Unable to fetch registration token for existing host pool to join session hosts about bicep-types-az HOT 20 OPEN

workaround works for me but i had to specify the api version of 2021-01-14-preview. Any other api version seemed to fail.

output token string = reference(hPool.id, '2021-01-14-preview').registrationInfo.token

from bicep-types-az.

this did it once for me:
https://github.com/bfrankMS/AVD-PoC-InfraAsCode/blob/hostpoolnew/pipelines/hostpool/modules/hostpool.bicep
https://github.com/bfrankMS/AVD-PoC-InfraAsCode/blob/hostpoolnew/pipelines/hostpool/avdcomplete.bicep

from bicep-types-az.

from bicep-types-az.

Hi guys,

It seems to be atm so that NO possibility to get the token with BICEP and get sessionhost attached to the hostpool?
At least I am not able to get this to be working.

If you have solution, please share, appriciate it!

Me

from bicep-types-az.

A couple of things going on here, I'm guessing because the value of token is a secret.

• Because token has a value of null, but the output type is string, you get a type mismatch and the deployment fails. I'm not sure I know a way around this, other than to emit the entire parent object (output registrationInfo object = hPool.properties). If this token is a secret, we'd recommend the property be marked as write-only in the RP API spec and the property should not be returned in the response at all. The current behavior may be an ARM RPC violation.
• If token is a secret, it should be exposed with a list* post API. Something like listToken, which would be a safe way to retrieve the secret (including with bicep where you could do hPool.listToken()).

I can pass this along to the relevant RP team, but I would also recommend opening a support case for this issue and for it to be routed to the team that manages this resource type.

from bicep-types-az.

from bicep-types-az.

Feel free to recommend to them they get in touch with me at [email protected] if they need more context. It is not possible for this to be fixed at the bicep level. It is entirely an issue with the resource provider.

from bicep-types-az.

@Preethi-CS

Did you get any response about this? This used to work like a charm but is now broken unfortunately..

from bicep-types-az.

This was working for me too for a long time (months) - last success was as recent as 2nd Nov 22 - but has stopped working really recently, as when i ran this on 8th Nov and today 10th Nov it now returns:
registrationinfo:null

I cant see any changes to the docs to indicate this has been removed from the resource response.

How should I go about raising a ticket for this. Who's the responsible team/owners. Thanks.

from bicep-types-az.

The responsible team is the DesktopVirtualization/hostPools resource provider team. You should be able to provide that detail in the support case and support should then be able to route it to the right spot.

from bicep-types-az.

The responsible team is the DesktopVirtualization/hostPools resource provider team. You should be able to provide that detail in the support case and support should then be able to route it to the right spot.

Alex appreciate this - thanks for the speedy response. I have forwarded details in our support ticket.

As a workaround - I have added a bicep template module that queries the hostpool registration key, using powershell (Get-AzWvdHostPoolRegistrationToken) in a Microsoft.Resources/deploymentScripts, which it returns as an output.
Ref:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-script-bicep

from bicep-types-az.

@prestond123

Thanks for this thread and information on workaround, saved me a lot of time.
Any chance you could post a sample of the deploymentscript you ran? A bit new to this and struggling to get the correct configuration.

from bicep-types-az.

Hi - I was using:

Microsoft.DesktopVirtualization/hostPools@2021-07-12

And this was working fine - From before June - until end of November, but now no longer works.

Ms support suggested using the older Microsoft.DesktopVirtualization/hostPools@2021-01-14-preview as their validation tests shows this as working.

I'm not sure why a newer "non-preview" version of the API would stop working - or if it is advisable to change to an older API version, and/or use a preview version, but this older preview version does still work.

@bendiksygnestveit try this first too.

from bicep-types-az.

...and the support ticket eventually got transferred to our team 😅. I ran a quick test with Azure REST API browser. It turns out that the RP's PUT response schema doesn't match their GET response schema. In the PUT response, registrationInfo is always an object, while in the GET response, it is null.

PUT response:

GET response:

The reason why the output stopped working in early November is because we changed the emitter to always add API versions to resource references, so that each reference uses the response from a GET call instead of PUT request.

The RP will have to fix their service so that GET response schema is consistent with PUT response schema. I'll transfer the support ticket back the RP.

from bicep-types-az.

Had an offline discussion with the RP and learned that the registrationToken property is a secret, which means it should not be accessed directly anyway. The recommended way to access a secret property is to use the list* function. The RP does expose a POST method retrieveRegistrationToken for getting registrationToken, but since the method name doesn't start with list, it won't work with Bicep / ARM templates. To fix the issue the RP will need to:

• Mark the registrationToken as secret in Swagger to block direct access to the registrationToken property
• Expose a new listRegistrationToken API so that we can call hostpools.listRegistrationToken() in Bicep to access the property.

from bicep-types-az.

Having the token accessed via list* would be great. I originally had a template to build the host pool, workspace, application group etc. - but wasn't comfortable passing the token out as an output as this is "more" visible in the Azure UI - I ended up moving the host pool resources backup to the parent template to avoid this, where I could pass to a VM template as a secret.

What sort of release timespan would we expect for this change, understanding this is with RP, but is security related?

from bicep-types-az.

The DesktopVirtualization team will need to comment on timelines for the list* API. In the meantime, you should be able to do a non-idiomatic (and not advised) reference() call in bicep like so:

resource hPool 'Microsoft.DesktopVirtualization/hostPools@2021-07-12' existing = {
  name: hostPoolName
}

output token string = reference(hPool.id).registrationInfo.token

from bicep-types-az.

+1 for the list* function
thanks for the workaround - it worked for me.

from bicep-types-az.

@bfrankMS
I got it work but do not understand what doing wrong. I will do some investigations comparing your code to mine!

Thanks Frank for sharing to me your solution!

from bicep-types-az.

For some reason, moving the parameter from protectedSettings to settings worked!
(as @bfrankMS did, plus using version 2021-02-01-preview )

from bicep-types-az.