cmd/deploy: Handle error due to missing permissions during deploy (#2297

) * Handle error due to missing permissions during deploy * CreateRoleAssignmentSimple can already return an error. Use this if a status 403 (not enough permissions) occurs. This is opposed to status 404 that seems to be issued to signal work in progress during service principal generation (by arm). * autoFillApimodel: remove the duplicated retry logic of CreateRoleAssignmentSimple. this allows to properly fail if CreateRoleAssignmentSimple returns an error * style fix: gofmt -s
Azure · Feb 20, 2018 · bd362d9 · bd362d9
1 parent e5774d7
commit bd362d9
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 10 deletions.
diff --git a/cmd/deploy.go b/cmd/deploy.go
@@ -215,14 +215,11 @@ func autofillApimodel(dc *deployCmd) {
 			log.Warnf("created application with applicationID (%s) and servicePrincipalObjectID (%s).", applicationID, servicePrincipalObjectID)
 
 			log.Warnln("apimodel: ServicePrincipalProfile was empty, assigning role to application...")
-			for {
-				err = dc.client.CreateRoleAssignmentSimple(dc.resourceGroup, servicePrincipalObjectID)
-				if err != nil {
-					log.Debugf("Failed to create role assignment (will retry): %q", err)
-					time.Sleep(3 * time.Second)
-					continue
-				}
-				break
+
+			err = dc.client.CreateRoleAssignmentSimple(dc.resourceGroup, servicePrincipalObjectID)
+			if err != nil {
+				log.Fatalf("apimodel: could not create or assign ServicePrincipal: %q", err)
+
 			}
 
 			dc.containerService.Properties.ServicePrincipalProfile = &api.ServicePrincipalProfile{

diff --git a/pkg/armhelpers/graph.go b/pkg/armhelpers/graph.go
@@ -2,14 +2,14 @@ package armhelpers
 
 import (
 	"fmt"
-	"time"
-
 	"github.com/Azure/azure-sdk-for-go/arm/authorization"
 	"github.com/Azure/azure-sdk-for-go/arm/graphrbac"
 	"github.com/Azure/go-autorest/autorest/date"
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/satori/go.uuid"
 	log "github.com/sirupsen/logrus"
+	"regexp"
+	"time"
 )
 
 const (
@@ -97,13 +97,20 @@ func (az *AzureClient) CreateRoleAssignmentSimple(resourceGroup, servicePrincipa
 		},
 	}
 
+	re := regexp.MustCompile("(?i)status=(\\d+)")
 	for {
 		_, err := az.CreateRoleAssignment(
 			scope,
 			roleAssignmentName,
 			roleAssignmentParameters,
 		)
 		if err != nil {
+			match := re.FindStringSubmatch(err.Error())
+			if match != nil && (match[1] == "403") {
+				//insufficient permissions. stop now
+				log.Debugf("Failed to create role assignment (will abort now): %q", err)
+				return err
+			}
 			log.Debugf("Failed to create role assignment (will retry): %q", err)
 			time.Sleep(3 * time.Second)
 			continue