`az security contact create` fails with ERROR: Operation returned an invalid status 'Created'

[odegroot]

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command

az security contact create --name foo-example.com --email foo@example.com --alert-notifications On --alerts-admins Off

Describe the bug

The security contact gets created successfully, but the az command fails nonetheless.

ERROR: Operation returned an invalid status 'Created'

The REST API returns HTTP status code 201 Created. This is perfectly valid - see API docs - but the az cli still considers this a failure. It prints an error message and returns a nonzero exit code.

To Reproduce

The error occurs "invalid status 'Created'" occurs sometimes, not always.
I can reliably reproduce the error on a brand new subscription. There may be other triggers that I'm unaware of.

1. Create a new subscription
2. Create a security contact using az security contact create.

After the initial failure, subsequent attempts on the same subscription work just fine, with the exact same inputs.
Deleting and then recreating the security contact with the same inputs also works just fine.

Expected behavior

The az cli should treat status code 201 Created as a success. It shouldn't print an error message.

Environment summary

Azure DevOps pipeline step AzureCLI@2

Pool: Azure Pipelines
Image: ubuntu-latest
Agent: Hosted Agent

==============================================================================
Task         : Azure CLI
Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
Version      : 2.217.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-cli
==============================================================================
/usr/bin/az --version
azure-cli                         2.46.0

core                              2.46.0
telemetry                          1.0.8

Extensions:
account                            0.2.5
azure-devops                      0.26.0

Dependencies:
msal                              1.20.0
azure-mgmt-resource             21.1.0b1

Python location '/opt/az/bin/python3'
Extensions directory '/opt/az/azcliextensions'

Python (Linux) 3.10.10 (main, Mar  6 2023, 09:39:14) [GCC 11.3.0]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.
Setting AZURE_CONFIG_DIR env variable to: /home/vsts/work/_temp/.azclitask
Setting active cloud to: AzureCloud

Additional context

Here's the command output with --debug enabled. (tenant / subscription IDs redacted)

##[command]az security contact create --debug --name foo-example.com --email foo@example.com --alert-notifications On --alerts-admins Off
DEBUG: cli.knack.cli: Command arguments: ['security', 'contact', 'create', '--debug', '--name', 'foo-example.com', '--email', 'foo@example.com', '--alert-notifications', 'On', '--alerts-admins', 'Off']
DEBUG: cli.knack.cli: __init__ debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fc165fb5360>, <function OutputProducer.on_global_arguments at 0x7fc165eb3f40>, <function CLIQuery.on_global_arguments at 0x7fc165f051b0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'security': ['azure.cli.command_modules.security']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands
DEBUG: cli.azure.cli.core: security                  0.007        48       104
DEBUG: cli.azure.cli.core: Total (1)                 0.007        48       104
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
DEBUG: cli.azure.cli.core: Total (0)                 0.000         0         0  
DEBUG: cli.azure.cli.core: Loaded 48 groups, 104 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command  : security contact create
DEBUG: cli.azure.cli.core: Command table: security contact create
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fc1648a6560>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/vsts/work/_temp/.azclitask/commands/2023-03-16.17-54-49.security_contact_create.2372.log'.
INFO: az_command_data_logger: command args: security contact create --debug --name {} --email {} --alert-notifications {} --alerts-admins {}
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fc1648bb0a0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fc1646a9000>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fc1646a9120>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fc165ed0040>, <function CLIQuery.handle_query_parameter at 0x7fc165f05240>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fc1646a9090>]
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=SecurityCenter
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/vsts/work/_temp/.azclitask/service_principal_entries.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/vsts/work/_temp/.azclitask/msal_token_cache.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/vsts/work/_temp/.azclitask/msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? False
DEBUG: msal.application: Region to be used: None
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: 129baf20-d5e0-4d44-86ea-b4e4ce57bb3e
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com?api-version=2017-08-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'PUT'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '120'
DEBUG: cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'a550efad-c423-11ed-960e-e3c79e9d1358'
DEBUG: cli.azure.cli.core.sdk.policies:     'CommandName': 'security contact create'
DEBUG: cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--debug --name --email --alert-notifications --alerts-admins'
DEBUG: cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.46.0 (DEB) azsdk-python-azure-mgmt-security/3.0.0 Python/3.10.10 (Linux-5.15.0-1034-azure-x86_64-with-glibc2.35) VSTS_9f9c2088-4d89-48b3-8760-c639dab38b85_build_1_0'
DEBUG: cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: {"properties": {"email": "foo@example.com", "phone": "", "alertNotifications": "On", "alertsToAdmins": "Off"}}
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com?api-version=2017-08-01-preview HTTP/1.1" 201 398
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 201
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '398'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies:     'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-resource-requests': '249'
DEBUG: cli.azure.cli.core.sdk.policies:     'api-supported-versions': '2017-08-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies:     'Server': 'Kestrel'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': '8da4e6cf-f18b-4e57-8526-7481891d1952'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '8da4e6cf-f18b-4e57-8526-7481891d1952'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'WESTEUROPE:20230316T175458Z:8da4e6cf-f18b-4e57-8526-7481891d1952'
DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 16 Mar 2023 17:54:58 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"properties":{"alertNotifications":"On","alertsToAdmins":"Off","email":"foo@example.com","phone":""},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com","name":"foo-example.com","type":"Microsoft.Security/securityContacts","etag":"\"1e000f3a-0000-0d00-0000-641357f20000\"","location":"West Europe"}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/security/custom.py", line 285, in create_security_contact
    return client.create(resource_name, new_contact)
  File "/opt/az/lib/python3.10/site-packages/azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/opt/az/lib/python3.10/site-packages/azure/mgmt/security/v2017_08_01_preview/operations/_security_contacts_operations.py", line 473, in create
    raise HttpResponseError(response=response, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Created'
Content: {"properties":{"alertNotifications":"On","alertsToAdmins":"Off","email":"foo@example.com","phone":""},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/foo-example.com","name":"foo-example.com","type":"Microsoft.Security/securityContacts","etag":"\"1e000f3a-0000-0d00-0000-641357f20000\"","location":"West Europe"}

ERROR: cli.azure.cli.core.azclierror: Operation returned an invalid status 'Created'
ERROR: az_command_data_logger: Operation returned an invalid status 'Created'
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fc1648a67a0>]
INFO: az_command_data_logger: exit code: 1
INFO: cli.__main__: Command ran in 9.745 seconds (init: 0.335, invoke: 9.410)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3516 in cache
WARNING: telemetry.check: Negative: The /home/vsts/work/_temp/.azclitask/telemetry.txt was modified at 2023-03-16 17:53:23.427256, which in less than 600.000000 s

Thank you for your feedback. This has been routed to the support team for assistance.

[yonzhan]

route to CXP team

[SaurabhSharma-MSFT]

@odegroot I am not able to reproduce this issue. I have checked with both Azure CLI 2.45 and 2.46 versions, and I am not getting any errors.

Using --debug parameters also did not give any error messages.
Is this cmd giving the same error message when you are using outside of the devops pipeline for you?