Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzFirewallPolicyRuleCollectionGroup not using resourceid parameter #22312

Open LeoH2K opened 1 year ago

LeoH2K commented 1 year ago

Description

The `Get-AzFirewallPolicyRuleCollectionGroup` source code has the parameter for resourceid, but it is not used in the `executecmdlet`. When I run the cmdlet, it returns nothing but accepts the Resource ID string.

Issue script & Debug output

PS> $DebugPreference='Continue'
PS> Get-AzFirewallPolicyRuleCollectionGroup -ResourceId "<ResourceID String>"
DEBUG: 14:51:35 - GetAzureFirewallPolicyRuleCollectionGroupCommand begin processing with ParameterSet 'GetByResourceIdParameterSet'.
DEBUG: 14:51:35 - using account id '<user Account>'...
DEBUG: 14:51:35 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 14:51:35 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Network:6.1.0; CommandName: Get-AzFirewallPolicyRuleCollectionGroup; PSVersion: 7.3.5; IsSuccess: True; Duration: 00:00:00.0018991
DEBUG: 14:51:35 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 14:51:35 - GetAzureFirewallPolicyRuleCollectionGroupCommand end processing.

Environment data

PS> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.5
PSEdition                      Core
GitCommitId                    7.3.5
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

PS > Get-Module Az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.12.4                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     6.1.0                 Az.Network                          {Add-AzApplicationGatewayAuthenticationCertificate, Add-AzApplicationGatewayBackendAddressPool, Add-AzApplicationGatewayBackendHttpSetting…

Error output

PS> Resolve-AzError
DEBUG: 14:51:46 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 14:51:46 - using account id '<user account>'...
DEBUG: 14:51:46 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].

DEBUG: 14:51:46 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.4; CommandName: Resolve-AzError; PSVersion: 7.3.5; IsSuccess: True; Duration: 00:00:00.0008613
DEBUG: 14:51:46 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 14:51:46 - ResolveError end processing.

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @fwsuppgithub.

Issue Details
Author: LeoH2K
Assignees: -
Labels: `Service Attention`, `bug`, `customer-reported`, `Network - Firewall`
Milestone: -

ChristopherGLewis commented 10 months ago

Any update on this? We've got a requirement to automate Azure FW policies through PowerShell and this AzModule command just doesn't work.

> $RG = 'rg-FW'
> $FWP = 'FirewallPolicy_test-1-fw_premium_07600a'
> $fw = 'test-1-fw'
> $RCGName = 'lewisRuleCollectionGroup'
> $fwobj = Get-AzFirewall -ResourceGroupName $rg -Name $fw
> $FWPObj = Get-AzFirewallPolicy -ResourceGroupName $rg -Name $FWP
> $RCGID = $FWPObj.RuleCollectionGroups.where({ $_.id -match $RCGName })[0].id
#This doesn't work
> $DebugPreference='Continue'
> $RCGobj = Get-AzFirewallPolicyRuleCollectionGroup -ResourceId $RCGID -debug -verbose
> Get-AzFirewallPolicyRuleCollectionGroup -ResourceId $rcgobj.Properties.id -Debug -Verbose

DEBUG: 3:24:48 PM - GetAzureFirewallPolicyRuleCollectionGroupCommand begin processing with ParameterSet 'GetByResourceIdParameterSet'.
DEBUG: 3:24:48 PM - using account id 'test@infrapractice.3cloudsolutions.com'...
DEBUG: 3:24:48 PM - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: 3:24:48 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:24:48 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: AzureQoSEvent:  Module: Az.Network:6.2.0; CommandName: Get-AzFirewallPolicyRuleCollectionGroup; PSVersion: 7.3.9; IsSuccess: True; Duration: 00:00:00.0005601
DEBUG: 3:24:48 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 3:24:48 PM - GetAzureFirewallPolicyRuleCollectionGroupCommand end processing.
DEBUG: Setting WindowTitle: Test [main] - PowerShell 7.3 (53148)
> Resolve-AzError 
DEBUG: 3:24:50 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 3:24:50 PM - using account id 'test@infrapractice.3cloudsolutions.com'...
DEBUG: 3:24:50 PM - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: 3:24:50 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:24:50 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.13.0; CommandName: Resolve-AzError; PSVersion: 7.3.9; IsSuccess: True; Duration: 00:00:00.0006650
DEBUG: 3:24:50 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 3:24:50 PM - ResolveError end processing.
DEBUG: Setting WindowTitle: Test [main] - PowerShell 7.3 (53148)

> $RCGIDArray = $RCGID -split "/"
> $RCGobj = Get-AzFirewallPolicyRuleCollectionGroup -ResourceGroupName $RCGIDArray[4] -AzureFirewallPolicyName $RCGIDArray[8] -Name $RCGIDArray[10] 

$RCGobj = Get-AzFirewallPolicyRuleCollectionGroup -ResourceGroupName $RCGIDArray[4] -AzureFirewallPolicyName $RCGIDArray[8] -Name $RCGIDArray[10] -debug
DEBUG: 3:29:43 PM - GetAzureFirewallPolicyRuleCollectionGroupCommand begin processing with ParameterSet 'GetByNameParameterSet'.
DEBUG: 3:29:43 PM - using account id 'test@infrapractice.3cloudsolutions.com'...
DEBUG: 3:29:43 PM - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: [Common.Authentication]: Authenticating using Account: 'test@infrapractice.3cloudsolutions.com', environment: 'AzureCloud', tenant: 'Tenant-id-11-22-33-44'
DEBUG: 3:29:43 PM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 3:29:43 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'Tenant-id-11-22-33-44', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'test@infrapractice.3cloudsolutions.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(b671289e-fe10-4bb6-8260-e619aa82f69f)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] 
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - b671289e-fe10-4bb6-8260-e619aa82f69f
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] Access token is not expired. Returning the found cache entry. [Current time (11/10/2023 21:29:43) - Expiration Time (11/10/2023 22:36:55 +00:00) - Extended Expiration Time (11/10/2023 22:36:55 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] 
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f]  AT expiration time: 11/10/2023 10:36:55 PM +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2023-11-10T22:36:55.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'Tenant-id-11-22-33-44', UserId: 'test@infrapractice.3cloudsolutions.com'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/sub-id-11-22-33-44/resourceGroups/rg-FW/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_test-1-fw_premium_07600a/ruleCollectionGroups/LewisRuleCollectionGroup?api-version=2023-05-01

Headers:
Accept-Language               : en-US
x-ms-client-request-id        : 48ea5edf-2fa9-4eda-97bd-745cd0dc7ef1

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
ETag                          : "ddfa4a53-dbcd-4eae-9909-eba9ef0a0ad4"
Server                        : Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-request-id               : 1e4dae38-90a1-4a2a-b58f-df6c462f1b21
x-ms-correlation-request-id   : 1e4dae38-90a1-4a2a-b58f-df6c462f1b21
x-ms-routing-request-id       : NORTHCENTRALUS:20231110T212936Z:1e4dae38-90a1-4a2a-b58f-df6c462f1b21
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Fri, 10 Nov 2023 21:29:36 GMT

Body:
{
  "properties": {
    "size": "0.00139904 MB",
    "priority": 1000,
    "ruleCollections": [
      {
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "action": {
          "type": "Allow"
        },
        "rules": [
          {
            "ruleType": "NetworkRule",
            "ipv6Rule": false,
            "name": "test1",
            "ipProtocols": [
              "Any"
            ],
            "sourceAddresses": [
              "1.1.1.1"
            ],
            "sourceIpGroups": [],
            "destinationAddresses": [
              "10.1.1.1"
            ],
            "destinationIpGroups": [],
            "destinationFqdns": [],
            "destinationPorts": [
              "53"
            ]
          }
        ],
        "name": "LewisNetworkRuleCollection",
        "priority": 1999
      }
    ],
    "provisioningState": "Succeeded"
  },
  "id": "/subscriptions/sub-id-11-22-33-44/resourceGroups/rg-FW/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_test-1-fw_premium_07600a/ruleCollectionGroups/LewisRuleCollectionGroup",
  "name": "LewisRuleCollectionGroup",
  "type": "Microsoft.Network/FirewallPolicies/RuleCollectionGroups",
  "etag": "ddfa4a53-dbcd-4eae-9909-eba9ef0a0ad4",
  "location": "eastus"
}

DEBUG: 3:29:43 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:29:43 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: AzureQoSEvent:  Module: Az.Network:6.2.0; CommandName: Get-AzFirewallPolicyRuleCollectionGroup; PSVersion: 7.3.9; IsSuccess: True; Duration: 00:00:00.5467800
DEBUG: 3:29:43 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 3:29:43 PM - GetAzureFirewallPolicyRuleCollectionGroupCommand end processing.
DEBUG: Setting WindowTitle: test [main] - PowerShell 7.3 (53148)
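
The workaround in the comment above splits the resource ID on "/" and reads fixed indices, and the `-ResourceId` path reports `IsSuccess: True` while returning nothing, so a policy audit script can mistake the empty result for "no rules". The following is an added example, not code from this thread or from Az.Network: it validates the ID shape, calls the by-name parameter set shown above, and fails loudly on an empty result. The function names are hypothetical, and the subscription check assumes the by-name lookup runs against the current context's subscription.

```powershell
# Added example. ConvertFrom-RuleCollectionGroupId and Get-RuleCollectionGroupById
# are hypothetical helper names, not part of Az.Network.
function ConvertFrom-RuleCollectionGroupId {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $ResourceId)

    # Anchored pattern: accept only a firewall policy rule collection group ID.
    # PowerShell regex operators are case-insensitive, as ARM resource IDs are.
    $pattern = '^/subscriptions/(?<sub>[^/]+)/resourceGroups/(?<rg>[^/]+)' +
               '/providers/Microsoft\.Network/firewallPolicies/(?<policy>[^/]+)' +
               '/ruleCollectionGroups/(?<name>[^/]+)/?$'
    if ($ResourceId -notmatch $pattern) {
        throw "Not a rule collection group resource ID: '$ResourceId'"
    }
    [pscustomobject]@{
        SubscriptionId    = $Matches['sub']
        ResourceGroupName = $Matches['rg']
        PolicyName        = $Matches['policy']
        Name              = $Matches['name']
    }
}

function Get-RuleCollectionGroupById {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $ResourceId)

    $id = ConvertFrom-RuleCollectionGroupId -ResourceId $ResourceId

    # Assumption: the by-name call targets the current context's subscription,
    # so refuse an ID that points at a different one.
    $current = (Get-AzContext).Subscription.Id
    if ($current -ne $id.SubscriptionId) {
        throw "Context subscription '$current' does not match '$($id.SubscriptionId)'."
    }

    $byName = @{
        ResourceGroupName       = $id.ResourceGroupName
        AzureFirewallPolicyName = $id.PolicyName
        Name                    = $id.Name
        ErrorAction             = 'Stop'
    }
    $group = Get-AzFirewallPolicyRuleCollectionGroup @byName

    # An empty result must never be read as "this group has no rules".
    if ($null -eq $group) {
        throw "No rule collection group returned for '$ResourceId'."
    }
    $group
}

# Offline check of the parser, using the ID from the HTTP response body above.
ConvertFrom-RuleCollectionGroupId -ResourceId '/subscriptions/sub-id-11-22-33-44/resourceGroups/rg-FW/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_test-1-fw_premium_07600a/ruleCollectionGroups/LewisRuleCollectionGroup'
```
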
LeoH2K commented 9 months ago

dsf

bergsj commented 3 months ago

Any update on this?

lukeb1961 commented 2 weeks ago

Come on guys, still broken. Could someone look into this?