Get-AzSubscriptionDeploymentWhatIfResult hangs in Azure DevOps Pipeline using ManagedIdentity when trying to validate postgre-sql #28487

@TheToor

Description

I have a very strange issue and no longer have any idea what is happening.
When trying to deploy the following bicep file:

targetScope = 'subscription'

// General

param location string = 'northeurope'
param PSQLRGName string = '<redacted>'
param tags object = {
  Owner: '<redacted>'
}
param kvSubscriptionId string = '<redacted>'
param kvResourceGroup string = '<redacted>'
param kvName string = '<redacted>'

// Virtual Network

param subnetResourceId string = '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Network/virtualNetworks/<redacted>/subnets/<redacted>'

// PSQL

param psqlname string = '<redacted>'
param administratorlogin string = '<redacted>'
param skuName string = 'Standard_D16ds_v5'
param skuTier string = 'GeneralPurpose'
param geoRedundantBackup string = 'Enabled'
param privateDnsZoneArmResourceId string = '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Network/privateDnsZones/<redacted>'
param backupRetentionDays int = 30
param storagesize int = 64
param storageautogrow string = 'Disabled'
param psqlversion string = '16'
param highAvailability string = 'SameZone'
param maintenanceWindow object = {
  customWindow: 'Enabled'
  dayOfWeek: 0
  startHour: 0
  startMinute: 0
}
param publicNetworkAccess string = 'Disabled'
param administrators array = [
  {
    objectId: '<redacted>'
    principalName: '<redacted>'
    principalType: 'Group'
    tenantId: '<redacted>'
  }
]

// RESOURCES
resource psqlrg 'Microsoft.Resources/resourceGroups@2024-11-01' = {
  name: PSQLRGName
  location: location
  tags: tags
}

resource kv 'Microsoft.KeyVault/vaults@2024-11-01' existing = {
  name: kvName
  scope: resourceGroup(kvSubscriptionId, kvResourceGroup)
}

module flexibleServer 'br/public:avm/res/db-for-postgre-sql/flexible-server:0.12.0' = {
  scope: psqlrg
  name: 'flexibleServerDeployment'
  params: {
    availabilityZone: 1
    name: psqlname
    skuName: skuName
    tier: skuTier
    administratorLogin: administratorlogin
    administratorLoginPassword: kv.getSecret('psqladmin')
    delegatedSubnetResourceId: subnetResourceId
    geoRedundantBackup: geoRedundantBackup
    location: location
    privateDnsZoneArmResourceId: privateDnsZoneArmResourceId
    backupRetentionDays: backupRetentionDays
    storageSizeGB: storagesize
    autoGrow: storageautogrow
    version: psqlversion
    highAvailability: highAvailability
    publicNetworkAccess: publicNetworkAccess
    administrators: administrators
    maintenanceWindow: maintenanceWindow
  }
}

It works when I run it in PowerShell myself. When running the same file in the same environment (I even created a custom Azure DevOps runner), it hangs forever using the Managed Identity.
There is nothing shown in the logs. It hangs for the full hour until the pipeline kills the process.

The pipeline step, for testing, is currently as follows:

- task: AzurePowerShell@5
  displayName: IT - Run WhatIf deployments
  timeoutInMinutes: 5
  condition: eq(variables['detectManagementGroups.IT'], 'true')
  env:
    BICEP_TRACING_ENABLED: True
    BICEP_TRACING_VERBOSITY: Full
  inputs:
    azureSubscription: id-iac-mgit
    scriptType: InlineScript
    azurePowerShellVersion: LatestVersion
    pwsh: true
    Inline: |
      <Redacted Script here>

The PowerShell command used is:

$result = Get-AzSubscriptionDeploymentWhatIfResult -Name $deploymentName -Location "northeurope" -ResultFormat FullResourcePayloads -TemplateFile $file -Verbose

Notably, other types (like Azure Firewall) work with the same script.
It seems to only be hanging on the postgres resource and only in IAC. I have no idea how to further troubleshoot this.
Using flexible-server:0.13.1 also makes no difference.

Issue script & Debug output

2025-09-01T08:31:47.5826389Z ##[section]Starting: IT - Run WhatIf deployments
2025-09-01T08:31:47.5831901Z ==============================================================================
2025-09-01T08:31:47.5832079Z Task         : Azure PowerShell
2025-09-01T08:31:47.5832191Z Description  : Run a PowerShell script within an Azure environment
2025-09-01T08:31:47.5832314Z Version      : 5.261.0
2025-09-01T08:31:47.5832413Z Author       : Microsoft Corporation
2025-09-01T08:31:47.5832507Z Help         : https://aka.ms/azurepowershelltroubleshooting
2025-09-01T08:31:47.5832640Z ==============================================================================
2025-09-01T08:31:49.5294848Z AZUREPS_HOST_ENVIRONMENT: ADO/AzurePowerShell@v5_Linux_Managed-Azure 1_IAC Core Verification_977__
2025-09-01T08:31:49.5335071Z Generating script.
2025-09-01T08:31:49.7784158Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/mnt/vss/_work/_temp/8c048432-13eb-496d-b46e-bfacd4e13949.ps1'
2025-09-01T08:31:49.7903684Z File saved!
2025-09-01T08:31:52.0067381Z ##[command]Import-Module -Name /usr/local/share/powershell/Modules/Az.Accounts/5.2.0/Az.Accounts.psd1 -Global
2025-09-01T08:31:52.0067767Z ##[command]Clear-AzContext -Scope Process
2025-09-01T08:31:52.0068061Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2025-09-01T08:31:52.0068630Z ##[command] Connect-AzAccount -ServicePrincipal -Tenant <Tenant-ID> -ApplicationId *** -FederatedToken ***** -Environment AzureCloud -Scope Process
2025-09-01T08:31:52.0069761Z WARNING: TenantId '<Tenant-ID>' contains more than one active subscription. First one will be selected for further use. To select another subscription, use Set-AzContext.
2025-09-01T08:31:52.0070723Z WARNING: To override which subscription Connect-AzAccount selects by default, use `Update-AzConfig -DefaultSubscriptionForLogin 00000000-0000-0000-0000-000000000000`. Go to https://go.microsoft.com/fwlink/?linkid=2200610 for more information.
2025-09-01T08:31:53.7404200Z 
2025-09-01T08:31:53.7975509Z Deploying /mnt/vss/_work/1/s/<redacted-path>/<redacted-rg-name>/<redacted-file-name>.bicep
2025-09-01T08:32:04.8892488Z WARNING: TRACE: Bicep version: 0.37.4+27cc8db2ed, CLI arguments: "build /mnt/vss/_work/1/s/<redacted-path>/<redacted-rg-name>/<redacted-file-name>.bicep --stdout"
2025-09-01T08:32:04.8895907Z TRACE: PublicModuleMetadataHttpClient: Retrieving list of public registry modules...
2025-09-01T08:32:04.8896703Z WARNING: The following experimental Bicep features have been enabled: Enable extendable parameters. Experimental features should be enabled for testing purposes only, as there are no guarantees about the quality or stability of these features. Do not enable these settings for any production usage, or your production environment may be subject to breaking.
2025-09-01T08:32:04.8899677Z TRACE: Building semantic model for /mnt/vss/_work/1/s/<redacted-path>/<redacted-rg-name>/<redacted-file-name>.bicep (BicepFile). Experimental features enabled: Enable extendable parameters. Using bicepConfig from /mnt/vss/_work/1/s/bicepconfig.json.
2025-09-01T08:32:04.8900318Z TRACE: PublicModuleMetadataHttpClient: Retrieved info on 222 public registry modules.
2025-09-01T08:32:04.8902969Z TRACE: Building semantic model for /home/AzDevOps/.bicep/br/mcr.microsoft.com/bicep$avm$res$db-for-postgre-sql$flexible-server/0.12.0$/main.json
2025-09-01T08:32:04.8903661Z 
2025-09-01T08:32:04.8906234Z
2025-09-01T08:32:04.9716639Z DEBUG: 08:32:04 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
2025-09-01T08:32:04.9718948Z DEBUG: 08:32:04 - GetAzureSubscriptionDeploymentWhatIfResultCmdlet begin processing with ParameterSet 'ByTemplateFileWithNoParameters'.
2025-09-01T08:32:04.9719846Z DEBUG: 08:32:04 - using account id '***'...
2025-09-01T08:32:04.9723640Z DEBUG: 08:32:04 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [Az.Resources], Cmdlet = [Get-AzDeploymentWhatIfResult]. Returning default value [True].
2025-09-01T08:32:04.9769193Z Getting the latest status of all resources...DEBUG: [Common.Authentication]: Authenticating using Account: '***', environment: 'AzureCloud', tenant: '<Tenant-ID>'
2025-09-01T08:32:04.9770437Z DEBUG: 08:32:04 - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
2025-09-01T08:36:47.6024585Z ##[error]The task has timed out.
2025-09-01T08:36:47.6044253Z ##[section]Finishing: IT - Run WhatIf deployments

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.2
PSEdition                      Core
GitCommitId                    7.5.2
OS                             Ubuntu 24.04.3 LTS
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     5.2.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     8.1.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}

Error output

Not possible because it hangs

Labels: Service Attention, arm-bicep, bug, customer-reported
