sphibbs
commented
5 years ago @avijitgupta @chandrasekarsrinivasan @MikhailTryakhov can you take a look? Piping should work here.
Open spaelling opened 5 years ago
sphibbs
commented
5 years ago @avijitgupta @chandrasekarsrinivasan @MikhailTryakhov can you take a look? Piping should work here.
EvgenyAgafonchikov
commented
5 years ago Basing on the current implementation, this seems to be expected behavior. You have to re-specify all the parameters in Set to avoid dropping values or setting them to defaults. Please find discussion of similar issue there: https://github.com/Azure/azure-powershell/issues/3493#issuecomment-456383703
@sphibbs, I looked through open issues and there are some similar, for example https://github.com/Azure/azure-powershell/issues/5145.
Basing on the discussion referenced above, we may need to "merge" these issues and decide on common solution for them. Simple solution looks like wrapping
prop = this.prop;constructions into
if(this.prop != null)
{
prop = this.prop;
}for required properties to avoid dropping them, while optional still could be nullified. However, per discussion there is another request: to have incremental Set version that would keep optional properties too. And this is the thing that requires universal solution discussion.
spaelling
commented
5 years ago Basing on the current implementation, this seems to be expected behavior. You have to re-specify all the parameters in Set to avoid dropping values or setting them to defaults. Please find discussion of similar issue there: #3493 (comment)
@sphibbs, I looked through open issues and there are some similar, for example #5145.
Basing on the discussion referenced above, we may need to "merge" these issues and decide on common solution for them. Simple solution looks like wrapping
prop = this.prop;constructions into
if(this.prop != null) { prop = this.prop; }for required properties to avoid dropping them, while optional still could be nullified. However, per discussion there is another request: to have incremental Set version that would keep optional properties too. And this is the thing that requires universal solution discussion.
I think that is an unfortunate expected behavior. If I have to specify every single parameter then the cmdlet is not of much assistance, I would rather, change the object directly.
Also the example in docs.microsoft.com as below is then wrong.
$nsg = Get-AzNetworkSecurityGroup -Name "NSG-FrontEnd" -ResourceGroupName "TestRG"
$nsg | Get-AzNetworkSecurityRuleConfig -Name "rdp-rule"
Set-AzNetworkSecurityRuleConfig -Name "rdp-rule" -NetworkSecurityGroup $nsg -Access "Deny"I can see the argument that omitting parameter can be used to drop the property, or set to some default value, but in the case of dropping I would like to do that explicitly. In that case
if(this.prop != null)
{
prop = this.prop;
}would not work, as the property would be maintained and not dropped as specified (if using -Parameter $null to drop it)
Anyhow, it would be a breaking change. Alternatively a new cmdlet
Edit-AzNetworkSecurityRuleConfig -Name "rdp-rule" -NetworkSecurityGroup $nsg -Access "Deny"
LucianFrango
commented
5 years ago +1 in that I am experiencing this issue as well. The example does not work as per @spaelling outlined in this previous comment on Jan 24th. Still no resolved as of July 2019.
iyoumans
commented
5 years ago +1 I too am experiencing this problem as of July 17, 2019. An update command where I have to map all of the old values in addition to the one I want to change is a pain.
spaelling
commented
5 years ago +1 I too am experiencing this problem as of July 17, 2019. An update command where I have to map all of the old values in addition to the one I want to change is a pain.
There is a workaround you can use until then
# we can do it "manually"
$nsg = Get-AzNetworkSecurityGroup -Name "NSG-FrontEnd" -ResourceGroupName "TestRG"
($nsg.SecurityRules | Where-Object {$_.Name -eq 'rdp-rule'}).Access = 'Deny'
# updating NSG works fine now
$nsg | Set-AzNetworkSecurityGroup | Get-AzNetworkSecurityRuleConfig -Name "rdp-rule" | Format-Table -AutoSize
<# OUTPUT
Description Protocol SourcePortRange DestinationPortRange SourceAddressPrefix DestinationAddressPrefix Access Priority Direction ProvisioningState
----------- -------- --------------- -------------------- ------------------- ------------------------ ------ -------- --------- -----------------
* {*} {3389} {*} {*} Deny 100 Inbound Succeeded
#>Thanks! I wouldn't have thought of updating it as a property of the NSG vs the Rule object.
UmairSyed
commented
4 years ago I am facing a similar issue when i am trying to use ARM template to deploy NSG rule "allowInternetInbound" and the protocol is "Any". The template uses "protocol": "*". I am getting the following error during deployment "message": "Required security rule parameter Protocol is missing for security rule with Id: /subscriptions/xx/resourceGroups/xx/providers/Microsoft.Network/networkSecurityGroups/xx/securityRules/AllowInternetInBound.",".
hobbesuk
commented
4 years ago Thanks for the workaround, the docs really need updating as they don't work
cadams84
commented
3 years ago @spaelling I can change the access using the workaround but not the SourceAddressPrefix. Should this be possible?
rventurelli
commented
3 years ago @cadams84 it worked also for SourceAddressPrefix:
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName "MyResource" -Name "MyNsg"
($nsg.SecurityRules | Where-Object {$_.Name -eq "RuleName"}).SourceAddressPrefix = ([System.String[]] @("xxx.xxx.xxx.xxx"))
$nsg | Set-AzNetworkSecurityGroup | Get-AzNetworkSecurityRuleConfig -Name "RuleName"@rventurelli thank you. This has partially resolved my problem so let me explain in more detail. I have connected a webhook to my runbook. My powershell script contains the webhook:
Write-Output "Changing IP Address..."
$uri = "https://webhookaddress"
$nsg = @{ SourceAddressPrefix = ([System.String[]] @("123.123.123.12")) Name = "NSG_Rule_Name" }
$body = ConvertTo-Json -InputObject $nsg $header = @{ message="StartedbyContoso"} $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body -Headers $header $jobid = (ConvertFrom-Json ($response.Content)).jobids[0]
The runbook input parameter accepts the WEBHOOKDATA as JSON:
{"WebhookName":"UpdateIPAddress","RequestBody":"{\r\n \"Name\": \"NSG_Rule_Name\",\r\n \"SourceAddressPrefix\": [\r\n \"123.123.123.12\"\r\n ]\r\n}","RequestHeader":{"Connection":"Keep-Alive","Host":"33ce53a59d11.webhook.ne.azure-automation.net","User-Agent":"Mozilla/5.0","message":"StartedbyContoso","x-ms-request-id":"7c7c8934-0445-478c-84fd-a6761eadc79b"}}
But when trying to pass $nsg.SourceAddressPrefix in the runbook, it fails. If I don't cast the IP to a string in the webhook script, it will fail to be in the JSON. So now I'm trying to cast the string back to an integer within the runbook.
Your powershell example works fine for me if I specify the IP within the runbook. I am trying to specify it in a webhook script and pass it through to the runbook:
$nsg = Get-AzNetworkSecurityGroup -Name "NSG_Name" -ResourceGroupName "RG_Name" $nsg | Get-AzNetworkSecurityRuleConfig -Name "NSG_Rule_Name" Set-AzNetworkSecurityRuleConfig -Name "NSG_Rule_Name" -NetworkSecurityGroup $nsg -SourceAddressPrefix = $nsg.SourceAddressPrefix
webguynj
commented
3 years ago Please provide a working powershell function to allow updating parameter of a NetworkSecurityGroupConfig rule that does not clobber exisitng attibutes of the rule as the documentation describes. Also, it would be beneficial for Set-AzNetworkSecurityRuleConfig to accept a rule as pipeline input if indeed you can't use this without clobbering all existing attributes of a rule
smilingcircuits
commented
3 years ago Please provide a working powershell function to allow updating parameter of a NetworkSecurityGroupConfig rule that does not clobber exisitng attibutes of the rule as the documentation describes. Also, it would be beneficial for Set-AzNetworkSecurityRuleConfig to accept a rule as pipeline input if indeed you can't use this without clobbering all existing attributes of a rule
Agreed, an edit option/append for rule updates would be a very useful tool for scripting. And to the original purpose of opening the thread, the incorrect example in the documentation persists.
Description
Set-AzNetworkSecurityRuleConfig does not produce an output that can be piped to
Set-AzNetworkSecurityGroupso that the change can be persisted.If the changes made cannot be persisted, then I am not sure what the purpose of the cmdlet is.
Script/Steps for Reproduction
Below is using the example from the official docs but piping
$nsgtoSet-AzNetworkSecurityGroupwhich then fails.Module Version
Environment Data
Debug Output