"az webapp config ssl bind" command passes partial site object causing Azure policy enforcement to fail when it shouldn't

[joerob-msft]

Describe the bug

Create an Azure Policy set to Deny when HTTPS Only is not set on an app

Use CLI to bind certificate to app

az webapp config ssl bind -certificate THUMBPRINT ...

EXPECTED
Command succeeds

ACTUAL
Command fails with policy exception even though HTTPS Only is set on site

This bug appears due to the following code:

The code here to update bindings is passing a partial object for the site, which causes the policy to fail

https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/appservice/custom.py

def _update_host_name_ssl_state(cmd, resource_group_name, webapp_name, webapp,
                                host_name, ssl_state, thumbprint, slot=None):
    Site, HostNameSslState = cmd.get_models('Site', 'HostNameSslState')
    updated_webapp = Site(host_name_ssl_states=[HostNameSslState(name=host_name,
                                                                 ssl_state=ssl_state,
                                                                 thumbprint=thumbprint,
                                                                 to_update=True)],
                          location=webapp.location, tags=webapp.tags)
    return _generic_site_operation(cmd.cli_ctx, resource_group_name, webapp_name, 'begin_create_or_update',
                                   slot, updated_webapp)

Related command

az webapp config ssl bind

Errors

ARM 403 response, Policy Deny is applied

Issue script & Debug output

az webapp config ssl bind --certificate-thumbprint [REDACTED] --name [REDACTED] --resource-group [REDACTED] --ssl-type SNI --debug
cli.knack.cli: Command arguments: ['webapp', 'config', 'ssl', 'bind', '--certificate-thumbprint', '[REDACTED]', '--name', '[REDACTED]', '--resource-group', '[REDACTED]', '--ssl-type', 'SNI', '--debug']

urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/[REDACTED]/resourceGroups/[REDACTED]/providers/Microsoft.Web/sites/[REDACTED]?api-version=2023-01-01 HTTP/1.1" 403 3154
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '3154'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '3ce9927b-3af8-4c02-9dbb-7fb160bf08ce'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '3ce9927b-3af8-4c02-9dbb-7fb160bf08ce'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SOUTHEASTASIA:20240905T014741Z:3ce9927b-3af8-4c02-9dbb-7fb160bf08ce'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: A309F47AB78A4056A7B1FEF28C329DC2 Ref B: MAA201060514053 Ref C: 2024-09-05T01:47:41Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 05 Sep 2024 01:47:40 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"RequestDisallowedByPolicy","target":"auedevbuidad01legacyauth01","message":"Resource 'auedevbuidad01legacyauth01' was disallowed by policy. Policy identifiers: [REDACTED]
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.9/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/init.py", line 664, in execute
raise ex
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/init.py", line 731, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/init.py", line 723, in _run_job
return cmd_copy.exception_handler(ex)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/commands.py", line 46, in _ex_handler
raise ex
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/init.py", line 701, in _run_job
result = cmd_copy(params)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/init.py", line 334, in call
return self.handler(*args, **kwargs)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/custom.py", line 3798, in bind_ssl_cert
return _update_ssl_binding(cmd, resource_group_name, name, certificate_thumbprint,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/custom.py", line 3788, in _update_ssl_binding
_update_host_name_ssl_state(cmd, resource_group_name, name, webapp,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/custom.py", line 3748, in _update_host_name_ssl_state
return _generic_site_operation(cmd.cli_ctx, resource_group_name, webapp_name, 'begin_create_or_update',
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/appservice/_appservice_utils.py", line 21, in _generic_site_operation
if extra_parameter is None else operation(resource_group_name,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
return func(*args, **kwargs)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/mgmt/web/v2023_01_01/operations/_web_apps_operations.py", line 17008, in begin_create_or_update
raw_result = self._create_or_update_initial(
File "/usr/lib64/az/lib/python3.9/site-packages/azure/mgmt/web/v2023_01_01/operations/_web_apps_operations.py", line 16870, in _create_or_update_initial
raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (RequestDisallowedByPolicy)

Expected behavior

Binding call succeeds

Environment Summary

AZURECLI/2.63.0 (RPM)
azsdk-python-core/1.28.0
Python/3.9.19 (Linux-6.1.91.1-microsoft-standard-x86_64-with-glibc2.35)
cloud-shell/1.0

Additional context

Incident 541939186

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.