az fails to set mysql firewall rule with resource lock, Portal works fine #11162

Open
BenjaminAbt opened this issue Nov 8, 2019 · 2 comments


@BenjaminAbt BenjaminAbt commented Nov 8, 2019

CLI version 2.0.75

Describe the bug
We want to perform database deployments via Azure DevOps and have to temporarily add the AzD agent to the database firewall exemptions.
After deployment - no matter if successful or not - the agent should be removed from the firewall permissions in any case.

Apparently the currently recommended way is to get the IP address of the agent in the build and add it via Azure CLI.
Azure DevOps is not considered an "Azure Service" in the firewall exception rules...

I have a MySQL database in Azure that has a delete lock.

If I try to set the firewall via Azure DevOps and an Azure CLI task, the task throws an error:

ERROR: The scope '...../MyServerHere/firewallRules/Azd' cannot perform delete operation because following scope(s) are locked: '...../MyServerHere'. Please remove the lock and try again.
##[error]Script failed with error: Error: The process '/bin/bash' failed with exit code 1

Despite the lock, it is no problem to add or remove firewall rules in the portal via the browser. So there is obviously a different behavior between browser and Azure CLI.

To Reproduce

  • Azure MySQL
  • Add Delete Lock
  • Execute AzD YAML:
pool:
  name: Azure Pipelines

variables:
  SubscriptionName: Hello
  MySql.FirewallRuleName: AzD
  MySql.ResourceGroup: 'ResourceGroup'
  MySql.ServerName: 'MySqlServer'

steps:
- task: AzureCLI@1
  displayName: 'Soft Delete Firewall Rule if exists'
  inputs:
    azureSubscription: $(SubscriptionName)
    scriptLocation: inlineScript
    inlineScript: 'az mysql server firewall-rule delete -n $(MySql.FirewallRuleName) -g $(MySql.ResourceGroup) -s $(MySql.ServerName) --yes'
  continueOnError: true

- powershell: |
   $ip = Invoke-RestMethod https://ipinfo.io/json | select -ExpandProperty ip
   Write-Host ("##vso[task.setvariable variable=AgentIPAddress;]$ip")
  displayName: 'Get IP Address'

- task: AzureCLI@1
  displayName: 'Add Firewall Rule'
  inputs:
    azureSubscription: $(SubscriptionName)
    scriptLocation: inlineScript
    inlineScript: 'az mysql server firewall-rule create -g $(MySql.ResourceGroup) -s $(MySql.ServerName) -n $(MySql.FirewallRuleName) --start-ip-address $(AgentIPAddress) --end-ip-address $(AgentIPAddress)  --yes'

# some DB Deployment Tasks here

- task: AzureCLI@1
  displayName: 'Remove Firewall Rule'
  inputs:
    azureSubscription: $(SubscriptionName)
    scriptLocation: inlineScript
    inlineScript: 'az mysql server firewall-rule delete -n $(MySql.FirewallRuleName) -g $(MySql.ResourceGroup) -s $(MySql.ServerName) --yes'
  condition: succeededOrFailed()

Expected behavior
CLI should have the same behavior as the portal.
I would expect to be able to add and remove a rule despite the lock.

Environment summary
Azure DevOps - ubuntu-18.04 Agent
Default AzCli capabilities (2.0.75)

Should this not be a recommended way, I would be grateful for a corresponding hint :-)
Thanks.
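
The failure reported above has a security side effect: when the final delete step is refused because of the lock, the temporary rule for the agent IP stays in place. The wrapper below is an added example (not part of the original issue and not Azure CLI code) that reports this case distinctly; `locked_scope`, `remove_temp_rule`, `fake_az_delete` and the return code 3 are assumed names and conventions, and `SAMPLE_ERR` is constructed from the error text quoted in the issue.

```shell
# Constructed sample: the stderr text quoted in the issue.
SAMPLE_ERR="ERROR: The scope '...../MyServerHere/firewallRules/Azd' cannot perform delete operation because following scope(s) are locked: '...../MyServerHere'. Please remove the lock and try again."

# Read CLI error text on stdin; print the locked scope if the failure
# is the resource-lock refusal, print nothing otherwise.
locked_scope() {
  sed -n "s/.*cannot perform delete operation because following scope(s) are locked: '\([^']*\)'.*/\1/p"
}

# Run the delete command given as arguments.
# Returns 0 if it succeeded, 3 if a lock blocked it (the firewall rule
# is still active), 1 for any other failure.
remove_temp_rule() {
  # Capture stderr only; stdout of the command is discarded.
  err=$("$@" 2>&1 >/dev/null) && return 0
  scope=$(printf '%s\n' "$err" | locked_scope)
  if [ -n "$scope" ]; then
    # Azure DevOps logging command: surfaces as an error on the pipeline run.
    echo "##vso[task.logissue type=error]Firewall rule NOT removed, agent IP still allowed; lock on: $scope"
    return 3
  fi
  printf '%s\n' "$err" >&2
  return 1
}

# Stand-in for the real CLI call so the example runs offline (hypothetical helper).
fake_az_delete() { echo "$SAMPLE_ERR" >&2; return 1; }
```

In the pipeline's inline script the delete command from the issue would be passed as the arguments, for example `remove_temp_rule az mysql server firewall-rule delete ...`.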


@msftbot msftbot bot commented Nov 9, 2019

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @ajlam


@ajlam ajlam commented Nov 12, 2019

@BenjaminAbt, thanks for filing this issue. We were able to successfully reproduce the issue. Following up with portal and CLI teams to understand expected behaviors.
