Add diagnostic events for scenarios that prevent a function app from starting (#9597)

* Fix typo in HostIdCollisionErrorCode

* Add diagnostic event for when the function app has 10 non-decryptable secrets backups

* Add a test case for a diagnostic event when the function app has 10 non-decryptable secrets backups

* Log a diagnostic event if the read operation failed because the blob access tier is set to archived

* Add BlobRepository_TierSetToArchive_ReadAsync_Logs_DiagnosticEvent

* Add a diagnostic event for parsing errors in the host configuration file

* Add InvalidHostJsonLogsDiagnosticEvent test case

* Update Moq version to 4.20.69

* Add helper method to validate that the expected diagnostic event is present

Author: Francisco-Gamino

src/WebJobs.Script.WebHost/Properties/Resources.Designer.cs

@@ -139,6 +139,9 @@
   "uri": "{uri}"
 }}</value>
   </data>
+  <data name="FailedToReadBlobSecretRepositoryTierSetToArchive" xml:space="preserve">
+    <value>Failed to read from Blob Storage Secret Repository because its access tier is set to archive.</value>
+  </data>
   <data name="FunctionSecretsSchemaV0" xml:space="preserve">
     <value>{
     "type": "object",

src/WebJobs.Script.WebHost/Properties/Resources.resx

@@ -9,7 +9,9 @@
 using Azure.Storage.Blobs;
 using Azure.Storage.Blobs.Models;
 using Microsoft.Azure.WebJobs.Host.Storage;
+using Microsoft.Azure.WebJobs.Script.Diagnostics;
 using Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.Extensions;
+using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
 using Microsoft.Extensions.Logging;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost
@@ -19,6 +21,7 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost
     /// </summary>
     public class BlobStorageSecretsRepository : BaseSecretsRepository
     {
+        private readonly string _blobArchivedName = "BlobArchived";
         private readonly string _secretsBlobPath;
         private readonly string _hostSecretsBlobPath;
         private readonly string _secretsContainerName = "azure-webjobs-secrets";
@@ -82,6 +85,7 @@ public override async Task<ScriptSecrets> ReadAsync(ScriptSecretsType type, stri
         {
             string secretsContent = null;
             string blobPath = GetSecretsBlobPath(type, functionName);
+            const string Operation = "read";
             try
             {
                 BlobClient secretBlobClient = Container.GetBlobClient(blobPath);
@@ -94,9 +98,24 @@ public override async Task<ScriptSecrets> ReadAsync(ScriptSecretsType type, stri
                     }
                 }
             }
+            catch (RequestFailedException rfex) when (rfex.Status == 409)
+            {
+                // If the read operation failed because the blob access tier is set to archived, log a diagnostic event.
+                if (rfex.ErrorCode.Equals(_blobArchivedName, StringComparison.OrdinalIgnoreCase))
+                {
+                    Logger?.LogDiagnosticEventError(
+                        DiagnosticEventConstants.FailedToReadBlobStorageRepositoryErrorCode,
+                        Resources.FailedToReadBlobSecretRepositoryTierSetToArchive,
+                        DiagnosticEventConstants.FailedToReadBlobStorageRepositoryHelpLink,
+                        rfex);
+                }
+
+                LogErrorMessage(Operation, rfex);
+                throw;
+            }
             catch (Exception ex)
             {
-                LogErrorMessage("read", ex);
+                LogErrorMessage(Operation, ex);
                 throw;
             }
 

src/WebJobs.Script.WebHost/Security/KeyManagement/BlobStorageSecretsRepository.cs

@@ -590,7 +590,11 @@ private async Task PersistSecretsAsync<T>(T secrets, string keyScope = null, boo
                 {
                     string message = string.Format(Resources.ErrorTooManySecretBackups, ScriptConstants.MaximumSecretBackupCount, string.IsNullOrEmpty(keyScope) ? "host" : keyScope, await AnalyzeSnapshots(secretBackups));
                     _logger?.LogDebug(message);
-                    throw new InvalidOperationException(message);
+
+                    var exception = new InvalidOperationException(message);
+                    _logger?.LogDiagnosticEventError(DiagnosticEventConstants.MaximumSecretBackupCountErrorCode, message, DiagnosticEventConstants.MaximumSecretBackupCountHelpLink, exception);
+
+                    throw exception;
                 }
                 await _repository.WriteSnapshotAsync(secretsType, keyScope, secrets);
             }

src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs

@@ -205,7 +205,16 @@ internal JObject LoadHostConfig(string configFilePath)
                     }
                     catch (JsonException ex)
                     {
-                        throw new FormatException($"Unable to parse host configuration file '{configFilePath}'.", ex);
+                        var message = $"Unable to parse host configuration file '{configFilePath}'.";
+                        var formatException = new FormatException(message, ex);
+
+                        _logger.LogDiagnosticEventError(
+                            DiagnosticEventConstants.UnableToParseHostConfigurationFileErrorCode,
+                            message,
+                            DiagnosticEventConstants.UnableToParseHostConfigurationFileHelpLink,
+                            formatException);
+
+                        throw formatException;
                     }
                     catch (Exception ex) when (ex is FileNotFoundException || ex is DirectoryNotFoundException)
                     {

src/WebJobs.Script/Config/HostJsonFileConfigurationSource.cs

@@ -5,13 +5,22 @@ namespace Microsoft.Azure.WebJobs.Script
 {
     internal static class DiagnosticEventConstants
     {
-        public const string HostIdCollisionErrorCode = "AZFD004";
+        public const string HostIdCollisionErrorCode = "AZFD0004";
         public const string HostIdCollisionHelpLink = "https://go.microsoft.com/fwlink/?linkid=2224100";
 
         public const string ExternalStartupErrorCode = "AZFD0005";
         public const string ExternalStartupErrorHelpLink = "https://go.microsoft.com/fwlink/?linkid=2224847";
 
         public const string SasTokenExpiringErrorCode = "AZFD0006";
         public const string SasTokenExpiringErrorHelpLink = "https://go.microsoft.com/fwlink/?linkid=2244092";
+
+        public const string MaximumSecretBackupCountErrorCode = "AZFD0007";
+        public const string MaximumSecretBackupCountHelpLink = "https://go.microsoft.com/fwlink/?linkid=2241600";
+
+        public const string FailedToReadBlobStorageRepositoryErrorCode = "AZFD0008";
+        public const string FailedToReadBlobStorageRepositoryHelpLink = "https://go.microsoft.com/fwlink/?linkid=2241601";
+
+        public const string UnableToParseHostConfigurationFileErrorCode = "AZFD0009";
+        public const string UnableToParseHostConfigurationFileHelpLink = "https://go.microsoft.com/fwlink/?linkid=2248917";
     }
 }

src/WebJobs.Script/Diagnostics/DiagnosticEventConstants.cs

@@ -0,0 +1,44 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using Microsoft.Extensions.Logging;
+using System.Collections.Generic;
+using System;
+using Xunit;
+using Microsoft.WebJobs.Script.Tests;
+using Microsoft.Azure.AppService.Proxy.Common.Extensions;
+
+namespace Microsoft.Azure.WebJobs.Script.Tests.Integration.Diagnostics
+{
+    public class DiagnosticEventTestUtils
+    {
+        public static void ValidateThatTheExpectedDiagnosticEventIsPresent(
+            TestLoggerProvider loggerProvider,
+            string expectedMessage,
+            LogLevel logLevel,
+            string helpLink,
+            string errorCode
+        )
+        {
+            LogMessage actualEvent = null;
+
+            // Find the expected diagnostic event
+            foreach (var message in loggerProvider.GetAllLogMessages())
+            {
+                if (message.FormattedMessage.IndexOf(expectedMessage, StringComparison.OrdinalIgnoreCase) > -1 &&
+                    message.Level == logLevel &&
+                    message.State is Dictionary<string, object> dictionary &&
+                    dictionary.ContainsKey("MS_HelpLink") && dictionary.ContainsKey("MS_ErrorCode") &&
+                    dictionary.GetValueOrDefault("MS_HelpLink").ToString().Equals(helpLink, StringComparison.OrdinalIgnoreCase) &&
+                    dictionary.GetValueOrDefault("MS_ErrorCode").ToString().Equals(errorCode, StringComparison.OrdinalIgnoreCase))
+                {
+                    actualEvent = message;
+                    break;
+                }
+            }
+
+            // Make sure that the expected event was found
+            Assert.NotNull(actualEvent);
+        }
+    }
+}

test/WebJobs.Script.Tests.Integration/Diagnostics/DiagnosticEventTestUtils.cs

@@ -0,0 +1,97 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System.IO;
+using System.Threading.Tasks;
+using Azure;
+using Microsoft.Azure.WebJobs.Host.Storage;
+using Microsoft.Azure.WebJobs.Script.WebHost;
+using Microsoft.Extensions.Logging;
+using Microsoft.WebJobs.Script.Tests;
+using Xunit;
+using Moq;
+using Azure.Storage.Blobs;
+using Microsoft.Azure.WebJobs.Script.WebHost.Properties;
+using LogLevel = Microsoft.Extensions.Logging.LogLevel;
+using System.Threading;
+using Microsoft.Azure.WebJobs.Script.Tests.Integration.Diagnostics;
+
+namespace Microsoft.Azure.WebJobs.Script.Tests.Integration.Host
+{
+    public class BlobStorageSecretsRepositoryTests
+    {
+        [Fact]
+        public async Task BlobRepository_TierSetToArchive_ReadAsync_Logs_DiagnosticEvent()
+        {
+            var mockBlobStorageProvider = new Mock<IAzureBlobStorageProvider>();
+            var mockBlobContainerClient = new Mock<BlobContainerClient>();
+            var mockBlobClient = new Mock<BlobClient>();
+            var mockBlobServiceClient = new Mock<BlobServiceClient>();
+
+            var exception = new RequestFailedException(409, "Conflict", "BlobArchived", null);
+            Response<bool> response = Response.FromValue(true, default);
+            Task<Response<bool>> taskResponse = Task.FromResult(response);
+
+            mockBlobStorageProvider
+                .Setup(provider => provider.TryCreateBlobServiceClientFromConnection(It.IsAny<string>(), out It.Ref<BlobServiceClient>.IsAny))
+                .Returns((string connection, out BlobServiceClient client) =>
+                {
+                    client = mockBlobServiceClient.Object;
+                    return true;
+                });
+
+            mockBlobContainerClient
+                .Setup(client => client.GetBlobClient(It.IsAny<string>()))
+                .Returns(mockBlobClient.Object);
+
+            mockBlobContainerClient
+                .Setup(client => client.Exists(default))
+                .Returns(response);
+
+            mockBlobServiceClient
+                .Setup(client => client.GetBlobContainerClient(It.IsAny<string>()))
+                .Returns(mockBlobContainerClient.Object);
+
+            mockBlobClient
+                .Setup(client => client.DownloadAsync())
+                .Throws(exception);
+
+            mockBlobClient
+                .Setup(client => client.ExistsAsync(It.IsAny<CancellationToken>()))
+                .Returns(taskResponse);
+
+            // Create logger
+            var loggerProvider = new TestLoggerProvider();
+            var loggerFactory = new LoggerFactory();
+            loggerFactory.AddProvider(loggerProvider);
+            var logger = loggerFactory.CreateLogger<BlobStorageSecretsRepository>();
+
+            // BlobStorageSecretsRepository settings:
+            var environment = new TestEnvironment();
+            var secretSentinelDirectoryPath = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
+            var appName = "Test_test";
+            var testFunctionName = "Function1";
+
+            var secretsRepository = new BlobStorageSecretsRepository(
+                secretSentinelDirectoryPath,
+                ConnectionStringNames.Storage,
+                appName,
+                logger,
+                environment,
+                mockBlobStorageProvider.Object);
+
+            await Assert.ThrowsAsync<RequestFailedException>(async () =>
+            {
+                await secretsRepository.ReadAsync(ScriptSecretsType.Host, testFunctionName);
+            });
+
+            DiagnosticEventTestUtils.ValidateThatTheExpectedDiagnosticEventIsPresent(
+                loggerProvider,
+                Resources.FailedToReadBlobSecretRepositoryTierSetToArchive,
+                LogLevel.Error,
+                DiagnosticEventConstants.FailedToReadBlobStorageRepositoryHelpLink,
+                DiagnosticEventConstants.FailedToReadBlobStorageRepositoryErrorCode
+            );
+        }
+    }
+}

test/WebJobs.Script.Tests.Integration/Host/BlobStorageSecretsRepositoryTests.cs

@@ -49,7 +49,7 @@
     <PackageReference Include="Microsoft.Azure.ServiceBus" Version="4.2.1" />
     <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="6.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.4" />
-    <PackageReference Include="Moq" Version="4.9.0" />
+    <PackageReference Include="Moq" Version="4.20.69" />
     <PackageReference Include="xunit" Version="2.4.1" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
       <PrivateAssets>all</PrivateAssets>

test/WebJobs.Script.Tests.Integration/WebJobs.Script.Tests.Integration.csproj

@@ -223,6 +223,42 @@ public void Initialize_Sanitizes_HostJsonLog()
             Assert.Equal($"Host configuration file read:{Environment.NewLine}{hostJson}", logMessage);
         }
 
+        [Fact]
+        public void InvalidHostJsonLogsDiagnosticEvent()
+        {
+            Assert.False(File.Exists(_hostJsonFile));
+
+            var hostJsonContent = " { fooBar";
+            TestMetricsLogger testMetricsLogger = new TestMetricsLogger();
+
+            File.WriteAllText(_hostJsonFile, hostJsonContent);
+            Assert.True(File.Exists(_hostJsonFile));
+
+            var ex = Assert.Throws<FormatException>(() => BuildHostJsonConfiguration(testMetricsLogger));
+
+            var expectedTraceMessage = $"Unable to parse host configuration file '{_hostJsonFile}'.";
+
+            LogMessage actualEvent = null;
+
+            // Find the expected diagnostic event
+            foreach (var message in _loggerProvider.GetAllLogMessages())
+            {
+                if (message.FormattedMessage.IndexOf(expectedTraceMessage, StringComparison.OrdinalIgnoreCase) > -1 &&
+                    message.Level == LogLevel.Error &&
+                    message.State is Dictionary<string, object> dictionary &&
+                    dictionary.ContainsKey("MS_HelpLink") && dictionary.ContainsKey("MS_ErrorCode") &&
+                    dictionary.GetValueOrDefault("MS_HelpLink").ToString().Equals(DiagnosticEventConstants.UnableToParseHostConfigurationFileHelpLink.ToString(), StringComparison.OrdinalIgnoreCase) &&
+                    dictionary.GetValueOrDefault("MS_ErrorCode").ToString().Equals(DiagnosticEventConstants.UnableToParseHostConfigurationFileErrorCode.ToString(), StringComparison.OrdinalIgnoreCase))
+                {
+                    actualEvent = message;
+                    break;
+                }
+            }
+
+            // Make sure that the expected event was found
+            Assert.NotNull(actualEvent);
+        }
+
         private IConfiguration BuildHostJsonConfiguration(TestMetricsLogger testMetricsLogger, IEnvironment environment = null)
         {
             environment = environment ?? new TestEnvironment();