From 15c208964e16ad101960cf0ab685b5062b6f55ad Mon Sep 17 00:00:00 2001 From: Emmanuel Knafo Date: Thu, 30 Apr 2026 21:25:13 -0400 Subject: [PATCH] fix(workflows): restart App Services after UAMI SQL grant AB#2228 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - restart mapaq-* App Services after Entra group-add so SqlClient drops the cached failed-auth token captured before membership - promote silent group-add error to fatal; tolerate already-member - mirror behaviour of working .azuredevops/pipelines/deploy.yml Fixes AB#2228 🔁 - Generated by Copilot
---
 .github/workflows/deploy.yml | 52 +++++++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 3b408b9..8b1274f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -76,16 +76,56 @@ jobs:
 echo "endpoint=$endpoint" >> "$GITHUB_OUTPUT"
 - name: Grant UAMI SQL access via Entra group
+ id: grant_sql
 run: |
- # Retrieve the UAMI principal ID from azd env outputs
+ set -euo pipefail
+ # Retrieve the UAMI principal ID from azd env outputs (falls back to Azure CLI lookup).
 uami_principal_id=$(azd env get-value UAMI_PRINCIPAL_ID 2>/dev/null || \
 az identity show \
 --name "$(azd env get-value UAMI_NAME)" \
 --resource-group "$(azd env get-value AZURE_RESOURCE_GROUP)" \
 --query principalId -o tsv)
+ echo "Adding UAMI principal $uami_principal_id to Entra group $SQL_ADMIN_GROUP_ID"
- # Add UAMI to the SQL admin Entra group (idempotent — ignores if already member)
- az ad group member add \
- --group "$SQL_ADMIN_GROUP_ID" \
- --member-id "$uami_principal_id" 2>/dev/null \
- || echo "UAMI already a member of SQL admin group (or insufficient permissions — verify manually)"
+ # Add UAMI to the SQL admin Entra group. The CLI returns non-zero with stderr
+ # 'One or more added object references already exist' when the principal is
+ # already a member; treat that as success. Any other error is fatal so the
+ # workflow does not silently leave the API broken (AB#2228).
+ if err=$(az ad group member add \
+ --group "$SQL_ADMIN_GROUP_ID" \
+ --member-id "$uami_principal_id" 2>&1); then
+ echo "OK: UAMI added to group."
+ elif echo "$err" | grep -qiE 'already exist|One or more added object references'; then
+ echo "OK: UAMI is already a member of group."
+ else
+ echo "::error::Failed to add UAMI to SQL admin Entra group: $err"
+ exit 1
+ fi
+ echo "uami_principal_id=$uami_principal_id" >> "$GITHUB_OUTPUT"
+
+ # Restart the App Services so their SqlClient connection pools drop the
+ # cached failed-auth tokens captured before the UAMI was added to the
+ # SQL admin Entra group. Without this, /api/establishments returns 500
+ # until something else triggers a restart (AB#2228).
+ - name: Restart App Services to refresh SQL token (AB#2228)
+ run: |
+ set -euo pipefail
+ rg="$(azd env get-value AZURE_RESOURCE_GROUP)"
+ mapfile -t apps < <(az resource list \
+ --resource-group "$rg" \
+ --resource-type Microsoft.Web/sites \
+ --query "[?starts_with(name, 'mapaq-')].name" -o tsv)
+ if [[ ${#apps[@]} -eq 0 ]]; then
+ echo "::warning::No mapaq-* App Services found in $rg; nothing to restart."
+ exit 0
+ fi
+ for app in "${apps[@]}"; do
+ echo ">> Restarting $app"
+ az webapp restart --resource-group "$rg" --name "$app"
+ done
+ {
+ echo "### App Service restarts (AB#2228)"
+ echo ""
+ echo "Restarted ${#apps[@]} App Service(s) in \`$rg\` to refresh the SQL access token after adding the UAMI to the SQL admin Entra group:"
+ for app in "${apps[@]}"; do echo "- \`$app\`"; done
+ } >> "$GITHUB_STEP_SUMMARY"
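Review bot: The `mapfile -t apps < <(az resource list …)` in the restart step hides a failing `az resource list`: a command inside a process substitution is not checked by `set -e`, so an auth or CLI error yields an empty array and the step logs `No mapaq-* App Services found` and exits 0 instead of failing, which is exactly the silent-success mode the grant step was just fixed to avoid. Capturing the listing into a variable first makes that failure fatal, as shown below. The four-line `# Restart the App Services …` comment at the tail of the `grant_sql` script describes the next step rather than anything in that script; move it into the restart step's `run:` block (or above its `- name:` as a YAML comment). The new `uami_principal_id` output of `grant_sql` is not read by anything in this hunk; if no later step consumes it, it can be dropped together with `id: grant_sql`.
```yaml
      run: |
        set -euo pipefail
        rg="$(azd env get-value AZURE_RESOURCE_GROUP)"
        # Capture first: an 'az' failure inside '< <(...)' is invisible to set -e
        # and would be reported as "nothing to restart" instead of failing the step.
        names=$(az resource list \
          --resource-group "$rg" \
          --resource-type Microsoft.Web/sites \
          --query "[?starts_with(name, 'mapaq-')].name" -o tsv)
        mapfile -t apps < <(printf '%s' "$names")
        # … unchanged: empty-list warning, restart loop, step summary …
```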