acr
Cannot deploy scope-maps with bicep/arm when having more than one "folder" in the hierarchy
Describe the bug
Bicep/ARM deployment for this fails:
resource scope_map 'Microsoft.ContainerRegistry/registries/scopeMaps@2022-02-01-preview' = {
  name: 'myMap'
  parent: my_container_registry
  properties: {
    actions: [
      'some/complex/repo/content/read'
    ]
    description: ''
  }
}
Fails with
Scope map action: 'some/complex/repo/content/read' is invalid or not supported.
Supported format is <resource type>/<resource name>/<resource action>,
all characters should be in lowercase. Please refer to the ACR Scopemap
documentation at https://aka.ms/acr/repo-permissions to find the supported resources and actions.
However, it works on the Azure CLI, and the permissions and tokens attached work perfectly:
az acr scope-map create --name myMap --registry my_container_registry --repository some/complex/repo content/read
You can also do this through the Azure Portal and it works.
When writing a new API there is no valid excuse for making it based around string parsing that adds weird additional restrictions and assumptions that are completely beside the point. The ARM API should be like this:
resource scope_map 'Microsoft.ContainerRegistry/registries/scopeMaps@2022-02-01-preview' = {
  name: 'myMap'
  parent: my_container_registry
  properties: {
    actions: [
      {
        repo: 'some/complex/repo'
        permission: 'content/read'
      }
    ]
    description: ''
  }
}
There is never ever a valid reason when writing a new API from scratch to make it about string parsing when you are in control of all the components. Full stop.
Now I have to go and write a shell script to deploy this.
@chriswue we can analyze the API for future changes, but can you elaborate more on the bug that you are hitting?
I'm currently deploying a scope map with the following action via ARM and Bicep, but I cannot hit the issue that you are seeing.
repositories/redis/with/some/long/path/content/read
and
repositories/redis/neque/porro/quisquam/est/qui/dolorem/ipsum/quia/dolor/sit/amet/consectetur/adipisci/velit/content/read
Can you provide more context on how you hit the issue?
@cegraybl sorry for the delay on this, will circle back to this soon-ish
@chriswue, do you have any updates for this item or are we able to close this issue?
@terencet-dev @cegraybl
Bicep:
resource container_registry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
  name: 'testcr${uniqueString('scope-mapbug-test')}'
  location: resourceGroup().location
  sku: {
    name: 'Premium'
  }
  properties: {
    adminUserEnabled: false
    dataEndpointEnabled: true
    publicNetworkAccess: 'Enabled'
    networkRuleBypassOptions: 'AzureServices'
    zoneRedundancy: 'Disabled'
  }
}
resource testScopeMap 'Microsoft.ContainerRegistry/registries/scopeMaps@2022-02-01-preview' = {
  name: 'testscope'
  parent: container_registry
  properties: {
    actions: [
      'area/application/component1/content/read'
      'area/application/component2/content/read'
    ]
  }
}
Save it as container-registry.bicep and run:
az deployment group create -g SOME-RESOURCE-GROUP --template-file container-registry.bicep
Output:
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"InvalidScopeMapAction\",\r\n \"message\": \"Scope map action: 'area/application/component1/content/read' is invalid or not supported. Supported format is <resource type>/<resource name>/<resource action>, all characters should be in lowercase. Please refer to the ACR Scopemap documentation at https://aka.ms/acr/repo-permissions to find the supported resources and actions.\"\r\n },\r\n \"status\": \"Failed\"\r\n}"}]}}
Any progress on this?
@chriswue sorry for the delays with this. I took a look at your template, and got it working by adding repositories/ to each action:
resource testScopeMap 'Microsoft.ContainerRegistry/registries/scopeMaps@2022-02-01-preview' = {
  name: 'testscope'
  parent: container_registry
  properties: {
    actions: [
      'repositories/area/application/component1/content/read'
      'repositories/area/application/component2/content/read'
    ]
  }
}
I got this from exporting an ARM template from an existing registry with tokens and scope maps, but I'm wondering if you got this from following a doc (that we need to update). I did a search but couldn't find specific documentation on this, so it might be an issue of creating it to specify what is needed on the template.
Hm, indeed - double-checking, the Bicep documentation for scopeMaps does include the repositories prefix. I suppose it wasn't entirely clear to me what the significance was. The ARM error message also wasn't the most helpful.