az storage account network-rule add is not idempotent

[jurjenoskam]

(azure-cli 2.0.74, I did not try other versions)

az storage account network-rule add is not idempotent. The first time I run it it works, subsequent invocations result in:

Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id(unique). For more information, see - https://aka.ms/storagenetworkruleset

In the spirit of https://github.com/Azure/azure-cli/blob/dev/doc/command_guidelines.md#standard-command-types I believe the subsequent operations should not result in an error, but be a no-op instead (making this command idempotent).

[ghost]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage

[Juliehzl]

Hi @jurjenoskam , thanks for your feedback. We are looking into it.

[toddplu]

Any updates?

[GeeWee]

I have also had to create custom workarounds for this error.
Seems like there are no errors when removing network rules that don't exists, so the workaround (powershell) we're using is this function:

function Create-Storage-Container-Network-Rule {
    param($StorageAccountName, $VnetName, $SubnetName)

    # Adding network rules is not idempotent, see https://github.com/Azure/azure-cli/issues/10673
    # but removing them does not fail if they do not exist
    # so to avoid errors, we always remove them first and then add them
    echo "Adding subnet '${VnetName}/${SubnetName}' to storage container '${StorageAccountName}'"
    
    az storage account network-rule remove -n ${StorageAccountName} --vnet-name=${VnetName} --subnet=${SubnetName} -o none
    
    az storage account network-rule add -n ${StorageAccountName} --vnet-name=${VnetName} --subnet=${SubnetName} -o none

}

[yonzhan]

add to S166.

[qianwens]

Hi @jurjenoskam , this error is thrown from the service side. "add" a network-rule in a storage account is a patch operation because it is a partial update of a resource which is not guaranteed to be idempotent -> https://docs.microsoft.com/en-us/azure/architecture/best-practices/api-design.
You can run az storage account network-rule list first to check if the networkrule exists first.

[jurjenoskam]

Hi @qianwens , thank you for your response. I understand the error is thrown from the service side, and I have been adding code to my scripts to circumvent that this operation is not idempotent. The issue is that I have to do this each time in every script where this operation is done, and this applies to everybody else writing Azure CLI scripts as well. In other words, lots and lots of duplicated work and code, while if this were done once (in Azure CLI itself) it would making writing scripts much simpler and make those script more robust.

Surely Azure CLI is not meant to be a direct passthrough of service API behavior? There are already many places where Azure CLI abstracts away service API behavior, from implementing retry logic when a service API call returns an error (e.g. many App Service commands) to building entire ARM templates and deploying them (VM commands).

It would really add value to Azure CLI if it would make its CLI commands idempotent, irrespective of the behavior of the underlying API call; so I hope you'll consider adding this logic in Azure CLI.

[qianwens]

@jurjenoskam , thanks for your feedback. This is a bug in Azure CLI and we will fix it.

[yonzhan]

PR merged and will be released in this Sprint.