Azure
Set-AzFirewallPolicy fails on child policies
Description
I was encouraged through a support ticket to do a Get/Set-update on our firewall policies in Azure.
There was no issues with the base firewall policy, but when running the get/set on firewall policies that has a base policy it fails.
Seems to be an error with the type referenced here in the cmdlet: https://github.com/Azure/azure-powershell/blob/28cbcb2f16431ed569a9cee464b6043c2a0869a1/src/Network/Network/AzureFirewallPolicy/SetAzureFirewallPolicyCommand.cs#L269
Issue script & Debug output
$fwp = get-azfirewallpolicy -Name <ame> -ResourceGroupName <rg name>
$fwp | Set-AzFirewallPolicy
Set-AzFirewallPolicy: Invalid URI. The requested URI Microsoft.Azure.Management.Network.Models.SubResource is not a valid path.
StatusCode: 400
ReasonPhrase: Bad Request
Status: Failed
ErrorCode: InvalidUri
ErrorMessage: Invalid URI. The requested URI Microsoft.Azure.Management.Network.Models.SubResource is not a valid path.
OperationID : <redacted>
Environment data
Name Value
---- -----
PSVersion 7.5.0
PSEdition Core
GitCommitId 7.5.0
OS Microsoft Windows 10.0.26120
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 4.0.0 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script 7.11.0 Az.Network {Add-AzApplicationGatewayAuthenticationCertificate, Add-AzApplicationGatewayBackendAddressPool, Add-AzApplicationGateway…
Script 1.1.3 Az.Tools.Predictor {Disable-AzPredictor, Enable-AzPredictor, Open-AzPredictorSurvey, Send-AzPredictorRating}
Error output
RequestId :
Message : Invalid URI. The requested URI Microsoft.Azure.Management.Network.Models.SubResource is not a valid path.
StatusCode: 400
ReasonPhrase: Bad Request
Status: Failed
ErrorCode: InvalidUri
ErrorMessage: Invalid URI. The requested URI Microsoft.Azure.Management.Network.Models.SubResource is not a valid path.
OperationID : <redacted>
ServerMessage :
ServerResponse :
RequestMessage :
InvocationInfo : {Set-AzFirewallPolicy}
Line : $fwp | set-azfirewallpolicy
Position : At line:1 char:8
+ $fwp | set-azfirewallpolicy
+ ~~~~~~~~~~~~~~~~~~~~
StackTrace : at Microsoft.Azure.Commands.Network.NetworkBaseCmdlet.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HistoryId : 72
There must be something wrong during the piping that caused azure powershell to send type name Microsoft.Azure.Management.Network.Models.SubResource to the backend service.
Looping in network team
+1, I'm seeing this as well, was attempting to "bump" a FW Policy currently in a failed provisioning state.
+1 Seeing this same issue on my child firewall policy, works fine on the parent firewall policy. My child firewall is now stuck in a failed provisioning state.
Dev from Azure Firewall here. Confirmed this
It seems this issue appears when a pipe is used with a base/parent policy
We're sending the literal string of Microsoft.Azure.Management.Network.Models.SubResource instead of properly serializing. I'm working on a fix for this
