Azcli fails to create FrontDoor WAF Policy #5625

Closed
alsastre opened this issue Dec 10, 2022 · 12 comments · Fixed by #5658
Labels
Auto-Assign Auto assign by bot customer-reported Issues that are reported by GitHub users external to the Azure organization. CXP Attention This issue is handled by CXP team. extension/front-door Network - Front Door Network question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@alsastre

Describe the bug

Command Name
az network front-door waf-policy create
Extension Name: front-door. Version: 1.0.17.

az-cli fails to create the azure front-door WAF policy with the latest version.

Errors:

(BadRequest) WebApplicationFirewallPolicy validation failed. More information "Policy ArmResourceId has incorrect formatting".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "Policy ArmResourceId has incorrect formatting".

Debug logs (With confidential data removed):

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/XXXXX/resourceGroups/XXXXXX/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/XXXXXXX?api-version=2020-11-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '230'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'XXXXXXXX'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network front-door waf-policy create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--name --resource-group --mode --sku --request-body-check --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.43.0 (HOMEBREW) azsdk-python-mgmt-frontdoor/1.0.0 Python/3.10.8 (macOS-12.6.1-x86_64-i386-64bit)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "global", "sku": {"name": "Premium_AzureFrontDoor"}, "properties": {"policySettings": {"enabledState": "Enabled", "mode": "Detection", "requestBodyCheck": "Enabled"}, "customRules": {"rules": []}, "managedRules": {}}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/XXXXX/resourceGroups/XXXXXX/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/XXXXXXX?api-version=2020-11-01 HTTP/1.1" 400 179
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
....
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "error": {
    "code": "BadRequest",
    "message": "WebApplicationFirewallPolicy validation failed. More information \"Policy ArmResourceId has incorrect formatting\"."
  }
}

To Reproduce:

Steps to reproduce the behaviour. Note that argument values have been redacted, as they may contain sensitive information.

  • az network front-door waf-policy create --name {} --resource-group {} --mode {} --sku {} --request-body-check {} --debug

Expected Behavior

Front door policy is created

Environment Summary

macOS-12.6.1-x86_64-i386-64bit, Darwin 21.6.0
Python 3.10.8
Installer: HOMEBREW

azure-cli 2.43.0

Extensions:
front-door 1.0.17
azure-firewall 0.14.4
log-analytics-solution 0.1.1
aks-preview 0.5.118
logic 0.1.6
azure-devops 0.25.0
storage-preview 0.8.3
sentinel 0.2.0
ssh 1.1.3
log-analytics 0.2.2
scheduled-query 0.5.1

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Additional Context

@ghost ghost added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported Issues that are reported by GitHub users external to the Azure organization. Network labels Dec 10, 2022
@ghost ghost added this to the Backlog milestone Dec 10, 2022
@ghost ghost assigned necusjz Dec 10, 2022
@ghost ghost added the Auto-Assign Auto assign by bot label Dec 10, 2022
@ghost

ghost commented Dec 11, 2022

Thank you for your feedback. This has been routed to the support team for assistance.

@yonzhan
Collaborator

yonzhan commented Dec 11, 2022

route to CXP team

@navba-MSFT navba-MSFT self-assigned this Dec 12, 2022
@navba-MSFT
Contributor

@alsastre Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.

@navba-MSFT
Contributor

@alsastre

To manage Azure Front Door Standard/Premium resource, use az afd CLI command.

To manage Classic Azure Front Door resource, use az network front-door CLI command.

@navba-MSFT navba-MSFT added the needs-author-feedback More information is needed from author to address the issue. label Dec 12, 2022
@alsastre
Author

I am not trying to manage the Azure Front Door but create WAF Policies for Front door (Microsoft.Network/frontdoorWebApplicationFirewallPolicies)

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Dec 12, 2022
@navba-MSFT
Contributor

@alsastre Thanks for clarifying. I am unable to reproduce this issue at my end. I ran the same command at my end and it ran successfully. See below:

I am using the same AzCLI (2.43.0) and front-door (1.0.17) extension as your environment.

CLI Command:

az network front-door waf-policy create -g MyRgName -n MyResource --sku Premium_AzureFrontDoor --request-body-check Enabled --mode Detection --debug

Output:
{
  "customRules": {
    "rules": []
  },
  "etag": null,
  "frontendEndpointLinks": [],
  "id": "/subscriptions/XXXX-XXXX-XXX-XXXX/resourcegroups/MyRGName/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/MyResource",
  "location": "Global",
  "managedRules": {
    "managedRuleSets": []
  },
  "name": "MyResource",
  "policySettings": {
    "customBlockResponseBody": null,
    "customBlockResponseStatusCode": null,
    "enabledState": "Enabled",
    "mode": "Detection",
    "redirectUrl": null,
    "requestBodyCheck": "Enabled"
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "MyRgName",
  "resourceState": "Enabled",
  "routingRuleLinks": [],
  "securityPolicyLinks": [],
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "tags": {},
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
}

Could you please run the above command again and check if that helps? Awaiting your reply.

@navba-MSFT navba-MSFT added needs-author-feedback More information is needed from author to address the issue. and removed needs-team-attention This issue needs attention from Azure service team or SDK team labels Dec 14, 2022
@navba-MSFT
Contributor

@alsastre I wanted to do a quick follow-up to check if you had a chance to look at my above comment. Please let us know if you have any updates on this. Awaiting your reply.

@alsastre
Author

I was able to test it today. The problem appears if you try to create the policy with - in the name (e.g. MyResource-test), which I believe is not supported, as the terraform project will also not allow me to.

So the issue should be that there should just be a nicer error message 😄

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Dec 19, 2022
navba-MSFT added a commit to navba-MSFT/azure-cli-extensions that referenced this issue Dec 20, 2022
 fixes Azure#5625 Update the help message for PolicyName

Giving "-" 'hyphen' in the policy name fails. The help message should include that the "Name must begin with a letter and contain only letters and numbers."
@navba-MSFT
Contributor

@alsastre Thanks for getting back. We have filed the above PR to include the proper help message to the waf-policy name parameter to mention - "Name must begin with a letter and contain only letters and numbers."

@navba-MSFT navba-MSFT removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Dec 20, 2022
necusjz pushed a commit that referenced this issue Dec 20, 2022
@ohads-MSFT
Contributor

@navba-MSFT @yonzhan - adding a help message is nice, but it doesn't solve the root cause of the misleading error message. This should be addressed at the root, by the Azure Front Door server, to return a proper error. Can we involve them here?

@eduards-vavere

Please update error message

@jrunestone

This issue is still not resolved, there is no message or validation error before creating the resource that the name has to be alphanumeric. I just tried (in the portal) with dashes in the name and it fails the same way.
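
Since the thread ends with the service still returning "Policy ArmResourceId has incorrect formatting" for a hyphenated name, a pre-flight check in the calling script gives a clear failure before the PUT is sent. The following is an added example, not part of the thread and not Azure CLI code; the function names `waf_policy_name_ok` and `create_waf_policy` are hypothetical, and the rule enforced is only the one quoted above ("Name must begin with a letter and contain only letters and numbers").

```shell
#!/bin/sh
# Added example: client-side validation of a Front Door WAF policy name
# before calling `az network front-door waf-policy create`.
# Function names are hypothetical; the rule is the one quoted in the thread.

# Exit status 0 if the name begins with a letter and contains only
# letters and numbers, 1 otherwise. Runs in a subshell so the locale
# override (ASCII-only character ranges) does not leak to the caller.
waf_policy_name_ok() (
  LC_ALL=C
  case "$1" in
    '' | [!A-Za-z]* | *[!A-Za-z0-9]*) exit 1 ;;
  esac
  exit 0
)

# Wrapper: create_waf_policy NAME RESOURCE_GROUP [extra az arguments...]
# Returns 2 with a readable message instead of letting the service answer
# 400 BadRequest; otherwise passes everything through to az unchanged.
create_waf_policy() {
  name=$1
  rg=$2
  shift 2
  if ! waf_policy_name_ok "$name"; then
    echo "error: WAF policy name '$name' is invalid:" \
         "must begin with a letter and contain only letters and numbers" >&2
    return 2
  fi
  az network front-door waf-policy create \
    --name "$name" --resource-group "$rg" "$@"
}

# Constructed sample names: the two that appear in the thread plus one
# that starts with a digit.
for candidate in MyResource MyResource-test 1policy; do
  if waf_policy_name_ok "$candidate"; then
    echo "accepted: $candidate"
  else
    echo "rejected: $candidate"
  fi
done
```

In a pipeline, call `create_waf_policy` in place of the raw `az` command so an invalid name stops the job with exit status 2 and a message that names the actual problem.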
