machinelearningservices: workspace API isn't returning publicNetworkAccess #18601

Open
stephybun opened this issue Apr 7, 2022 · 10 comments
Labels
customer-reported Issues that are reported by GitHub users external to the Azure organization. Machine Learning question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team.

stephybun commented Apr 7, 2022

Service: Machine Learning Services
API Version: 2021-07-01

Hello,

We want to expose the field publicNetworkAccess in the Terraform resource for Machine Learning Workspaces. Unfortunately this field isn't returned from the API regardless of whether it is set to Enabled or Disabled (example PUT and GET down below with IDs redacted). It also looks like setting this field doesn't do anything; when I inspect the workspace in the portal it still says that public network access is allowed for all networks.

Can you please update the API so that setting this field sets public network access properly and also that this field is returned by the API.

Thanks!

cc. @denniseik

PUT

{
  "identity": {
    "type": "SystemAssigned"
  },
  "location": "westeurope",
  "properties": {
    "allowPublicAccessWhenBehindVnet": true,
    "applicationInsights": ***,
    "containerRegistry": ***,
    "description": "Test machine learning workspace",
    "encryption": {
      "status": "Enabled",
      "identity": {},
      "keyVaultProperties": {
        "keyVaultArmId": ***,
        "keyIdentifier": ***
      }
    },
    "friendlyName": "test-workspace",
    "hbiWorkspace": true,
    "imageBuildCompute": "terraformCompute",
    "keyVault": ***,
    "publicNetworkAccess": "Enabled",
    "storageAccount": ***
  },
  "sku": {
    "name": "Basic",
    "tier": "Basic"
  },
  "tags": {
    "ENV": "Test"
  }
}

GET

{
  "id": ***,
  "name": "acctest-MLW-2204071344164086",
  "type": "Microsoft.MachineLearningServices/workspaces",
  "location": "westeurope",
  "tags": {
    "ENV": "Test"
  },
  "etag": null,
  "properties": {
    "friendlyName": "test-workspace",
    "description": "Test machine learning workspace",
    "storageAccount": ***,
    "keyVault": ***,
    "applicationInsights": ***,
    "hbiWorkspace": true,
    "tenantId": ***,
    "imageBuildCompute": "terraformCompute",
    "provisioningState": "Succeeded",
    "containerRegistry": ***,
    "notebookInfo": {
      "resourceId": "72c7e7d8d62c4eca8e558cb7e45cf9e0",
      "fqdn": "ml-acctest-mlw--westeurope-941a184a-d1eb-4694-88ba-55126f8e17e0.notebooks.azure.net",
      "isPrivateLinkEnabled": false,
      "notebookPreparationError": null
    },
    "serviceProvisionedResourceGroup": ***,
    "serviceManagedResourcesSettings": {
      "cosmosDb": {
        "collectionsThroughput": 8000
      }
    },
    "storageHnsEnabled": false,
    "workspaceId": "941a184a-d1eb-4694-88ba-55126f8e17e0",
    "linkedModelInventoryArmId": null,
    "privateLinkCount": 0,
    "allowPublicAccessWhenBehindVnet": true,
    "discoveryUrl": "https://westeurope.api.azureml.ms/discovery",
    "mlFlowTrackingUri": ***,
    "sdkTelemetryAppInsightsKey": ***,
    "encryption": {
      "status": "Enabled",
      "identity": {
        "userAssignedIdentity": null
      },
      "keyVaultProperties": {
        "keyIdentifier": ***,
        "identityClientId": null,
        "keyVaultArmId": ***
      },
      "cosmosDbResourceId": ***,
      "storageAccountResourceId": ***,
      "searchAccountResourceId": ***
    }
  },
  "identity": {
    "type": "SystemAssigned",
    "principalId": "5eac07d7-047c-4986-bb08-e38681b664a9",
    "tenantId": "26e25406-6564-4a26-98ee-c71ba03235ad"
  },
  "sku": {
    "name": "Basic",
    "tier": "Basic"
  },
  "systemData": {
    "createdAt": "2022-04-07T11:47:39.9199045Z",
    "createdBy": "af46c99c-71b9-47cf-84f7-4f303c7596a1",
    "createdByType": "Application",
    "lastModifiedAt": "2022-04-07T11:47:39.9199045Z",
    "lastModifiedBy": "af46c99c-71b9-47cf-84f7-4f303c7596a1",
    "lastModifiedByType": "Application"
  }
}

ghost commented Apr 11, 2022

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @azureml-github.

deeikele commented May 3, 2022

Acknowledged and investigating

@deeikele

@stephybun publicNetworkAccess is returned from the January 01 2022 API version onwards. Could you please validate this fixes your workflow?

@SudoSpartanDan

I think the issue was that it was working before. Did something on the prior API version change? This was working just fine about a month ago and now it's not working as designed. See hashicorp/terraform-provider-azurerm#16177 (comment)

@deeikele

@SudoSpartanDan We haven't made changes in the backend to this, and I'm wondering if this property was working earlier correctly. Could you please validate this again? @xuzhang3 and team as fyi. The issue you have referenced was created by one of our devs as a heads up for this flow to be broken.

@SudoSpartanDan

@deeikele, still broken. We don't necessarily care about the value being returned either; the main issue is with setting the value with PUT, which is not working as intended. It was working about a month ago when we set up Azure ML for our organization, but, since then, I can't programmatically adjust it at all since it automatically sets that setting back to Enabled, which we don't want.

I've had a MSFT ticket open for this for a while now (#2204200040005290) and it seems from both sides I'm getting the same answer; just use the newer API version. Very frustrating from our side since there are several layers of abstraction, including Azure's own azure-sdk-for-go which doesn't even implement the newest API version, that prevent us from just "using the newer version".

@xuzhang3
Contributor

@deeikele Terraform AzureRM uses API v2021-07-01, but the portal is not using this version. I tried to reproduce the error and found that the portal uses v2021-10-01; the properties returned by the two APIs are different.
v2021-07-01 vs v2021-10-01

Response from portal (v2021-10-01):

@deeikele

I've followed up over email @xuzhang3. I can confirm the call below is successful using the workspace REST API:

{
  "location": "eastus",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "friendlyName": "Test workspace",
    "description": "test description",
    "publicNetworkAccess": "Disabled"
    ..
  }
}

@xuzhang3
Contributor

Seems there is no other way except to upgrade the API from v2021-07-01 to v2021-10-01 to cover this breaking change.

@keisari-ch

Hi,

Not sure, but I guess that also breaks compliance evaluations for builtin policies :
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PublicNetworkAccessDisabled_Audit.json


2018-11-19:
"allowPublicAccessWhenBehindVnet": false,

2021-07-01:
"allowPublicAccessWhenBehindVnet": false,

2021-10-01:
"publicNetworkAccess": "Disabled",

2022-05-01:
"publicNetworkAccess": "Disabled",

Didn't find a way to know which API version is used by Policy Evaluations.
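
A read-back check that a provider or compliance script could run after the PUT, given the behaviour reported in this thread (the field is absent from 2021-07-01 responses, and the setting is reported to revert to Enabled). This is an added example, not code from the issue, the Terraform provider or any Azure SDK; the sample bodies are constructed and trimmed from those posted above, and the function names are hypothetical.

```python
import json

# Constructed, trimmed PUT body modelled on the one in this issue; the
# requested value is "Disabled" to mirror the case reported in the comments.
PUT_BODY = json.loads("""{"properties": {
  "allowPublicAccessWhenBehindVnet": true,
  "friendlyName": "test-workspace",
  "hbiWorkspace": true,
  "publicNetworkAccess": "Disabled"}}""")
# Constructed, trimmed GET response in the shape shown above for 2021-07-01.
GET_2021_07_01 = json.loads("""{"properties": {
  "friendlyName": "test-workspace",
  "hbiWorkspace": true,
  "privateLinkCount": 0,
  "allowPublicAccessWhenBehindVnet": true}}""")
# Constructed response in the shape reported in the thread for 2021-10-01.
GET_2021_10_01 = json.loads("""{"properties": {
  "friendlyName": "test-workspace",
  "hbiWorkspace": true,
  "publicNetworkAccess": "Enabled"}}""")


def unconfirmed_properties(put_body, get_body):
    """Return {name: reason} for each requested property the GET does not confirm."""
    sent = put_body.get("properties", {})
    seen = get_body.get("properties", {})
    problems = {}
    for name, wanted in sent.items():
        if name not in seen:
            problems[name] = "not returned"
        elif seen[name] != wanted:
            problems[name] = f"requested {wanted!r}, got {seen[name]!r}"
    return problems


def public_access_state(get_body):
    """Classify exposure; a missing field is 'unknown', never 'disabled'."""
    value = get_body.get("properties", {}).get("publicNetworkAccess")
    if value is None:
        return "unknown"
    return "disabled" if value.lower() == "disabled" else "enabled"


if __name__ == "__main__":
    for label, resp in [("2021-07-01", GET_2021_07_01), ("2021-10-01", GET_2021_10_01)]:
        print(label, public_access_state(resp), unconfirmed_properties(PUT_BODY, resp))
```

Treating an absent field as "unknown" keeps an audit from passing a workspace whose exposure was never actually read.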
