az signalr upstream update fails when the target has a location policy #27962

Closed
NollaigShea opened this issue Dec 4, 2023 · 6 comments
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported Issues that are reported by GitHub users external to the Azure organization. Service Attention This issue is responsible by Azure service team. SignalR az signalr

NollaigShea commented Dec 4, 2023

Describe the bug

Looks to have been introduced with #27542. An empty location string is added to the request body being sent to 'https://management.azure.com/subscriptions/<...>/resourceGroups/<...>/providers/Microsoft.SignalRService/signalR/<...>?api-version=2023-06-01-preview'

{
  "location": "",
  "properties": {
    "upstream": {
      "templates": [
        { "urlTemplate": "https://<redacted>/runtime/webhooks/signalr?code=***" }
      ]
    },
    "publicNetworkAccess": "Enabled",
    "disableLocalAuth": false,
    "disableAadAuth": false
  }
}

If you also have a location policy on the target resource, the request will fail and also the command.

Related command

az signalr upstream update

Errors

Code: RequestDisallowedByPolicy
Message: Resource '' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Allowed locations","id":"/providers/Microsoft.Management/managementGroups//providers/Microsoft.Authorization/policyAssignments/"},"policyDefinition":{"name":"Allowed locations","id":"/providers/Microsoft.Authorization/policyDefinitions/"}}]'.
Target:
Additional Information:Type: PolicyViolation
Info:

{
    "evaluationDetails": {
        "evaluatedExpressions": [
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "location",
                "path": "location",
                "expressionValue": "",
                "targetValue": [
                    "westeurope",
                    "southcentralus",
                    "southeastasia",
                    "northeurope",
                    "northcentralus",
                    "eastasia"
                ],
                "operator": "NotIn"
            },
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "location",
                "path": "location",
                "expressionValue": "",
                "targetValue": "global",
                "operator": "NotEquals"
            },
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "type",
                "path": "type",
                "expressionValue": "Microsoft.SignalRService/signalR",
                "targetValue": "Microsoft.AzureActiveDirectory/b2cDirectories",
                "operator": "NotEquals"
            }
        ]
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<redacted>",
    "policyDefinitionName": "<redacted>",
    "policyDefinitionDisplayName": "Allowed locations",
    "policyDefinitionEffect": "deny",
    "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/<redacted>/providers/Microsoft.Authorization/policyAssignments/09a<redacted>",
    "policyAssignmentName": "<redacted>",
    "policyAssignmentDisplayName": "Allowed locations",
    "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/<redacted>",
    "policyAssignmentParameters": {
        "listOfAllowedLocations": [
            "westeurope",
            "southcentralus",
            "southeastasia",
            "northeurope",
            "northcentralus",
            "eastasia"
        ]
    },
    "policyExemptionIds": []
}

Issue script & Debug output

Heavily redacted for obvious reasons, but it contains the key information:

az signalr upstream update --name <...> --resource-group <...> --template url-template="https://<...>/runtime/webhooks/signalr?code=<...>" --debug
...
az_command_data_logger: command args: signalr upstream update --name {} --resource-group {} --template {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x000002150F3D4180>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x000002150F3D4220>, <function register_cache_arguments..add_cache_arguments at 0x000002150F3D4360>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x000002151149FEC0>]
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x000002150C145E40>, <function CLIQuery.handle_query_parameter at 0x000002150C1739C0>, <function register_ids_argument..parse_ids_arguments at 0x000002150F3D42C0>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=SignalRManagementClient
...
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: <...>
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<...>/resourceGroups/<...>/providers/Microsoft.SignalRService/signalR/<...>?api-version=2023-06-01-preview'
cli.azure.cli.core.sdk.policies: Request method: 'PATCH'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '306'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '6cb48646-9275-11ee-930c-ac1a3db7fa8b'
cli.azure.cli.core.sdk.policies: 'CommandName': 'signalr upstream update'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --resource-group --template --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.54.0 (MSI) azsdk-python-mgmt-signalr/2.0.0b1 Python/3.11.5 (Windows-10-10.0.22621-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "", "properties": {"upstream": {"templates": [{"urlTemplate": "https://<...>/runtime/webhooks/signalr?code=<...>"}]}, "publicNetworkAccess": "Enabled", "disableLocalAuth": false, "disableAadAuth": false}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PATCH /subscriptions/<...>/resourceGroups/<...>/providers/Microsoft.SignalRService/signalR/<...>?api-version=2023-06-01-preview HTTP/1.1" 403 2016
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '2016'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '<...>'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '<...>'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': '<...>'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: <...> Ref B: <...> Ref C: <...>'
cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 04 Dec 2023 07:19:15 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"RequestDisallowedByPolicy","target":"<...>","message":"Resource '<...>' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Allowed locations","id":"/providers/Microsoft.Management/managementGroups/<...>/providers/Microsoft.Authorization/policyAssignments/<...>"},"policyDefinition":{"name":"Allowed locations","id":"/providers/Microsoft.Authorization/policyDefinitions/<...>"}}]'.","additionalInfo":[{"type":"PolicyViolation","info":{"evaluationDetails":{"evaluatedExpressions":[{"result":"True","expressionKind":"Field","expression":"location","path":"location","expressionValue":"","targetValue":["westeurope","southcentralus","southeastasia","northeurope","northcentralus","eastasia"],"operator":"NotIn"},{"result":"True","expressionKind":"Field","expression":"location","path":"location","expressionValue":"","targetValue":"global","operator":"NotEquals"},{"result":"True","expressionKind":"Field","expression":"type","path":"type","expressionValue":"Microsoft.SignalRService/signalR","targetValue":"Microsoft.AzureActiveDirectory/b2cDirectories","operator":"NotEquals"}]},"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/<...>","policyDefinitionName":"<...>","policyDefinitionDisplayName":"Allowed locations","policyDefinitionEffect":"deny","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/<...>/providers/Microsoft.Authorization/policyAssignments/<...>","policyAssignmentName":"<...>","policyAssignmentDisplayName":"Allowed locations","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/<...>","policyAssignmentParameters":{"listOfAllowedLocations":["westeurope","southcentralus","southeastasia","northeurope","northcentralus","eastasia"]},"policyExemptionIds":[]}}]}}
...

Expected behavior

The command should offer the user a possibility to change the default location "" to an allowed location so that the CLI can be used in conjunction with a target resource that has a location policy attached to it.

or

Internally the command should acquire the location of the target resource and attach it to the PATCH request.

or

simply don't send the location with an update command. The target already exists and this command does not change the location.

Environment Summary

azure-cli 2.54.0

core 2.54.0
telemetry 1.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users<...>.azure\cliextensions'

Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:38:34) [MSC v.1936 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response
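
A triage helper for the failure reported above, added here as an example and not part of the original report or of azure-cli: it reads a `RequestDisallowedByPolicy` response and lists the fields the policy evaluated as empty, then applies the report's third suggestion by omitting an unset `location` from the PATCH body. The function names and the trimmed sample response are constructed for illustration.

```python
import json

# Constructed sample: the error shape shown in the issue, trimmed to the fields used here.
SAMPLE_ERROR = json.loads("""
{"error": {"code": "RequestDisallowedByPolicy", "additionalInfo": [{"type": "PolicyViolation",
 "info": {"evaluationDetails": {"evaluatedExpressions": [
   {"result": "True", "expressionKind": "Field", "path": "location", "expressionValue": "",
    "targetValue": ["westeurope", "northeurope"], "operator": "NotIn"},
   {"result": "True", "expressionKind": "Field", "path": "location", "expressionValue": "",
    "targetValue": "global", "operator": "NotEquals"},
   {"result": "True", "expressionKind": "Field", "path": "type",
    "expressionValue": "Microsoft.SignalRService/signalR",
    "targetValue": "Microsoft.AzureActiveDirectory/b2cDirectories", "operator": "NotEquals"}]},
  "policyDefinitionEffect": "deny", "policyAssignmentDisplayName": "Allowed locations"}}]}}
""")


def explain_policy_denial(error_doc):
    """Summarise each PolicyViolation: assignment, effect, and fields evaluated as empty."""
    err = error_doc.get("error", {})
    if err.get("code") != "RequestDisallowedByPolicy":
        return []
    findings = []
    for extra in err.get("additionalInfo", []):
        if extra.get("type") != "PolicyViolation":
            continue
        info = extra.get("info", {})
        exprs = info.get("evaluationDetails", {}).get("evaluatedExpressions", [])
        # In the issue, the empty expressionValue matches the empty "location"
        # the CLI placed in the request body, so empty fields are worth surfacing.
        empty = sorted({e.get("path", "") for e in exprs
                        if e.get("expressionKind") == "Field" and e.get("expressionValue") == ""})
        findings.append({"policy": info.get("policyAssignmentDisplayName"),
                         "effect": info.get("policyDefinitionEffect"),
                         "empty_fields": empty})
    return findings


def drop_empty_location(patch_body):
    """Third option from the report: leave out a location the caller never set."""
    cleaned = dict(patch_body)
    if cleaned.get("location") in ("", None):
        cleaned.pop("location", None)
    return cleaned


if __name__ == "__main__":
    print(explain_policy_denial(SAMPLE_ERROR))
    print(drop_empty_location({"location": "", "properties": {"publicNetworkAccess": "Enabled"}}))
```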

@NollaigShea NollaigShea added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Dec 4, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Dec 4, 2023
@yonzhan
Collaborator

yonzhan commented Dec 4, 2023

Thank you for opening this issue, we will look into it.

@NollaigShea
Author

@yonzhan Is there any update on this? We currently have to downgrade to an older version of azure-cli to keep our production environment alive. Thanks.

@yonzhan yonzhan added SignalR az signalr Service Attention This issue is responsible by Azure service team. labels Jun 14, 2024
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @sffamily, @chenkennt.

@chenkennt
Member

@zackliu please help take a look

@zackliu
Member

zackliu commented Jun 28, 2024

It's fixed in the latest patch but still need to wait for the release

@NollaigShea
Author

Tried the fix on 2.64.0 and it works. Thanks
