Unable to update Defender Profile to Custom Workspace using CLI

[RajiSubramanian]

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az aks update Extension Name: aks-preview. Version: 0.5.87.

Errors:

The command failed with an unexpected error. Here is the traceback:
'AKSPreviewManagedClusterModels' object has no attribute 'ManagedClusterSecurityProfileAzureDefender'
Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/home/raji/.azure/cliextensions/aks-preview/azext_aks_preview/custom.py", line 798, in aks_update
    mc = aks_update_decorator.update_mc_profile_preview()
  File "/home/raji/.azure/cliextensions/aks-preview/azext_aks_preview/managed_cluster_decorator.py", line 1942, in update_mc_profile_preview
    mc = self.update_mc_profile_default()
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/acs/managed_cluster_decorator.py", line 5631, in update_mc_profile_default
    mc = self.update_defender(mc)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/acs/managed_cluster_decorator.py", line 5552, in update_defender
    defender = self.context.get_defender_config()
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/acs/managed_cluster_decorator.py", line 3672, in get_defender_config
    azure_defender = self.models.ManagedClusterSecurityProfileAzureDefender(enabled=enable_defender)
AttributeError: 'AKSPreviewManagedClusterModels' object has no attribute 'ManagedClusterSecurityProfileAzureDefender'

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• Put any pre-requisite steps here...
• az aks update --enable-defender --resource-group {} --name {}

Expected Behavior

Environment Summary

Linux-5.4.0-1085-azure-x86_64-with-glibc2.28 (Cloud Shell), Common Base Linux Delridge (quinault)
Python 3.10.5
Installer: DEB

azure-cli 2.38.0

Extensions:
k8s-extension 1.2.3
interactive 0.4.5
resource-graph 2.1.0
aks-preview 0.5.87
ai-examples 0.2.5
ssh 1.1.2

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

[yonzhan]

route to CXP team

[navba-MSFT]

@RajiSubramanian Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.

[navba-MSFT]

@RajiSubramanian Could you please confirm if you have registered for AKS-AzureDefender before running the command ?
Could you run the below commands in order and check if you are still facing the issue ?

az login

az account set --subscription MySubID

az feature register --namespace Microsoft.ContainerService --name AKS-AzureDefender

az aks update --enable-defender --resource-group MYRGName --name MyAKSClusterName

Awaiting your reply.

[RajiSubramanian]

Yes we ran the commands az aks update --enable-defender --resource-group xxx --name xxx - but still no go - resulted following error - as mentined earlier

[navba-MSFT]

@RajiSubramanian The above PR has been filed and it is currently under review. In the meantime, if you have any questions, please feel free to ask.

[navba-MSFT]

@RajiSubramanian The PR is now merged and the fix will be released in the next version on 2022-08-02 See this: https://github.com/Azure/azure-cli-extensions/milestone/69. We will now proceed with closure of this thread. Please feel free to reopen if you have any follow-up questions. We would be happy to help.

[FumingZhang]

The issue is fixed in the latest version of aks-preview (0.5.91).

This problem can be solved by updating to the latest version of aks-preview without waiting for the new version of azure-cli release.

[RajiSubramanian]

Still we are unable to map the custom log Analytics workspace. and getting redirected to default workspace althoug we have followed the article.

[FumingZhang]

Hi @RajiSubramanian, for your question unable to map the custom log Analytics workspace, could you please share more details about

• what commands do you use?
• what version of cli are you using? (may check by az version)
• which article you are following? (Is it this one?)

Please make sure you have the latest version of aks-preview (current 0.5.91) installed.

To update the defender profile using custom workspace, you need to prepare a json-formatted file like

{
    "logAnalyticsWorkspaceResourceId": "/subscriptions/xxxx/resourcegroups/xxxx/providers/microsoft.operationalinsights/workspaces/xxxx"
}

Assuming the above file name is defender_config.json and is located in the current working directory, use the following command to udpate
az aks update -g <resource_group_name> -n <cluster_name> --enable-defender --defender-config defender_config.json

[FumingZhang]

Some more updates, the command should work fine if you only have azure-cli installed, without aks-preview. However, if you also have aks-preview installed, please use the latest version of aks-preview.

[RajiSubramanian]

No, we have installed AKS-Preview, Azure-Cli and kubernetes version and all are upto date. But still fails to map custom log analytics workspace.

[FumingZhang]

Hi @RajiSubramanian, could you please use logAnalyticsWorkspaceResourceId as the key in the json config (instead of logAnalyticsWorkspaceResourceID) and try agagin?

[RajiSubramanian]

Thanks for your support. The issue is fixed.