Azure Devops Fails with CLI to remove firewall rules when resource group is locked for deletion

[mandarsj]

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
We are using Sql Azure in a resource group , the resource group also has a delete lock to avoid accidental deletion of resources, which is according to us is a standard practice. The sql azure database is updated using code first pattern using Deploy Azure Database task in Azure DevOps . The details in this documentation.

https://docs.microsoft.com/en-us/azure/devops/pipelines/targets/azure-sqldb?view=azure-devops&tabs=yaml

We also found, this task internally adds and removes a firewall rules to sql azure server to allow agent to access the sql serve.

However If resource group is locked for deletion, this scenario fails as pipeline is unable to delete a firewall rule.

This seems a catch 22 situation as we want resource group locked for deletion but also want pipeline to be able to delete firewall rules to access server to deploy database scripts.
To Reproduce

• Create SQL Azure Server and Database

• Setup with code first deployment

• Lock resource group for deletion

• Try to deploy database using azure devops pipeline.

• pipeline fails

Expected behavior

The resource group lock should have an exception for a service principle which is able to bypass this resource lock.

[yonzhan]

route to CXP team

[navba-MSFT]

Adding the Service Attention label so that the Github Devops Service team can look into this issue.

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @v-anvashist, @V-hmusukula.

Issue Details

---

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
We are using Sql Azure in a resource group , the resource group also has a delete lock to avoid accidental deletion of resources, which is according to us is a standard practice. The sql azure database is updated using code first pattern using Deploy Azure Database task in Azure DevOps . The details in this documentation.

https://docs.microsoft.com/en-us/azure/devops/pipelines/targets/azure-sqldb?view=azure-devops&tabs=yaml

We also found, this task internally adds and removes a firewall rules to sql azure server to allow agent to access the sql serve.

However If resource group is locked for deletion, this scenario fails as pipeline is unable to delete a firewall rule.

This seems a catch 22 situation as we want resource group locked for deletion but also want pipeline to be able to delete firewall rules to access server to deploy database scripts.
To Reproduce

• Create SQL Azure Server and Database

• Setup with code first deployment

• Lock resource group for deletion

• Try to deploy database using azure devops pipeline.

• pipeline fails

Expected behavior

The resource group lock should have an exception for a service principle which is able to bypass this resource lock.

Author:	mandarsj
Assignees:	-
Labels:	Service Attention, customer-reported, DevOps, Pipelines, Auto-Assign
Milestone:	-

[v1ferrarij]

I am also having this issue.

[v-soujanya]

Hi @mandarsj we are only owning the CLI service.
Do we have Az CLI Command or query to repro the issue on our end?