{Role} ad sp create-for-rbac: Retry Service Principal creation for …

…"must in the local tenant" error (#17412)
Azure · Apr 8, 2021 · 5544a0f · 5544a0f
1 parent 116bdd5
commit 5544a0f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py
@@ -1454,10 +1454,14 @@ def create_service_principal_for_rbac(
                 aad_sp = _create_service_principal(cmd.cli_ctx, app_id, resolve_app=False)
                 break
             except Exception as ex:  # pylint: disable=broad-except
+                err_msg = str(ex)
                 if retry_time < _RETRY_TIMES and (
-                        ' does not reference ' in str(ex) or ' does not exist ' in str(ex)):
+                        ' does not reference ' in err_msg or
+                        ' does not exist ' in err_msg or
+                        'service principal being created must in the local tenant' in err_msg):
+                    logger.warning("Creating service principal failed with error '%s'. Retrying: %s/%s",
+                                   err_msg, retry_time + 1, _RETRY_TIMES)
                     time.sleep(5)
-                    logger.warning('Retrying service principal creation: %s/%s', retry_time + 1, _RETRY_TIMES)
                 else:
                     logger.warning(
                         "Creating service principal failed for appid '%s'. Trace followed:\n%s",

diff --git a/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_graph.py b/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_graph.py
@@ -325,6 +325,25 @@ def test_create_for_rbac_idempotent(self):
             finally:
                 self.cmd('ad sp delete --id {name}')
 
+    @mock.patch('azure.cli.command_modules.role.custom._auth_client_factory')
+    @mock.patch('azure.cli.command_modules.role.custom._graph_client_factory')
+    @mock.patch('azure.cli.command_modules.role.custom._create_service_principal')
+    @mock.patch('azure.cli.command_modules.role.custom.create_application')
+    def test_create_for_rbac_retry(self, create_application_mock, create_service_principal_mock,
+                                   graph_client_factory_mock, auth_client_factory_mock):
+        graph_client_factory_mock.return_value.config.tenant_id = '00000001-0000-0000-0000-000000000000'
+        create_application_mock.return_value.app_id = '00000000-0000-0000-0000-000000000000'
+        create_service_principal_mock.side_effect = [
+            # Mock replication exceptions
+            Exception("The appId '00000000-0000-0000-0000-000000000000' of the service principal "
+                      "does not reference a valid application object."),
+            Exception("When using this permission, the backing application of the service principal being "
+                      "created must in the local tenant"),
+            # Success
+            mock.MagicMock()
+        ]
+        self.cmd('ad sp create-for-rbac --skip-assignment')
+
 
 class GraphGroupScenarioTest(ScenarioTest):