Get-AzFirewallPolicyRuleCollectionGroup not using resourceid parameter
Description
Get-AzFirewallPolicyRuleCollectionGroup source code has the parameter for ResourceId, but it is not used in ExecuteCmdlet. When I run the cmdlet, it returns nothing but accepts the Resource ID string.
Issue script & Debug output
PS> $DebugPreference='Continue'
PS> Get-AzFirewallPolicyRuleCollectionGroup -ResourceId "<ResourceID String>"
DEBUG: 14:51:35 - GetAzureFirewallPolicyRuleCollectionGroupCommand begin processing with ParameterSet 'GetByResourceIdParameterSet'.
DEBUG: 14:51:35 - using account id '<user Account>'...
DEBUG: 14:51:35 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 14:51:35 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.Network:6.1.0; CommandName: Get-AzFirewallPolicyRuleCollectionGroup; PSVersion: 7.3.5; IsSuccess: True; Duration: 00:00:00.0018991
DEBUG: 14:51:35 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 14:51:35 - GetAzureFirewallPolicyRuleCollectionGroupCommand end processing.
Environment data
PS> $PSVersionTable
Name Value
---- -----
PSVersion 7.3.5
PSEdition Core
GitCommitId 7.3.5
OS Microsoft Windows 10.0.19045
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
PS > Get-Module Az*
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.12.4 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script 6.1.0 Az.Network {Add-AzApplicationGatewayAuthenticationCertificate, Add-AzApplicationGatewayBackendAddressPool, Add-AzApplicationGatewayBackendHttpSetting…
Error output
PS> Resolve-AzError
DEBUG: 14:51:46 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 14:51:46 - using account id '<user account>'...
DEBUG: 14:51:46 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 14:51:46 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.12.4; CommandName: Resolve-AzError; PSVersion: 7.3.5; IsSuccess: True; Duration: 00:00:00.0008613
DEBUG: 14:51:46 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 14:51:46 - ResolveError end processing.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @fwsuppgithub.
Issue Details
| Author: | LeoH2K |
|---|---|
| Assignees: | - |
| Labels: | |
| Milestone: | - |
Any update on this? We've got a requirement to automate Azure FW policies through PowerShell and this AzModule command just doesn't work.
> $RG = 'rg-FW'
> $FWP = 'FirewallPolicy_test-1-fw_premium_07600a'
> $fw = 'test-1-fw'
> $RCGName = 'lewisRuleCollectionGroup'
> $fwobj = Get-AzFirewall -ResourceGroupName $rg -Name $fw
> $FWPObj = Get-AzFirewallPolicy -ResourceGroupName $rg -Name $FWP
> $RCGID = $FWPObj.RuleCollectionGroups.where({ $_.id -match $RCGName })[0].id
#This doesn't work
> $DebugPreference='Continue'
> $RCGobj = Get-AzFirewallPolicyRuleCollectionGroup -ResourceId $RCGID -debug -verbose
> Get-AzFirewallPolicyRuleCollectionGroup -ResourceId $rcgobj.Properties.id -Debug -Verbose
DEBUG: 3:24:48 PM - GetAzureFirewallPolicyRuleCollectionGroupCommand begin processing with ParameterSet 'GetByResourceIdParameterSet'.
DEBUG: 3:24:48 PM - using account id '[email protected]'...
DEBUG: 3:24:48 PM - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: 3:24:48 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:24:48 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: AzureQoSEvent: Module: Az.Network:6.2.0; CommandName: Get-AzFirewallPolicyRuleCollectionGroup; PSVersion: 7.3.9; IsSuccess: True; Duration: 00:00:00.0005601
DEBUG: 3:24:48 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 3:24:48 PM - GetAzureFirewallPolicyRuleCollectionGroupCommand end processing.
DEBUG: Setting WindowTitle: Test [main] - PowerShell 7.3 (53148)
> Resolve-AzError
DEBUG: 3:24:50 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 3:24:50 PM - using account id '[email protected]'...
DEBUG: 3:24:50 PM - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: 3:24:50 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:24:50 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.13.0; CommandName: Resolve-AzError; PSVersion: 7.3.9; IsSuccess: True; Duration: 00:00:00.0006650
DEBUG: 3:24:50 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 3:24:50 PM - ResolveError end processing.
DEBUG: Setting WindowTitle: Test [main] - PowerShell 7.3 (53148)
> $RCGIDArray = $RCGID -split "/"
> $RCGobj = Get-AzFirewallPolicyRuleCollectionGroup -ResourceGroupName $RCGIDArray[4] -AzureFirewallPolicyName $RCGIDArray[8] -Name $RCGIDArray[10]
$RCGobj = Get-AzFirewallPolicyRuleCollectionGroup -ResourceGroupName $RCGIDArray[4] -AzureFirewallPolicyName $RCGIDArray[8] -Name $RCGIDArray[10] -debug
DEBUG: 3:29:43 PM - GetAzureFirewallPolicyRuleCollectionGroupCommand begin processing with ParameterSet 'GetByNameParameterSet'.
DEBUG: 3:29:43 PM - using account id '[email protected]'...
DEBUG: 3:29:43 PM - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: 'Tenant-id-11-22-33-44'
DEBUG: 3:29:43 PM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 3:29:43 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'Tenant-id-11-22-33-44', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - be061e56-881b-4a38-bef3-86a51727d989] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(b671289e-fe10-4bb6-8260-e619aa82f69f)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - b671289e-fe10-4bb6-8260-e619aa82f69f
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] Access token is not expired. Returning the found cache entry. [Current time (11/10/2023 21:29:43) - Expiration Time (11/10/2023 22:36:55 +00:00) - Extended Expiration Time (11/10/2023 22:36:55 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.13 Microsoft Windows 10.0.22621 [2023-11-10 21:29:43Z - b671289e-fe10-4bb6-8260-e619aa82f69f] AT expiration time: 11/10/2023 10:36:55 PM +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2023-11-10T22:36:55.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'Tenant-id-11-22-33-44', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions/sub-id-11-22-33-44/resourceGroups/rg-FW/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_test-1-fw_premium_07600a/ruleCollectionGroups/LewisRuleCollectionGroup?api-version=2023-05-01
Headers:
Accept-Language : en-US
x-ms-client-request-id : 48ea5edf-2fa9-4eda-97bd-745cd0dc7ef1
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
ETag : "ddfa4a53-dbcd-4eae-9909-eba9ef0a0ad4"
Server : Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-request-id : 1e4dae38-90a1-4a2a-b58f-df6c462f1b21
x-ms-correlation-request-id : 1e4dae38-90a1-4a2a-b58f-df6c462f1b21
x-ms-routing-request-id : NORTHCENTRALUS:20231110T212936Z:1e4dae38-90a1-4a2a-b58f-df6c462f1b21
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Fri, 10 Nov 2023 21:29:36 GMT
Body:
{
"properties": {
"size": "0.00139904 MB",
"priority": 1000,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "NetworkRule",
"ipv6Rule": false,
"name": "test1",
"ipProtocols": [
"Any"
],
"sourceAddresses": [
"1.1.1.1"
],
"sourceIpGroups": [],
"destinationAddresses": [
"10.1.1.1"
],
"destinationIpGroups": [],
"destinationFqdns": [],
"destinationPorts": [
"53"
]
}
],
"name": "LewisNetworkRuleCollection",
"priority": 1999
}
],
"provisioningState": "Succeeded"
},
"id": "/subscriptions/sub-id-11-22-33-44/resourceGroups/rg-FW/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_test-1-fw_premium_07600a/ruleCollectionGroups/LewisRuleCollectionGroup",
"name": "LewisRuleCollectionGroup",
"type": "Microsoft.Network/FirewallPolicies/RuleCollectionGroups",
"etag": "ddfa4a53-dbcd-4eae-9909-eba9ef0a0ad4",
"location": "eastus"
}
DEBUG: 3:29:43 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:29:43 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: AzureQoSEvent: Module: Az.Network:6.2.0; CommandName: Get-AzFirewallPolicyRuleCollectionGroup; PSVersion: 7.3.9; IsSuccess: True; Duration: 00:00:00.5467800
DEBUG: 3:29:43 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 3:29:43 PM - GetAzureFirewallPolicyRuleCollectionGroupCommand end processing.
DEBUG: Setting WindowTitle: test [main] - PowerShell 7.3 (53148)
Any update on this?
Come on guys, still broken. Could someone look into this?
Bumping this up
Still broken today, many years later. Also quite confusing when troubleshooting, as it seems to work but only returns an empty object.
Must use -Name and -AzureFirewallPolicy to get a return. So using Get-AzFirewallPolicy, which comes with the resourceId of the groups, I have to strip this to get only the name.
Seems a bit cumbersome, and I would like to see a fix for this so we get a working resourceId input.