az storage account network-rule add is not idempotent #10673
Comments
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage |
Hi @jurjenoskam , thanks for your feedback. We are looking into it. |
Any updates? |
I have also had to create custom workarounds for this error.

```powershell
function Create-Storage-Container-Network-Rule {
    param($StorageAccountName, $VnetName, $SubnetName)
    # Adding network rules is not idempotent, see https://github.com/Azure/azure-cli/issues/10673
    # but removing them does not fail if they do not exist
    # so to avoid errors, we always remove them first and then add them
    echo "Adding subnet '${VnetName}/${SubnetName}' to storage container '${StorageAccountName}'"
    az storage account network-rule remove -n ${StorageAccountName} --vnet-name=${VnetName} --subnet=${SubnetName} -o none
    az storage account network-rule add -n ${StorageAccountName} --vnet-name=${VnetName} --subnet=${SubnetName} -o none
}
```
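An added example, not code from this thread or from Azure CLI: a check-then-add wrapper in POSIX shell that leaves an existing rule in place instead of removing and re-adding it. The function name `ensure_subnet_rule`, the `virtualNetworkResourceId` field in the `list` output, and matching a rule by the `/virtualNetworks/<vnet>/subnets/<subnet>` suffix of its resource ID are assumptions.

```shell
# Hypothetical helper (added example): allow a subnet on a storage account
# only if no matching rule exists yet. Prints "unchanged" or "added".
ensure_subnet_rule() {
    local account="$1" vnet="$2" subnet="$3" want existing id

    # Azure resource IDs are case-insensitive, so compare in lower case.
    want=$(printf '/virtualNetworks/%s/subnets/%s' "$vnet" "$subnet" |
        tr '[:upper:]' '[:lower:]')

    # Assumption: each entry of virtualNetworkRules exposes the subnet's
    # resource ID as virtualNetworkResourceId in the CLI's JSON output.
    existing=$(az storage account network-rule list -n "$account" \
        --query 'virtualNetworkRules[].virtualNetworkResourceId' -o tsv) ||
        return 1

    # Suffix match anchored on the leading slash and the end of the ID, so
    # "net1" does not match "vnet1" and "app" does not match "apps".
    while IFS= read -r id; do
        case "$id" in
            *"$want") echo "unchanged"; return 0 ;;
        esac
    done <<EOF
$(printf '%s\n' "$existing" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
EOF

    # No matching rule: add it once. A failure here is a real error.
    az storage account network-rule add -n "$account" \
        --vnet-name "$vnet" --subnet "$subnet" -o none || return 1
    echo "added"
}
```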
add to S166. |
Hi @jurjenoskam , this error is thrown from the service side. "add" a network-rule in a storage account is a patch operation because it is a partial update of a resource which is not guaranteed to be idempotent -> https://docs.microsoft.com/en-us/azure/architecture/best-practices/api-design. |
Hi @qianwens , thank you for your response. I understand the error is thrown from the service side, and I have been adding code to my scripts to circumvent that this operation is not idempotent. The issue is that I have to do this each time in every script where this operation is done, and this applies to everybody else writing Azure CLI scripts as well. In other words, lots and lots of duplicated work and code, while if this were done once (in Azure CLI itself) it would make writing scripts much simpler and make those scripts more robust. Surely Azure CLI is not meant to be a direct passthrough of service API behavior? There are already many places where Azure CLI abstracts away service API behavior, from implementing retry logic when a service API call returns an error (e.g. many App Service commands) to building entire ARM templates and deploying them (VM commands). It would really add value to Azure CLI if it would make its CLI commands idempotent, irrespective of the behavior of the underlying API call; so I hope you'll consider adding this logic in Azure CLI. |
@jurjenoskam , thanks for your feedback. This is a bug in Azure CLI and we will fix it. |
PR merged and will be released in this Sprint. |
(azure-cli 2.0.74, I did not try other versions)
az storage account network-rule add is not idempotent. The first time I run it it works, subsequent invocations result in:
Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id(unique). For more information, see - https://aka.ms/storagenetworkruleset
In the spirit of https://github.com/Azure/azure-cli/blob/dev/doc/command_guidelines.md#standard-command-types I believe the subsequent operations should not result in an error, but be a no-op instead (making this command idempotent).