[Question] Dependency resolvement when specifying custom configuration #668

Open
rstelcer opened this issue Sep 18, 2024 · 2 comments

@rstelcer

Release version

v6.0.1.1

Question Details

Problem Description
Publishing a policy fragment depending on the named value results in the following error:
```
info: publisher[0] Putting policy policy for operation dependecycheck in API echo-api...
info: publisher[0] Putting policy policy for operation retrieve-header-only in API echo-api...
crit: publisher[0] Application failed. System.Net.Http.HttpRequestException: HTTP request to URI https://management.azure.com/subscriptions/***/resourceGroups/app-grp/providers/Microsoft.ApiManagement/service/api-grp-apim-3/apis/echo-api/operations/dependecycheck/policies/policy?api-version=2023-09-01-preview failed with status code 400. Content is '{"error":{"code":"ValidationError","message":"One or more fields contain incorrect values:","details":[{"code":"ValidationError","target":"include-fragment","message":"Error in element 'include-fragment' on line 11, column 4: Policy fragment with id 'TokenValidator' could not be found."}]}}'.
```

Environment setup
The solution uses the following features from API Management:

  • APIs
  • Named Values
  • Policy Fragments

The relationships are:

  • named values contain properties
  • policy depends on the named value
  • the policy is attached to the API

The policy content - to understand the correlation with named values:
```xml
<fragment>
  <validate-jwt header-name="Authorization"
                failed-validation-httpcode="401"
                failed-validation-error-message="User not authenticated"
                require-expiration-time="true"
                require-scheme="Bearer"
                require-signed-tokens="true"
                output-token-variable-name="token_customer_info">
    <openid-config url="https://{{my_idp_hostname}}/.well-known/openid-configuration" />
    <audiences>
      <audience>https://{{my_idp_hostname}}/api/v2/</audience>
      <audience>https://{{my_idp_hostname}}/userinfo</audience>
    </audiences>
    <issuers>
      <issuer>https://{{my_idp_hostname}}/</issuer>
    </issuers>
    <required-claims>
      <claim name="{{my_namespace}}/customer_id" match="all" />
    </required-claims>
  </validate-jwt>
</fragment>
```

Example of configuration file per e.g. Prod:
```yaml
apimServiceName: api-prod
namedValues:
  - name: MyIdpHostname
    properties:
      displayName: my_idp_hostname
      value: "<enter_your_prod_idp>"
```

The publishing pipeline has 3 stages:

  • dev; to republish what we have in git
  • uat, we read what we have in git, make amendments to named values (see above), and publish it
  • prod, we read what we have in git, make amendments to named values (see above), and publish it

During the publishing test, we observed the following behavior:

  • API is published
  • Policy publishing fails

Observations

  • The policy is published when the configuration file is not specified.
  • Named values are replaced, but only if they are not available.

NB: This applies when we have a custom configuration file to amend values per stage/environment. The same behavior/outcome applies to Products; whether we use partial (publish-artifacts-in-last-commit) or full publishing (publish-all-artifacts-in-repo).

Questions

  • Named Value: why can we not replace/amend the value if previously available?
  • Dependencies: why does a replacement of NamedValue work if not previously available, but the policy referencing it fails?

Is this by design or perhaps a bug?

Thanks in advance.

Expected behavior

Named values are replaced
Named values are published
API is published
Policy is published
API is updated

Actual behavior

Named values are replaced
Named values are published (only if not available earlier)
API is published
Policy publishing fails with status code 400:
```
crit: publisher[0] Application failed. System.Net.Http.HttpRequestException: HTTP request to URI https://management.azure.com/subscriptions/***/resourceGroups/app-grp/providers/Microsoft.ApiManagement/service/api-grp-apim-3/apis/echo-api/operations/dependecycheck/policies/policy?api-version=2023-09-01-preview failed with status code 400. Content is '{"error":{"code":"ValidationError","message":"One or more fields contain incorrect values:","details":[{"code":"ValidationError","target":"include-fragment","message":"Error in element 'include-fragment' on line 11, column 4: Policy fragment with id 'TokenValidator' could not be found."}]}}'.
```

Reproduction Steps

Prerequisites:

  1. Use Echo API (by default available when an instance of API Management is created)

Steps:

  1. Create a policy (see above)
  2. Assign the policy to Echo API; it does not matter what API endpoint.
  3. Run executor (no filter configuration attached)
  4. Run publisher (with configuration example as specified above).

Publisher fails.

PS: The same behavior is observed with Products.


  Thank you for opening this issue! Please be patient while we look into it and get back to you as this is an open source project. In the meantime make sure you take a look at the [closed issues](https://github.com/Azure/apiops/issues?q=is%3Aissue+is%3Aclosed) in case your question has already been answered. Don't forget to provide any additional information if needed (e.g. scrubbed logs, detailed feature requests, etc.).
  Whenever it's feasible, please don't hesitate to send a Pull Request (PR) our way. We'd greatly appreciate it, and we'll gladly assess and incorporate your changes.

@guythetechie
Contributor

@rstelcer - the error message seems to point to a missing policy fragment, not to named value issues. It fails when creating a policy on operation dependecycheck in API echo-api, and the error message says it cannot find policy fragment TokenValidator.

Can you confirm that the policy fragment TokenValidator exists?
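
The missing-fragment condition raised above can be checked before the publisher runs. The following is an added example, not code from the issue thread or the APIOps project: `find_unresolved`, the source labels and the sample policy text are constructed for illustration, and `{{...}}` references are matched against named value display names, as in the issue's configuration.

```python
import re

# Regexes rather than an XML parser: APIM policies may embed C# expressions
# that are not well-formed XML.
FRAGMENT_REF = re.compile(r'<include-fragment\b[^>]*\bfragment-id\s*=\s*"([^"]+)"')
NAMED_VALUE_REF = re.compile(r"\{\{\s*([^{}\s]+)\s*\}\}")

# Constructed sample input modelled on the issue (not the reporter's real files).
SAMPLE_POLICIES = {
    "apis/echo-api/operations/dependecycheck": """<policies>
  <inbound>
    <base />
    <include-fragment fragment-id="TokenValidator" />
  </inbound>
</policies>""",
}
SAMPLE_FRAGMENTS = {
    "TokenValidator": """<fragment>
  <validate-jwt header-name="Authorization">
    <openid-config url="https://{{my_idp_hostname}}/.well-known/openid-configuration" />
    <required-claims>
      <claim name="{{my_namespace}}/customer_id" match="all" />
    </required-claims>
  </validate-jwt>
</fragment>""",
}


def find_unresolved(policies, fragments, named_values):
    """Return (source, kind, name) for every reference that will not resolve.

    policies and fragments map a label/id to policy XML text; named_values is
    the set of display names that will exist on the target instance.
    """
    documents = dict(policies)
    documents.update({f"fragment:{fid}": xml for fid, xml in fragments.items()})
    problems = []
    for source, xml in sorted(documents.items()):
        for frag_id in sorted(set(FRAGMENT_REF.findall(xml))):
            if frag_id not in fragments:
                problems.append((source, "policy-fragment", frag_id))
        for name in sorted(set(NAMED_VALUE_REF.findall(xml))):
            if name not in named_values:
                problems.append((source, "named-value", name))
    return problems
```

Called with an empty fragment set, the sample reports `TokenValidator` as unresolved for the `dependecycheck` operation, which is the same dependency the 400 response names.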
