Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-65171

Creating VM Modifies Existing Storage Account?

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: _unsorted
    • Labels:
    • Environment:
      Jenkins 2.249.1 on Ubuntu 16.04
      Azure VM Agents plugin 1.5.1
    • Similar Issues:

      Description

      A new Azure policy was recently put in place which enforces that no Public Blob Access is allowed, so we had to manually update a bunch of Azure storage accounts, including the one we'd been using for our implementation of the Azure VM Agents plugin. However, since the policy was put in place, the plugin is unable to create VMs, providing the following error message:

      Mar 18, 2021 3:58:35 PM SEVERE com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate createDeploymentAzureVMManagementServiceDelegate: deployment: Unable to deploy com.microsoft.azure.CloudException: Status code 400, {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment failed because of policy violation. Please see details for more information.","details":[{"code":"RequestDisallowedByPolicy","target":"cmjenkinscloudsa","message":"Resource 'cmjenkinscloudsa' was disallowed by policy. Reasons: 'ISRM Policy Violation | Public exposure with anynamous access requires security exception. Please contact your BISO for further guidance.'. See error details for policy resource IDs.","additionalInfo":[{"type":"PolicyViolation","info":{"policyDefinitionDisplayName":"DENY - Storage Account Public Access","evaluationDetails":

      Unknown macro: {"evaluatedExpressions"}

      ,{"result":"True","expressionKind":"Field","expression":"id","path":"id","expressionValue":"/subscriptions/a5280073-bceb-4175-9bfd-c51134647c8b/resourceGroups/cmjenkinscloud/providers/Microsoft.Storage/storageAccounts/cmjenkinscloudsa","targetValue":"/resourceGroups/databricks-rg-","operator":"NotContains"},{"result":"False","expressionKind":"Field","expression":"Microsoft.Storage/storageAccounts/allowBlobPublicAccess","path":"properties.allowBlobPublicAccess","targetValue":"false","operator":"Equals"}],"reason":"ISRM Policy Violation | Public exposure with anynamous access requires security exception. Please contact your BISO for further guidance."},"policyDefinitionId":"/providers/Microsoft.Management/managementGroups/da67ef1b-ca59-4db2-9a8c-aa8d94617a16/providers/Microsoft.Authorization/policyDefinitions/87f89257-04b6-4ce5-96e5-104feeae78e8","policyDefinitionName":"87f89257-04b6-4ce5-96e5-104feeae78e8","policyDefinitionEffect":"deny","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/da67ef1b-ca59-4db2-9a8c-aa8d94617a16/providers/Microsoft.Authorization/policyAssignments/53068ff566354cf8b96e3dbe","policyAssignmentName":"53068ff566354cf8b96e3dbe","policyAssignmentDisplayName":"DENY - Storage Account Public Access","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/da67ef1b-ca59-4db2-9a8c-aa8d94617a16","policyAssignmentParameters":{"effect":{"value":"deny"}}}}]}]}}: The template deployment failed because of policy violation. Please see details for more information. at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at com.microsoft.rest.ServiceResponseBuilder.build(ServiceResponseBuilder.java:122) at com.microsoft.azure.AzureResponseBuilder.build(AzureResponseBuilder.java:56) at com.microsoft.azure.management.resources.implementation.DeploymentsInner.beginCreateOrUpdateDelegate(DeploymentsInner.java:540) at com.microsoft.azure.management.resources.implementation.DeploymentsInner.access$200(DeploymentsInner.java:46) at com.microsoft.azure.management.resources.implementation.DeploymentsInner$14.call(DeploymentsInner.java:526) at com.microsoft.azure.management.resources.implementation.DeploymentsInner$14.call(DeploymentsInner.java:522) at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:69) at retrofit2.adapter.rxjava.CallArbiter.deliverResponse(CallArbiter.java:120) at retrofit2.adapter.rxjava.CallArbiter.emitResponse(CallArbiter.java:102) at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:46) at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:24) at rx.Observable.unsafeSubscribe(Observable.java:10327) at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48) at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33) at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) at rx.Observable.subscribe(Observable.java:10423) at rx.Observable.subscribe(Observable.java:10390) at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:443) at rx.observables.BlockingObservable.single(BlockingObservable.java:340) at com.microsoft.azure.management.resources.implementation.DeploymentsInner.beginCreateOrUpdate(DeploymentsInner.java:457) at com.microsoft.azure.management.resources.implementation.DeploymentImpl.beginCreate(DeploymentImpl.java:308) at com.microsoft.azure.management.resources.implementation.DeploymentImpl.beginCreate(DeploymentImpl.java:40) at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createDeployment(AzureVMManagementServiceDelegate.java:553) at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createDeployment(AzureVMManagementServiceDelegate.java:174) at com.microsoft.azure.vmagent.AzureVMAgentTemplate.provisionAgents(AzureVMAgentTemplate.java:1188) at com.microsoft.azure.vmagent.AzureVMCloud$1.call(AzureVMCloud.java:794) at com.microsoft.azure.vmagent.AzureVMCloud$1.call(AzureVMCloud.java:790) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

      Our config is using an existing resource group and existing storage account (with 'Allow public blob access' disabled). I don't understand why it would be trying to make any changes to the existing storage account, especially to that flag. I can see the attempt in Azure's event log

      Note: I can't find any instance of that flag being set or changed in the code, though I admit I've had a lot of trouble combing through it in general.

      I get a different error if I have the plugin create a new Storage Account

      Mar 18, 2021 5:19:12 PM SEVERE com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate createDeploymentAzureVMManagementServiceDelegate: deployment: Unable to deploy com.microsoft.azure.vmagent.exceptions.AzureCloudException: Failed to create storage account with account name jna0s7doorcelmq2o9fo0r6a, location eastus, resourceGroupName cmjenkinscloud: Resource 'jna0s7doorcelmq2o9fo0r6a' was disallowed by policy. Reasons: 'ISRM Policy Violation | Public exposure with anynamous access requires security exception. Please contact your BISO for further guidance.'. See error details for policy resource IDs. at com.microsoft.azure.vmagent.exceptions.AzureCloudException.create(AzureCloudException.java:49) at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createStorageAccount(AzureVMManagementServiceDelegate.java:2538) at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createDeployment(AzureVMManagementServiceDelegate.java:229) at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createDeployment(AzureVMManagementServiceDelegate.java:174) at com.microsoft.azure.vmagent.AzureVMAgentTemplate.provisionAgents(AzureVMAgentTemplate.java:1188) at com.microsoft.azure.vmagent.AzureVMCloud$1.call(AzureVMCloud.java:794) at com.microsoft.azure.vmagent.AzureVMCloud$1.call(AzureVMCloud.java:790) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

        Attachments

          Activity

          Hide
          timja Tim Jacomb added a comment -

          All issues have been transferred to GitHub.

          See https://github.com/jenkinsci/azure-vm-agents-plugin/issues

          Search the issue title to find it.

          (This is a bulk comment and can't link to the specific issue)

          Show
          timja Tim Jacomb added a comment - All issues have been transferred to GitHub. See https://github.com/jenkinsci/azure-vm-agents-plugin/issues Search the issue title to find it. (This is a bulk comment and can't link to the specific issue)

            People

            Assignee:
            azure_devops Azure DevOps
            Reporter:
            profiction Steve
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: