As per the title, when performing a task with the az CLI that fails due to a policy restriction, the default error returned is too generic.
In my example, I had a subscription enforcing virtual machine size restrictions; however, when trying to perform an `az vm create` for a size not allowed by the policy, the error shown is only:

```
400 Client Error: Bad Request for url: https://management.azure.com/subscriptions/<sub-id>/resourcegroups/capside_amoore_test-rg/providers/Microsoft.Resources/deployments/vm_deploy_En5WJjDm85OzG336Za57U9fJIhas5KV6?api-version=2018-05-01
```

Re-running with `--debug` shows that the API call is returning clear reasoning, but this is not surfaced to the user. In this example it was returning:

```
{"error":{"code":"InvalidTemplateDeployment","message":"The template deployment failed because of policy violation. .....
```

including specific details regarding which policy and what the restrictions are.
Steps to reproduce the behavior (note that argument values have been redacted, as they may contain sensitive information):
Create a policy that restricts deployment based on VM size, then attempt to deploy a new VM that violates that policy:

```
az vm create -g {} -n {} --image {} --size {}
```

Expected behavior: surfacing the policy violation, including any relevant details, to the user so they can resolve the issue.
```
Linux-4.4.0-18362-Microsoft-x86_64-with-debian-buster-sid
Python 3.6.5
Shell: bash
azure-cli 2.0.64
Extensions:
azure-firewall 0.1.0
front-door 0.1.1
```
Thanks for the information @alexjmoore. One quick question, how did you set this policy?
We should be surfacing as much useful information as possible. I will work on this within the next few sprints.
I experienced this same issue with vmss create.
You can reproduce this by assigning the built-in policy "Allowed virtual machine SKUs". The full policy I used to reproduce it:

```json
{
  "properties": {
    "displayName": "Allowed virtual machine SKUs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.",
    "metadata": {
      "category": "Compute"
    },
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "description": "The list of SKUs that can be specified for virtual machines.",
          "displayName": "Allowed SKUs",
          "strongType": "VMSKUs"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cccc23c7-8427-4f53-ad12-b6a63eb452b3"
}
```
@alexjmoore Thank you for your feedback. I have reproduced your problem. I agree that the error message is not detailed enough. I am solving it.
I came across this today; the debug option was able to tell me my issue. In my case it was that I had an unused parameter in my
So it may not just be related to policy.
I found the root cause. This line fails:

https://github.com/Azure/msrestazure-for-python/blob/master/msrestazure/azure_exceptions.py#L198

```python
self.error = self.deserializer('CloudErrorRoot', response).error
```

msrestazure can't parse the response from the server correctly, so it only returns an exception without useful information:
```
400 Client Error: Bad Request for url: https://management.azure.com/subscriptions/<id>/resourcegroups/fytest/providers/Microsoft.Resources/deployments/vm_deploy_uXu4PLKSd4d6TSmawb43GD9M1ehGHUsH?api-version=2019-05-10
```

Response from server:

```json
{
  "error": {
    "code": "InvalidTemplateDeployment",
    "message": "The template deployment failed because of policy violation. Please see details for more information.",
    "details": [{
      "code": "RequestDisallowedByPolicy",
      "target": "vm1",
      "message": "Resource 'vm1' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Allowed virtual machine SKUs\",\"id\":\"/subscriptions/<id>/resourceGroups/fytest/providers/Microsoft.Authorization/policyAssignments/9c95e7fe8227466b82f48228\"},\"policyDefinition\":{\"name\":\"Allowed virtual machine SKUs\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3\"}}]'.",
      "additionalInfo": [{
        "type": "PolicyViolation",
        "info": {
          "policyDefinitionDisplayName": "Allowed virtual machine SKUs",
          "evaluationDetails": {
            "evaluatedExpressions": [{
              "result": "True",
              "expression": "type",
              "path": "type",
              "expressionValue": "Microsoft.Compute/virtualMachines",
              "targetValue": "Microsoft.Compute/virtualMachines",
              "operator": "Equals"
            }, {
              "result": "False",
              "expression": "Microsoft.Compute/virtualMachines/sku.name",
              "path": "properties.hardwareProfile.vmSize",
              "expressionValue": "Standard_DS1_v2",
              "targetValue": ["Basic_A0"],
              "operator": "In"
            }]
          },
          "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3",
          "policyDefinitionName": "cccc23c7-8427-4f53-ad12-b6a63eb452b3",
          "policyDefinitionEffect": "Deny",
          "policyAssignmentId": "/subscriptions/<id>/resourceGroups/fytest/providers/Microsoft.Authorization/policyAssignments/9c95e7fe8227466b82f48228",
          "policyAssignmentName": "9c95e7fe8227466b82f48228",
          "policyAssignmentDisplayName": "Allowed virtual machine SKUs",
          "policyAssignmentScope": "/subscriptions/<id>/resourceGroups/fytest",
          "policyAssignmentParameters": {
            "listOfAllowedSKUs": {
              "value": ["Basic_A0"]
            }
          }
        }
      }]
    }]
  }
}
```
I will contact the msrestazure and service teams.
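The comment above locates the gap: the useful information is nested in `error.details[].additionalInfo[].info` (type `PolicyViolation`), and when the client library fails to deserialise that structure the user is left with only the bare HTTP status. The following is an added example, not code from azure-cli or msrestazure, showing how a wrapper around the raw response body can pull the denying policy, its scope and the exact failing expression out of that JSON, and fall back to `error.code`/`error.message` for non-policy errors such as the unused-parameter case mentioned earlier in the thread. The `SAMPLE_RESPONSE` is a constructed copy of the response quoted above with `<id>` as a placeholder subscription id; the function names `policy_violations` and `explain` are this example's own.

```python
"""Extract actionable detail from an Azure Resource Manager CloudError body.

Added example: walks error.details[].additionalInfo[].info (type "PolicyViolation")
and reports the expression that evaluated to False, instead of only the HTTP status.
"""
import json

# Constructed sample, modelled on the server response quoted in the thread.
# "<id>" is a placeholder subscription id, not a real value.
SAMPLE_RESPONSE = json.dumps({
    "error": {
        "code": "InvalidTemplateDeployment",
        "message": "The template deployment failed because of policy violation. "
                   "Please see details for more information.",
        "details": [{
            "code": "RequestDisallowedByPolicy",
            "target": "vm1",
            "message": "Resource 'vm1' was disallowed by policy.",
            "additionalInfo": [{
                "type": "PolicyViolation",
                "info": {
                    "policyDefinitionDisplayName": "Allowed virtual machine SKUs",
                    "policyDefinitionEffect": "Deny",
                    "policyAssignmentScope": "/subscriptions/<id>/resourceGroups/fytest",
                    "evaluationDetails": {
                        "evaluatedExpressions": [
                            {"result": "True", "expression": "type", "path": "type",
                             "expressionValue": "Microsoft.Compute/virtualMachines",
                             "targetValue": "Microsoft.Compute/virtualMachines",
                             "operator": "Equals"},
                            {"result": "False",
                             "expression": "Microsoft.Compute/virtualMachines/sku.name",
                             "path": "properties.hardwareProfile.vmSize",
                             "expressionValue": "Standard_DS1_v2",
                             "targetValue": ["Basic_A0"],
                             "operator": "In"},
                        ]
                    },
                },
            }],
        }],
    }
})


def policy_violations(body):
    """Return one dict per RequestDisallowedByPolicy detail, with the failing
    evaluated expressions (result != True) pulled out of additionalInfo."""
    try:
        error = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return []  # not a JSON object body; the caller falls back to raw text
    found = []
    for detail in error.get("details") or []:
        if detail.get("code") != "RequestDisallowedByPolicy":
            continue
        for extra in detail.get("additionalInfo") or []:
            if extra.get("type") != "PolicyViolation":
                continue
            info = extra.get("info", {})
            evaluated = info.get("evaluationDetails", {}).get("evaluatedExpressions", [])
            failing = [
                {"path": e.get("path"), "operator": e.get("operator"),
                 "actual": e.get("expressionValue"), "allowed": e.get("targetValue")}
                for e in evaluated if str(e.get("result")).lower() != "true"
            ]
            found.append({
                "target": detail.get("target"),
                "policy": info.get("policyDefinitionDisplayName"),
                "effect": info.get("policyDefinitionEffect"),
                "scope": info.get("policyAssignmentScope"),
                "failing": failing,
            })
    return found


def explain(body, fallback="400 Client Error: Bad Request"):
    """Build the message a user should see instead of the bare HTTP status."""
    violations = policy_violations(body)
    if not violations:
        # Non-policy errors: surface the top-level code and message if present.
        try:
            err = json.loads(body).get("error", {})
            return "%s: %s" % (err.get("code", "Error"), err.get("message", fallback))
        except (ValueError, AttributeError):
            return fallback
    lines = []
    for v in violations:
        lines.append("Resource '%s' denied by policy '%s' (effect %s, scope %s)"
                     % (v["target"], v["policy"], v["effect"], v["scope"]))
        for f in v["failing"]:
            lines.append("  %s = %r is not %s %r"
                         % (f["path"], f["actual"], str(f["operator"]).lower(), f["allowed"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(SAMPLE_RESPONSE))
```

Run stand-alone it prints the denying assignment scope and `properties.hardwareProfile.vmSize = 'Standard_DS1_v2' is not in ['Basic_A0']`, which is exactly what the original report asked the CLI to surface; an operator reading that line knows which policy to request an exception for or which size to choose.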
msrestazure has fixed the bug:
https://github.com/Azure/msrestazure-for-python/pull/135