Azure-cli: az storage account network-rule add is not idempotent

Created on 27 Sep 2019 · 9 Comments · Source: Azure/azure-cli

(azure-cli 2.0.74, I did not try other versions)

az storage account network-rule add is not idempotent. The first time I run it, it works; subsequent invocations result in:

Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id(unique). For more information, see - https://aka.ms/storagenetworkruleset

In the spirit of https://github.com/Azure/azure-cli/blob/dev/doc/command_guidelines.md#standard-command-types I believe the subsequent operations should not result in an error, but be a no-op instead (making this command idempotent).

Storage bug customer-reported

All 9 comments

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage

Hi @jurjenoskam , thanks for your feedback. We are looking into it.

Any updates?

I have also had to create custom workarounds for this error.
Seems like there are no errors when removing network rules that don't exist, so the workaround (PowerShell) we're using is this function:

function Create-Storage-Container-Network-Rule {
    param($StorageAccountName, $VnetName, $SubnetName)

    # Adding network rules is not idempotent, see https://github.com/Azure/azure-cli/issues/10673
    # but removing them does not fail if they do not exist
    # so to avoid errors, we always remove them first and then add them
    echo "Adding subnet '${VnetName}/${SubnetName}' to storage container '${StorageAccountName}'"

    az storage account network-rule remove -n ${StorageAccountName} --vnet-name=${VnetName} --subnet=${SubnetName} -o none

    az storage account network-rule add -n ${StorageAccountName} --vnet-name=${VnetName} --subnet=${SubnetName} -o none

}

add to S166.

Hi @jurjenoskam , this error is thrown from the service side. "add" a network-rule in a storage account is a patch operation because it is a partial update of a resource which is not guaranteed to be idempotent -> https://docs.microsoft.com/en-us/azure/architecture/best-practices/api-design.
You can run az storage account network-rule list first to check if the network rule exists first.
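
The check-before-add approach suggested above, written as a reusable shell wrapper; this is an added example, not code from the thread or from Azure CLI. The function names and the choice to pass the subnet as a full resource ID are assumptions, and unlike remove-then-add it never leaves the storage account without the rule between two calls.

```shell
#!/usr/bin/env bash
# Added example: check-then-add wrapper around `az storage account network-rule add`.
# Function names and parameter order are assumptions made for this example.

# Succeeds if the subnet resource ID in $1 matches any ID read from stdin
# (one per line). ARM resource IDs are case-insensitive, so compare lowercased.
subnet_rule_present() {
    local want line
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]' | tr -d '\r')
        if [ "$line" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# ensure_network_rule <resource-group> <storage-account> <subnet-resource-id>
# Adds the virtual network rule only when it is missing, so reruns are a no-op.
ensure_network_rule() {
    local rg="$1" account="$2" subnet_id="$3" existing
    # Fail closed: if the list call fails, do not guess and do not modify anything.
    existing=$(az storage account network-rule list \
        --resource-group "$rg" --account-name "$account" \
        --query 'virtualNetworkRules[].virtualNetworkResourceId' -o tsv) || return 1

    if printf '%s\n' "$existing" | subnet_rule_present "$subnet_id"; then
        echo "unchanged"
        return 0
    fi
    az storage account network-rule add \
        --resource-group "$rg" --account-name "$account" \
        --subnet "$subnet_id" -o none || return 1
    echo "added"
}
```

The function prints "added" or "unchanged" so a calling script can log whether the network ACL was actually modified.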

Hi @qianwens , thank you for your response. I understand the error is thrown from the service side, and I have been adding code to my scripts to circumvent that this operation is not idempotent. The issue is that I have to do this each time in every script where this operation is done, and this applies to everybody else writing Azure CLI scripts as well. In other words, lots and lots of duplicated work and code, while if this were done once (in Azure CLI itself) it would make writing scripts much simpler and make those scripts more robust.

Surely Azure CLI is not meant to be a direct passthrough of service API behavior? There are already many places where Azure CLI abstracts away service API behavior, from implementing retry logic when a service API call returns an error (e.g. many App Service commands) to building entire ARM templates and deploying them (VM commands).

It would really add value to Azure CLI if it would make its CLI commands idempotent, irrespective of the behavior of the underlying API call; so I hope you'll consider adding this logic in Azure CLI.

@jurjenoskam , thanks for your feedback. This is a bug in Azure CLI and we will fix it.

PR merged and will be released in this Sprint.
