Azure CLI Command for Deleting all the files in Blob storage not working for firewall enabled AZ storage

1
votes

I have configured a CICD pipelines for build and deploy the front end files into azure blob storage.

I configured my release pipeline to clear all files before uploading the new flies using az copy.

  IP=`curl -s http://ipinfo.io/json | jq -r '.ip'`
    
   echo "firewall - Agent IP: $IP"
   sleep 50 

    az storage account network-rule add -g Test_RG --account-name "Test_RG_1" --ip-address $IP
    sleep 30           
    az storage blob delete-batch --account-name  "Test_RG_1" --source '$web' 
          
    echo "Removing :$IP" 
    
    az storage account network-rule remove --account-name "Test_RG_1" --ip-address $IP

Above script is working fine for sometimes without any changes but its getting failed many times, throwing a error like

ERROR: BadRequestError: (InvalidValuesForRequestParameters) Values for request parameters are invalid: networkAcls.ipRule[*].value. For more information, see - https://aka.ms/storagenetworkruleset

The request may be blocked by network rules of storage account. Please check network rule set

enter image description here

Any one can you please advise me on this ?

Reference

Azure Devops MS-hosted agent IP address

How to get the IP Address for Azure DevOps Hosted Agents to add to the white list

Azure DevOps pipeline cannot copy to Azure storage

https://docs.microsoft.com/en-us/cli/azure/ext/storage-preview/storage?view=azure-cli-latest

VSTS Release - Delete Azure BLOB Container / Contents

https://matthewleak.medium.com/deploying-a-static-website-to-azure-storage-using-azure-devops-fa0bed457d07

Uploading File in Azure using CLI

Network Rules of storage account blocking container creation

1
azureazure-devopscontinuous-deploymentazure-blob-storageazure-cli

1 Answers

2
votes

Based on the error message, the root cause of this issue is that the IP obtained by the script is invalid.

I have encountered the same issue in the past, but it could work with the same script (IP=curl -s http://ipinfo.io/json | jq -r '.ip').

When you execute the script, you could see the IP in the task log.

enter image description here

You can try to manually add this IP in the Storage Account -> Networking -> firewall.

If you could see the error like the screenshot below, this means that the IP has issue.

enter image description here

But based on my test, this script could work fine. The IP can also be added manually.

In addition, I run these scripts on the Microsoft-hosted agent(e.g. Ubuntu 16.04, 18.04, 20.04,windows-2019) You could change to use these agents and check if it could work.

Update:

You could use Azure PowerShell task to set the firewall and use the Azure CLI task to execute the az cli script:

Here is an example:

steps:
- task: AzurePowerShell@5
  displayName: 'Azure PowerShell script: Set Rule'
  inputs:
    azureSubscription: kevin0215
    ScriptType: InlineScript
    Inline: |
     $IP= Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
     
     $IP
     
     Add-AzStorageAccountNetworkRule -ResourceGroupName "ResourceGroup" -AccountName "kevin0204" -IPAddressOrRange "$IP"
     
     
     
    preferredAzurePowerShellVersion: ' 3.1.0'

- task: AzureCLI@2
  displayName: 'Azure CLI  Remove files'
  inputs:
    azureSubscription: kevin0215
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: 'az storage blob delete-batch --account-name kevin0204  --source kevin0204   --auth-mode login'

- task: AzurePowerShell@5
  displayName: 'Azure PowerShell script: Remove Rule'
  inputs:
    azureSubscription: kevin0215
    ScriptType: InlineScript
    Inline: |
     $IP= Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
     
     $IP
     
     Remove-AzStorageAccountNetworkRule -ResourceGroupName "ResourceGroup" -AccountName "kevin0204" -IPAddressOrRange "$IP"
     
     
    preferredAzurePowerShellVersion: ' 3.1.0'

Classic:

enter image description here