I created one Service Principal and assigned it the Contributor role at the subscription level. Refer below:-


Created Azure DevOps Service connection with the above Service Principal:-

Used the same Service Principal as authentication in my Azure DevOps Ansible task.
When I ran the task, the resource group got created successfully, but the Web app errored out. Check the conflicting error message along with the error you got by enabling diagnostics while running your pipeline:-
Error:-
TASK [Create App Service on Linux with Java Runtime] ***************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error creating the Web App instance: Operation returned an invalid status 'Conflict'\nContent: {\"Code\":\"Conflict\",\"Message\":\"Website with given name myfirstWebApp123 already exists.\",\"Target\":null,\"Details\":[{\"Message\":\"Website with given name myfirstWebApp123 already exists.\"},{\"Code\":\"Conflict\"},{\"ErrorEntity\":{\"ExtendedCode\":\"54001\",\"MessageTemplate\":\"Website with given name {0} already exists.\",\"Parameters\":[\"myfirstWebApp123\"],\"Code\":\"Conflict\",\"Message\":\"Website with given name myfirstWebApp123 already exists.\"}}],\"Innererror\":null}"}
I used the below YAML script to run the Ansible task with a unique name for my Web app. Refer below:-
Code:-
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
# Ansible pipeline
# Testing
trigger:
- master
pool:
  vmImage: 'ubuntu-latest'
steps:
- task: UsePythonVersion@0
  displayName: 'Install Python'
  inputs:
    versionSpec: '3.7'
- task: AzureCLI@2
  displayName: 'Azure CLI'
  inputs:
    azureSubscription: 'ansible'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      echo "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]$(az account show --query="id" -o tsv)"
      echo "##vso[task.setvariable variable=ARM_CLIENT_ID]${servicePrincipalId}"
      # issecret=true keeps the client secret masked in logs; it is mapped explicitly via env below
      echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET;issecret=true]${servicePrincipalKey}"
      echo "##vso[task.setvariable variable=ARM_TENANT_ID]${tenantId}"
    addSpnToEnvironment: true
- script: pip install ansible
  displayName: 'Install Ansible'
- script: pip install -r https://raw.githubusercontent.com/ansible-collections/azure/dev/requirements-azure.txt
  displayName: 'Install Azure modules needed'
- script: ansible-galaxy collection install azure.azcollection
  displayName: 'Install Ansible Azure Collection'
- script: ansible-playbook -i inv site.yml
  displayName: 'Run Ansible Playbook'
  env:
    AZURE_CLIENT_ID: $(ARM_CLIENT_ID)
    AZURE_SECRET: $(ARM_CLIENT_SECRET)
    AZURE_TENANT: $(ARM_TENANT_ID)
    AZURE_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)
I have added my service connection here:-
  inputs:
    azureSubscription: 'ansible'
My site.yml Ansible playbook:-
- hosts: localhost
  connection: local
  vars:
    resource_group: valleyrg45678
    webapp_name: valleywebapp098754
    plan_name: valleyappserviceplan3452
    location: eastus
  tasks:
    - name: Create a resource group
      azure_rm_resourcegroup:
        name: "{{ resource_group }}"
        location: "{{ location }}"
    - name: Create App Service on Linux with Java Runtime
      azure_rm_webapp:
        resource_group: "{{ resource_group }}"
        name: "{{ webapp_name }}"
        plan:
          resource_group: "{{ resource_group }}"
          name: "{{ plan_name }}"
          is_linux: true
          sku: S1
          number_of_workers: 1
        frameworks:
          - name: "java"
            version: "8"
            settings:
              java_container: tomcat
              java_container_version: 8.5
Output:-
Web app creation task ran successfully like below:-

Portal:-

Reference:-
Azure DevOps Ansible Pipeline | by Russ Mckendrick | Media Glasses | Medium
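
Added example, not part of the original answer: a small Python helper that pulls the nested Azure error out of an Ansible `fatal: ... FAILED! =>` log line like the one above, so a `Conflict` / `54001` (name already exists) failure can be told apart from other failures. The function names and triage labels are hypothetical, and the sample line is constructed from the values in the error shown above.

```python
import json

def parse_ansible_failure(line):
    """Return (code, extended_code, message) from an Ansible failure line, or None."""
    marker = "FAILED! => "
    idx = line.find(marker)
    if idx == -1:
        return None
    try:
        result = json.loads(line[idx + len(marker):])
    except json.JSONDecodeError:
        return None
    if not isinstance(result, dict):
        return None
    msg = result.get("msg", "")
    # The Azure response body follows "Content: " inside the msg string.
    _, sep, body = msg.partition("Content: ")
    if not sep:
        return (None, None, msg)
    try:
        arm = json.loads(body)
    except json.JSONDecodeError:
        return (None, None, msg)
    extended = None
    for detail in arm.get("Details") or []:
        entity = detail.get("ErrorEntity") if isinstance(detail, dict) else None
        if entity:
            extended = entity.get("ExtendedCode")
            break
    return (arm.get("Code"), extended, arm.get("Message"))

def triage(line):
    """Hypothetical labels: 'name-taken' means webapp_name needs a unique value."""
    parsed = parse_ansible_failure(line)
    if parsed is None:
        return "not-an-ansible-failure"
    code, extended, _ = parsed
    return "name-taken" if (code, extended) == ("Conflict", "54001") else "other"

# Constructed sample, rebuilt from the values in the error message above.
_text = "Website with given name myfirstWebApp123 already exists."
_arm = {"Code": "Conflict", "Message": _text, "Target": None, "Innererror": None,
        "Details": [{"Message": _text}, {"Code": "Conflict"},
                    {"ErrorEntity": {"ExtendedCode": "54001", "Code": "Conflict"}}]}
SAMPLE = "fatal: [localhost]: FAILED! => " + json.dumps({
    "changed": False,
    "msg": "Error creating the Web App instance: Operation returned an invalid "
           "status 'Conflict'\nContent: " + json.dumps(_arm)})

if __name__ == "__main__":
    print(triage(SAMPLE), parse_ansible_failure(SAMPLE))
```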