fixing error for secrets, suppressing wrong logging

Simon Jakesch · Simon Jakesch · commit 80a128b5f439 · 2025-11-16T12:31:08.000-06:00
diff --git a/src/containerapp/azext_containerapp/_compose_utils.py b/src/containerapp/azext_containerapp/_compose_utils.py
@@ -1940,7 +1940,8 @@ def get_mcp_gateway_configuration(service):
 
 def enable_managed_identity(cmd, resource_group_name, app_name):
     """
-    Enable system-assigned managed identity for a container app.
+    Enable system-assigned managed identity for a container app using a scoped PATCH
+    so that existing secrets (which are write-only) are not re-sent without values.
 
     Args:
         cmd: Azure CLI command context
@@ -1950,36 +1951,42 @@ def enable_managed_identity(cmd, resource_group_name, app_name):
     Returns:
         Dictionary with identity information including principal_id
     """
+    import json
     from knack.log import get_logger
-    from ._clients import ContainerAppClient
-
-    logger = get_logger(__name__)
+    from azure.cli.core.commands.client_factory import get_subscription_id
+    from azure.cli.core.util import send_raw_request
 
-    logger.info(f"Enabling system-assigned managed identity for '{app_name}'")
+    from ._clients import PREVIEW_API_VERSION
 
-    try:
-        # Get current app using show classmethod
-        app = ContainerAppClient.show(cmd, resource_group_name, app_name)
+    logger = get_logger(__name__)
 
-        # Set identity type to SystemAssigned
-        if 'identity' not in app:
-            app['identity'] = {}
+    logger.info(f"Enabling system-assigned managed identity for '{app_name}' via PATCH")
 
-        app['identity']['type'] = 'SystemAssigned'
+    management_hostname = cmd.cli_ctx.cloud.endpoints.resource_manager
+    subscription_id = get_subscription_id(cmd.cli_ctx)
+    request_url = "{}/subscriptions/{}/resourceGroups/{}/providers/Microsoft.App/containerApps/{}?api-version={}".format(
+        management_hostname.strip('/'),
+        subscription_id,
+        resource_group_name,
+        app_name,
+        PREVIEW_API_VERSION)
 
-        # Update the app using create_or_update classmethod
-        updated_app = ContainerAppClient.create_or_update(
-            cmd, resource_group_name, app_name, app)
+    payload = {
+        "identity": {
+            "type": "SystemAssigned"
+        }
+    }
 
+    try:
+        response = send_raw_request(cmd.cli_ctx, "PATCH", request_url, body=json.dumps(payload))
+        updated_app = response.json()
         identity = updated_app.get('identity', {})
         principal_id = identity.get('principalId')
 
         if principal_id:
-            logger.info(
-                f"Successfully enabled managed identity. Principal ID: {principal_id}")
+            logger.info(f"Successfully enabled managed identity. Principal ID: {principal_id}")
         else:
-            logger.warning(
-                "Managed identity enabled but principal ID not yet available")
+            logger.warning("Managed identity enabled but principal ID not yet available")
 
         return identity
 
diff --git a/src/containerapp/azext_containerapp/containerapp_decorator.py b/src/containerapp/azext_containerapp/containerapp_decorator.py
@@ -133,6 +133,9 @@ def get_argument_from_revision(self):
     def get_argument_target_label(self):
         return self.get_param("target_label")
 
+    def get_argument_suppress_ingress_warning(self):
+        return self.get_param("suppress_ingress_warning")
+
     def validate_arguments(self):
         self.containerapp_def = None
         try:
@@ -1089,15 +1092,18 @@ def post_process(self, r):
         if "properties" in r and "provisioningState" in r["properties"] and r["properties"]["provisioningState"].lower() == "waiting" and not self.get_argument_no_wait():
             not self.get_argument_disable_warnings() and logger.warning('Containerapp creation in progress. Please monitor the creation using `az containerapp show -n {} -g {}`'.format(self.get_argument_name(), self.get_argument_resource_group_name()))
 
+        suppress_ingress_warning = bool(self.get_argument_suppress_ingress_warning())
+
         if "configuration" in r["properties"] and "ingress" in r["properties"]["configuration"] and \
                 r["properties"]["configuration"]["ingress"] and "fqdn" in r["properties"]["configuration"]["ingress"]:
             not self.get_argument_disable_warnings() and logger.warning("\nContainer app created. Access your app at https://{}/\n".format(r["properties"]["configuration"]["ingress"]["fqdn"]))
         else:
-            target_port = self.get_argument_target_port() or "<port>"
-            not self.get_argument_disable_warnings() and logger.warning(
-                "\nContainer app created. To access it over HTTPS, enable ingress: "
-                "az containerapp ingress enable -n %s -g %s --type external --target-port %s"
-                " --transport auto\n", self.get_argument_name(), self.get_argument_resource_group_name(), target_port)
+            if not suppress_ingress_warning:
+                target_port = self.get_argument_target_port() or "<port>"
+                not self.get_argument_disable_warnings() and logger.warning(
+                    "\nContainer app created. To access it over HTTPS, enable ingress: "
+                    "az containerapp ingress enable -n %s -g %s --type external --target-port %s"
+                    " --transport auto\n", self.get_argument_name(), self.get_argument_resource_group_name(), target_port)
 
         if self.get_argument_service_connectors_def_list() is not None:
             linker_client = get_linker_client(self.cmd)
diff --git a/src/containerapp/azext_containerapp/custom.py b/src/containerapp/azext_containerapp/custom.py
@@ -773,7 +773,8 @@ def create_containerapp(cmd,
                         runtime=None,
                         enable_java_metrics=None,
                         enable_java_agent=None,
-                        kind=None):
+                        kind=None,
+                        suppress_ingress_warning=False):
     raw_parameters = locals()
 
     containerapp_create_decorator = ContainerAppPreviewCreateDecorator(
@@ -2759,7 +2760,8 @@ def create_containerapps_from_compose(cmd,  # pylint: disable=R0914
                                     env_vars=env_vars_cli_format,
                                     secrets=secret_vars,
                                     min_replicas=final_min_replicas,
-                                    max_replicas=final_max_replicas, )
+                                    max_replicas=final_max_replicas,
+                                    suppress_ingress_warning=True)
             )
 
         # Phase 5: Dry-run mode - collect service config instead of deploying
