us for some months, because we never had this kind of problem before, but it seems Azure changed something.

Reproduce steps: new Azure subscription and first storage account in that subscription.
Workaround was: create a dummy storage account in the portal; after that the automation and Ansible module worked fine.
Solution: activate the Azure resource provider for storage for that subscription (if multiple, use Select-AzSubscription before):

Register-AzResourceProvider -ProviderNamespace microsoft.storage

Analysis:

new-AzResourceGroup -Name test -Location germanywestcentral

ResourceGroupName : test
Location          : germanywestcentral
ProvisioningState : Succeeded
Tags              :
ResourceId        : /subscriptions/xxxxxxxxxx/resourceGroups/test

New-AzStorageAccount -ResourceGroupName test -Name st32312631 -Location germanywestcentral -SkuName Standard_LRS

New-AzStorageAccount: Subscription xxxxxxxxxxxxx was not found.


Register-AzResourceProvider -ProviderNamespace microsoft.storage

ProviderNamespace : Microsoft.Storage
RegistrationState : Registering
ResourceTypes     : {storageAccounts/storageTaskAssignments, storageAccounts/encryptionScopes, deletedAccounts, locations/deletedAccounts…}
Locations         : {East US, East US 2, West US, West Europe…}

New-AzStorageAccount -ResourceGroupName test -Name st32312631 -Location germanywestcentral -SkuName Standard_LRS

StorageAccountName ResourceGroupName PrimaryLocation SkuName Kind AccessTier CreationTime
st32312631 test germanywestcentral Standard_LRS StorageV2 Hot Succeeded True


Maybe it helps you or others.
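The fix described in the comment above (registering Microsoft.Storage before the first storage account in a new subscription), written as a pipeline preflight that can run before the playbook. This is an added example, not code from the thread or from the collection; it assumes the Azure CLI (`az`) is installed on the Jenkins worker and logged in with the same service principal, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the storage-account task in this issue.
# Assumption: Azure CLI (az) is installed and already logged in.

# provider_state NAMESPACE SUBSCRIPTION_ID -> prints the registrationState
provider_state() {
    az provider show --namespace "$1" --subscription "$2" \
        --query registrationState --output tsv
}

# ensure_provider_registered NAMESPACE SUBSCRIPTION_ID [TIMEOUT_S] [INTERVAL_S]
# Returns 0 once the provider is Registered, 1 on timeout, 2 if az fails
# (for example when the identity may not register providers).
ensure_provider_registered() {
    ns=$1 sub=$2 timeout=${3:-300} interval=${4:-10}
    waited=0
    state=$(provider_state "$ns" "$sub") || return 2
    if [ "$state" = "Registered" ]; then
        return 0
    fi
    echo "$ns is '$state' in subscription $sub; registering" >&2
    az provider register --namespace "$ns" --subscription "$sub" || return 2
    # Registration is asynchronous ("Registering" in the output above),
    # so poll until the state settles or the timeout expires.
    while [ "$waited" -lt "$timeout" ]; do
        state=$(provider_state "$ns" "$sub") || return 2
        [ "$state" = "Registered" ] && return 0
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "timed out waiting for $ns (last state: $state)" >&2
    return 1
}

# Run directly: ./preflight.sh Microsoft.Storage "$ARM_SUBSCRIPTION_ID"
if [ "$#" -ge 2 ]; then
    ensure_provider_registered "$@"
fi
```

Registering a provider is a subscription-level operation that needs the `Microsoft.Storage/register/action` permission, so a pipeline identity without it gets exit code 2 here and the provider has to be registered once by someone who has it.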

Fred-sun commented 1 year ago

I'm sorry, but I still can't repeat your question. Thank you!

Fred-sun commented 1 year ago

@manikantavasupalli Will there be another case where your subscription is restricted by the policy and you cannot create a subscription account, thank you!