Azure-cli: az webapp config access-restriction add is not idempotent

Created on 2 Mar 2020 · 8 Comments · Source: Azure/azure-cli

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
Running the same command multiple times re-adds the same entry again. The command is not idempotent and shouldn't add duplicate entries.

To Reproduce
Run the following against any App Service...

az webapp config access-restriction add --resource-group RG-TestResourceGroup --name WA-MyTestAppService --description MyRule1 --rule-name MyRule1 --action Allow --ip-address 5.6.7.8/32 --priority 101

Re-run the same command a few times and a duplicate entry is made against the App Service's Access Restrictions list.

This is impossible to achieve in the Azure Portal GUI as it recognises the IP address range already exists.

Expected behavior
First run, adds the rule. 2nd and subsequent runs, detects the rule is already configured correctly and passes/reports already exists, but doesn't fail.

Environment summary
Azure CLI - current version / Cloud shell version

Additional context
Running the az webapp config access-restriction show command afterwards displays the duplicates:

{
  "action": "Allow",
  "additional_properties": {},
  "description": "MyRule1",
  "ip_address": "5.6.7.8/32",
  "name": "MyRule1",
  "priority": 101,
  "subnet_mask": null,
  "subnet_traffic_tag": null,
  "tag": "Default",
  "vnet_subnet_resource_id": null,
  "vnet_traffic_tag": null
},
{
  "action": "Allow",
  "additional_properties": {},
  "description": "MyRule1",
  "ip_address": "5.6.7.8/32",
  "name": "MyRule1",
  "priority": 101,
  "subnet_mask": null,
  "subnet_traffic_tag": null,
  "tag": "Default",
  "vnet_subnet_resource_id": null,
  "vnet_traffic_tag": null
},
{
  "action": "Allow",
  "additional_properties": {},
  "description": "MyRule1",
  "ip_address": "5.6.7.8/32",
  "name": "MyRule1",
  "priority": 101,
  "subnet_mask": null,
  "subnet_traffic_tag": null,
  "tag": "Default",
  "vnet_subnet_resource_id": null,
  "vnet_traffic_tag": null
}
Service Attention Web Apps
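
The check the issue asks for under "Expected behavior", as an added example (not Azure CLI code and not code from this thread): before adding, compare the wanted rule against the list returned by the show command, using the snake_case field names from the output above. The function names, the "conflict" outcome and the CIDR normalisation are assumptions of this example.

```python
import ipaddress

def _target(rule):
    """What the rule matches: a VNet subnet id or a normalised IP range."""
    subnet = rule.get("vnet_subnet_resource_id")
    if subnet:
        return ("subnet", subnet.lower())
    value = rule.get("ip_address") or ""
    try:
        # '5.6.7.8' and '5.6.7.8/32' are the same range and must compare equal.
        return ("ip", str(ipaddress.ip_network(value, strict=False)))
    except ValueError:
        return ("raw", value.lower())  # not CIDR: compare as a plain string

def _key(rule):
    return (_target(rule), rule["action"].lower(), rule["priority"])

def plan_add(existing, wanted):
    """Return 'add', 'exists' or 'conflict' for the rule we want present."""
    same_target = [r for r in existing if _target(r) == _target(wanted)]
    if not same_target:
        return "add"
    if any(_key(r) == _key(wanted) for r in same_target):
        return "exists"      # already configured: report success, change nothing
    return "conflict"        # same range, other action/priority: needs review

def duplicate_groups(existing):
    """Audit an existing list: rule names that share target, action, priority."""
    groups = {}
    for r in existing:
        groups.setdefault(_key(r), []).append(r["name"])
    return [names for names in groups.values() if len(names) > 1]

# Constructed sample: the three identical entries from the issue's output,
# trimmed to the fields the comparison uses.
RULE = {"action": "Allow", "ip_address": "5.6.7.8/32", "name": "MyRule1",
        "priority": 101, "vnet_subnet_resource_id": None}
CURRENT_RULES = [dict(RULE), dict(RULE), dict(RULE)]

if __name__ == "__main__":
    print(plan_add(CURRENT_RULES, dict(RULE, ip_address="5.6.7.8")))  # exists
    print(plan_add(CURRENT_RULES, dict(RULE, ip_address="9.9.9.9/32")))
    print(duplicate_groups(CURRENT_RULES))
```

Only a result of "add" should lead to a call to the add command; "exists" is a successful no-op, which is the behaviour the issue expects on the second and later runs.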

All 8 comments

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI @antcp

webapp

For anyone else struggling with this, the PowerShell Az module now has the ability to do this, and it is idempotent.

You may need to update your installation of the PowerShell Az module
https://github.com/Azure/azure-powershell/releases/tag/v3.5.0-February2020

e.g.

Add-AzWebAppAccessRestrictionRule -ResourceGroupName RG-TestResourceGroup -WebAppName WA-MyTestAppService -Name "MyRule1" -Priority 201 -Action Allow -IpAddress 5.6.7.8/32

There doesn't appear to be a way, unfortunately, to tick the box to say the same restrictions at the SCM site level, so you might need to do a duplicate rule to the above with the -TargetScmSite switch, e.g.

Add-AzWebAppAccessRestrictionRule -TargetScmSite -ResourceGroupName RG-TestResourceGroup -WebAppName WA-MyTestAppService -Name "MyRule1" -Priority 201 -Action Allow -IpAddress 5.6.7.8/32

Once the API updates to make this idempotent, the CLI will support it.

@mcalnd70 I tested your snippet and I still have duplicated IP addresses while I use the same name and priority.

@ludovicbonivert which snippet? The Azure CLI one or the PowerShell Az one?

> For anyone else struggling with this, the PowerShell Az module now has the ability to do this, and it is idempotent.
>
> You may need to update your installation of the PowerShell Az module
> https://github.com/Azure/azure-powershell/releases/tag/v3.5.0-February2020
>
> e.g.
>
> Add-AzWebAppAccessRestrictionRule -ResourceGroupName RG-TestResourceGroup -WebAppName WA-MyTestAppService -Name "MyRule1" -Priority 201 -Action Allow -IpAddress 5.6.7.8/32
>
> There doesn't appear to be a way, unfortunately, to tick the box to say the same restrictions at the SCM site level, so you might need to do a duplicate rule to the above with the -TargetScmSite switch, e.g.
>
> Add-AzWebAppAccessRestrictionRule -TargetScmSite -ResourceGroupName RG-TestResourceGroup -WebAppName WA-MyTestAppService -Name "MyRule1" -Priority 201 -Action Allow -IpAddress 5.6.7.8/32

I tested this in an Azure DevOps pipeline.
My code looks like this:

    - task: AzurePowerShell@4
      displayName: network configuration
      inputs:
        azureSubscription: $(serviceConnection)
        azurePowerShellVersion: LatestVersion
        ScriptType: InlineScript
        inline: |

          $counter=0
          $ips=$("ip1", "ip2")

          ForEach($ip in $ips) {
            Add-AzWebAppAccessRestrictionRule -ResourceGroupName $(resourceGroupName) -WebAppName "functionName" -Name "microsoftip$counter" -Priority $counter -Action Allow -IpAddress $ip/32
            $counter=$counter+1;
          }

Hi @panchagnula, I still see this issue in this CLI version:
azure-cli 2.0.80 *

command-modules-nspkg 2.0.3
core 2.0.80 *
nspkg 3.0.4
telemetry 1.0.4 *
Is there an API issue you can point to that will resolve this issue when fixed?
Thanks
