« Grrrr DevOps Pipeline... premier gros crash 😤/en » : différence entre les versions

De wikili
Aller à la navigation Aller à la recherche
VisuelWikicode
Page créée avec « Grrrr DevOps Pipeline... first major crash 😤 »
 
Page créée avec « </syntaxhighlight>WorkArround<syntaxhighlight lang="powershell"> $azAccountsVersion = (Get-Module -ListAvailable -Name Az.Accounts | Sort-Object Version -Descending | Select-Object -First 1).Version $dexResourceUrl = 'https://database.windows.net/' if ($azAccountsVersion -ge [Version]'5.0.0') { write-host "Az.Accounts 5.0.0 and above" $AccessTokenSecure = (Get-AzAccessToken -ResourceUrl $dexResourceUrl).Token $token = ConvertFrom-SecureString -Sec... »
 
(10 versions intermédiaires par le même utilisateur non affichées)
Ligne 1 : Ligne 1 :
<languages/>
<languages/>
<div lang="fr" dir="ltr" class="mw-content-ltr">
I knew Microsoft had given a warning… but as usual, no one really took it seriously 😅
Je savais que Microsoft avait prévenu… mais comme souvent, personne n’a vu passer l’info sérieusement 😅
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
We work in a fullstack DevOps team, with scripts that call SQL procedures in thousands of Azure SQL databases, whether for maintenance, exports, cleanup… you know, the usual stuff.
On bosse dans une équipe ''fullstack DevOps'', avec des scripts qui appellent des procédures SQL dans des '''milliers de bases Azure SQL''', que ce soit pour de la maintenance, des exports, du nettoyage… bref, du classique.
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
And for that, '''we use the token obtained with the Get-AzAccessToken function<code>Get-AzAccessToken</code>'''..
Et pour ça, '''on utilise le token obtenu avec la fonction <code>Get-AzAccessToken</code>'''.
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
The catch? Microsoft continuously updates their backend. So the Azure Pipeline pool that runs our PowerShell scripts gets updated automatically, without any action on our part.
Le hic ? Microsoft met à jour en continu leur backend. Donc le '''pool d’Azure Pipeline''' qui exécute nos scripts PowerShell est mis à jour automatiquement, sans intervention de notre part.
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
And this Sunday… boom 💥: they updated the Az.Accounts module from version 4 to 5, with a major breaking change:
Et ce dimanche… '''patatras 💥''' : ils ont mis à jour le module '''Az.Accounts de la version 4 vers la 5''', avec un '''breaking change majeur''' :<blockquote>Le token n’est plus retourné en <code>String</code>, mais en <code>SecureString</code> !</blockquote>Résultat ? Toutes les fonctions plus anciennes qui manipulent ces tokens n’arrivent plus à les lire, et '''ça casse tout. En prod.''' 😩
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
    The token is no longer returned as a String, but as a SecureString!
Le pire ? Comme tout tourne dans un backend, '''on ne remonte pas les warnings''', donc '''personne ne l’a vu venir'''. C’est seulement une fois que les exports sont tombés en erreur qu’on a compris.
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
The result? All the older functions that handle these tokens can’t read them anymore, and everything breaks. In production. 😩
🎓 Leçon apprise : ne jamais ignorer les warnings… même s’ils sont planqués dans les logs.
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
The worst part? Since everything runs in the backend, we don’t get any warnings, so no one saw it coming. It was only after the exports started failing that we realized what was going on.
🔧 Fix : il faut ajouter le paramètre <code>-AsPlainText</code> dans certains cas ou revoir complètement la gestion du token selon le module utilisé.
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
🎓 Lesson learned: never ignore warnings… even if they're buried deep in the logs.
Voici le warning qu’on aurait dû prendre au sérieux :
 
</div>
🔧 Fix: you need to add the -AsPlainText parameter in some cases, or completely revise how the token is handled depending on the module version used.
 
Here’s the warning we should have taken seriously:


<div lang="fr" dir="ltr" class="mw-content-ltr">
<syntaxhighlight lang="pwsh">
<syntaxhighlight lang="pwsh">
get-azaccesstoken
get-azaccesstoken
Ligne 44 : Ligne 29 :
- The change is expected to take effect in Az.Accounts version : '5.0.0'
- The change is expected to take effect in Az.Accounts version : '5.0.0'
Note : https://aka.ms/azps-changewarnings
Note : https://aka.ms/azps-changewarnings
</div>


<div lang="fr" dir="ltr" class="mw-content-ltr">
</syntaxhighlight>WorkArround<syntaxhighlight lang="powershell">
</syntaxhighlight>WorkArround<syntaxhighlight lang="powershell">
$azAccountsVersion = (Get-Module -ListAvailable -Name Az.Accounts | Sort-Object Version -Descending | Select-Object -First 1).Version
$azAccountsVersion = (Get-Module -ListAvailable -Name Az.Accounts | Sort-Object Version -Descending | Select-Object -First 1).Version
Ligne 59 : Ligne 42 :
}
}
</syntaxhighlight>
</syntaxhighlight>
</div>
[[Catégorie:Boîte à idées]]
[[Catégorie:Boîte à idées]]

Dernière version du 5 juin 2025 à 14:55

Autres langues :

I knew Microsoft had given a warning… but as usual, no one really took it seriously 😅

We work in a fullstack DevOps team, with scripts that call SQL procedures in thousands of Azure SQL databases, whether for maintenance, exports, cleanup… you know, the usual stuff.

And for that, we use the token obtained with the Get-AzAccessToken functionGet-AzAccessToken..

The catch? Microsoft continuously updates their backend. So the Azure Pipeline pool that runs our PowerShell scripts gets updated automatically, without any action on our part.

And this Sunday… boom 💥: they updated the Az.Accounts module from version 4 to 5, with a major breaking change: 

   The token is no longer returned as a String, but as a SecureString!

The result? All the older functions that handle these tokens can’t read them anymore, and everything breaks. In production. 😩

The worst part? Since everything runs in the backend, we don’t get any warnings, so no one saw it coming. It was only after the exports started failing that we realized what was going on.

🎓 Lesson learned: never ignore warnings… even if they're buried deep in the logs.

🔧 Fix: you need to add the -AsPlainText parameter in some cases, or completely revise how the token is handled depending on the module version used.

Here’s the warning we should have taken seriously: 

get-azaccesstoken
WARNING: Upcoming breaking changes in the cmdlet 'Get-AzAccessToken' :
The Token property of the output type will be changed from String to SecureString. Add the [-AsSecureString] switch to avoid the impact of this upcoming breaking change.
- The change is expected to take effect in Az version : '14.0.0'
- The change is expected to take effect in Az.Accounts version : '5.0.0'
Note : https://aka.ms/azps-changewarnings

WorkArround

$azAccountsVersion = (Get-Module -ListAvailable -Name Az.Accounts | Sort-Object Version -Descending | Select-Object -First 1).Version
$dexResourceUrl   = 'https://database.windows.net/'
if ($azAccountsVersion -ge [Version]'5.0.0') {
    write-host  "Az.Accounts 5.0.0 and above"
    $AccessTokenSecure = (Get-AzAccessToken -ResourceUrl $dexResourceUrl).Token
    $token  = ConvertFrom-SecureString -SecureString $AccessTokenSecure -AsPlainText
} else {
    write-host  "Az.Accounts below 5.0.0"
    $token = (Get-AzAccessToken -ResourceUrl $dexResourceUrl).Token
}
Récupérée de "http://wiki.lli.be/index.php?title=Grrrr_DevOps_Pipeline..._premier_gros_crash_😤/en&oldid=416"