ResourceModules
[Bug Report]: AppConfiguration private endpoint recreated on each deploy causing a name conflict
Describe the bug
We're using microsoft.appconfiguration.configurationstores:v0.6.0 and adding a private endpoint. When we deploy it the first time, everything works as expected. When deploying it the second time, we get a name conflict during the private endpoint deployment. It appears to be while linking the private endpoint to the app config.
Are we missing something that we should be doing?
Thanks in advance Michael
To reproduce
Deploy an App Configuration more than once with a private endpoint defined. When it runs the second time it will try to create the link to the specified resource and get a name conflict.
Code snippet
module appConfig 'br/Sharred:bicep/modules/microsoft.appconfiguration.configurationstores:v0.6.0' = {
  name: 'deployment-${appConfigName}'
  params: {
    name: appConfigName
    location: location
    sku: 'Standard'
    systemAssignedIdentity: true
    publicNetworkAccess: 'Disabled'
    roleAssignments: [
      {
        roleDefinitionIdOrName: 'App Configuration Data Reader'
        principalIds: appConfigurationDataReaderPrincipalIds
      }
    ]
    privateEndpoints: [
      {
        privateDnsZoneGroups: [
          {
            privateDNSResourceIds: [
              '/subscriptions/${appConfigSubscriptionId}/resourceGroups/${privateDNSResourceGroupName}/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io'
            ]
          }
        ]
        subnetResourceId: appConfigPrivateEndpointSubnetResourceId
        service: 'configurationStores'
      }
    ]
  }
  scope: acrg
}
Relevant log output
Operation ID
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/p-rg-01-rg/providers/Microsoft.Resources/deployments/fivpm7my7sgfi-configurationStore-PrivateEndpoint-0/operations/00000000
Provisioning operation
Create
Provisioning state
Failed
Duration
1 second
Status
Conflict
Status message
12345678
{
"status": "Failed",
"error": {
"code": "NameUnavailable",
"message": "Call to Microsoft.AppConfiguration/configurationStores failed. Error message: The specified name is already in use.",
"details": []
}
}
Type
Microsoft.Network/privateEndpoints
Resource ID
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/p-rg-01-rg/providers/Microsoft.Network/privateEndpoints/pe-p-service-ac-sdsv-configurationStores-0
Resource
pe-p-service-ac-sdsv-configurationStores-0
Hey @MichaelJRogersGM,
I just tested it with the default parameters.json with the following output:
PS CARML> . "c:\testLocal.ps1"
VERBOSE: Using local tokens [namePrefix]
VERBOSE: Deploy module [configurationStores] with parameter file [parameters.json]
VERBOSE: Performing the operation "Trigger" on target "Deployment for parameter file [C:\dev\ip\Azure-ResourceModules\ResourceModules\modules\Microsoft.AppConfiguration\configurationStores\.test\parameters.json]".
VERBOSE: Deploying with deployment name [configurationStores-20220716T2007038248Z]
VERBOSE: Determined deployment scope [resourcegroup]
VERBOSE: Setting context to subscription [<<subscriptionId>>]
VERBOSE: Using Bicep v0.8.9
VERBOSE: Performing the operation "Creating Deployment" on target "validation-rg".
VERBOSE: 20:51:22 - Template is valid.
VERBOSE: 20:51:24 - Create template deployment 'configurationStores-20220716T2007038248Z'
VERBOSE: 20:51:24 - Checking deployment status in 5 seconds
VERBOSE: 20:51:29 - Resource Microsoft.Resources/deployments 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-xmtg5ve5s3j7w' provisioning status is running
VERBOSE: 20:51:29 - Resource Microsoft.Network/virtualNetworks 'adp-carml-az-vnet-x-001' provisioning status is succeeded
VERBOSE: 20:51:29 - Checking deployment status in 13 seconds
VERBOSE: 20:51:42 - Resource Microsoft.AppConfiguration/configurationStores 'carml-az-appcs-x-002' provisioning status is running
VERBOSE: 20:51:42 - Resource Microsoft.Resources/deployments 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-xmtg5ve5s3j7w' provisioning status is succeeded
VERBOSE: 20:51:43 - Checking deployment status in 5 seconds
VERBOSE: 20:51:48 - Resource Microsoft.Authorization/locks 'carml-az-appcs-x-002-CanNotDelete-lock' provisioning status is succeeded
VERBOSE: 20:51:48 - Resource Microsoft.AppConfiguration/configurationStores 'carml-az-appcs-x-002' provisioning status is succeeded
VERBOSE: 20:51:48 - Resource Microsoft.AppConfiguration/configurationStores 'carml-az-appcs-x-002' provisioning status is succeeded
VERBOSE: 20:51:48 - Checking deployment status in 5 seconds
VERBOSE: 20:51:54 - Resource Microsoft.Insights/diagnosticSettings 'carml-az-appcs-x-002-diagnosticSettings' provisioning status is succeeded
VERBOSE: 20:51:54 - Resource Microsoft.Resources/deployments 'xmtg5ve5s3j7w-appConfig-KeyValues-0' provisioning status is running
VERBOSE: 20:51:54 - Resource Microsoft.AppConfiguration/configurationStores/keyValues 'carml-az-appcs-x-002/keyName' provisioning status is succeeded
VERBOSE: 20:51:54 - Resource Microsoft.Resources/deployments 'xmtg5ve5s3j7w-AppConfig-Rbac-0' provisioning status is running
VERBOSE: 20:51:54 - Resource Microsoft.Resources/deployments 'xmtg5ve5s3j7w-configurationStore-PrivateEndpoint-0' provisioning status is running
VERBOSE: 20:51:54 - Checking deployment status in 12 seconds
VERBOSE: 20:52:07 - Resource Microsoft.Resources/deployments 'xmtg5ve5s3j7w-appConfig-KeyValues-0' provisioning status is succeeded
VERBOSE: 20:52:07 - Resource Microsoft.Resources/deployments 'xmtg5ve5s3j7w-AppConfig-Rbac-0' provisioning status is succeeded
VERBOSE: 20:52:07 - Resource Microsoft.Authorization/roleAssignments 'de1fb33e-ddf7-5f81-9007-9b5f8a94921e' provisioning status is succeeded
VERBOSE: 20:52:07 - Resource Microsoft.Network/privateEndpoints 'pe-carml-az-appcs-x-002-configurationStores-0' provisioning status is running
VERBOSE: 20:52:07 - Checking deployment status in 14 seconds
VERBOSE: 20:52:22 - Resource Microsoft.Authorization/locks 'pe-carml-az-appcs-x-002-configurationStores-0-CanNotDelete-lock' provisioning status is succeeded
VERBOSE: 20:52:22 - Resource Microsoft.Network/privateEndpoints 'pe-carml-az-appcs-x-002-configurationStores-0' provisioning status is succeeded
VERBOSE: 20:52:22 - Resource Microsoft.Network/privateEndpoints 'pe-carml-az-appcs-x-002-configurationStores-0' provisioning status is succeeded
VERBOSE: 20:52:22 - Checking deployment status in 15 seconds
VERBOSE: 20:52:38 - Resource Microsoft.Resources/deployments 'xmtg5ve5s3j7w-configurationStore-PrivateEndpoint-0' provisioning status is succeeded
VERBOSE: Result
VERBOSE: ------
VERBOSE:
DeploymentName : configurationStores-20220716T2007038248Z
ResourceGroupName : validation-rg
ProvisioningState : Succeeded
Timestamp : 16.07.2022 18:52:35
Mode : Incremental
TemplateLink :
Parameters :
Name Type Value
======================================= ========================= ==========
name String "carml-az-appcs-x-002"
location String "westeurope"
systemAssignedIdentity Bool true
userAssignedIdentities Object {}
sku String "Standard"
createMode String "Default"
disableLocalAuth Bool false
enablePurgeProtection Bool false
publicNetworkAccess String "Enabled"
softDeleteRetentionInDays Int 1
keyValues Array [{"name":"keyName","value":"valueName","contentType":"contentType","roleAssignments":[{"roleDefinitionIdOrName":"Reader","principalIds":["e58511af-4da2-449c-a5cd-6a10271cfb83"]}]}]
diagnosticLogsRetentionInDays Int 7
diagnosticStorageAccountId String "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpcarmlazsax001"
diagnosticWorkspaceId String "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-carml-az-law-x-001"
diagnosticEventHubAuthorizationRuleId String "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-carml-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
diagnosticEventHubName String "adp-carml-az-evh-x-001"
lock String "CanNotDelete"
roleAssignments Array [{"roleDefinitionIdOrName":"Reader","principalIds":["e58511af-4da2-449c-a5cd-6a10271cfb83"]}]
tags Object {}
enableDefaultTelemetry Bool true
diagnosticLogCategoriesToEnable Array ["HttpRequest","Audit"]
diagnosticMetricsToEnable Array ["AllMetrics"]
diagnosticSettingsName String "carml-az-appcs-x-002-diagnosticSettings"
privateEndpoints Array [{"subnetResourceId":"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-carml-az-vnet-x-001/subnets/carml-az-subnet-x-005-privateEndpoints","service":"configurationStores"}]
Outputs :
Name Type Value
=========================== ========================= ==========
name String "carml-az-appcs-x-002"
resourceId String "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.AppConfiguration/configurationStores/carml-az-appcs-x-002"
resourceGroupName String "validation-rg"
systemAssignedPrincipalId String "9105c965-3fc6-4a92-b583-ebb423efc296"
location String "westeurope"
DeploymentDebugLogLevel :
Name Value
---- -----
deploymentOutput {[name, …
deploymentName configurationStores-20220716T2007038248Z
PS CARML> . "c:\testLocal.ps1"
VERBOSE: Using local tokens [namePrefix]
VERBOSE: Deploy module [configurationStores] with parameter file [parameters.json]
VERBOSE: Performing the operation "Trigger" on target "Deployment for parameter file [C:\dev\ip\Azure-ResourceModules\ResourceModules\modules\Microsoft.AppConfiguration\configurationStores\.test\parameters.json]".
VERBOSE: Deploying with deployment name [configurationStores-20220716T2007435576Z]
VERBOSE: Determined deployment scope [resourcegroup]
VERBOSE: Setting context to subscription [<<subscriptionId>>]
VERBOSE: Using Bicep v0.8.9
VERBOSE: Performing the operation "Creating Deployment" on target "validation-rg".
VERBOSE: 20:53:02 - Template is valid.
VERBOSE: 20:53:03 - Create template deployment 'configurationStores-20220716T2007435576Z'
VERBOSE: 20:53:03 - Checking deployment status in 5 seconds
VERBOSE: 20:53:09 - Resource Microsoft.Resources/deployments 'dgmji3j6ucg2o-configurationStore-PrivateEndpoint-0' provisioning status is running
VERBOSE: 20:53:09 - Resource Microsoft.Network/privateEndpoints 'pe-carml-az-appcs-x-002-configurationStores-0' provisioning status is succeeded
VERBOSE: 20:53:09 - Resource Microsoft.Resources/deployments 'dgmji3j6ucg2o-appConfig-KeyValues-0' provisioning status is running
VERBOSE: 20:53:09 - Resource Microsoft.AppConfiguration/configurationStores/keyValues 'carml-az-appcs-x-002/keyName' provisioning status is succeeded
VERBOSE: 20:53:09 - Resource Microsoft.Resources/deployments 'dgmji3j6ucg2o-AppConfig-Rbac-0' provisioning status is running
VERBOSE: 20:53:09 - Resource Microsoft.Resources/deployments 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-dgmji3j6ucg2o' provisioning status is running
VERBOSE: 20:53:09 - Resource Microsoft.Authorization/locks 'carml-az-appcs-x-002-CanNotDelete-lock' provisioning status is succeeded
VERBOSE: 20:53:09 - Resource Microsoft.AppConfiguration/configurationStores 'carml-az-appcs-x-002' provisioning status is succeeded
VERBOSE: 20:53:09 - Resource Microsoft.AppConfiguration/configurationStores 'carml-az-appcs-x-002' provisioning status is succeeded
VERBOSE: 20:53:09 - Resource Microsoft.Network/virtualNetworks 'adp-carml-az-vnet-x-001' provisioning status is succeeded
VERBOSE: 20:53:09 - Checking deployment status in 15 seconds
VERBOSE: 20:53:25 - Resource Microsoft.Insights/diagnosticSettings 'carml-az-appcs-x-002-diagnosticSettings' provisioning status is succeeded
VERBOSE: 20:53:25 - Resource Microsoft.Resources/deployments 'dgmji3j6ucg2o-configurationStore-PrivateEndpoint-0' provisioning status is succeeded
VERBOSE: 20:53:25 - Resource Microsoft.Authorization/locks 'pe-carml-az-appcs-x-002-configurationStores-0-CanNotDelete-lock' provisioning status is succeeded
VERBOSE: 20:53:25 - Resource Microsoft.Network/privateEndpoints 'pe-carml-az-appcs-x-002-configurationStores-0' provisioning status is succeeded
VERBOSE: 20:53:25 - Resource Microsoft.Resources/deployments 'dgmji3j6ucg2o-appConfig-KeyValues-0' provisioning status is succeeded
VERBOSE: 20:53:25 - Resource Microsoft.Resources/deployments 'dgmji3j6ucg2o-AppConfig-Rbac-0' provisioning status is succeeded
VERBOSE: 20:53:25 - Resource Microsoft.Authorization/roleAssignments 'de1fb33e-ddf7-5f81-9007-9b5f8a94921e' provisioning status is succeeded
VERBOSE: 20:53:25 - Resource Microsoft.Resources/deployments 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-dgmji3j6ucg2o' provisioning status is succeeded
VERBOSE: Result
VERBOSE: ------
VERBOSE:
DeploymentName : configurationStores-20220716T2007435576Z
ResourceGroupName : validation-rg
ProvisioningState : Succeeded
Timestamp : 16.07.2022 18:53:24
Mode : Incremental
TemplateLink :
Parameters :
Name Type Value
======================================= ========================= ==========
name String "carml-az-appcs-x-002"
location String "westeurope"
systemAssignedIdentity Bool true
userAssignedIdentities Object {}
sku String "Standard"
createMode String "Default"
disableLocalAuth Bool false
enablePurgeProtection Bool false
publicNetworkAccess String "Enabled"
softDeleteRetentionInDays Int 1
keyValues Array [{"name":"keyName","value":"valueName","contentType":"contentType","roleAssignments":[{"roleDefinitionIdOrName":"Reader","principalIds":["e58511af-4da2-449c-a5cd-6a10271cfb83"]}]}]
diagnosticLogsRetentionInDays Int 7
diagnosticStorageAccountId String "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpcarmlazsax001"
diagnosticWorkspaceId String "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-carml-az-law-x-001"
diagnosticEventHubAuthorizationRuleId String "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-carml-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
diagnosticEventHubName String "adp-carml-az-evh-x-001"
lock String "CanNotDelete"
roleAssignments Array [{"roleDefinitionIdOrName":"Reader","principalIds":["e58511af-4da2-449c-a5cd-6a10271cfb83"]}]
tags Object {}
enableDefaultTelemetry Bool true
diagnosticLogCategoriesToEnable Array ["HttpRequest","Audit"]
diagnosticMetricsToEnable Array ["AllMetrics"]
diagnosticSettingsName String "carml-az-appcs-x-002-diagnosticSettings"
privateEndpoints Array [{"subnetResourceId":"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-carml-az-vnet-x-001/subnets/carml-az-subnet-x-005-privateEndpoints","service":"configurationStores"}]
Outputs :
Name Type Value
=========================== ========================= ==========
name String "carml-az-appcs-x-002"
resourceId String "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.AppConfiguration/configurationStores/carml-az-appcs-x-002"
resourceGroupName String "validation-rg"
systemAssignedPrincipalId String "9105c965-3fc6-4a92-b583-ebb423efc296"
location String "westeurope"
DeploymentDebugLogLevel :
Name Value
---- -----
deploymentOutput {[name, …
deploymentName configurationStores-20220716T2007435576Z
Everything seems to work as expected. HOWEVER, upon my first test, I did get an error that the name was already taken. It seems somebody already deployed the parameters.json file with the namePrefix carml. Any chance you may also have a general naming conflict? From your description it sounds like you deployed the service successfully once - hence it's a bit odd that the above test worked.
Also note, AppConfig stores are purge-protected. So if you delete one manually - it is only soft-deleted and you have to purge it explicitly (which should be done automatically via the CI environment, if you're using it).
I don't think it is a naming conflict. I've created a new one that hasn't been used as a test, and it deploys the first time correctly. Then the next run it starts getting the conflict. The same code works fine for Key Vault. In the activity log I'm seeing an error that is happening at the same time:
"action": "Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/validate/action",
Operation name: Validate Private Endpoint Connection Proxy
Time stamp: Sun Jul 17 2022 21:45:47 GMT-0400 (Eastern Daylight Time)
Event initiated by: Azure Traffic Manager and DNS
Error code: NameUnavailable
Message: The specified name is already in use.
Thanks Michael
I am experiencing exactly the same issue. It started last week. Before everything was working fine. Thanks, Alexander
Hey @MichaelJRogersGM, @alexanderogorodnikov,
Thanks for raising this issue.
I confirm I'm experiencing the same. Also tried the following:
- Deploy the configurationStore resource without private endpoints (OK)
- Re-deployed the configurationStore resource without private endpoints (OK)
- Used the private endpoint module to deploy private endpoint to the configurationStore resource (OK)
- Re-deployed the private endpoint to the configurationStore resource (Failed with Status Message: Call to Microsoft.AppConfiguration/configurationStores failed. Error message: The specified name is already in use. (Code: NameUnavailable))
It looks indeed like applying private endpoints on the configurationStore resource is not idempotent.
We'll have the team look into this more thoroughly. Probably the first step would be to check if the issue relies on the service itself.
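An added triage example, not part of the thread or of the module's code: it separates the two readings of `NameUnavailable` discussed above, a conflict on the store name itself (taken, or held by a soft-deleted store) versus the private endpoint operation failing on a call into the store's provider during a redeploy. It assumes operation records shaped like the output of `az deployment operation group list`; the sample records and resource names are constructed, with the error text copied from the report.

```python
import json

STORE_TYPE = "microsoft.appconfiguration/configurationstores"
PE_TYPE = "microsoft.network/privateendpoints"

def iter_errors(error):
    """Yield an ARM error object and every error nested under 'details'."""
    if isinstance(error, dict):
        yield error
        for child in error.get("details") or []:
            yield from iter_errors(child)

def classify(operation):
    """Return a triage label for one deployment operation, or None if it did not fail."""
    props = operation.get("properties") or {}
    if props.get("provisioningState") != "Failed":
        return None
    status = props.get("statusMessage")
    if isinstance(status, str):  # some tools hand the status message over as a JSON string
        try:
            status = json.loads(status)
        except ValueError:
            status = None
    if not isinstance(status, dict):
        status = {}
    conflicts = [e for e in iter_errors(status.get("error")) if e.get("code") == "NameUnavailable"]
    if not conflicts:
        return "other-failure"
    rtype = ((props.get("targetResource") or {}).get("resourceType") or "").lower()
    if rtype == STORE_TYPE:
        # The store itself could not be created: name taken, or held by a soft-deleted store.
        return "store-name-conflict"
    if rtype == PE_TYPE and any(STORE_TYPE in (e.get("message") or "").lower() for e in conflicts):
        # The endpoint operation failed on a call into the store's provider: the redeploy case.
        return "private-endpoint-link-conflict"
    return "other-name-conflict"

def triage(operations):
    """Map each failed operation's target resource name to its label."""
    out = {}
    for op in operations:
        label = classify(op)
        if label:
            target = (op.get("properties") or {}).get("targetResource") or {}
            out[target.get("resourceName", "<unknown>")] = label
    return out

def _op(rtype, name, state, error=None):  # builder for the constructed sample records
    props = {"provisioningState": state, "targetResource": {"resourceType": rtype, "resourceName": name}}
    if error:
        props["statusMessage"] = {"status": "Failed", "error": error}
    return {"properties": props}

MSG = ("Call to Microsoft.AppConfiguration/configurationStores failed. "
       "Error message: The specified name is already in use.")
SAMPLE_OPERATIONS = [  # constructed records; names are placeholders
    _op("Microsoft.AppConfiguration/configurationStores", "example-appcs", "Succeeded"),
    _op("Microsoft.Network/privateEndpoints", "pe-example-appcs-configurationStores-0", "Failed",
        {"code": "NameUnavailable", "message": MSG, "details": []}),
    _op("Microsoft.AppConfiguration/configurationStores", "example-deleted-appcs", "Failed",
        {"code": "NameUnavailable", "message": "The specified name is already in use.", "details": []}),
]
```

A `store-name-conflict` label points at the soft-delete or global-name check; a `private-endpoint-link-conflict` label with a store that already exists matches the redeploy behaviour reported in this issue.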
@eriqua @ArielRam99 Thanks for your response.
I was trying to narrow it down some more and went back to the base bicep modules, and am getting the same result.
As far as I can tell all of those are correct on how it should be done.
param peName string = 'p-1234567891-ac-sdsv-pe'
param csName string = 'p-1234567891-ac-sdsv'
param vnetIdWithSubnet string = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/apconfig-test/providers/Microsoft.Network/virtualNetworks/vn-appconfig-test/subnets/default'
param pDnsZoneId string = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/apconfig-test/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io'
param location string = 'eastus2'

resource config_store_resource 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {
  name: csName
  location: location
  sku: {
    name: 'standard'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    encryption: {
    }
    publicNetworkAccess: 'Disabled'
    disableLocalAuth: false
    softDeleteRetentionInDays: 1
    enablePurgeProtection: false
  }
}

resource private_endpoint_resource 'Microsoft.Network/privateEndpoints@2020-11-01' = {
  name: peName
  location: location
  properties: {
    privateLinkServiceConnections: [
      {
        name: peName
        properties: {
          privateLinkServiceId: config_store_resource.id
          groupIds: [
            'configurationStores'
          ]
          privateLinkServiceConnectionState: {
            status: 'Approved'
            description: 'Auto-Approved'
            actionsRequired: 'None'
          }
        }
      }
    ]
    manualPrivateLinkServiceConnections: []
    subnet: {
      id: vnetIdWithSubnet
    }
    customDnsConfigs: []
  }
}

resource private_dns_zone_group_resource 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-11-01' = {
  parent: private_endpoint_resource
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink.azconfig.io'
        properties: {
          privateDnsZoneId: pDnsZoneId
        }
      }
    ]
  }
}

resource config_store_private_endpoint_connection_resource 'Microsoft.AppConfiguration/configurationStores/privateEndpointConnections@2022-05-01' = {
  parent: config_store_resource
  name: '${csName}-pe'
  properties: {
    privateEndpoint: {
      id: private_endpoint_resource.id
    }
    privateLinkServiceConnectionState: {
      status: 'Approved'
      description: 'Auto-Approved'
    }
  }
}
Hi. I just wanted to add that I'm hitting the same issue with ARM templates. I don't think the issue is related to bicep.
Similar Discussion: https://docs.microsoft.com/en-us/answers/questions/928797/index.html
Thanks all for the updates. They are really helpful!
As per @MayankBargali-MSFT shared discussion, the resolution of this bug looks to be on the service side and planned to be solved on 1st Aug.
We're keeping the bug open and will retest after the fix will be implemented.
A service update was released today and re-deploying private endpoints should no longer cause a conflict. Please let us know if there are any further issues.
Thanks! It is working now.
The service update release fixed the issue. Closing.