
[Preflight] allow option out feature #4932

Open
hemarina opened this issue Mar 12, 2025 · 3 comments · May be fixed by #4947
hemarina (Contributor) commented Mar 12, 2025

We need to provide a way to opt out of preflight validation.

A user reported an issue where the preflight validation failed because he is trying to provision to Azure, but he doesn't have enough access for role assignment. The preflight validation API is not checking the user's permission on a specific resource group, so this will not serve the needs where an admin wants to only grant specific access to a user on an individual resource group.

Template used: Azure-Samples/get-started-with-ai-chat: Basic sample for deploying chat web apps with Azure AI Foundry and SDKs

ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: validating deployment to subscription:
Validation Error Details:
InvalidTemplateDeployment: 
Deployment failed with multiple errors: 'Authorization failed for template resource '...' of type 'Microsoft.Authorization/roleAssignments'. 
The client '...' with object id '...' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/.../resourceGroups/rg-.../providers/Microsoft.Authorization/roleAssignments/...'.:
Authorization failed for template resource '...' of type 'Microsoft.Authorization/roleAssignments'. 
The client '...' with object id '...' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/.../resourceGroups/rg-.../providers/Microsoft.Authorization/roleAssignments/f...'.:
Authorization failed for template resource '...' of type 'Microsoft.Authorization/roleAssignments'....
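As an added example (not code from the issue or from azd), the following parses validation output in the shape quoted above and groups the denied actions by their enclosing resource-group scope, so the user can hand the subscription owner a precise, least-privilege request. The sample error text, client, object id, subscription id and resource group are constructed placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample mirroring the azd preflight error format quoted in the issue.
# All ids, names and scopes below are placeholders, not real values.
SAMPLE_ERROR = """ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: validating deployment to subscription:
Validation Error Details:
InvalidTemplateDeployment:
Deployment failed with multiple errors: 'Authorization failed for template resource 'ra1' of type 'Microsoft.Authorization/roleAssignments'.
The client 'user@example.com' with object id '11111111-1111-1111-1111-111111111111' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Authorization/roleAssignments/aaaa'.:
Authorization failed for template resource 'ra2' of type 'Microsoft.Authorization/roleAssignments'.
The client 'user@example.com' with object id '11111111-1111-1111-1111-111111111111' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Authorization/roleAssignments/bbbb'.:
"""

# Matches the "does not have permission to perform action '...' at scope '...'" clause.
DENIED_RE = re.compile(
    r"does not have permission to perform action '(?P<action>[^']+)' at scope '(?P<scope>[^']+)'"
)
# Captures the resource-group prefix of an ARM scope, if the scope is inside one.
RG_SCOPE_RE = re.compile(r"^(/subscriptions/[^/]+/resourceGroups/[^/]+)", re.IGNORECASE)


def parse_denied_actions(text):
    """Return de-duplicated (action, scope) pairs, in first-seen order."""
    seen = OrderedDict()
    for m in DENIED_RE.finditer(text):
        seen[(m.group("action"), m.group("scope"))] = None
    return list(seen)


def summarize_missing_permissions(text):
    """Group denied actions by the narrowest enclosing resource-group scope.

    Returns {scope: sorted actions}; scopes not inside a resource group are
    kept verbatim. This is the minimal grant a user can ask an admin for.
    """
    by_scope = {}
    for action, scope in parse_denied_actions(text):
        rg = RG_SCOPE_RE.match(scope)
        key = rg.group(1) if rg else scope
        by_scope.setdefault(key, set()).add(action)
    return {k: sorted(v) for k, v in by_scope.items()}


if __name__ == "__main__":
    for scope, actions in summarize_missing_permissions(SAMPLE_ERROR).items():
        print(scope)
        for action in actions:
            print("  needs:", action)
```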
@hemarina hemarina self-assigned this Mar 12, 2025
@hemarina hemarina linked a pull request Mar 15, 2025 that will close this issue
weikanglim (Contributor) commented Mar 17, 2025

A user reported an issue where the preflight validation failed because he is trying to provision to Azure, but he doesn't have enough access for role assignment. The preflight validation API is not checking the user's permission on a specific resource group, so this will not serve the needs where an admin wants to only grant specific access to a user on an individual resource group.

Just expanding a little further here, my current understanding of the issue is that some users are relying on the current provision behavior where, in a partial success scenario, the resource group would be created but the provision would fail after the RG creation. This is when the user would ask the admin to grant permissions. The ARM deployment validate behavior is working as expected.

From a workflow perspective, this all makes sense but it does rely on observing a partial success behavior.

A resource-group scoped deployment would mimic this behavior and fit the use-case here. Unfortunately, as a template author, this may not make a lot of sense to make a deployment resource-group scoped based on some users.

rajeshkamal5050 (Contributor) commented

Still don't understand the use case where opting out of pre-validation checks makes sense. A failure caught during pre-validation is better than having the system in a partial success state by opting out. This might put us into other unknown scenarios from which recovery and/or cleanup might become harder. Would still push for us not to provide options to opt out.

hemarina (Contributor, Author) commented Mar 21, 2025

Still don't understand the use case where opting out of pre-validation checks makes sense. A failure caught during pre-validation is better than having the system in a partial success state by opting out. This might put us into other unknown scenarios from which recovery and/or cleanup might become harder. Would still push for us not to provide options to opt out.

As Wei mentioned, in this specific case the user is trying to use a subscription for which he is not the owner, and the preflight error message occurs as expected. Without preflight, the same error message is displayed during provision. Then the user asked the owner of the subscription to add the necessary permissions for the user on the specific resource group. Since the user has no control over how the template author makes the deployment, this will block the user from provisioning the templates.

IMO this may not create extra unknown scenarios for the recovery or cleanup case. Not sure if my explanation helps for the alignment. Let's discuss any concerns in the parking lot.

@hemarina hemarina added this to the Backlog milestone Mar 28, 2025