azure / azure-saas

The Azure SaaS Development Kit (ASDK) provides a reference architecture, deployable reference implementation and tools to help developers, startups, ISVs and Enterprises deliver their applications as a SaaS service. A platform for platform creators.

Home Page: https://aka.ms/azuresaasdevkit

C# 52.68% HTML 7.65% CSS 2.66% JavaScript 0.26% Dockerfile 0.86% Bicep 6.63% Shell 25.75% Python 3.51%
azure saas-solutions azure-paas azure-devops azure-storage dotnet csharp azure-functions saas-platform-architecture saas-service azure-sql-database architecture

azure-saas's Introduction

Azure SaaS Development Kit (ASDK)

TL;DR

The Azure SaaS Development Kit (ASDK) provides a cloud-native starting point built with security, resilience and reliability in mind. Accelerate your SaaS journey with the Azure SaaS Development Kit.

Get started 1-2-3

  1. Git fork this repo, making it your own.
  2. Follow the Quick Start to see ASDK in motion.
  3. Start building and learning, guided by the code and documentation provided.

If you run into any challenges or have questions, please use Discussions and/or open an issue on this repo. Oh, and don't forget to give the repo a star ⭐ if you like what you see. Thank you.

Overview

The Azure SaaS Development Kit (ASDK) is a solid starting point for building cloud-native Software as a Service (SaaS) solutions, offering a reference architecture based on best practices and design patterns as outlined in the Azure Architecture Center: Architecting multitenant solutions on Azure - Azure Architecture Center | Microsoft Learn

The ASDK has been created specifically for developers and architects building platforms and solutions for start-ups, ISVs, and enterprises. It can be used as a starting point if you are a start-up, as well as a reference architecture if you are migrating or refactoring an existing solution.

The main focus of the ASDK is on the creation of a solid Control Plane for your SaaS solution. A Control Plane is crucial for a SaaS architecture because it manages and orchestrates the infrastructure, services, and resources, enabling seamless scaling, monitoring, and automation of the underlying components, which ultimately helps to ensure optimal performance and reliability of the SaaS application. The ASDK provides essential capabilities in the areas of:

add-sign-up-and-sign-in-flow

For more information, including the Quick Start guide for deploying a running version of the ASDK, please refer to the ASDK Documentation.

Modules

  • Identity Foundation Services - The core deployment and configuration of the infrastructure and services for the ASDK.
  • Admin Service - Primary services administrating Tenant info and providing relevant information to frontend applications
  • Permissions Service - Service utilized by the Admin services to determine authorization by providing permissions claims to the identity provider.
  • Signup Application Web - MVC web application for new Tenant signup
  • SaaS Application Web - Razor application providing the SaaS service to registered tenants

For each of the modules, documentation and deployment details are provided.

The architecture diagram for the Azure SaaS Dev Kit (ASDK)

Want to contribute?

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

License

The Azure SaaS Development Kit is licensed under the MIT license. See the LICENSE file for more details.

azure-saas's People

Contributors

1iveowl, arsenvlad, asanjabi, beshaghyspur, brandonmartinez, chgeuer, chixcancode, codebytes, dependabot[bot], jaider, jakeginnivan, jasonbergspur, julian-mcnichols, landonpierce, leo-schick, microsoft-github-operations[bot], microsoftopensource, mikebazmsft, nickpinheiro, ytechie, zitterz

azure-saas's Issues

Cannot run deploy permissions GitHub action

Describe the bug

Run azure/login@v1
Using OIDC authentication...
Federated token details:
issuer - https://token.actions.githubusercontent.com/
subject claim - repo:fbomb111/parallel:ref:refs/heads/main
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Error: : AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://token.actions.githubusercontent.com/'. Assertion Subject: 'repo:fbomb111/parallel:ref:refs/heads/main'. Assertion Audience: 'api://AzureADTokenExchange'. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation
Trace ID: 5495a11c-c510-44fd-8a12-136449eeb500
Correlation ID: efa78f32-75c0-4c33-992f-2a17d501d4d3
Timestamp: 2023-08-27 16:20:08Z

Error: Interactive authentication is needed. Please run:
az login

Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows

To Reproduce
Steps to reproduce the behavior:

  1. Deployed identity module per readme
  2. Deployed permissions module per readme
  3. Ran workflow trigger on permissions GitHub action

Expected behavior
Expected no az login error

Desktop (please complete the following information):

  • MacOS Ventura 13.0 M1 Pro chip (but GitHub action running on standard GitHub runner)

Additional context
I have not used the az login action before and am not sure where to start troubleshooting. Looks like the 3 GitHub secrets were set correctly from what I can tell.

SaaS Permissions API deployment script run.sh fails with errors

I successfully deployed Identity Foundation Services and am attempting to run the SaaS Permissions API deployment script.

cd /mnt/.../azure-saas/src/Saas.Identity/SaaS.Permissions/deployment
./setup.sh
./run.sh

Running the script fails with the following results,

### SaaS Administration Service API ###
Provisioning the SaaS Administration Service API...
Deploying App Service: Downloading Identity Foundation outputs from Resource Group 'rg-asdk-test-****' deployment named 'IdentityFoundationDeployment'...
ERROR: User '****@****.com' does not exist in MSAL token cache. Run `az login`.

### Critical Error ###
Failed to get Identity Bicep deployment output parameters

I tried logging into the Azure CLI with az login --use-device-code and setting the subscription with az account set -s subscriptionId.

I'm using Windows 11, WSL 2, Azure CLI 2.56.0, and GitHub CLI 2.41.0.

GitHub Actions do not work - OIDC ref. is wrongly setup

Describe the bug
When I deploy this repository from script, the predefined GitHub actions will not work. I get the following error message:

image

I took a look at the created OIDC app and found out that the subject is set up differently:

image
(screenshot in German, sorry :-) )

I changed the "Antragstellerbezeichner" from repo:[email protected]:myorganization/azure-saas.git:ref:refs/heads/main to repo:myorganization/azure-saas:ref:refs/heads/main and then it worked.

So the script creates the OIDC federation credentials with the wrong parameters.

Expected behavior

When running script create-oidc-workflow-github-action.sh, it should correctly set up the federation credentials.

Desktop (please complete the following information):

  • OS: Ubuntu on WSL
  • Browser -
  • Version -
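
Added example (not code from the ASDK repository or from the issue authors): a POSIX shell sketch of the check this issue and the AADSTS70021 report above both call for, reducing a git remote URL to owner/repo before building the federated credential subject, and comparing a configured subject with the one Azure AD says was presented. All function names and the sample remote and error text are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helpers; none of these names come from the ASDK scripts.

# Reduce a git remote URL (scp-like SSH, ssh://, or https://) to "owner/repo".
# Returns non-zero when the result is not exactly two safe path segments.
repo_slug_from_remote() {
    remote=$1
    case $remote in
        *://*)                      # https://host/owner/repo(.git), ssh://user@host[:port]/owner/repo(.git)
            slug=${remote#*://}     # drop the scheme
            slug=${slug#*/}         # drop user@host[:port]
            ;;
        *:*)                        # scp-like: user@host:owner/repo(.git)
            slug=${remote#*:}
            ;;
        *)
            slug=$remote
            ;;
    esac
    slug=${slug%/}                  # tolerate a trailing slash
    slug=${slug%.git}               # the subject claim never carries ".git"
    if printf '%s' "$slug" | grep -Eq '^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$'; then
        printf '%s\n' "$slug"
    else
        return 1
    fi
}

# Build the subject in the form GitHub presents for a branch-triggered workflow,
# as shown in the log on this page: repo:<owner>/<repo>:ref:refs/heads/<branch>
github_oidc_subject() {
    slug=$(repo_slug_from_remote "$1") || return 1
    printf 'repo:%s:ref:refs/heads/%s\n' "$slug" "$2"
}

# Extract the presented subject from an AADSTS70021 error message.
assertion_subject_from_error() {
    printf '%s\n' "$1" | sed -n "s/.*Assertion Subject: '\([^']*\)'.*/\1/p"
}

# Compare the subject stored on the federated credential ($1) with the one
# reported in the login error ($2). Returns 0 on match, 1 on mismatch,
# 2 when the error text carries no subject.
diagnose_subject() {
    presented=$(assertion_subject_from_error "$2")
    if [ -z "$presented" ]; then
        echo "no Assertion Subject found in error text"
        return 2
    fi
    if [ "$1" = "$presented" ]; then
        echo "subject matches: $presented"
        return 0
    fi
    echo "configured: $1"
    echo "presented:  $presented"
    echo "update the federated credential subject to the presented value"
    return 1
}

# Constructed sample input, in the format of the error shown on this page.
SAMPLE_REMOTE='git@github.com:myorganization/azure-saas.git'
SAMPLE_ERROR="Error: AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://token.actions.githubusercontent.com/'. Assertion Subject: 'repo:myorganization/azure-saas:ref:refs/heads/main'. Assertion Audience: 'api://AzureADTokenExchange'."

# Subject built by pasting the raw remote URL in, the shape the issue reports.
NAIVE_SUBJECT="repo:${SAMPLE_REMOTE}:ref:refs/heads/main"

echo "--- raw remote URL used as-is ---"
diagnose_subject "$NAIVE_SUBJECT" "$SAMPLE_ERROR" || true
echo "--- remote normalised to owner/repo ---"
diagnose_subject "$(github_oidc_subject "$SAMPLE_REMOTE" main)" "$SAMPLE_ERROR" || true
```

Azure AD compares the subject as an exact string, so running a check like this before creating the credential catches the mismatch without a failed workflow run.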

Deploy to Azure button doesn't work

When attempting to go through the Deploy to Azure button on https://azuresaas.net/, you get to the "Review and Create" button in the Azure portal and the validation fails with this error:

{"code":"MultipleErrorsOccurred","details":[{"code":"InvalidContentLink","message":"Unable to download deployment content from 'https://raw.githubusercontent.com/Azure/azure-saas/main/src/Saas.OnboardingFlow/Saas.OnboardingFlow.CosmosDb.Deployment/azuredeploy.json'. The tracking Id is '5d3369dd-6212-4f2d-b838-304570b8d808'. Please see https://aka.ms/arm-deploy for usage details."},{"code":"InvalidContentLink","message":"Unable to download deployment content from 'https://raw.githubusercontent.com/Azure/azure-saas/main/src/Saas.Data/Saas.Data.Sql.Deployment/azuredeploy.json'. The tracking Id is '5d3369dd-6212-4f2d-b838-304570b8d808'. Please see https://aka.ms/arm-deploy for usage details."}],"message":"Multiple error occurred: BadRequest,BadRequest. Please see details."}

It appears to be due to a broken link for:

Switch to Azure Entra External ID

A few months back, Azure Entra has been announced and Azure Entra External ID is in preview. Is there a plan to switch this project over to use Azure Entra External ID? Or is there an alternative SAAS toolkit in planning which will integrate with Entra External ID?

Deploy button not working

{
  "code": "MultipleErrorsOccurred",
  "details": [
    {
      "code": "InvalidContentLink",
      "message": "Unable to download deployment content from 'https://raw.githubusercontent.com/Azure/azure-saas/main/src/Saas.OnboardingFlow/Saas.OnboardingFlow.CosmosDb.Deployment/azuredeploy.json'. The tracking Id is 'cf99b363-c6d7-454e-802e-3aa691c95358'. Please see https://aka.ms/arm-deploy for usage details."
    },
    {
      "code": "InvalidContentLink",
      "message": "Unable to download deployment content from 'https://raw.githubusercontent.com/Azure/azure-saas/main/src/Saas.Data/Saas.Data.Sql.Deployment/azuredeploy.json'. The tracking Id is 'cf99b363-c6d7-454e-802e-3aa691c95358'. Please see https://aka.ms/arm-deploy for usage details."
    }
  ],
  "message": "Multiple error occurred: BadRequest,BadRequest. Please see details."
}

Azure AD B2C Password reset policy not working

Describe the bug
A policy PasswordReset.xml has been installed on the Azure AD B2C instance but it doesn't seem to take effect.

To Reproduce
Steps to reproduce the behavior:

  1. Go to any of the web applications that require signin/signup
  2. Click on Forgot Password?
  3. Nothing happens

Expected behavior
User should be redirected to an Azure AD B2C page where he/she can reset password.

run.sh fails to authenticate

When running the "run.sh" script, the script fails after logging into the Azure tenant.

Login to Azure

Log into you Azure tenant
Setting account subscription to ""

You are logged in to tenant: ""

Critical error

Initilization failed
cp: cannot stat '/asdk/src/Saas.Identity/Saas.IdentityProvider/deployment/config/certificate-policy.json': No such file or directory

Configuration Validation

Validating Initial Configuration Settings...
All required initial configuration settings exist.

Cleaning up

Starting cleaning up...

Deleting locally stored service principal credentials.
Deleting service principal credentials using user 'null'
No known service principal to delete.
Service principal credentials have been removed locally and in Azure AD.
User context for null have been deleted.
User context for null have been deleted.
Clean up has completed.

Backup to Azure Blob Storage

Backing up logs in '/asdk/src/Saas.Identity/Saas.IdentityProvider/deployment/log/2023-10-20--17-47-03' to Azure Blob Storage 'null/null'.
ERROR: Operation returned an invalid status 'Server failed to authenticate the request. Please refer to the information in the www-authenticate header.'
ErrorCode:InvalidAuthenticationInfo

Deployment script completion

Identity Foundation deployed with errors. Sometimes this is due to an error happening with the Azure Resource Manager. Try running the script once more to see if it continues past the point of failure.

When a B2C tenant already exists that is not owned by the current user, the B2C Create script enters an infinite loop

Describe the bug

The B2C-Create PowerShell script does not check to see if the name has been taken first before attempting to create a new tenant. It does, however, check to see if the tenant exists inside the user's current resource group. What that means is that if the tenant already exists in that resource group, the script will proceed fine as the create operation is idempotent. If the tenant name is taken by another user (or exists in another RG or sub), however, the operation does not succeed but the creation script will wait forever until the tenant is created.

We need to modify the check on line 332 of B2C-Create.ps1 to check for ALL tenants, not just the ones inside that particular RG.

Not an issue

Hi team,

Glad to see MS starting to focus on this area. Keen to see more, and more frequent, updates soon.

Thanks,

Wen

Azure Devops

I would like to deploy, but have the DevOps side in Azure DevOps rather than GitHub. Can some documentation be added for this?

Clicking on "Deploy to Azure" on https://azuresaas.net/ results in an error.

Describe the bug
Clicking on "Deploy to Azure" on https://azuresaas.net/ results in:
There was an error downloading from URI 'https://raw.githubusercontent.com/Azure/azure-saas/main/src/Saas.Deployment/Saas.Deployment.Root/createUiDefinition.json'. Ensure that the template is publicly accessible and that the publisher has enabled CORS policy on the endpoint.
There was an error downloading the template from URI 'https://raw.githubusercontent.com/Azure/azure-saas/main/src/Saas.Deployment/Saas.Deployment.Root/azuredeploy.json'. Ensure that the template is publicly accessible and that the publisher has enabled CORS policy on the endpoint. To deploy this template, download the template manually and paste the contents in the 'Build your own template in the editor' option below.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on 'Deploy to Azure'
  3. See error
    Following the link https://raw.githubusercontent.com/Azure/azure-saas/main/src/Saas.Deployment/Saas.Deployment.Root/createUiDefinition.json manually results in a 404.

Expected behavior
The custom deployment should start.

Screenshots
n/a

Desktop

  • OS: Windows 11
  • Browser Edge
  • Version 104.0.1293.54

Additional context
n/a

Run.sh doesn't run and gives the error below. Can someone help?

./run.sh
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested

Welcome

Welcome to the Azure SaaS Dev Kit - Azure B2C Identity Provider deployment script.

Preparing

Working in directory /asdk/src/Saas.Identity/Saas.IdentityProvider/deployment.

Sudo

Please log in with sudo to run this script.
You are logged in with sudo.

Checking prerequisites

Checking prerequisites...

Checking OS

Supported operating system: linux

Checking Repo forked

Forked repository true: [email protected]:bhanupublicis/azure-saas.git

Checking bash version

Pass: '5.1.16(1)-release > 5.0.0'

Checking az cli version

Pass: '2.55.0 > 2.46.0'

Checking jq version

Pass: '1.6 > 1.5'

Configation Settings

Initializing Configuration

Backup Configuration

Backing up existing configuration file to: /asdk/src/Saas.Identity/Saas.IdentityProvider/deployment/log/2023-12-12--16-41-02/config.begin.json
Configuration settings: /asdk/src/Saas.Identity/Saas.IdentityProvider/deployment/config/config.json.

Postfix

Using existing postfix to continue or patch existing deployment: xlb8

Configuration Validation

Validating Initial Configuration Settings...
All required initial configuration settings exist.

Login to Azure

Log into you Azure tenant
Setting account subscription to ff09016f-c122-*******.

You are logged in to tenant: d52c9ea1-7c21-*******.

Critical error

Initilization failed
cp: cannot stat '/asdk/src/Saas.Identity/Saas.IdentityProvider/deployment/config/certificate-policy.json': No such file or directory

Configuration Validation

Validating Initial Configuration Settings...

All required initial configuration settings exist.

Login to Azure

Log into you Azure tenant
Setting account subscription to ff09016f-c122-*******.

You are logged in to tenant: d52c9ea1-7c21-*******

Critical error

Initilization failed
cp: cannot stat '/asdk/src/Saas.Identity/Saas.IdentityProvider/deployment/config/certificate-policy.json': No such file or directory

Configuration Validation

Validating Initial Configuration Settings...
All required initial configuration settings exist.

Cleaning up

Starting cleaning up...

Deleting locally stored service principal credentials.
Deleting service principal credentials using user 'null'
No known service principal to delete.
Service principal credentials have been removed locally and in Azure AD.
User context for null have been deleted.
User context for null have been deleted.
Clean up has completed.

Backup to Azure Blob Storage

Backing up logs in '/asdk/src/Saas.Identity/Saas.IdentityProvider/deployment/log/2023-12-12--16-41-02' to Azure Blob Storage 'null/null'.
ERROR: Operation returned an invalid status 'Server failed to authenticate the request. Please refer to the information in the www-authenticate header.'
ErrorCode:InvalidAuthenticationInfo

Deployment script completion

Identity Foundation deployed with errors. Sometimes this is due to an error happening with the Azure Resource Manager. Try running the script once more to see if it continues past the point of failure.
Please review the log file for more details: /asdk/src/Saas.Identity/Saas.IdentityProvider/deployment/log/2023-12-12--16-41-02

Allow non-root Linux users to do a deployment from their machine

Is your feature request related to a problem? Please describe.

After running src/Saas.Identity/Saas.IdentityProvider/deployment/run.sh, the user's home directory contains an ~/asdk/.cache/.../ folder owned by root.root.

Describe the solution you'd like

It would be good if the whole setup experience on the user's computer could run without the user being able to sudo.

chgeuer@beam:~/asdk/.cache/asdk-usr-b2c-hbtt$ ls -als
total 20
4 drwxr-xr-x 2 root    root 4096 Aug 23 14:36 .
4 drwxr-xr-x 3 chgeuer root 4096 Aug 23 14:36 ..
4 -rw-r--r-- 1 root    root  354 Aug 23 14:36 azureProfile.json
8 -rw------- 1 root    root 7632 Aug 23 14:36 msal_token_cache.json

Certainly going through the .../*.sh files and checking where we're calling sudo.

Failed to download package. ARM-MSDeploy Deploy Failed

Deploying to Azure failed on "deployProviderWebApp" citing Conflict. Seems to be a different issue from the previous Issue report.

deployAdminWebApp, deployCosmosDb and deploySql went through fine.

deployOnboardingApiApp didn't get to start deployment

{
"id": "/subscriptions/1025d215-b6df-4367-bd07-a08675ac1f6c/resourceGroups/ProjectHello/providers/Microsoft.Resources/deployments/Microsoft.Template-20220307215935/operations/282F126A0A11DC4D",
"operationId": "282F126A0A11DC4D",
"properties": {
"provisioningOperation": "Create",
"provisioningState": "Failed",
"timestamp": "2022-03-07T12:07:57.1635327Z",
"duration": "PT1M4.5937449S",
"trackingId": "647ee7c1-d84b-45f8-b04d-77ace9ba3154",
"serviceRequestId": "d7a6eda9-574e-4bc0-83c3-b1ef0cdc19d6",
"statusCode": "Conflict",
"statusMessage": {
"status": "Failed",
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "Conflict",
"message": "{\r\n "status": "failed",\r\n "error": {\r\n "code": "ResourceDeploymentFailure",\r\n "message": "The resource operation completed with terminal provisioning state 'failed'.",\r\n "details": [\r\n {\r\n "code": "Failed",\r\n "message": "Failed to download package.\r\nARM-MSDeploy Deploy Failed: 'System.AggregateException: One or more errors occurred. ---> System.Net.WebException: The remote server returned an error: (404) Not Found.\r\n at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)\r\n at System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result)\r\n --- End of inner exception stack trace ---\r\n at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)\r\n at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)\r\n at System.Threading.Tasks.Task.Wait(TimeSpan timeout)\r\n at Microsoft.Web.Deployment.WebApi.AppGalleryPackage.<Download>d__17.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Web.Deployment.WebApi.AppGalleryPackage.<Download>d__15.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Web.Deployment.WebApi.DeploymentController.<DownloadPackageAndSettings>d__27.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at 
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Web.Deployment.WebApi.DeploymentController.<DownloadAndDeployPackage>d__25.MoveNext()\r\n---> (Inner Exception #0) System.Net.WebException: The remote server returned an error: (404) Not Found.\r\n at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)\r\n at System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result)<---\r\n'"\r\n }\r\n ]\r\n }\r\n}"
}
]
}
},
"targetResource": {
"id": "/subscriptions/1025d215-b6df-4367-bd07-a08675ac1f6c/resourceGroups/ProjectHello/providers/Microsoft.Resources/deployments/deployProviderWebApp",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deployProviderWebApp"
}
}
}

Unknown Configuration: SaasAuthorization

After running through setup procedure and attempting to deploy/test the Admin Service / API locally. Receiving build error:

An unhandled exception of type 'System.InvalidOperationException' occurred in Microsoft.Extensions.Configuration.Abstractions.dll
Section 'SaasAuthorization' not found in configuration.

It looks like this may have been introduced in recent permissions updates. I don't quite know what the configuration was supposed to be pointing at or looking for. Not able to move forward with testing.

Admin portal gives 500 Error

Hello,
I deployed the template to Azure and the admin portal is not working. It returns Http 500 error.
Also, I feel the deployment template is incomplete as it doesn't deploy any application gateway as mentioned in the reference architecture.

Deployment Guide Documentation needs more clarity and guidance.

Add these to documentation:

  1. The location specified on the initConfig section of the config.json file must be a valid name within the locations displayed once you run the command (az account list-locations --output table). This must be within the name column of the output and not the displayname column e.g francecentral is valid but using France Central will prevent the certificate-policy.json file from being generated.
  2. Uninstall previous versions of CLI and follow the installation guide provided here. If you had installed the Windows MSI version of the az-cli previously while working with PowerShell, your container might be unable to pull az-cli credentials if proper configurations are not done within WSL. In my case I uninstalled all previous versions of az-cli and ran (curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash) for the container to persist the credentials.
  3. Uninstall all previous versions of gh cli before running the gh cli install command provided here. I was running on version 2.4 of gh cli, which caused the deployment to generate GH_Token exceptions, and running the gh auth token command could not generate the authentication token required to complete the deployment. Remember to run gh --version to confirm your gh cli version before attempting to execute ./run.sh. The current stable version of gh cli which is yielding a seamless deployment is 2.29.0.

Originally posted by @jwanyeki in #217 (reply in thread)

Deployment SecretsGenerator hangs

Hi,

Deployment "SecretsGenerator" seems to be hanging for me. This in turn is possibly failing the other two deployments, it looks like.
Note that I needed to delete the resource group from the first attempt due to a wrong location in config, which had left a few resources soft deleted and needing purging.

image

Thanks

Migrate Permissions API Authentication to use an API key instead of mTLS certificate auth

Azure AD B2C recently released the ability to secure custom connectors with an API key. The communication is currently secured using mTLS (mutual TLS) authentication. Migrate the relevant ASDK code to take advantage of API keys instead.

The following changes are needed:

  • Update B2C custom policies to use the new authentication scheme
  • Update the identity bicep deployment to generate an API key and deploy it to the permissions API and remove the certificate generation
  • Update the Permissions API code to be secured via an API key and remove the mTLS authentication
  • Update Documentation:
    • Remove reference to certificate based auth
    • Add reference to API key auth
    • Add instructions for re-generating the API key and changing it in both the API and B2C

Setup Identity Framework - Docker B2C tenant creation Error Not Found Resource with ID

Hi,

Following the quick start guide using Docker fails early in the script on setting up the identity framework. It looks like the script is trying to validate against the wrong path. Is there a workaround or do I need to forget using Docker?

Error message....

Waiting for 30 seconds for B2C tenant creation...
ERROR: (NotFound) Resource with ID '*********************01/saas-identity/bastechllc.onmicrosoft.com' does not exist.
Code: NotFound
Message: Resource with ID '*********************01/saas-identity/bastechllc.onmicrosoft.com' does not exist.
Target: resource

My Azure resource group that was created by the script...

{
    "id": "/subscriptions/*********************01/resourceGroups/saas-identity",
    "name": "saas-identity",
    "location": "eastus",
    "properties": {
        "provisioningState": "Succeeded"
    }
}

Concurrent AzureRm and Az modules will cause failure

Using the Docker image, the process repeated the following, with an error of 'Bad Request', until interrupted:

Creating B2C tenant ratnest...
*** B2C Tenant creation started. It can take a moment to complete.
Waiting for 30 seconds for B2C tenant creation...

Using .\Saas.IdentityProvider\scripts\B2C-Create.ps1

Line |
1160 |  New-SaaSIdentityProvider
     |  ~~~~~~~~~~~~~~~~~~~~~~~~
     | The term 'Connect-AzAccount' is not recognized as a name of a cmdlet, function,
     | script file, or executable program. Check the spelling of the name, or if a path
     | was included, verify that the path is correct and try again.

Problem

Old machine, had concurrent AzureRm and Az installations.

Solution

Uninstall-AzureRm

Request

  • Please improve the error message when running in Docker.
  • Add a note to documentation that AzureRm needs to be removed.

Thank you for this quickstart!

Deployment with wrong SKU - PremiumP1 instead of Standard

Describe the bug
I followed the guideline Deploying the Identity Foundation Services and, during the initial setup, changed the SKU for azureb2c in the config.json from PremiumP1 to Standard, as the documentation says is possible. But the deployed SKU of the Azure AD B2C tenant is PremiumP1, not Standard.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Deploying the Identity Foundation Services
  2. Follow the guide until Running the script the first time
  3. edit the config.json file and change $.initConfig.azureb2c.skuName from PremiumP1 to Standard
  4. run the ./run.sh script again
  5. take a look at the SKU at the newly deployed Azure AD B2B Tenant

Expected behavior
The SKU should be Standard, but it is PremiumP1.

Screenshots
image
image

Desktop (please complete the following information):

  • OS: Windows with WSL Debian
  • Browser Chrome
  • Version / not required

Attempting to access the users link in the Signup Admin Webapp fails

Describe the bug

To Reproduce
Steps to reproduce the behavior:

  1. Go to Signup Admin Website, in the relative path: /Admin/Tenants, a table with tenants displays, and for each tenant the following links are available: Edit | Details | Users | Delete
  2. When clicking the link Users the webpage redirects to /Admin/tenants//users
  3. An error page displays:
Error.
An error occurred while processing your request.

Expected behavior
A page with a form to add the email should display, after clicking submit, a new user should display and a new record should be inserted in the database.

Screenshots
Screenshot 2023-05-12 171128

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Chrome

Additional context
I saw the webpage to add an email once, when I put the email and click submit there was an error returned. Since then it failed every time.

Web App Exceptions: An error occurred while processing your request.

Hi,

I wanted to take this kit for a spin to see how the deployment and dev-QA-prod lifecycle would work.
Unfortunately, as soon as I've deployed it, the web app fails to register or sign in new members:

image

Are there any post-deployment steps that are required to mitigate this, or did we encounter a new bug?

I haven't drilled down into the errors more than this; I just noticed this happening on two new deployments - so something seems to be amiss. I just wanted to bring this to your attention if you can fix it to avoid others having the same issue.

Thanks.

Unable to successfully complete run.sh for SaaS Administration Service API

Following the instructions of the Identity Framework, I was able to complete a successful deployment.

Running ./setup.sh from src/Saas.Identity/Saas.Permissions/deployment completes successfully.

But when attempting to ./run.sh from the previous folder, I get an error:

### SaaS Administration Service API ###
Provisioning the SaaS Administration Service API...
/asdk/src/Saas.Identity/Saas.Permissions/deployment/start.sh: line 42: /asdk/src/Saas.Lib/Deployment.Script.Modules/deploy-app-service.sh: Permission denied

Automate Deployment of Infrastructure

This issue is to track the work around creating automation to ease the deployment of the control plane and identity framework infrastructure. Any updates will be posted here as they happen.

Service plan of Tenant does not change

Describe the bug
When I use the Edit page of a tenant and want to change the service plan (property ProductTierId), it does not change but keeps its value.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the signup admin page
  2. Login as Tenant Admin user
  3. Go to Admin in the top menu
  4. Select your Tenant and choose another Service Plan
  5. Click Save
  6. You will be redirected to the Tenant list overview, but it still holds its old Service Plan. It does not change.

The other properties can be changed but Service Plan cannot. Fun fact: the next time you click Edit on the tenant, the Edit page will show the value you selected before, not the value as it is represented in the data. But when you open the Detail page of a tenant, you will see the right value. It looks like the UI control for the Service Plan on the Edit page is not correctly mapped.

Expected behavior
The tenant Service Plan should change in the database after changing it in the Edit page of a tenant.

Screenshots
Tenants overview before editing:
image

Then I clicked Edit and changed the Service Plan
image

It's still the same:
image

Desktop (please complete the following information):

  • OS: Windows with WSL Debian
  • Browser Chrome
  • Version 120.0.6099.217

No module named 'ruamel'

Describe the bug

Traceback (most recent call last):
File "/asdk/src/Saas.Lib/Deployment.Script.Modules/patch-github-workflow.py", line 4, in <module>
from ruamel.yaml import YAML
ModuleNotFoundError: No module named 'ruamel'

To Reproduce

Installed the Saas.IdentityProvider module first. Success.
Then I was following the Saas.Permissions install guide, which is to run:

sudo chmod +x setup.sh
./setup.sh
./run.sh

Expected behavior
Expected no error.

Desktop (please complete the following information):

  • OS: MacOS, Ventura 13.0, Apple M1 Pro

SaaS.Application.Web

We managed to deploy the service and SaaS web app on Azure. However, there is not enough documentation on how to configure SaaS.Application.Web locally. Also, how do we get a JWT token to debug in a local environment?

"Deploy to Azure" failing

After clicking the "Deploy to Azure" button on the Azure SAAS DK site and providing the required information, the deployment fails. This has happened with both paid and unpaid subscriptions.

DEPLOYMENT.OPERATIONS.JSON
[
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/Microsoft.Template-20211214084404/operations/EE9CDC6B970B75D8",
"operationId": "EE9CDC6B970B75D8",
"properties": {
"provisioningOperation": "Create",
"provisioningState": "Failed",
"timestamp": "2021-12-14T16:45:57.5132203Z",
"duration": "PT1M7.6887762S",
"trackingId": "1f9601ef-0f72-4284-b130-e1f042591e04",
"serviceRequestId": "33ac6f8b-2303-4c88-88b1-1b578d211e50",
"statusCode": "Conflict",
"statusMessage": {
"status": "Failed",
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "Conflict",
"message": "{\r\n "status": "Failed",\r\n "error": {\r\n "code": "ResourceDeploymentFailure",\r\n "message": "The resource operation completed with terminal provisioning state 'Failed'.",\r\n "details": [\r\n {\r\n "code": "ServiceUnavailable",\r\n "message": "Database account creation failed. Operation Id: 8afe70e7-59b4-4211-bbe9-305c659b9f25, Error : Sorry, we are currently experiencing high demand in this region, and cannot fulfill your request at this time. We work continuously to bring more and more capacity online, and encourage you to try again shortly. Please do not hesitate to contact us via Azure support at any time or for any reason using this link http://aka.ms/azuresupport.\r\nActivityId: 022e0839-12fd-43ec-839e-54612b355428, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0"\r\n }\r\n ]\r\n }\r\n}"
}
]
}
},
"targetResource": {
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deployCosmosDb",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deployCosmosDb"
}
}
},
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/Microsoft.Template-20211214084404/operations/2949AFE5D6857534",
"operationId": "2949AFE5D6857534",
"properties": {
"provisioningOperation": "Create",
"provisioningState": "Failed",
"timestamp": "2021-12-14T16:45:24.6937828Z",
"duration": "PT34.8693387S",
"trackingId": "7f25a3f0-2d38-469b-8c4a-4b4b3a454656",
"serviceRequestId": "4863f9c7-5e55-4dd2-8965-9b40baffcb2c",
"statusCode": "Conflict",
"statusMessage": {
"status": "Failed",
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "Conflict",
"message": "{\r\n "status": "Failed",\r\n "error": {\r\n "code": "ResourceDeploymentFailure",\r\n "message": "The resource operation completed with terminal provisioning state 'Failed'.",\r\n "details": [\r\n {\r\n "code": "ProvisioningDisabled",\r\n "message": "Subscriptions are restricted from provisioning in this region. Please choose a different region. For exceptions to this rule please open a support request with Issue type of 'Service and subscription limits'. See https://docs.microsoft.com/en-us/azure/sql-database/quota-increase-request for more details."\r\n }\r\n ]\r\n }\r\n}"
}
]
}
},
"targetResource": {
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deploySql",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deploySql"
}
}
}
]

DEPLOYMENT.JSON
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/Microsoft.Template-20211214084404",
"name": "Microsoft.Template-20211214084404",
"type": "Microsoft.Resources/deployments",
"tags": {
"marketplaceItemId": "Microsoft.Template"
},
"properties": {
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/azure-saas/main/src/Saas.Deployment/Saas.Deployment.Root/azuredeploy.json",
"contentVersion": "1.0.0.0"
},
"templateHash": "11589629160719704561",
"parameters": {
"saasProviderName": {
"type": "String",
"value": "vorobote"
},
"saasEnvironment": {
"type": "String",
"value": "dev"
},
"saasLocation": {
"type": "String",
"value": "westus3"
},
"saasInstanceNumber": {
"type": "String",
"value": "004"
},
"cosmosDbAccountName": {
"type": "String",
"value": "cosmos-vorobote-dev-004"
},
"cosmosDbDatabaseName": {
"type": "String",
"value": "cosmos-vorobote-dev-004"
},
"sqlAdministratorLogin": {
"type": "String",
"value": "vorboteadmin"
},
"sqlAdministratorLoginPassword": {
"type": "SecureString"
},
"sqlServerName": {
"type": "String",
"value": "sql-vorobote-dev-004"
},
"sqlElasticPoolName": {
"type": "String",
"value": "sql-elasticpool-vorobote-dev-004"
},
"sqlEdition": {
"type": "String",
"value": "Basic"
},
"sqlElasticPoolCapacity": {
"type": "Int",
"value": 50
},
"sqlDatabaseCapacityMax": {
"type": "Int",
"value": 5
}
},
"mode": "Incremental",
"debugSetting": {
"detailLevel": "None"
},
"provisioningState": "Failed",
"timestamp": "2021-12-14T16:45:58.4844086Z",
"duration": "PT1M9.4330677S",
"correlationId": "6d040372-807f-4cfb-b4ad-e4beff8f5ecb",
"providers": [
{
"namespace": "Microsoft.Resources",
"resourceTypes": [
{
"resourceType": "deployments",
"locations": [
null
]
}
]
}
],
"dependencies": [
{
"dependsOn": [
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deployCosmosDb",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deployCosmosDb"
},
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deploySql",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deploySql"
}
],
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deployProviderWebApp",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deployProviderWebApp"
},
{
"dependsOn": [
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deploySql",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deploySql"
},
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deployProviderWebApp",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deployProviderWebApp"
}
],
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deployOnboardingApiApp",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deployOnboardingApiApp"
},
{
"dependsOn": [
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deployCosmosDb",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deployCosmosDb"
},
{
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deploySql",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deploySql"
}
],
"id": "/subscriptions/730bfc87-e487-4637-8f1a-85b39255ff53/resourceGroups/vorobte4/providers/Microsoft.Resources/deployments/deployAdminWebApp",
"resourceType": "Microsoft.Resources/deployments",
"resourceName": "deployAdminWebApp"
}
],
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details."
},
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details."
}
]
},
"validationLevel": "Template"
}
}
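
In the deployment operations output above, the actual causes (`ServiceUnavailable`, `ProvisioningDisabled`) sit two levels down, inside a `message` string that is itself serialized JSON. The following Python example, added here and not part of the issue or of the ASDK code base, walks that nesting and reports the innermost error per failed resource; the sample operations are constructed, and the function names and the `deployStorage` resource are hypothetical.

```python
import json


def _failed_op(resource, leaf_code, leaf_message):
    """Build a constructed failed operation shaped like the quoted ARM output."""
    inner = json.dumps({"status": "Failed", "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [{"code": leaf_code, "message": leaf_message}]}})
    return {"properties": {
        "provisioningState": "Failed",
        "statusMessage": {"status": "Failed", "error": {
            "code": "DeploymentFailed",
            "message": "At least one resource deployment operation failed.",
            # The nested failure arrives as JSON serialized into a string.
            "details": [{"code": "Conflict", "message": inner}]}},
        "targetResource": {"resourceName": resource}}}


# Constructed sample: codes and resource names mirror the issue, messages are shortened.
SAMPLE_OPERATIONS = [
    _failed_op("deployCosmosDb", "ServiceUnavailable", "High demand in this region."),
    _failed_op("deploySql", "ProvisioningDisabled", "Region restricted for this subscription."),
    {"properties": {"provisioningState": "Succeeded",
                    "targetResource": {"resourceName": "deployStorage"}}},
]


def leaf_errors(err):
    """Yield (code, message) for the innermost errors of an ARM error object."""
    if isinstance(err.get("error"), dict):   # wrapper: {"status": ..., "error": {...}}
        err = err["error"]
    nested = [d for d in err.get("details") or [] if isinstance(d, dict)]
    msg = err.get("message")
    if isinstance(msg, str) and msg.lstrip().startswith("{"):
        try:
            parsed = json.loads(msg)         # message is itself serialized JSON
        except ValueError:
            parsed = None                    # plain text that only looks like JSON
        if isinstance(parsed, dict):
            nested.append(parsed)
    if not nested:
        yield err.get("code"), msg
        return
    for child in nested:
        yield from leaf_errors(child)


def root_causes(operations):
    """Map each failed target resource to its innermost (code, message) pairs."""
    causes = {}
    for op in operations:
        props = op.get("properties", {})
        status = props.get("statusMessage")
        if props.get("provisioningState") != "Failed" or not isinstance(status, dict):
            continue
        name = props.get("targetResource", {}).get("resourceName", "<unknown>")
        causes.setdefault(name, []).extend(leaf_errors(status))
    return causes
```

To use it on a real deployment, pass `root_causes` the list obtained by `json.load` from an exported deployment operations file.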

Azure CLI 2.46 introduces breaking changes

Bicep deployment fails due to issues with parameters not being passed properly when utilizing Azure CLI version 2.46 (Latest Version).

To reproduce, follow the setup instructions in Identity Provider.

Resolved by downgrading version in Dockerfile. Replace the following line:

&& curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

With (taken from the Azure CLI installation script):

apt-transport-https \
lsb-release \
&& sudo mkdir -p /etc/apt/keyrings \
&& curl -sLS https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null \
&& sudo chmod go+r /etc/apt/keyrings/microsoft.gpg \
&& AZ_REPO=$(lsb_release -cs) \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | sudo tee /etc/apt/sources.list.d/azure-cli.list \
&& sudo apt-get update \
&& sudo apt-get install azure-cli=2.45.0-1~jammy -y

I used Option 2: Setup Identity Framework - Powershell (Advanced) to run

Describe the bug
Can't set up the infrastructure by script. (https://azure.github.io/azure-saas/quick-start/#option-2-setup-identity-framework---powershell-advanced)
Should any prerequisite be done before running script?

Screenshots
image

node based implementation + questions

I want to integrate a SaaS-based offering into my current dashboard and API, which is node.js based.
Any plans to provide something similar implemented in node?
Can I deploy just the identity part as a separate microservice? Does that have a node-based implementation?

Retention settings failure

Failure on running start.sh of permission deployment

"details":[{"code":"BadRequest","target":"/subscriptions/ad4c9615-c9ee-4529-aca8-cb5a32e96b96/resourceGroups/rg-fc-para-tzqf/providers/Microsoft.Resources/deployments/PermissionApi","message":"{\r\n "code": "BadRequest",\r\n "message": "Diagnostic settings does not support retention for new diagnostic settings."\r\n}"}]}]}]}}

I think Azure changed the ability to configure diagnostic settings programmatically very recently. Related issue:
hashicorp/terraform-provider-azurerm#23051

This error seemed to be resolved by setting the retention policy days to 0 in
.../src/Saas.Lib/Saas.Bicep.Module/appServiceModuleWithObservability.bicep

unable to successfully complete run.sh for SaaS Permissions service API

Describe the bug
Following the instructions of the Identity Framework, I was able to complete a successful deployment.

Running ./setup.sh from src/Saas.Identity/Saas.Permissions/deployment completes successfully.

But when attempting to ./run.sh from the previous folder, I get an error:

SaaS Administration Service API

Provisioning the SaaS Administration Service API...
The file /asdk/src/Saas.Identity/Saas.Permissions/deployment/bicep/parameters/app-service-parameters.json does not exist, creating it now
cp: cannot stat '/asdk/src/Saas.Identity/Saas.Permissions/deployment/bicep/parameters/parameters-template.json': No such file or directory

I tried to manually create the directory and copy the file over manually, but this did not work.
I also tried to run src/Saas.Lib/Deployment.Script.Modules/deploy-app-service.sh manually, but I must need the wrapper scripts first, as I got the error:
./deploy-app-service.sh: line 8: ASDK_DEPLOYMENT_SCRIPT_PROJECT_BASE: unbound variable

Screenshot 2023-05-28 165930

Provide support for additional languages

The current Azure SaaS Dev Kit is written in .NET. It has been requested that we provide additional implementations in other languages such as Javascript/Node, Python, Java, and more.

Please react to this issue with a 👍 if this is important to you so we can gauge the interest of the community.
