Skip to content

[App Service] Fix #21907: az webapp config container set: preserve Key Vault references#33071

Closed
seligj95 wants to merge 1 commit intoAzure:devfrom
seligj95:fix/21907-container-kv-refs
Closed

[App Service] Fix #21907: az webapp config container set: preserve Key Vault references#33071
seligj95 wants to merge 1 commit intoAzure:devfrom
seligj95:fix/21907-container-kv-refs

Conversation

@seligj95
Copy link
Contributor

@seligj95 seligj95 commented Mar 26, 2026

Description

Fixes #21907

When running az webapp config container set, existing app settings containing Key Vault references (@Microsoft.KeyVault(...)) were being overwritten with raw values. This occurred because:

  1. ACR credential auto-detection replaced KV-referenced credentials with raw values when a .azurecr.io URL was provided without explicit --docker-registry-server-user/--docker-registry-server-password.
  2. The settings update used a read-modify-write cycle through update_app_settings that could interfere with non-container settings.

Changes

  • custom.py: Added _is_key_vault_reference() helper. Modified update_container_settings to:

    • Read existing settings first and check for KV references before ACR auto-detection
    • Skip ACR credential auto-lookup when existing DOCKER_REGISTRY_SERVER_USERNAME or DOCKER_REGISTRY_SERVER_PASSWORD are Key Vault references
    • Merge only container-specific keys directly into the existing properties dict, preserving all other app settings as-is

  • test_webapp_commands_thru_mock.py: Added TestUpdateContainerSettingsPreservesKeyVaultRefs with 3 tests:

    • KV ref app settings survive a container set operation
    • ACR credential auto-detection is skipped when existing creds are KV references
    • _is_key_vault_reference correctly identifies KV ref strings

Testing

  • azdev style appservice — PASSED
  • azdev linter appservice — pre-existing batch module errors only; no appservice issues
  • All 32 unit tests in test_webapp_commands_thru_mock.py pass

@seligj95
[App Service] Fix Azure#21907: az webapp config container set: pres…
437ca3f 
…erve Key Vault references

When running `az webapp config container set`, existing app settings
containing Key Vault references (e.g., @Microsoft.KeyVault(...)) were
being overwritten. This happened because:

1. ACR credential auto-detection replaced KV-ref credentials with raw
   values when a .azurecr.io URL was provided without explicit
   username/password.
2. The settings update used a read-modify-write cycle through
   update_app_settings that could interfere with non-container settings.

This fix:
- Adds _is_key_vault_reference() helper to detect KV reference values.
- Skips ACR credential auto-detection when existing username/password
  settings are Key Vault references.
- Merges only container-specific keys directly into the existing
  properties dict, preserving all other app settings as-is.
- Adds unit tests verifying KV references survive container set
  operations.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@seligj95 seligj95 requested a review from NoriZC as a code owner March 26, 2026 15:30
Copilot AI review requested due to automatic review settings March 26, 2026 15:30
@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Mar 26, 2026
edited
Loading

❌AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.13
️✔️acs
️✔️latest
️✔️3.12
️✔️3.13
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.13
️✔️ams
️✔️latest
️✔️3.12
️✔️3.13
️✔️apim
️✔️latest
️✔️3.12
️✔️3.13
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.13
❌appservice
❌latest
❌3.12
Type Test Case Error Message Line
Failed test_functionapp_workloadprofiles self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f4df140b740>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f4df4e90c50>
command = 'functionapp config container set -g clitest.rg000001 -n functionapp000003 --workload-profile-name wlp000006 --cpu 0.75 --memory 2.0Gi'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:159: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception
    raise ex
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:678: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:821: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:790: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/custom.py:3719: in update_container_settings_functionapp
    return update_container_settings(cmd, resource_group_name, name, registry_server,
src/azure-cli/azure/cli/command_modules/appservice/custom.py:3659: in update_container_settings
    settings = get_app_settings(cmd, resource_group_name, name, slot)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/custom.py:2846: in get_app_settings
    result = generic_site_operation(cmd.cli_ctx, resource_group_name, name, 'list_application_settings', slot)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/appservice_utils.py:20: in generic_site_operation
    return (operation(resource_group_name, name)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/mgmt/web/v2024_11_01/operations/web_apps_operations.py:19194: in list_application_settings
    pipeline_response: PipelineResponse = self.client.pipeline.run(  # pylint: disable=protected-access
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:242: in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/mgmt/core/policies/base.py:95: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/redirect.py:205: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/retry.py:545: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/authentication.py:194: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:130: in send
    self.sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/transport/requests_basic.py:375: in send
    response = self.session.request(  # type: ignore
env/lib/python3.12/site-packages/requests/sessions.py:589: in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/requests/sessions.py:703: in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/requests/adapters.py:667: in send
    resp = conn.urlopen(
env/lib/python3.12/site-packages/urllib3/connectionpool.py:787: in urlopen
    response = self.make_request(
env/lib/python3.12/site-packages/urllib3/connectionpool.py:534: in make_request
    response = conn.getresponse()
               ^^^^^^^^^^^^^^^^^^
                                        

self = <VCRRequestsHTTPSConnection/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml(host='management.azure.com', port=443) at 0x7f4dee6e9460>
 = False, kwargs = {}

    def getresponse(self, =False, **kwargs):
        """Retrieve the response"""
        # Check to see if the cassette has a response for this request. If so,
        # then return it
        if self.cassette.can_play_response_for(self.vcr_request):
            log.info(f"Playing response for {self.vcr_request} from cassette")
            response = self.cassette.play_response(self.vcr_request)
            return VCRHTTPResponse(response)
        else:
            if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request):
>               raise CannotOverwriteExistingCassetteException(
                    cassette=self.cassette,
                    failed_request=self.vcr_request,
                )
E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml') in your current record mode ('once').
E               No match for the request (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>)&nbsp;was&nbsp;found.
E               Found 5 similar requests with 0 different matcher(s) :
E               
E               1 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               2 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               3 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               4 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               5 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :

env/lib/python3.12/site-packages/vcr/stubs/init.py:277: CannotOverwriteExistingCassetteException

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.appservice.tests.latest.test_functionapp_commands.FunctionWorkloadProfile testMethod=test_functionapp_workloadprofiles>
resource_group = 'clitest.rg000001', storage_account = 'clitest000002'

    @AllowLargeResponse()
    @ResourceGroupPreparer(location='northeurope')
    @StorageAccountPreparer()
    def test_functionapp_workloadprofiles(self, resource_group, storage_account):
    
        functionapp_name = self.create_random_name(
            'functionapp', 32)
        managed_environment_name = self.create_random_name(
            'managedenvironment', 40
        )
        workload_profile_name = self.create_random_name(
            'wlp', 15
        )
    
        workload_profile_name_2 = self.create_random_name(
            'wlp', 15
        )
    
        self.cmd('containerapp env create --name {} --resource-group {} --location northeurope --enable-workload-profiles  --logs-destination none'.format(
            managed_environment_name,
            resource_group,
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('containerapp env workload-profile add --name {} --resource-group {} --workload-profile-type D4 -w {} --min-nodes 3 --max-nodes 6'.format(
            managed_environment_name,
            resource_group,
            workload_profile_name
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('containerapp env workload-profile add --name {} --resource-group {} --workload-profile-type D4 -w {} --min-nodes 3 --max-nodes 6'.format(
            managed_environment_name,
            resource_group,
            workload_profile_name_2
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('functionapp create -g {} -n {} -s {} --functions-version 4 --runtime dotnet-isolated --environment {} --workload-profile-name {} --cpu 1.0 --memory 1.0Gi'.format(
            resource_group,
            functionapp_name,
            storage_account,
            managed_environment_name,
            workload_profile_name
        )).assert_with_checks([
            JMESPathCheck('resourceConfig.cpu', 1.0),
            JMESPathCheck('resourceConfig.memory', '1Gi'),
            JMESPathCheck('workloadProfileName', workload_profile_name)
            ])
    
        self.cmd('functionapp show -g {} -n {}'.format(resource_group, functionapp_name)).assert_with_checks([
            JMESPathCheck('resourceConfig.cpu', 1.0),
            JMESPathCheck('resourceConfig.memory', '1Gi'),
            JMESPathCheck('workloadProfileName', workload_profile_name),
        ])
    
>       self.cmd('functionapp config container set -g {} -n {} --workload-profile-name {} --cpu 0.75 --memory 2.0Gi'.format(
            resource_group,
            functionapp_name,
            workload_profile_name_2
        ))

src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:581: 
                                        
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
                                        

self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f4df140b740>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f4df4e90c50>
command = 'functionapp config container set -g clitest.rg000001 -n functionapp000003 --workload-profile-name wlp000006 --cpu 0.75 --memory 2.0Gi'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
            self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
            self.output = stdout_buf.getvalue()
            self.applog = logging_buf.getvalue()
    
        except CannotOverwriteExistingCassetteException as ex:
>           raise AssertionError(ex)
E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml') in your current record mode ('once').
E           No match for the request (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>)&nbsp;was&nbsp;found.
E           Found 5 similar requests with 0 different matcher(s) :
E           
E           1 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           2 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           3 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           4 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           5 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :

src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError		 azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:518
Failed test_functionapp_enable_dapr The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:673
Failed test_functionapp_container_config_set_replicas The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:1851
Failed test_linux_webapp_quick_create The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:188
Failed test_linux_webapp_multicontainer_slot The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:1382
Failed test_container_webapp_docker_image_name The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:2434
❌3.13
Type Test Case Error Message Line
Failed test_functionapp_workloadprofiles self = <azure.cli.testsdk.base.ExecutionResult object at 0x7fde684128d0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7fde6e56e490>
command = 'functionapp config container set -g clitest.rg000001 -n functionapp000003 --workload-profile-name wlp000006 --cpu 0.75 --memory 2.0Gi'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:159: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception
    raise ex
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:678: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:821: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:790: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/custom.py:3719: in update_container_settings_functionapp
    return update_container_settings(cmd, resource_group_name, name, registry_server,
src/azure-cli/azure/cli/command_modules/appservice/custom.py:3659: in update_container_settings
    settings = get_app_settings(cmd, resource_group_name, name, slot)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/custom.py:2846: in get_app_settings
    result = generic_site_operation(cmd.cli_ctx, resource_group_name, name, 'list_application_settings', slot)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appservice/appservice_utils.py:20: in generic_site_operation
    return (operation(resource_group_name, name)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/mgmt/web/v2024_11_01/operations/web_apps_operations.py:19194: in list_application_settings
    pipeline_response: PipelineResponse = self.client.pipeline.run(  # pylint: disable=protected-access
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:242: in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/mgmt/core/policies/base.py:95: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/redirect.py:205: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/retry.py:545: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/authentication.py:194: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:130: in send
    self.sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/transport/requests_basic.py:375: in send
    response = self.session.request(  # type: ignore
env/lib/python3.13/site-packages/requests/sessions.py:589: in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/requests/sessions.py:703: in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/requests/adapters.py:667: in send
    resp = conn.urlopen(
env/lib/python3.13/site-packages/urllib3/connectionpool.py:787: in urlopen
    response = self.make_request(
env/lib/python3.13/site-packages/urllib3/connectionpool.py:534: in make_request
    response = conn.getresponse()
               ^^^^^^^^^^^^^^^^^^
                                        

self = <VCRRequestsHTTPSConnection/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml(host='management.azure.com', port=443) at 0x7fde6adc7930>
 = False, kwargs = {}

    def getresponse(self, =False, **kwargs):
        """Retrieve the response"""
        # Check to see if the cassette has a response for this request. If so,
        # then return it
        if self.cassette.can_play_response_for(self.vcr_request):
            log.info(f"Playing response for {self.vcr_request} from cassette")
            response = self.cassette.play_response(self.vcr_request)
            return VCRHTTPResponse(response)
        else:
            if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request):
>               raise CannotOverwriteExistingCassetteException(
                    cassette=self.cassette,
                    failed_request=self.vcr_request,
                )
E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml') in your current record mode ('once').
E               No match for the request (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>)&nbsp;was&nbsp;found.
E               Found 5 similar requests with 0 different matcher(s) :
E               
E               1 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               2 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               3 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               4 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :
E               
E               5 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher']
E               Matchers failed :

env/lib/python3.13/site-packages/vcr/stubs/init.py:277: CannotOverwriteExistingCassetteException

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.appservice.tests.latest.test_functionapp_commands.FunctionWorkloadProfile testMethod=test_functionapp_workloadprofiles>
resource_group = 'clitest.rg000001', storage_account = 'clitest000002'

    @AllowLargeResponse()
    @ResourceGroupPreparer(location='northeurope')
    @StorageAccountPreparer()
    def test_functionapp_workloadprofiles(self, resource_group, storage_account):
    
        functionapp_name = self.create_random_name(
            'functionapp', 32)
        managed_environment_name = self.create_random_name(
            'managedenvironment', 40
        )
        workload_profile_name = self.create_random_name(
            'wlp', 15
        )
    
        workload_profile_name_2 = self.create_random_name(
            'wlp', 15
        )
    
        self.cmd('containerapp env create --name {} --resource-group {} --location northeurope --enable-workload-profiles  --logs-destination none'.format(
            managed_environment_name,
            resource_group,
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('containerapp env workload-profile add --name {} --resource-group {} --workload-profile-type D4 -w {} --min-nodes 3 --max-nodes 6'.format(
            managed_environment_name,
            resource_group,
            workload_profile_name
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('containerapp env workload-profile add --name {} --resource-group {} --workload-profile-type D4 -w {} --min-nodes 3 --max-nodes 6'.format(
            managed_environment_name,
            resource_group,
            workload_profile_name_2
        ))
    
        if self.is_live:
            time.sleep(260)
    
        self.cmd('functionapp create -g {} -n {} -s {} --functions-version 4 --runtime dotnet-isolated --environment {} --workload-profile-name {} --cpu 1.0 --memory 1.0Gi'.format(
            resource_group,
            functionapp_name,
            storage_account,
            managed_environment_name,
            workload_profile_name
        )).assert_with_checks([
            JMESPathCheck('resourceConfig.cpu', 1.0),
            JMESPathCheck('resourceConfig.memory', '1Gi'),
            JMESPathCheck('workloadProfileName', workload_profile_name)
            ])
    
        self.cmd('functionapp show -g {} -n {}'.format(resource_group, functionapp_name)).assert_with_checks([
            JMESPathCheck('resourceConfig.cpu', 1.0),
            JMESPathCheck('resourceConfig.memory', '1Gi'),
            JMESPathCheck('workloadProfileName', workload_profile_name),
        ])
    
>       self.cmd('functionapp config container set -g {} -n {} --workload-profile-name {} --cpu 0.75 --memory 2.0Gi'.format(
            resource_group,
            functionapp_name,
            workload_profile_name_2
        ))

src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:581: 
                                        
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
                                        

self = <azure.cli.testsdk.base.ExecutionResult object at 0x7fde684128d0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7fde6e56e490>
command = 'functionapp config container set -g clitest.rg000001 -n functionapp000003 --workload-profile-name wlp000006 --cpu 0.75 --memory 2.0Gi'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
            self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
            self.output = stdout_buf.getvalue()
            self.applog = logging_buf.getvalue()
    
        except CannotOverwriteExistingCassetteException as ex:
>           raise AssertionError(ex)
E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_functionapp_workloadprofiles.yaml') in your current record mode ('once').
E           No match for the request (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>)&nbsp;was&nbsp;found.
E           Found 5 similar requests with 0 different matcher(s) :
E           
E           1 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           2 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           3 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           4 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           5 - (<Request (POST) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Web/sites/functionapp000003/config/appsettings/list?api-version=2024-11-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :

src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError		 azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:518
Failed test_functionapp_enable_dapr The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:673
Failed test_functionapp_container_config_set_replicas The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_functionapp_commands.py:1851
Failed test_linux_webapp_quick_create The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:188
Failed test_linux_webapp_multicontainer_slot The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:1382
Failed test_container_webapp_docker_image_name The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py:2434
️✔️aro
️✔️latest
️✔️3.12
️✔️3.13
️✔️backup
️✔️latest
️✔️3.12
️✔️3.13
️✔️batch
️✔️latest
️✔️3.12
️✔️3.13
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.13
️✔️billing
️✔️latest
️✔️3.12
️✔️3.13
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.13
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.13
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.13
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.13
️✔️config
️✔️latest
️✔️3.12
️✔️3.13
️✔️configure
️✔️latest
️✔️3.12
️✔️3.13
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.13
️✔️container
️✔️latest
️✔️3.12
️✔️3.13
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.13
️✔️core
️✔️latest
️✔️3.12
️✔️3.13
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.13
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.13
️✔️dls
️✔️latest
️✔️3.12
️✔️3.13
️✔️dms
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.13
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.13
️✔️find
️✔️latest
️✔️3.12
️✔️3.13
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.13
️✔️identity
️✔️latest
️✔️3.12
️✔️3.13
️✔️iot
️✔️latest
️✔️3.12
️✔️3.13
️✔️keyvault
️✔️latest
️✔️3.12
️✔️3.13
️✔️lab
️✔️latest
️✔️3.12
️✔️3.13
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️maps
️✔️latest
️✔️3.12
️✔️3.13
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.13
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.13
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.13
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.13
️✔️network
️✔️latest
️✔️3.12
️✔️3.13
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️postgresql
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Mar 26, 2026

Hi @seligj95,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Mar 26, 2026
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Copy link
Collaborator

yonzhan commented Mar 26, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link

github-actions bot commented Mar 26, 2026

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Mar 26, 2026
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes az webapp config container set overwriting Key Vault reference app settings by changing how container-related app settings are detected and updated so KV-ref values are preserved.

Changes:

  • Add _is_key_vault_reference() helper and use it to skip ACR credential auto-detection when existing DOCKER credential settings are KV references.
  • Update update_container_settings to merge only container-related keys into existing app settings instead of using the prior update flow that could overwrite unrelated settings.
  • Add unit tests to ensure KV refs are preserved and ACR auto-detection is skipped when KV refs are present.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/azure-cli/azure/cli/command_modules/appservice/custom.py Updates container settings logic to preserve Key Vault reference values and avoid overwriting unrelated app settings.
src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands_thru_mock.py Adds tests covering KV-ref preservation, ACR auto-detect skip behavior, and KV-ref detection helper.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/azure-cli/azure/cli/command_modules/appservice/custom.py
Comment on lines +3611 to +3614
# Read existing app settings so we can preserve non-container settings and Key Vault references
existing_app_settings = _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'list_application_settings', slot)
existing_properties = existing_app_settings.properties or {}
Copy link

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update_container_settings now calls list_application_settings unconditionally, even when no container app settings are being updated (e.g., only container_image_name/multicontainer/min/max are provided). This adds an extra network call on a hot command path; consider fetching existing app settings lazily only when needed (when container_updates will be applied and/or when ACR auto-detect needs to inspect existing DOCKER creds).

Copilot uses AI. Check for mistakes.
src/azure-cli/azure/cli/command_modules/appservice/custom.py
Comment on lines +3613 to +3614
'list_application_settings', slot)
existing_properties = existing_app_settings.properties or {}
Copy link

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

existing_properties = existing_app_settings.properties or {} creates a fallback dict, but later updates write to existing_app_settings.properties[...]. If properties is None, this will still raise; assign the fallback back to the object (e.g., existing_app_settings.properties = existing_properties) before any reads/writes.

Suggested change
'list_application_settings', slot)
existing_properties = existing_app_settings.properties or {}
'list_application_settings', slot)
existing_properties = existing_app_settings.properties or {}
if existing_app_settings.properties is None:
existing_app_settings.properties = existing_properties

Copilot uses AI. Check for mistakes.
@seligj95 seligj95 mentioned this pull request Mar 26, 2026
Open
@seligj95
Copy link
Contributor Author

seligj95 commented Mar 26, 2026

Consolidated into #33064. The Key Vault reference fix has been cherry-picked and merged with the managed identity ACR pull changes, with conflicts resolved and all tests passing.

@seligj95 seligj95 closed this Mar 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@NoriZC NoriZC Awaiting requested review from NoriZC NoriZC is a code owner

@yanzhudd yanzhudd Awaiting requested review from yanzhudd yanzhudd is a code owner

@teresaritorto teresaritorto Awaiting requested review from teresaritorto teresaritorto is a code owner

@jsntcy jsntcy Awaiting requested review from jsntcy

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms

@yonzhan yonzhan Awaiting requested review from yonzhan

@wangzelin007 wangzelin007 Awaiting requested review from wangzelin007

Assignees

@zhoxing-ms zhoxing-ms

Labels

act-observability-squad Auto-Assign Auto assign by bot Web Apps az webapp

Projects

None yet

Milestone

May 2026 (2026-05-05)

Development

Successfully merging this pull request may close these issues.

webapp config container set overwrites DOCKER_* app settings

4 participants

@seligj95 @yonzhan @zhoxing-ms