WebApp:az webapp deploy --src-url should use ARM Proxy #21168

Closed
JasonFreeberg opened this issue Feb 1, 2022 · 28 comments
Labels: app-service-deployment, Service Attention, triage, Web Apps

@JasonFreeberg
Contributor

JasonFreeberg commented Feb 1, 2022

The command az webapp deploy has an optional parameter, --src-url, where the user can specify a remote URL for the file they want to deploy to their Web App. If this parameter is used, the CLI should use the ARM proxy API for the deployment request so that if the user has any networking restrictions such as Private Endpoints or ILB ASEs, then this deployment request will go through the management plane and circumvent any networking restrictions. Today the CLI sends the request directly to Kudu, and does not use this ARM proxy.

@ghost ghost added the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Feb 1, 2022
@yonzhan yonzhan added the Web Apps az webapp label Feb 2, 2022
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Feb 2, 2022
@yonzhan yonzhan added the CXP Attention This issue is handled by CXP team. label Feb 2, 2022
@ghost

ghost commented Feb 2, 2022

Thank you for your feedback. This has been routed to the support team for assistance.

@yonzhan
Collaborator

yonzhan commented Feb 2, 2022

route to CXP team to help with

@PramodValavala-MSFT PramodValavala-MSFT removed the CXP Attention This issue is handled by CXP team. label Feb 2, 2022
@Kotasudhakarreddy Kotasudhakarreddy changed the title az webapp deploy --src-url should use ARM Proxy WebApp:az webapp deploy --src-url should use ARM Proxy Feb 2, 2022
@Kotasudhakarreddy
Contributor

@panchagnula can you please take a look and give your inputs on this.

@yonzhan yonzhan added the Service Attention This issue is responsible by Azure service team. label Feb 2, 2022
@ghost

ghost commented Feb 2, 2022

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

@panchagnula panchagnula added this to the Mar 2022 (2022-04-05) milestone Feb 16, 2022
@panchagnula
Contributor

We need new SDK drop for us to support this.

@JasonFreeberg
Contributor Author

@panchagnula , Satish's request for a new Python SDK build was approved. Is that what you mean? --> https://pypi.org/project/azure-mgmt-web/6.1.0/

https://github.com/Azure/sdk-release-request/issues/2397

@panchagnula
Contributor

> @panchagnula , Satish's request for a new Python SDK build was approved. Is that what you mean? --> https://pypi.org/project/azure-mgmt-web/6.1.0/
>
> Azure/sdk-release-request#2397

@JasonFreeberg yes, we need to update CLI to use the new SDK & ensure no breaking changes or handle it correctly. This will take time before we support the changes in the deploy API. Hope this clarifies the work involved & timelines. Thanks!

@panchagnula
Contributor

@StrawnSC assigning this to you to take care of next milestone once we have the new SDK

@dpolivy

dpolivy commented Apr 7, 2022

@JasonFreeberg @StrawnSC Is this the missing piece to enable this workflow to work properly?

https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.html

Any way we can consume this updated SDK currently from Azure DevOps so we can get our pipeline working with a private endpoint? (Also, I assume this would still work for a functionapp as well, or the equivalent az functionapp deploy command will also get the update.)

@smisaacs

smisaacs commented Apr 7, 2022

Having the same issue as @dpolivy. @JasonFreeberg @StrawnSC

@smisaacs

With #21701 being closed with no ETA, any suggested work around to deploy to a private endpoint in this fashion?

@damiencarol

We're facing this bug also in my company. Is there any news on this one?

@kautsig

kautsig commented Aug 8, 2022

Same here. For us, also the workaround using az rest does not work. We currently have a Microsoft support ticket open.

@jlieow

jlieow commented Sep 26, 2022

Hi,

In case anyone is still struggling with this, I managed to deploy a simple nodejs app to an app service using private endpoints via the workaround az rest command. You may reference this deployment yaml file:
https://github.com/jlieow/node-hello/blob/master/.github/workflows/deploy_linux_storage_account.yml

The example follows the guide here: https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.html
The az rest command was fixed thanks to this stackoverflow thread here: https://stackoverflow.com/questions/71558607/deploy-to-an-azure-web-app-with-a-private-endpoint

@mpalmahsf

@jlieow any chance the az rest --method PUT could be done without the storage account? Possibly by specifying the github artifact zip url?

@jlieow

jlieow commented Sep 28, 2022

Hi @mpalmahsf. I have not tried it myself but I don’t see why it wouldn’t work. You could try depositing your artifacts into a location which generates a url download link like Google Drive and run the az run command with that url to see if it works.

I tried googling but I don’t think GitHub provides a url to download artifacts during the build process natively which I think is the reason why the guide uses storage accounts.

@cveld

cveld commented Feb 13, 2023

@jlieow any chance you have guidance how to update the deployment message as well?

When we run:
az rest --method PUT --uri /subscriptions/mysubscription/resourceGroups/myresourcegroup/providers/Microsoft.Web/sites/mywebapp/deployments/mydeployment?api-version=2022-03-01 --body '{ ... }'

we get the error:

Not Found({"Message":"Repository could not be found."})

We are fiddling with an appropriate body payload as based on the source code in https://github.com/microsoft/azure-pipelines-tasks/blob/master/common-npm-packages/azure-arm-rest-v2/azure-arm-app-service-kudu.ts
but so far no luck.

Traced from https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/AzureRmWebAppDeploymentV3/azurermwebappdeployment.ts

@SteveDevOps

SteveDevOps commented Mar 13, 2023

I am running into this as well. We are running github actions to do two things:

  1. upload a startup script to app service (on private endpoint) -- production slot
  2. config set startup script as startup setting in config. -- production slot

Can someone help me write these as az rest calls?
Effectively I'm wanting to replicate these az webapp deploy commands as az rest calls:

az webapp deploy --resource-group ${{ inputs.TARGET_RG }} --name ${{ inputs.TARGET_APP }} --src-path ".github/scripts/startup.sh" --type=startup --subscription "xxxxx"

az webapp config set --startup-file="/home/site/scripts/startup.sh" --resource-group ${{ inputs.TARGET_RG }} --name ${{ inputs.TARGET_APP }} --subscription "xxxxx"

@jlieow

jlieow commented Mar 13, 2023

Hi @cveld I just noticed this. Not sure if this is still useful, but this is the API documentation to reference for the az rest command for webapps (https://learn.microsoft.com/en-us/rest/api/appservice/web-apps). In the example I provided, I used the "Create One Deploy Operation" (https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-one-deploy-operation).

In your az rest command, you seem to be calling the "Web Apps - Get Deployment" (https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-deployment) which uses a GET request instead of a PUT request.

Unfortunately the documentation does not mention any body payload parameters and it is probably best to reach out to Azure support for clarification on this. The API call I made has body parameters but it wasn't mentioned in the documentation as can be seen from my example where I used:

--body '{"properties": {"type": "zip", "packageUri": "'"${ZIP_URL}"'" }}'

I also realised my original example link was broken and have updated it in case it proves useful to you.
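
The workaround described in the comment above, written out as an added example (not jlieow's workflow and not Azure CLI code): it builds the ARM request for the Create One Deploy Operation with the body shape quoted above, rejects package URLs that are not HTTPS, and redacts the SAS query string before anything is printed to a build log. Resource names and the package URL are constructed; the `/extensions/onedeploy` path is the one in the linked REST reference, and the api-version is borrowed from the az rest command posted earlier in this thread and is an assumption for this endpoint.

```sh
#!/bin/sh
# Added example (not from the thread): build the ARM-proxied OneDeploy request.
# Resource names and the package URL are constructed placeholders.

# Escape backslash and double quote so the URL cannot break out of the JSON string.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Management-plane URI; args: subscription resource-group app [api-version]
onedeploy_uri() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s/extensions/onedeploy?api-version=%s' \
    "$1" "$2" "$3" "${4:-2022-03-01}"
}

# Request body; args: package-url [type]. Only https:// URLs without whitespace pass.
onedeploy_body() {
  case $1 in
    *[[:space:]]*) echo "package URL contains whitespace" >&2; return 1 ;;
    https://?*) ;;
    *) echo "package URL must use https://" >&2; return 1 ;;
  esac
  printf '{"properties": {"type": "%s", "packageUri": "%s"}}' \
    "$(json_escape "${2:-zip}")" "$(json_escape "$1")"
}

# Hide the query string (the SAS token) before a URL is written to a build log.
redact_query() {
  case $1 in
    *\?*) printf '%s?REDACTED' "${1%%\?*}" ;;
    *) printf '%s' "$1" ;;
  esac
}

# args: subscription resource-group app package-url. Prints by default; SEND=1 calls az.
run_onedeploy() {
  uri=$(onedeploy_uri "$1" "$2" "$3")
  body=$(onedeploy_body "$4") || return 1
  if [ "${SEND:-0}" = 1 ]; then
    az rest --method PUT --uri "$uri" --body "$body"
  else
    printf "az rest --method PUT --uri '%s' --body '%s'\n" \
      "$uri" "$(onedeploy_body "$(redact_query "$4")")"
  fi
}

ZIP_URL='https://examplestorage.blob.core.windows.net/deploy/app.zip?sv=PLACEHOLDER&sig=PLACEHOLDER'
run_onedeploy 00000000-0000-0000-0000-000000000000 example-rg example-app "$ZIP_URL" || true
```

The package URL is a bearer credential for the artifact, so the dry-run output only ever shows the redacted form.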

@jlieow

jlieow commented Mar 13, 2023

Hi @SteveDevOps you can reference the API documentation for web apps here (https://learn.microsoft.com/en-us/rest/api/appservice/web-apps). Unfortunately you might need to reach out to Azure support as I can't seem to find which of the APIs is equivalent to az webapp deploy.

@SteveDevOps

ya api docs lacking in the publish calls.. opened support case, thx @jlieow

@cveld

cveld commented Mar 14, 2023

@SteveDevOps you can put the --debug switch and that will verbosely log the rest api calls that the cli makes. Does that help?

@cveld

cveld commented Mar 14, 2023

Unfortunately we got confirmation from support that the onedeploy endpoint is not capable of updating the deployment logs like the Azure Pipelines task does. In the current state of app service we therefore require a private agent to deploy to a private endpoint.

@SteveDevOps

SteveDevOps commented Mar 15, 2023

In our case we were trying to affect the startup setting and supplant a startup script as part of our deploys. For staging slot (our PR slot) we were good -- as those endpoints were out in the open and not part of the native association with private endpoint (from a dns perspective) -- when it came to the production slot we could not affect. What ended up working was employing a SWAP via az cli as part of our 'merge to development branch' CI (which deploys to primary/production slot to our staging env app) -- in the SWAP the setting and file are brought over as part of the SWAP process.
We did open a support case with Azure support as part of our troubleshooting and this article was presented to us for future ref: https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.html

@mnadher

mnadher commented May 30, 2023

We are trying to deploy a Function App where private endpoint is enabled. We are using Azure/functions-action@v1 to deploy from GitHub workflow using self hosted agents. The runners and Function App are in same subnet but still getting 403 forbidden error. Is the issue with the scm url fixed in Azure cli?

Please help me: how can we do zip deployment from GitHub to a private endpoint enabled Azure resource without the need of a storage account or any intermediate resources?

@SteveDevOps

SteveDevOps commented Jun 1, 2023

@mnadher check your access restriction under network -- are you using that as well? We were for frontdoor and had to whitelist the runner's private ip address. Are you trying to deploy to production slot? If you are using a staging slot, it needs a separate private endpoint -- and does NOT inherit production slot private endpoint settings. Also verify that your .scm. and/or your whatever.azurewebsites.net address has a private address from your runner's perspective. Do a nslookup on the name. Also verify ftp setting for slot you are targeting. We use ftps and toggle on during deploy step, then back off.
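
The DNS check suggested in the comment above, as an added example (not from the thread): it flags any site or scm hostname that resolves to a non-private address from the runner's point of view. Hostnames and addresses are constructed; it assumes the VNet uses RFC 1918 address space and, with `LIVE=1`, that `getent` is available on the runner.

```sh
#!/bin/sh
# Added example (not from the thread). Sample hostnames and answers are constructed.

# Succeeds only for a digits-and-dots address inside 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac
  case $1 in
    10.*|192.168.*) return 0 ;;
    172.*) o2=${1#172.}; o2=${o2%%.*}
           [ "$o2" -ge 16 ] 2>/dev/null && [ "$o2" -le 31 ] ;;
    *) return 1 ;;
  esac
}

# Constructed answers standing in for the runner's DNS view.
sample_dns() {
  case $1 in
    example-app.azurewebsites.net|example-app.scm.azurewebsites.net) echo 10.1.2.4 ;;
    other-app.scm.azurewebsites.net) echo 203.0.113.10 ;;
  esac
}

# LIVE=1 asks the system resolver; the default uses the constructed table.
resolve_ipv4() {
  if [ "${LIVE:-0}" = 1 ]; then
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
  else
    sample_dns "$1"
  fi
}

# Prints one line per answer; non-zero if a name is unresolved or public.
check_private() {
  rc=0
  for host in "$@"; do
    ips=$(resolve_ipv4 "$host")
    [ -n "$ips" ] || { echo "$host: no IPv4 answer"; rc=1; continue; }
    for ip in $ips; do
      if is_private_ipv4 "$ip"; then echo "$host -> $ip private"
      else echo "$host -> $ip PUBLIC"; rc=1; fi
    done
  done
  return $rc
}

check_private example-app.azurewebsites.net example-app.scm.azurewebsites.net \
  other-app.scm.azurewebsites.net || echo "deploy traffic would leave the private endpoint"
```

Run as a pipeline step before the deploy, a non-zero result stops the job when the runner would reach the site over its public address.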

@btardif
Member

btardif commented Jun 14, 2023

Hey @tulika, can we check on the current status for this? Let's understand what is missing.

@btardif btardif added this to the July 2023 (2023-08-01) milestone Jun 14, 2023
@btardif btardif added the triage label Jun 14, 2023
avgale pushed a commit to avgale/azure-cli that referenced this issue Aug 24, 2023