azure-cli-extensions

Azcli fails to create FrontDoor WAF Policy

Open alsastre opened this issue 3 years ago • 16 comments

Describe the bug

Command Name: az network front-door waf-policy create
Extension Name: front-door. Version: 1.0.17.

az-cli fails to create the Azure front-door WAF policy with the latest version.

Errors:

(BadRequest) WebApplicationFirewallPolicy validation failed. More information "Policy ArmResourceId has incorrect formatting".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "Policy ArmResourceId has incorrect formatting".

Debug logs (With confidential data removed):

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/XXXXX/resourceGroups/XXXXXX/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/XXXXXXX?api-version=2020-11-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '230'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'XXXXXXXX'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network front-door waf-policy create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--name --resource-group --mode --sku --request-body-check --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.43.0 (HOMEBREW) azsdk-python-mgmt-frontdoor/1.0.0 Python/3.10.8 (macOS-12.6.1-x86_64-i386-64bit)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "global", "sku": {"name": "Premium_AzureFrontDoor"}, "properties": {"policySettings": {"enabledState": "Enabled", "mode": "Detection", "requestBodyCheck": "Enabled"}, "customRules": {"rules": []}, "managedRules": {}}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/XXXXX/resourceGroups/XXXXXX/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/XXXXXXX?api-version=2020-11-01 HTTP/1.1" 400 179
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
....
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "error": {
    "code": "BadRequest",
    "message": "WebApplicationFirewallPolicy validation failed. More information \"Policy ArmResourceId has incorrect formatting\"."
  }
}

To Reproduce:

Steps to reproduce the behaviour. Note that argument values have been redacted, as they may contain sensitive information.

  • az network front-door waf-policy create --name {} --resource-group {} --mode {} --sku {} --request-body-check {} --debug

Expected Behavior

Front door policy is created

Environment Summary

macOS-12.6.1-x86_64-i386-64bit, Darwin 21.6.0
Python 3.10.8
Installer: HOMEBREW

azure-cli 2.43.0

Extensions:
front-door 1.0.17
azure-firewall 0.14.4
log-analytics-solution 0.1.1
aks-preview 0.5.118
logic 0.1.6
azure-devops 0.25.0
storage-preview 0.8.3
sentinel 0.2.0
ssh 1.1.3
log-analytics 0.2.2
scheduled-query 0.5.1

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Additional Context

alsastre Dec 10 '22 18:12

Thank you for your feedback. This has been routed to the support team for assistance.

ghost Dec 11 '22 01:12

route to CXP team

yonzhan Dec 11 '22 01:12

@alsastre Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.

navba-MSFT Dec 12 '22 03:12

@alsastre

To manage Azure Front Door Standard/Premium resource, use az afd CLI command.

To manage Classic Azure Front Door resource, use az network front-door CLI command.

navba-MSFT Dec 12 '22 04:12

I am not trying to manage the Azure Front Door but create WAF Policies for Front door (Microsoft.Network/frontdoorWebApplicationFirewallPolicies)

alsastre Dec 12 '22 19:12

@alsastre Thanks for clarifying. I am unable to reproduce this issue at my end. I ran the same command at my end and it ran successfully. See below:

I am using the same AzCLI (2.43.0) and front-door (1.0.17) extension as your environment.

CLI Command:

az network front-door waf-policy create -g MyRgName -n MyResource --sku Premium_AzureFrontDoor --request-body-check Enabled --mode Detection --debug

Output:

{
  "customRules": {
    "rules": []
  },
  "etag": null,
  "frontendEndpointLinks": [],
  "id": "/subscriptions/XXXX-XXXX-XXX-XXXX/resourcegroups/MyRGName/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/MyResource",
  "location": "Global",
  "managedRules": {
    "managedRuleSets": []
  },
  "name": "MyResource",
  "policySettings": {
    "customBlockResponseBody": null,
    "customBlockResponseStatusCode": null,
    "enabledState": "Enabled",
    "mode": "Detection",
    "redirectUrl": null,
    "requestBodyCheck": "Enabled"
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "MyRgName",
  "resourceState": "Enabled",
  "routingRuleLinks": [],
  "securityPolicyLinks": [],
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "tags": {},
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
}

Could you please run the above command again and check if that helps? Awaiting your reply.

navba-MSFT Dec 14 '22 07:12

@alsastre I wanted to do a quick follow-up to check if you had a chance to look at my above comment. Please let us know if you had any updates on this. Awaiting your reply.

navba-MSFT Dec 16 '22 04:12

I was able to test it today. The problem appears if you try to create the policy with - in the name (e.g. MyResource-test), which I believe is not supported, as the Terraform project will also not allow me to.

So the issue should be that there should just be a nicer error message 😄

alsastre Dec 19 '22 13:12

@alsastre Thanks for getting back. We have filed the above PR to include the proper help message to the waf-policy name parameter to mention - "Name must begin with a letter and contain only letters and numbers."

navba-MSFT Dec 20 '22 05:12

@navba-MSFT @yonzhan - adding a help message is nice, but it doesn't solve the root cause of the misleading error message. This should be addressed at the root, by the Azure Front Door server, to return a proper error. Can we involve them here?

ohads-MSFT Aug 28 '24 19:08

Please update error message

eduards-vavere Sep 04 '24 15:09

This issue is still not resolved, there is no message or validation error before creating the resource that the name has to be alphanumeric. I just tried (in the portal) with dashes in the name and it fails the same way.

jrunestone Oct 02 '24 08:10

To make things funnier to debug, official documentation states that FrontDoorWebApplicationFirewallPolicies.name constraints are just 'max length = 128'

pzskc383 Feb 26 '25 05:02

Kind of funny this is still unresolved almost 3 years later. Just add an error message? I had to spend 30 minutes bashing my head against a wall before trying it in the portal where it actually gave me a clear error.

Rembrandtastic May 19 '25 16:05

wow, it's already 2025 and this still hasn't been resolved in the latest version :(

quanltsimple Jun 27 '25 16:06

Same problem

WebApplicationFirewallPolicy validation failed. More information "Policy ArmResourceId has incorrect formatting". (Code: BadRequest)

cherchyk Sep 17 '25 14:09
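
A pre-flight check for the naming rule that came out of this thread, as an added example that is not part of the original issue or of the azure-cli-extensions code. It applies the rule quoted for the help message ("Name must begin with a letter and contain only letters and numbers") together with the 128-character limit a commenter cites from the documentation, and turns the 400 response shown in the debug log into a naming hint. The function names and the sample URL and body are constructed for illustration; the rules are as reported in the thread, not verified against the service.

```python
import json
from urllib.parse import urlparse

# Both constraints are taken from the thread (assumptions, not a service spec).
MAX_LEN = 128  # length limit a commenter cites from the documentation
MISLEADING = "Policy ArmResourceId has incorrect formatting"


def name_problems(name):
    """Return the reasons a WAF policy name would be rejected (empty list if none)."""
    if not name:
        return ["name is empty"]
    problems = []
    if not (name[0].isascii() and name[0].isalpha()):
        problems.append("must begin with a letter")
    bad = sorted({c for c in name if not (c.isascii() and c.isalnum())})
    if bad:
        problems.append("invalid characters: " + " ".join(repr(c) for c in bad))
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    return problems


def explain_bad_request(request_url, response_body):
    """Map the opaque 400 response to a naming hint, or None if it does not apply."""
    try:
        message = json.loads(response_body)["error"]["message"]
    except (ValueError, KeyError, TypeError):
        return None
    if MISLEADING not in message:
        return None
    # The policy name is the last path segment of the ARM request URL.
    name = urlparse(request_url).path.rstrip("/").rsplit("/", 1)[-1]
    problems = name_problems(name)
    if not problems:
        return None
    return f"policy name {name!r}: " + "; ".join(problems)


# Constructed sample modelled on the debug log in the report.
SAMPLE_URL = ("https://management.azure.com/subscriptions/XXXXX/resourceGroups/XXXXXX"
              "/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies"
              "/MyResource-test?api-version=2020-11-01")
SAMPLE_BODY = json.dumps({"error": {"code": "BadRequest", "message":
    'WebApplicationFirewallPolicy validation failed. More information '
    '"Policy ArmResourceId has incorrect formatting".'}})
```

Calling `name_problems()` on the intended policy name in a deployment script or CI step, before `az network front-door waf-policy create` runs, surfaces the naming problem without a round trip to the API.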