Validate workflow "hangs" on unauthorized template deployment #628
-
SummaryI am continuing to PoC the concept of implementing AzOps Repos with various levels of permissions. Our intention would be to recommend something like the following: Foundation Repo
Landing Zones Repo(s)
Workload/App Repos
Based on this structure, the Workload/App Repo would utilize an SPN with limited permissions. For example, it would not have permission to read/write certain network resources. IssueI implemented the above setup and have tested it to pretty good success, however when I attempted to test making an unauthorized change from the Workload/App Repo (a change to the virtualNetwork subnet), the Validate pipeline appeared to "hang" during the Validate Step. I let it run for about 20 minutes before I manually cancelled the Workflow. Upon cancellation, you can see in the Validate Step log that it actually worked as intended, returning the following authorization error:
The issue or unexpected behavior is that the pipeline didn't fail "quickly". Admittedly, this is a fairly minor issue, but nevertheless, an authorization error should probably fail the pipeline/workflow immediately. Expected BehaviorWhen a Workflow attempts to validate or execute a deployment containing an unauthorized action, the workflow fails almost immediately. Observed BehaviorThe Workflow continued to run, appearing to hang during the Validate Step. Workflow ran for 20 minutes before manual cancellation. Manually cancelling the Workflow worked and revealed the expected authorization error. Steps to Reproduce
Full Log from Validate Step
|
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
Thank you for reporting. Converted it to an issue #629 so we can further triage and look at potential fix there. |
Beta Was this translation helpful? Give feedback.
Thank you for reporting. Converted it to an issue #629 so we can further triage and look at potential fix there.