"az webapp config ssl bind" command passes partial site object causing Azure policy enforcement to fail when it shouldn't #30357
Describe the bug
1. Create an Azure Policy set to Deny when HTTPS Only is not set on an app
2. Use CLI to bind certificate to app

EXPECTED: Command succeeds
ACTUAL: Command fails with policy exception even though HTTPS Only is set on site
This bug appears due to the following code:
The code here to update bindings is passing a partial object for the site, which causes the policy to fail
https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/appservice/custom.py
Related command
az webapp config ssl bind
Errors
ARM 403 response, Policy Deny is applied
Issue script & Debug output
az webapp config ssl bind --certificate-thumbprint 9C224080A35F070CF5D8B10C6A06FF15B82141A9 --name auedevbuidad01legacyauth01 --resource-group bluekey-ad01-rg01 --ssl-type SNI --debug
cli.knack.cli: Command arguments: ['webapp', 'config', 'ssl', 'bind', '--certificate-thumbprint', '9C224080A35F070CF5D8B10C6A06FF15B82141A9', '--name', 'auedevbuidad01legacyauth01', '--resource-group', 'bluekey-ad01-rg01', '--ssl-type', 'SNI', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f1161116160>, <function OutputProducer.on_global_arguments at 0x7f1161030d30>, <function CLIQuery.on_global_arguments at 0x7f1160fc7310>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'webapp': ['azure.cli.command_modules.appservice', 'azure.cli.command_modules.serviceconnector']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: appservice 0.322 79 270
cli.azure.cli.core: serviceconnector 0.114 20 309
cli.azure.cli.core: Total (2) 0.436 99 579
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: ai-examples 0.149 1 1 /usr/lib/python3.9/site-packages/azure-cli-extensions/ai-examples
cli.azure.cli.core: Total (1) 0.149 1 1
cli.azure.cli.core: Loaded 98 groups, 580 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : webapp config ssl bind
cli.azure.cli.core: Command table: webapp config ssl bind
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f116048c280>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/bhupinder/.azure/commands/2024-09-05.01-47-37.webapp_config_ssl_bind.316.log'.
az_command_data_logger: command args: webapp config ssl bind --certificate-thumbprint {} --name {} --resource-group {} --ssl-type {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7f1160429e50>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7f116044fe50>, <function register_cache_arguments..add_cache_arguments at 0x7f11603b5d30>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f1161030dc0>, <function CLIQuery.handle_query_parameter at 0x7f1160fc73a0>, <function register_ids_argument..parse_ids_arguments at 0x7f11603b5ca0>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=WebSiteManagementClient
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 200 5024
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://management.core.windows.net/'}
cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 200 5024
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://management.core.windows.net/'}
cli.azure.cli.core.auth.adal_authentication: Normalize expires_on: '1725505500' -> 1725505500
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01?api-version=2023-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'd40db3f4-6b28-11ef-94f0-00155db282d8'
cli.azure.cli.core.sdk.policies: 'CommandName': 'webapp config ssl bind'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--certificate-thumbprint --name --resource-group --ssl-type --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.63.0 (RPM) azsdk-python-core/1.28.0 Python/3.9.19 (Linux-6.1.91.1-microsoft-standard-x86_64-with-glibc2.35) cloud-shell/1.0'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01?api-version=2023-01-01 HTTP/1.1" 200 8590
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '8590'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'ETag': '"1DAFE79137B5A40"'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '6e310f17-9313-4ad0-95db-ac838db7ed4d'
cli.azure.cli.core.sdk.policies: 'X-AspNet-Version': '4.0.30319'
cli.azure.cli.core.sdk.policies: 'X-Powered-By': 'ASP.NET'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '499'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '7499'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '84ca52ef-ee36-4a41-b2bc-5afd854d688c'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20240905T014739Z:84ca52ef-ee36-4a41-b2bc-5afd854d688c'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 9AFB57B97C604437857FD9052304B3D9 Ref B: MAA201060516021 Ref C: 2024-09-05T01:47:38Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 05 Sep 2024 01:47:38 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01","name":"auedevbuidad01legacyauth01","type":"Microsoft.Web/sites","kind":"api","location":"Australia East","tags":{"Application":"BlueKey","Cost Centre":"381794 Cloud Platform & DevOps","Environment":"Dev","Stream":"Shared Services","Technical Contact":"[email protected]"},"properties":{"name":"auedevbuidad01legacyauth01","state":"Running","hostNames":["ad-identity-migration-api.np.bupa.com.au","auedevbuidad01tfm01identity-migration-api.trafficmanager.net","auedevbuidad01legacyauth01.azurewebsites.net"],"webSpace":"bluekey-ad01-rg01-AustraliaEastwebspace","selfLink":"https://waws-prod-sy3-077.api.azurewebsites.windows.net:454/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/webspaces/bluekey-ad01-rg01-AustraliaEastwebspace/sites/auedevbuidad01legacyauth01","repositorySiteName":"auedevbuidad01legacyauth01","owner":null,"usageState":"Normal","enabled":true,"adminEnabled":true,"siteScopedCertificatesEnabled":false,"afdEnabled":false,"enabledHostNames":["ad-identity-migration-api.np.bupa.com.au","auedevbuidad01legacyauth01.azurewebsites.net","auedevbuidad01legacyauth01.scm.azurewebsites.net"],"siteProperties":{"metadata":null,"properties":[{"name":"LinuxFxVersion","value":""},{"name":"WindowsFxVersion","value":null}],"appSettings":null},"availabilityState":"Normal","sslCertificates":null,"csrs":[],"cers":null,"siteMode":null,"hostNameSslStates":[{"name":"ad-identity-migration-api.np.bupa.com.au","sslState":"SniEnabled","ipBasedSslResult":null,"virtualIP":null,"virtualIPv6":null,"thumbprint":"9C224080A35F070CF5D8B10C6A06FF15B82141A9","certificateResourceId":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/certificates/auedevbuidad01kv01-bluekeynpcert","toUpdate":null,"toUpdateIpBasedSsl":null,"ipBasedSslState":"NotConfigured","hos
tType":"Standard"},{"name":"auedevbuidad01legacyauth01.azurewebsites.net","sslState":"Disabled","ipBasedSslResult":null,"virtualIP":null,"virtualIPv6":null,"thumbprint":null,"certificateResourceId":null,"toUpdate":null,"toUpdateIpBasedSsl":null,"ipBasedSslState":"NotConfigured","hostType":"Standard"},{"name":"auedevbuidad01legacyauth01.scm.azurewebsites.net","sslState":"Disabled","ipBasedSslResult":null,"virtualIP":null,"virtualIPv6":null,"thumbprint":null,"certificateResourceId":null,"toUpdate":null,"toUpdateIpBasedSsl":null,"ipBasedSslState":"NotConfigured","hostType":"Repository"}],"computeMode":null,"serverFarm":null,"serverFarmId":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/serverfarms/auedevbuidad01asp01","reserved":false,"isXenon":false,"hyperV":false,"lastModifiedTimeUtc":"2024-09-04T03:18:13.22","storageRecoveryDefaultState":"Running","contentAvailabilityState":"Normal","runtimeAvailabilityState":"Normal","dnsConfiguration":{"dnsLegacySortOrder":true},"vnetRouteAllEnabled":false,"containerAllocationSubnet":null,"useContainerLocalhostBindings":null,"vnetImagePullEnabled":false,"vnetContentShareEnabled":false,"outboundVnetRouting":null,"siteConfig":{"numberOfWorkers":1,"defaultDocuments":null,"netFrameworkVersion":null,"phpVersion":null,"pythonVersion":null,"nodeVersion":null,"powerShellVersion":null,"linuxFxVersion":"","windowsFxVersion":null,"windowsConfiguredStacks":null,"requestTracingEnabled":null,"remoteDebuggingEnabled":null,"remoteDebuggingVersion":null,"httpLoggingEnabled":null,"azureMonitorLogCategories":null,"acrUseManagedIdentityCreds":false,"acrUserManagedIdentityID":null,"logsDirectorySizeLimit":null,"detailedErrorLoggingEnabled":null,"publishingUsername":null,"publishingPassword":null,"appSettings":null,"metadata":null,"connectionStrings":null,"machineKey":null,"handlerMappings":null,"documentRoot":null,"scmType":null,"use32BitWorkerProcess":null,"webSocketsEnabled":null,"alwaysO
n":true,"javaVersion":null,"javaContainer":null,"javaContainerVersion":null,"appCommandLine":null,"managedPipelineMode":null,"virtualApplications":null,"winAuthAdminState":null,"winAuthTenantState":null,"customAppPoolIdentityAdminState":null,"customAppPoolIdentityTenantState":null,"runtimeADUser":null,"runtimeADUserPassword":null,"loadBalancing":null,"routingRules":null,"experiments":null,"limits":null,"autoHealEnabled":null,"autoHealRules":null,"tracingOptions":null,"vnetName":null,"vnetRouteAllEnabled":null,"vnetPrivatePortsCount":null,"publicNetworkAccess":null,"cors":null,"push":null,"apiDefinition":null,"apiManagementConfig":null,"autoSwapSlotName":null,"localMySqlEnabled":null,"managedServiceIdentityId":null,"xManagedServiceIdentityId":null,"keyVaultReferenceIdentity":null,"ipSecurityRestrictions":null,"ipSecurityRestrictionsDefaultAction":null,"scmIpSecurityRestrictions":null,"scmIpSecurityRestrictionsDefaultAction":null,"scmIpSecurityRestrictionsUseMain":null,"http20Enabled":true,"minTlsVersion":null,"minTlsCipherSuite":null,"scmMinTlsCipherSuite":null,"supportedTlsCipherSuites":null,"scmSupportedTlsCipherSuites":null,"scmMinTlsVersion":null,"ftpsState":null,"preWarmedInstanceCount":null,"functionAppScaleLimit":0,"elasticWebAppScaleLimit":null,"healthCheckPath":null,"fileChangeAuditEnabled":null,"functionsRuntimeScaleMonitoringEnabled":null,"websiteTimeZone":null,"minimumElasticInstanceCount":1,"azureStorageAccounts":null,"http20ProxyFlag":null,"sitePort":null,"antivirusScanEnabled":null,"storageType":null,"sitePrivateLinkHostEnabled":null,"clusteringEnabled":false},"functionAppConfig":null,"daprConfig":null,"deploymentId":"auedevbuidad01legacyauth01","slotName":null,"trafficManagerHostNames":["auedevbuidad01tfm01identity-migration-api.trafficmanager.net"],"sku":"Basic","scmSiteAlsoStopped":false,"targetSwapSlot":null,"hostingEnvironment":null,"hostingEnvironmentProfile":null,"clientAffinityEnabled":false,"clientAffinityProxyEnabled":false,"blockPathTraversa
l":false,"clientCertEnabled":false,"clientCertMode":"Required","clientCertExclusionPaths":null,"hostNamesDisabled":false,"ipMode":"IPv4","domainVerificationIdentifiers":null,"customDomainVerificationId":"BEE3E7DE44A83DA9F590563295AA9FE3AD4D6906C815979D7AA98BBA6A9547F4","kind":"api","managedEnvironmentId":null,"workloadProfileName":null,"resourceConfig":null,"inboundIpAddress":"20.211.64.3","possibleInboundIpAddresses":"20.211.64.3","ftpUsername":"auedevbuidad01legacyauth01\\$auedevbuidad01legacyauth01","ftpsHostName":"ftps://waws-prod-sy3-077.ftp.azurewebsites.windows.net/site/wwwroot","outboundIpAddresses":"20.53.80.153,20.53.124.133,20.53.130.174,20.53.131.181,20.53.131.217,20.53.132.47,20.211.64.3","possibleOutboundIpAddresses":"20.53.80.153,20.53.124.133,20.53.130.174,20.53.131.181,20.53.131.217,20.53.132.47,20.53.129.35,20.53.132.78,20.53.132.107,20.53.125.110,20.53.132.117,20.53.132.125,20.53.131.73,20.53.126.230,20.53.132.140,20.53.132.153,20.53.132.163,20.53.132.230,20.53.133.8,20.53.133.34,20.53.133.97,20.53.133.131,20.53.133.154,20.53.133.193,20.193.11.198,20.53.133.212,20.53.133.253,20.193.31.39,20.53.133.254,20.53.134.32,20.211.64.3","containerSize":0,"dailyMemoryTimeQuota":0,"suspendedTill":null,"siteDisabledReason":0,"functionExecutionUnitsCache":null,"maxNumberOfWorkers":null,"homeStamp":"waws-prod-sy3-077","cloningInfo":null,"hostingEnvironmentId":null,"tags":{"Application":"BlueKey","Cost Centre":"381794 Cloud Platform & DevOps","Environment":"Dev","Stream":"Shared Services","Technical Contact":"[email 
protected]"},"resourceGroup":"bluekey-ad01-rg01","defaultHostName":"auedevbuidad01legacyauth01.azurewebsites.net","slotSwapStatus":null,"httpsOnly":true,"endToEndEncryptionEnabled":false,"functionsRuntimeAdminIsolationEnabled":false,"redundancyMode":"None","inProgressOperationId":null,"geoDistributions":null,"privateEndpointConnections":[],"publicNetworkAccess":null,"buildVersion":null,"targetBuildVersion":null,"migrationState":null,"eligibleLogCategories":"AppServiceAppLogs,AppServiceAuditLogs,AppServiceConsoleLogs,AppServiceHTTPLogs,AppServiceIPSecAuditLogs,AppServicePlatformLogs,ScanLogs,AppServiceAuthenticationLogs","inFlightFeatures":["SiteContainers"],"storageAccountRequired":false,"virtualNetworkSubnetId":null,"keyVaultReferenceIdentity":"SystemAssigned","autoGeneratedDomainNameLabelScope":null,"defaultHostNameScope":"Global","privateLinkIdentifiers":null,"sshEnabled":null},"identity":{"type":"SystemAssigned","tenantId":"fee9c112-179f-46e3-ab98-f8d58602cf19","principalId":"354bef53-ee56-4b91-aa07-c4a46e2904cc"}}
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/certificates?api-version=2023-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'd40db3f4-6b28-11ef-94f0-00155db282d8'
cli.azure.cli.core.sdk.policies: 'CommandName': 'webapp config ssl bind'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--certificate-thumbprint --name --resource-group --ssl-type --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.63.0 (RPM) azsdk-python-core/1.28.0 Python/3.9.19 (Linux-6.1.91.1-microsoft-standard-x86_64-with-glibc2.35) cloud-shell/1.0'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/certificates?api-version=2023-01-01 HTTP/1.1" 200 4181
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '4181'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'd74470c8-6603-4dab-8893-d3b2e77d2c52'
cli.azure.cli.core.sdk.policies: 'X-AspNet-Version': '4.0.30319'
cli.azure.cli.core.sdk.policies: 'X-Powered-By': 'ASP.NET'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '499'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '7499'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '200fe8ed-d3d9-49e5-a26b-b81c239c4a9a'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20240905T014740Z:200fe8ed-d3d9-49e5-a26b-b81c239c4a9a'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: D72846157E3B4B40B710727D637A7182 Ref B: MAA201060516021 Ref C: 2024-09-05T01:47:39Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 05 Sep 2024 01:47:39 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[{"id":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/certificates/auedevbuidad01kv01-bluekeynpcert","name":"auedevbuidad01kv01-bluekeynpcert","type":"Microsoft.Web/certificates","location":"Australia East","tags":{"Application":"BlueKey","Cost Centre":"381794 Cloud Platform & DevOps","Environment":"Dev","Stream":"Shared Services","Technical Contact":"[email protected]"},"properties":{"password":null,"friendlyName":"np.bupa.com.au","subjectName":"np.bupa.com.au,ad-account.np.bupa.com.au,ad-identity-api.np.bupa.com.au,ad-account-assets.np.bupa.com.au,ad-identity-migration-api.np.bupa.com.au,ad-identity-management.np.bupa.com.au,ad-identity-audit-api.np.bupa.com.au,at-account.np.bupa.com.au,at-identity-api.np.bupa.com.au,at-account-assets.np.bupa.com.au,at-identity-migration-api.np.bupa.com.au,at-identity-management.np.bupa.com.au,at-identity-audit-api.np.bupa.com.au,prpd-account.np.bupa.com.au,prpd-identity-api.np.bupa.com.au,prpd-account-assets.np.bupa.com.au,prpd-identity-migration-api.np.bupa.com.au,prpd-identity-management.np.bupa.com.au,prpd-identity-audit-api.np.bupa.com.au","hostNames":["np.bupa.com.au","ad-account.np.bupa.com.au","ad-identity-api.np.bupa.com.au","ad-account-assets.np.bupa.com.au","ad-identity-migration-api.np.bupa.com.au","ad-identity-management.np.bupa.com.au","ad-identity-audit-api.np.bupa.com.au","at-account.np.bupa.com.au","at-identity-api.np.bupa.com.au","at-account-assets.np.bupa.com.au","at-identity-migration-api.np.bupa.com.au","at-identity-management.np.bupa.com.au","at-identity-audit-api.np.bupa.com.au","prpd-account.np.bupa.com.au","prpd-identity-api.np.bupa.com.au","prpd-account-assets.np.bupa.com.au","prpd-identity-migration-api.np.bupa.com.au","prpd-identity-management.np.bupa.com.au","prpd-identity-audit-api.np.bupa.com.au"],"pfxBlob":null,"siteName":null,"selfLink":null,"issuer":"DigiCert Global G2 TLS RSA SHA256 2020 
CA1","issueDate":"2024-01-31T00:00:00+00:00","expirationDate":"2025-02-01T23:59:59+00:00","thumbprint":"9C224080A35F070CF5D8B10C6A06FF15B82141A9","valid":null,"toDelete":null,"cerBlob":null,"publicKeyHash":null,"hostingEnvironment":null,"hostingEnvironmentProfile":null,"keyVaultId":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourcegroups/bluekey-ad01-rg01/providers/microsoft.keyvault/vaults/auedevbuidad01kv01","keyVaultSecretName":"bluekeynpcert","keyVaultSecretStatus":"OperationNotPermittedOnKeyVault","webSpace":"bluekey-ad01-rg01-AustraliaEastwebspace","serverFarmId":null,"tags":{"Application":"BlueKey","Cost Centre":"Bluekey:382431","Environment":"Dev","Stream":"Shared Services","Technical Contact":"[email protected]"},"resourceGroup":"bluekey-ad01-rg01"}},{"id":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/certificates/bluekey-ad01-rg01-AustraliaEastwebspace-240108064948","name":"bluekey-ad01-rg01-AustraliaEastwebspace-240108064948","type":"Microsoft.Web/certificates","location":"Australia East","tags":{"Application":"BlueKey","Cost Centre":"381794 Cloud Platform & DevOps","Environment":"Dev","Stream":"Shared Services","Technical Contact":"[email protected]"},"properties":{"password":null,"friendlyName":".webaks.bupa.com.au","subjectName":".webaks.bupa.com.au,webaks.bupa.com.au","hostNames":["*.webaks.bupa.com.au","webaks.bupa.com.au"],"pfxBlob":null,"siteName":null,"selfLink":null,"issuer":"DigiCert Global G2 TLS RSA SHA256 2020 CA1","issueDate":"2023-07-26T00:00:00+00:00","expirationDate":"2024-08-20T23:59:59+00:00","thumbprint":"44F058AC4941CA8C9689ED533D0D2EFC7148FD7D","valid":null,"toDelete":null,"cerBlob":null,"publicKeyHash":null,"hostingEnvironment":null,"hostingEnvironmentProfile":null,"keyVaultSecretStatus":"Initialized","webSpace":"bluekey-ad01-rg01-AustraliaEastwebspace","serverFarmId":null,"tags":{"Application":"BlueKey","Cost 
Centre":"Bluekey:382431","Environment":"DEV","Stream":"Shared Services","Technical Contact":"[email protected]"},"resourceGroup":"bluekey-ad01-rg01"}}],"nextLink":null,"id":null}
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=WebSiteManagementClient
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 200 5024
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://management.core.windows.net/'}
cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 200 5024
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://management.core.windows.net/'}
cli.azure.cli.core.auth.adal_authentication: Normalize expires_on: '1725505500' -> 1725505500
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01/hostNameBindings?api-version=2023-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'd40db3f4-6b28-11ef-94f0-00155db282d8'
cli.azure.cli.core.sdk.policies: 'CommandName': 'webapp config ssl bind'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--certificate-thumbprint --name --resource-group --ssl-type --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.63.0 (RPM) azsdk-python-core/1.28.0 Python/3.9.19 (Linux-6.1.91.1-microsoft-standard-x86_64-with-glibc2.35) cloud-shell/1.0'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01/hostNameBindings?api-version=2023-01-01 HTTP/1.1" 200 1536
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '1536'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'ETag': '"1DAFE79137B5A40"'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '5e5ab49f-ec10-4382-8dc8-45ac948b2cd5'
cli.azure.cli.core.sdk.policies: 'X-AspNet-Version': '4.0.30319'
cli.azure.cli.core.sdk.policies: 'X-Powered-By': 'ASP.NET'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '499'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '7499'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '08ce9acf-8f33-49c4-9267-e717f13f031d'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20240905T014741Z:08ce9acf-8f33-49c4-9267-e717f13f031d'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 3692A7E84B80402CA46452AD1E1CBBDE Ref B: MAA201060516049 Ref C: 2024-09-05T01:47:40Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 05 Sep 2024 01:47:40 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[{"id":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01/hostNameBindings/auedevbuidad01legacyauth01.azurewebsites.net","name":"auedevbuidad01legacyauth01/auedevbuidad01legacyauth01.azurewebsites.net","type":"Microsoft.Web/sites/hostNameBindings","location":"Australia East","properties":{"siteName":"auedevbuidad01legacyauth01","domainId":null,"hostNameType":"Verified"}},{"id":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01/hostNameBindings/ad-identity-migration-api.np.bupa.com.au","name":"auedevbuidad01legacyauth01/ad-identity-migration-api.np.bupa.com.au","type":"Microsoft.Web/sites/hostNameBindings","location":"Australia East","properties":{"siteName":"auedevbuidad01legacyauth01","domainId":null,"hostNameType":"Verified","sslState":"SniEnabled","thumbprint":"9C224080A35F070CF5D8B10C6A06FF15B82141A9"}},{"id":"/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01/hostNameBindings/auedevbuidad01tfm01identity-migration-api.trafficmanager.net","name":"auedevbuidad01legacyauth01/auedevbuidad01tfm01identity-migration-api.trafficmanager.net","type":"Microsoft.Web/sites/hostNameBindings","location":"Australia East","properties":{"siteName":"auedevbuidad01legacyauth01","domainId":null,"hostNameType":"Verified"}}],"nextLink":null,"id":null}
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=WebSiteManagementClient
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 200 5024
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://management.core.windows.net/'}
cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 200 5024
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://management.core.windows.net/'}
cli.azure.cli.core.auth.adal_authentication: Normalize expires_on: '1725505500' -> 1725505500
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01?api-version=2023-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '508'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'd40db3f4-6b28-11ef-94f0-00155db282d8'
cli.azure.cli.core.sdk.policies: 'CommandName': 'webapp config ssl bind'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--certificate-thumbprint --name --resource-group --ssl-type --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.63.0 (RPM) azsdk-python-core/1.28.0 Python/3.9.19 (Linux-6.1.91.1-microsoft-standard-x86_64-with-glibc2.35) cloud-shell/1.0'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "Australia East", "tags": {"Application": "BlueKey", "Cost Centre": "381794 Cloud Platform & DevOps", "Environment": "Dev", "Stream": "Shared Services", "Technical Contact": "[email protected]"}, "properties": {"hostNameSslStates": [{"name": "ad-identity-migration-api.np.bupa.com.au", "sslState": "SniEnabled", "thumbprint": "9C224080A35F070CF5D8B10C6A06FF15B82141A9", "toUpdate": true}], "reserved": false, "isXenon": false, "hyperV": false, "scmSiteAlsoStopped": false}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/875f5086-7cf0-423f-80a9-1041a0a35b54/resourceGroups/bluekey-ad01-rg01/providers/Microsoft.Web/sites/auedevbuidad01legacyauth01?api-version=2023-01-01 HTTP/1.1" 403 3154
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '3154'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '3ce9927b-3af8-4c02-9dbb-7fb160bf08ce'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '3ce9927b-3af8-4c02-9dbb-7fb160bf08ce'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20240905T014741Z:3ce9927b-3af8-4c02-9dbb-7fb160bf08ce'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: A309F47AB78A4056A7B1FEF28C329DC2 Ref B: MAA201060514053 Ref C: 2024-09-05T01:47:41Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 05 Sep 2024 01:47:40 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"RequestDisallowedByPolicy","target":"auedevbuidad01legacyauth01","message":"Resource 'auedevbuidad01legacyauth01' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyAssignments/banzasnapps380c"},"policyDefinition":{"name":"BupaANZ - CIS-App Service apps should only be accessible over HTTPS","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyDefinitions/banz-pol-cis-cis14-azure-092-app-service"},"policySetDefinition":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policySetDefinitions/banz-ini-apps-380c"}}]'.","additionalInfo":[{"type":"PolicyViolation","info":{"evaluationDetails":{"evaluatedExpressions":[{"result":"True","expressionKind":"Field","expression":"type","path":"type","expressionValue":"Microsoft.Web/sites","targetValue":"Microsoft.Web/sites","operator":"Equals"},{"result":"True","expressionKind":"Field","expression":"kind","path":"kind","targetValue":"functionapp","operator":"NotContains"},{"result":"True","expressionKind":"Field","expression":"Microsoft.Web/sites/httpsOnly","path":"properties.httpsOnly","targetValue":"false","operator":"Exists"}]},"policyDefinitionId":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyDefinitions/banz-pol-cis-cis14-azure-092-app-service","policySetDefinitionId":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policySetDefinitions/banz-ini-apps-380c","policyDefinitionReferenceId":"banz-pol-cis-cis14-azure-092-app-service","policySetDefinitionName":"banz-ini-apps-380c","policySetDefinitionDisplayName":"BupaANZ - 
ResourceCSB-AppService-Enforce","policyDefinitionName":"banz-pol-cis-cis14-azure-092-app-service","policyDefinitionDisplayName":"BupaANZ - CIS-App Service apps should only be accessible over HTTPS","policyDefinitionEffect":"Deny","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyAssignments/banzasnapps380c","policyAssignmentName":"banzasnapps380c","policyAssignmentDisplayName":"BupaANZ - ResourceCSB-AppService-Enforce","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/bupaanz","policyAssignmentParameters":{"cis14azure053aeffects":"Audit","cis14azure053arequiredRetentionDays":"365","cis14azure0910aeffects":"AuditIfNotExists","cis14azure0910beffects":"AuditIfNotExists","cis14azure091aeffects":"AuditIfNotExists","cis14azure091beffects":"AuditIfNotExists","cis14azure092effect":"Deny","cis14azure093aeffects":"AuditIfNotExists","cis14azure093beffects":"AuditIfNotExists","cis14azure094effect":"AuditIfNotExists","cis14azure095aeffects":"AuditIfNotExists","cis14azure095beffects":"AuditIfNotExists","cis14azure099aeffects":"AuditIfNotExists","cis14azure099beffects":"AuditIfNotExists"},"policyExemptionIds":[]}}]}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.9/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
raise ex
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
return cmd_copy.exception_handler(ex)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/commands.py", line 46, in _ex_handler
raise ex
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
result = cmd_copy(params)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
return self.handler(*args, **kwargs)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/custom.py", line 3798, in bind_ssl_cert
return _update_ssl_binding(cmd, resource_group_name, name, certificate_thumbprint,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/custom.py", line 3788, in _update_ssl_binding
_update_host_name_ssl_state(cmd, resource_group_name, name, webapp,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/custom.py", line 3748, in _update_host_name_ssl_state
return _generic_site_operation(cmd.cli_ctx, resource_group_name, webapp_name, 'begin_create_or_update',
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/_appservice_utils.py", line 21, in _generic_site_operation
if extra_parameter is None else operation(resource_group_name,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
return func(*args, **kwargs)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/mgmt/web/v2023_01_01/operations/_web_apps_operations.py", line 17008, in begin_create_or_update
raw_result = self._create_or_update_initial(
File "/usr/lib64/az/lib/python3.9/site-packages/azure/mgmt/web/v2023_01_01/operations/_web_apps_operations.py", line 16870, in _create_or_update_initial
raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (RequestDisallowedByPolicy) Resource 'auedevbuidad01legacyauth01' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyAssignments/banzasnapps380c"},"policyDefinition":{"name":"BupaANZ - CIS-App Service apps should only be accessible over HTTPS","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyDefinitions/banz-pol-cis-cis14-azure-092-app-service"},"policySetDefinition":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policySetDefinitions/banz-ini-apps-380c"}}]'.
Code: RequestDisallowedByPolicy
Message: Resource 'auedevbuidad01legacyauth01' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyAssignments/banzasnapps380c"},"policyDefinition":{"name":"BupaANZ - CIS-App Service apps should only be accessible over HTTPS","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyDefinitions/banz-pol-cis-cis14-azure-092-app-service"},"policySetDefinition":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policySetDefinitions/banz-ini-apps-380c"}}]'.
Target: auedevbuidad01legacyauth01
Additional Information:Type: PolicyViolation
Info: {
"evaluationDetails": {
"evaluatedExpressions": [
{
"result": "True",
"expressionKind": "Field",
"expression": "type",
"path": "type",
"expressionValue": "Microsoft.Web/sites",
"targetValue": "Microsoft.Web/sites",
"operator": "Equals"
},
{
"result": "True",
"expressionKind": "Field",
"expression": "kind",
"path": "kind",
"targetValue": "functionapp",
"operator": "NotContains"
},
{
"result": "True",
"expressionKind": "Field",
"expression": "Microsoft.Web/sites/httpsOnly",
"path": "properties.httpsOnly",
"targetValue": "false",
"operator": "Exists"
}
]
},
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyDefinitions/banz-pol-cis-cis14-azure-092-app-service",
"policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policySetDefinitions/banz-ini-apps-380c",
"policyDefinitionReferenceId": "banz-pol-cis-cis14-azure-092-app-service",
"policySetDefinitionName": "banz-ini-apps-380c",
"policySetDefinitionDisplayName": "BupaANZ - ResourceCSB-AppService-Enforce",
"policyDefinitionName": "banz-pol-cis-cis14-azure-092-app-service",
"policyDefinitionDisplayName": "BupaANZ - CIS-App Service apps should only be accessible over HTTPS",
"policyDefinitionEffect": "Deny",
"policyAssignmentId": "/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyAssignments/banzasnapps380c",
"policyAssignmentName": "banzasnapps380c",
"policyAssignmentDisplayName": "BupaANZ - ResourceCSB-AppService-Enforce",
"policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/bupaanz",
"policyAssignmentParameters": {
"cis14azure053aeffects": "Audit",
"cis14azure053arequiredRetentionDays": "365",
"cis14azure0910aeffects": "AuditIfNotExists",
"cis14azure0910beffects": "AuditIfNotExists",
"cis14azure091aeffects": "AuditIfNotExists",
"cis14azure091beffects": "AuditIfNotExists",
"cis14azure092effect": "Deny",
"cis14azure093aeffects": "AuditIfNotExists",
"cis14azure093beffects": "AuditIfNotExists",
"cis14azure094effect": "AuditIfNotExists",
"cis14azure095aeffects": "AuditIfNotExists",
"cis14azure095beffects": "AuditIfNotExists",
"cis14azure099aeffects": "AuditIfNotExists",
"cis14azure099beffects": "AuditIfNotExists"
},
"policyExemptionIds": []
}
cli.azure.cli.core.azclierror: (RequestDisallowedByPolicy) Resource 'auedevbuidad01legacyauth01' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyAssignments/banzasnapps380c"},"policyDefinition":{"name":"BupaANZ - CIS-App Service apps should only be accessible over HTTPS","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyDefinitions/banz-pol-cis-cis14-azure-092-app-service"},"policySetDefinition":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policySetDefinitions/banz-ini-apps-380c"}}]'.
az_command_data_logger: (RequestDisallowedByPolicy) Resource 'auedevbuidad01legacyauth01' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyAssignments/banzasnapps380c"},"policyDefinition":{"name":"BupaANZ - CIS-App Service apps should only be accessible over HTTPS","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policyDefinitions/banz-pol-cis-cis14-azure-092-app-service"},"policySetDefinition":{"name":"BupaANZ - ResourceCSB-AppService-Enforce","id":"/providers/Microsoft.Management/managementGroups/bupaanz/providers/Microsoft.Authorization/policySetDefinitions/banz-ini-apps-380c"}}]'.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f116048c4c0>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 4.721 seconds (init: 0.213, invoke: 4.508)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 8561 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3.9 /usr/lib/az/lib/python3.9/site-packages/azure/cli/telemetry/__init__.py /home/bhupinder/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
Binding call succeeds
Environment Summary
AZURECLI/2.63.0 (RPM)
azsdk-python-core/1.28.0
Python/3.9.19 (Linux-6.1.91.1-microsoft-standard-x86_64-with-glibc2.35)
cloud-shell/1.0
Additional context
Incident 541939186
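The three `evaluatedExpressions` in the 403 response can be replayed against the logged PUT body to see why the Deny fires even though HTTPS Only is set on the stored site. The sketch below is an added example, not Azure CLI or Azure Policy code; it assumes the three expressions combine with AND, and `EXISTING_SITE` and `merge_binding` are hypothetical stand-ins for the site's stored state and a full-object update.

```python
import copy

# PUT body as logged in the --debug output above (tags omitted for brevity).
PARTIAL_PUT_BODY = {
    "location": "Australia East",
    "properties": {
        "hostNameSslStates": [{
            "name": "ad-identity-migration-api.np.bupa.com.au",
            "sslState": "SniEnabled",
            "thumbprint": "9C224080A35F070CF5D8B10C6A06FF15B82141A9",
            "toUpdate": True,
        }],
        "reserved": False, "isXenon": False, "hyperV": False,
        "scmSiteAlsoStopped": False,
    },
}

# Constructed sample of the stored site; the report states HTTPS Only is set.
EXISTING_SITE = {
    "location": "Australia East",
    "kind": "app",
    "properties": {"httpsOnly": True, "hostNameSslStates": []},
}

# The three expressions listed under evaluatedExpressions in the 403 response.
CONDITIONS = [
    {"path": "type", "operator": "Equals", "target": "Microsoft.Web/sites"},
    {"path": "kind", "operator": "NotContains", "target": "functionapp"},
    {"path": "properties.httpsOnly", "operator": "Exists", "target": "false"},
]

_MISSING = object()

def get_path(doc, dotted):
    """Walk a dotted path; return _MISSING when any segment is absent."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return _MISSING
        cur = cur[key]
    return cur

def check(doc, cond):
    """Evaluate one expression against the request payload only."""
    value = get_path(doc, cond["path"])
    op, target = cond["operator"], cond["target"].lower()
    if op == "Exists":
        return (value is not _MISSING) == (target == "true")
    text = "" if value is _MISSING else str(value).lower()
    if op == "Equals":
        return text == target
    if op == "NotContains":
        return target not in text
    raise ValueError(f"unsupported operator: {op}")

def denied(put_body, resource_type="Microsoft.Web/sites"):
    """True when every logged expression matches (assumed AND combination)."""
    doc = dict(put_body, type=resource_type)  # type comes from the URL
    return all(check(doc, c) for c in CONDITIONS)

def merge_binding(existing_site, partial_body):
    """Full-object update: keep the stored site, overlay only the SSL states."""
    merged = copy.deepcopy(existing_site)
    states = copy.deepcopy(partial_body["properties"]["hostNameSslStates"])
    merged.setdefault("properties", {})["hostNameSslStates"] = states
    return merged

if __name__ == "__main__":
    print("partial body denied:", denied(PARTIAL_PUT_BODY))
    full_body = merge_binding(EXISTING_SITE, PARTIAL_PUT_BODY)
    print("merged body denied: ", denied(full_body))
```

The partial body matches `Exists: false` on `properties.httpsOnly` because the field is absent from the request, not because the site has it disabled.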