[AKS] fix the nextLink issue (#22001)

Author: YanaXu

src/Aks/Aks/ChangeLog.md

@@ -18,6 +18,8 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed the issue of handling `nextLink` in `Set-AzAksCluster`. [#21846]
+* Fixed the issue of parameter `AcrNameToDetach` in `Set-AzAksCluster` due to role assignment name is a guid.
 * Added breaking change message for parameter `DockerBridgeCidr` in `New-AzAksCluster`.
 * Supported the value `AzureLinux` for parameter `-NodeOsSKU` in `New-AzAksCluster` and parameter `-OsSKU` in `New-AzAksNodePool`.
 * Fixed the issue of `-DisableLocalAccount` for `Set-AzAksCluster`. [#21835]

src/Aks/Aks/Commands/CreateOrUpdateKubeBase.cs

@@ -356,12 +356,14 @@ private AcsServicePrincipal BuildServicePrincipal(string name, string clientSecr
             return new AcsServicePrincipal { SpId = app.AppId, ClientSecret = clientSecret, ObjectId = sp.Id };
         }
 
-        protected RoleAssignment GetRoleAssignmentWithRoleDefinitionId(string roleDefinitionId)
+        protected RoleAssignment GetRoleAssignmentWithRoleDefinitionId(string roleDefinitionId, string acrResourceId, string acsServicePrincipalObjectId)
         {
             RoleAssignment roleAssignment = null;
             var actionSuccess = RetryAction(() =>
             {
-                roleAssignment = AuthClient.RoleAssignments.List().Where(x => x.Properties.RoleDefinitionId == roleDefinitionId && x.Name == Name).FirstOrDefault();
+                roleAssignment = AuthClient.RoleAssignments.ListForScope(acrResourceId)
+                    .Where(x => (x.Properties.RoleDefinitionId == roleDefinitionId && (x.Name == Name || x.Properties.PrincipalId == acsServicePrincipalObjectId)))
+                    .FirstOrDefault();
             });
             if (!actionSuccess)
             {
@@ -374,29 +376,33 @@ protected RoleAssignment GetRoleAssignmentWithRoleDefinitionId(string roleDefini
 
         protected void AddAcrRoleAssignment(string acrName, string acrParameterName, AcsServicePrincipal acsServicePrincipal)
         {
-            string acrResourceId = null;
-            try
-            {
-                //Find Acr resourceId first
-                var acrQuery = new ODataQuery<GenericResourceFilter>($"$filter=resourceType eq 'Microsoft.ContainerRegistry/registries' and name eq '{acrName}'");
-                var acrObjects = RmClient.Resources.List(acrQuery);
-                acrResourceId = acrObjects.First().Id;
-            }
-            catch (Exception)
-            {
-                throw new AzPSArgumentException(
-                    string.Format(Resources.CouldNotFindSpecifiedAcr, acrName),
-                    acrParameterName,
-                    string.Format(Resources.CouldNotFindSpecifiedAcr, "*"));
-            }
+            string acrResourceId = getSpecifiedAcr(acrName, acrParameterName);
+
+            var roleDefinitionId = GetRoleId("acrpull", acrResourceId);
+            var spObjectId = getSPObjectId(acsServicePrincipal);
 
-            var roleId = GetRoleId("acrpull", acrResourceId);
-            RoleAssignment roleAssignment = GetRoleAssignmentWithRoleDefinitionId(roleId);
+            RoleAssignment roleAssignment = GetRoleAssignmentWithRoleDefinitionId(roleDefinitionId, acrResourceId, spObjectId);
             if (roleAssignment != null)
             {
                 WriteWarning(string.Format(Resources.AcrRoleAssignmentIsAlreadyExist, acrResourceId));
                 return;
             }
+
+            var success = RetryAction(() =>
+                AuthClient.RoleAssignments.Create(acrResourceId, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters()
+                {
+                    Properties = new RoleAssignmentProperties(roleDefinitionId, spObjectId)
+                }), Resources.AddRoleAssignment);
+
+            if (!success)
+            {
+                throw new AzPSInvalidOperationException(
+                    Resources.CouldNotAddAcrRoleAssignment,
+                    desensitizedMessage: Resources.CouldNotAddAcrRoleAssignment);
+            }
+        }
+
+        protected string getSPObjectId(AcsServicePrincipal acsServicePrincipal) {
             var spObjectId = acsServicePrincipal.ObjectId;
             if (spObjectId == null)
             {
@@ -414,17 +420,31 @@ protected void AddAcrRoleAssignment(string acrName, string acrParameterName, Acs
                         string.Format(Resources.CouldNotFindObjectIdForServicePrincipal, "*"));
                 }
             }
-            var success = RetryAction(() =>
-                AuthClient.RoleAssignments.Create(acrResourceId, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters()
-                {
-                    Properties = new RoleAssignmentProperties(roleId, spObjectId)
-                }), Resources.AddRoleAssignment);
+            return spObjectId;
+        }
 
-            if (!success)
+        protected string getSpecifiedAcr(string acrName, string acrParameterName) {
+            try
             {
-                throw new AzPSInvalidOperationException(
-                    Resources.CouldNotAddAcrRoleAssignment,
-                    desensitizedMessage: Resources.CouldNotAddAcrRoleAssignment);
+                //Find Acr resourceId first
+                var acrQuery = new ODataQuery<GenericResourceFilter>($"$filter=resourceType eq 'Microsoft.ContainerRegistry/registries' and name eq '{acrName}'");
+                var acrObjects = RmClient.Resources.List(acrQuery);
+                while (acrObjects.Count() == 0 && acrObjects.NextPageLink != null)
+                {
+                    acrObjects = RmClient.Resources.ListNext(acrObjects.NextPageLink);
+                }
+                if (acrObjects.Count() == 0)
+                {
+                    throw new AzPSArgumentException(
+                    string.Format(Resources.CouldNotFindSpecifiedAcr, acrName),
+                    acrParameterName,
+                    string.Format(Resources.CouldNotFindSpecifiedAcr, "*"));
+                }
+                return acrObjects.First().Id;
+            }
+            catch (Exception ex)
+            {
+                throw new AzPSArgumentException(string.Format(Resources.CouldNotFindSpecifiedAcr, acrName), ex, string.Format(Resources.CouldNotFindSpecifiedAcr, "*"));
             }
         }
 

src/Aks/Aks/Commands/SetAzureRmAks.cs

@@ -463,24 +463,12 @@ public override void ExecuteCmdlet()
 
         private void RemoveAcrRoleAssignment(string acrName, string acrParameterName, AcsServicePrincipal acsServicePrincipal)
         {
-            string acrResourceId = null;
-            try
-            {
-                //Find Acr resourceId first
-                var acrQuery = new ODataQuery<GenericResourceFilter>($"$filter=resourceType eq 'Microsoft.ContainerRegistry/registries' and name eq '{acrName}'");
-                var acrObjects = RmClient.Resources.List(acrQuery);
-                acrResourceId = acrObjects.First().Id;
-            }
-            catch (Exception)
-            {
-                throw new AzPSArgumentException(
-                    string.Format(Resources.CouldNotFindSpecifiedAcr, acrName),
-                    acrParameterName,
-                    string.Format(Resources.CouldNotFindSpecifiedAcr, "*"));
-            }
+            string acrResourceId = getSpecifiedAcr(acrName, acrParameterName);
 
             var roleDefinitionId = GetRoleId("acrpull", acrResourceId);
-            RoleAssignment roleAssignment = GetRoleAssignmentWithRoleDefinitionId(roleDefinitionId);
+            var spObjectId = getSPObjectId(acsServicePrincipal);
+
+            RoleAssignment roleAssignment = GetRoleAssignmentWithRoleDefinitionId(roleDefinitionId, acrResourceId, spObjectId);
             if (roleAssignment == null)
             {
                 throw new AzPSInvalidOperationException(

src/Aks/Aks/Properties/Resources.Designer.cs

@@ -349,7 +349,7 @@
     <value>Could not find object id of service principal : {0}, please make sure you have graph directory.read permission which is required for grant acrpull permission.</value>
   </data>
   <data name="CouldNotFindSpecifiedAcr" xml:space="preserve">
-    <value>Could not find specified Acr '{0}' to attach.</value>
+    <value>Could not find specified Acr '{0}' to attach or detach.</value>
   </data>
   <data name="AgentPoolAlreadyExistsError" xml:space="preserve">
     <value>The node pool already exists. Please use Update-AzAksNodePool for update.</value>