{Network} AppGateway WAF support HTTPDDoS rule set (#32374)

Author: cxznmhdcxz

src/azure-cli/azure/cli/command_modules/network/_actions.py

@@ -2,12 +2,13 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
+# pylint: disable=line-too-long
 
 from collections import defaultdict
 
 import argparse
 from knack.util import CLIError
-from azure.cli.core.azclierror import UnrecognizedArgumentError
+from azure.cli.core.azclierror import UnrecognizedArgumentError, InvalidArgumentValueError
 from ._validators import read_base_64_file
 
 
@@ -184,7 +185,9 @@ def get_action(self, values, option_string):  # pylint: disable=no-self-use
             elif kl == 'state':
                 d['state'] = v[0]
             elif kl == 'sensitivity':
+                if v[0].lower() not in ['low', 'medium', 'high']:
+                    raise InvalidArgumentValueError("sensitivity must be one of 'low', 'medium', or 'high'.")
                 d['sensitivity'] = v[0]
             else:
-                raise UnrecognizedArgumentError('key error: key must be one of rule-id, action and state.')
+                raise UnrecognizedArgumentError('key error: key must be one of rule-id, action, state, and sensitivity.')
         return d

src/azure-cli/azure/cli/command_modules/network/_help.py

@@ -1536,7 +1536,7 @@
     short-summary: The rule that will be disabled. If none specified, all rules in the group will be disabled. If provided, --group-name must be provided too.
     long-summary: |
         Usage: --rule rule-id=MyID state=MyState action=MyAction sensitivity=MySensitivity
-        Allowed values for sensitivity: High, Medium, Low, None
+        Allowed values for sensitivity: High, Medium, Low
         Multiple rules can be specified by using more than one `--rule` argument.
 examples:
   - name: Disable an attack protection rule

src/azure-cli/azure/cli/command_modules/network/_params.py

@@ -226,7 +226,7 @@ def load_arguments(self, _):
     with self.argument_context('network application-gateway waf-policy') as c:
         c.argument('policy_name', name_arg_type, id_part='name', help='The name of the application gateway WAF policy.')
         c.argument('rule_set_type', options_list='--type',
-                   arg_type=get_enum_type(['Microsoft_BotManagerRuleSet', 'Microsoft_DefaultRuleSet', 'OWASP']),
+                   arg_type=get_enum_type(['Microsoft_BotManagerRuleSet', 'Microsoft_DefaultRuleSet', 'OWASP', 'Microsoft_HTTPDDoSRuleSet']),
                    help='The type of the web application firewall rule set.')
         c.argument('rule_set_version',
                    options_list='--version',

src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/application_gateway/waf_policy/_create.py

@@ -22,9 +22,9 @@ class Create(AAZCommand):
     """
 
     _aaz_info = {
-        "version": "2024-07-01",
+        "version": "2025-03-01",
         "resources": [
-            ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.network/applicationgatewaywebapplicationfirewallpolicies/{}", "2024-07-01"],
+            ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.network/applicationgatewaywebapplicationfirewallpolicies/{}", "2025-03-01"],
         ]
     }
 
@@ -390,7 +390,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
         _element.sensitivity = AAZStrArg(
             options=["sensitivity"],
             help="Describes the override sensitivity to be applied when rule matches.",
-            enum={"High": "High", "Low": "Low", "Medium": "Medium", "None": "None"},
+            enum={"High": "High", "Low": "Low", "Medium": "Medium"},
         )
         _element.state = AAZStrArg(
             options=["state"],
@@ -614,7 +614,7 @@ def url_parameters(self):
         def query_parameters(self):
             parameters = {
                 **self.serialize_query_param(
-                    "api-version", "2024-07-01",
+                    "api-version", "2025-03-01",
                     required=True,
                 ),
             }
@@ -969,6 +969,9 @@ def _build_schema_on_200_201(cls):
             properties.enable_http2 = AAZBoolType(
                 serialized_name="enableHttp2",
             )
+            properties.entra_jwt_validation_configs = AAZListType(
+                serialized_name="entraJWTValidationConfigs",
+            )
             properties.firewall_policy = AAZObjectType(
                 serialized_name="firewallPolicy",
             )
@@ -1116,6 +1119,9 @@ def _build_schema_on_200_201(cls):
             properties.cookie_based_affinity = AAZStrType(
                 serialized_name="cookieBasedAffinity",
             )
+            properties.dedicated_backend_connection = AAZBoolType(
+                serialized_name="dedicatedBackendConnection",
+            )
             properties.host_name = AAZStrType(
                 serialized_name="hostName",
             )
@@ -1137,9 +1143,18 @@ def _build_schema_on_200_201(cls):
             properties.request_timeout = AAZIntType(
                 serialized_name="requestTimeout",
             )
+            properties.sni_name = AAZStrType(
+                serialized_name="sniName",
+            )
             properties.trusted_root_certificates = AAZListType(
                 serialized_name="trustedRootCertificates",
             )
+            properties.validate_cert_chain_and_expiry = AAZBoolType(
+                serialized_name="validateCertChainAndExpiry",
+            )
+            properties.validate_sni = AAZBoolType(
+                serialized_name="validateSNI",
+            )
 
             authentication_certificates = cls._schema_on_200_201.properties.application_gateways.Element.properties.backend_http_settings_collection.Element.properties.authentication_certificates
             authentication_certificates.Element = AAZObjectType()
@@ -1175,6 +1190,9 @@ def _build_schema_on_200_201(cls):
             )
 
             properties = cls._schema_on_200_201.properties.application_gateways.Element.properties.backend_settings_collection.Element.properties
+            properties.enable_l4_client_ip_preservation = AAZBoolType(
+                serialized_name="enableL4ClientIpPreservation",
+            )
             properties.host_name = AAZStrType(
                 serialized_name="hostName",
             )
@@ -1202,6 +1220,38 @@ def _build_schema_on_200_201(cls):
             custom_error_configurations.Element = AAZObjectType()
             _CreateHelper._build_schema_application_gateway_custom_error_read(custom_error_configurations.Element)
 
+            entra_jwt_validation_configs = cls._schema_on_200_201.properties.application_gateways.Element.properties.entra_jwt_validation_configs
+            entra_jwt_validation_configs.Element = AAZObjectType()
+
+            _element = cls._schema_on_200_201.properties.application_gateways.Element.properties.entra_jwt_validation_configs.Element
+            _element.etag = AAZStrType(
+                flags={"read_only": True},
+            )
+            _element.id = AAZStrType()
+            _element.name = AAZStrType()
+            _element.properties = AAZObjectType(
+                flags={"client_flatten": True},
+            )
+
+            properties = cls._schema_on_200_201.properties.application_gateways.Element.properties.entra_jwt_validation_configs.Element.properties
+            properties.audiences = AAZListType()
+            properties.client_id = AAZStrType(
+                serialized_name="clientId",
+            )
+            properties.provisioning_state = AAZStrType(
+                serialized_name="provisioningState",
+                flags={"read_only": True},
+            )
+            properties.tenant_id = AAZStrType(
+                serialized_name="tenantId",
+            )
+            properties.un_authorized_request_action = AAZStrType(
+                serialized_name="unAuthorizedRequestAction",
+            )
+
+            audiences = cls._schema_on_200_201.properties.application_gateways.Element.properties.entra_jwt_validation_configs.Element.properties.audiences
+            audiences.Element = AAZStrType()
+
             frontend_ip_configurations = cls._schema_on_200_201.properties.application_gateways.Element.properties.frontend_ip_configurations
             frontend_ip_configurations.Element = AAZObjectType()
 
@@ -1543,6 +1593,9 @@ def _build_schema_on_200_201(cls):
             )
 
             properties = cls._schema_on_200_201.properties.application_gateways.Element.properties.probes.Element.properties
+            properties.enable_probe_proxy_protocol_header = AAZBoolType(
+                serialized_name="enableProbeProxyProtocolHeader",
+            )
             properties.host = AAZStrType()
             properties.interval = AAZIntType()
             properties.match = AAZObjectType()
@@ -1656,6 +1709,10 @@ def _build_schema_on_200_201(cls):
                 serialized_name="backendHttpSettings",
             )
             _CreateHelper._build_schema_sub_resource_read(properties.backend_http_settings)
+            properties.entra_jwt_validation_config = AAZObjectType(
+                serialized_name="entraJWTValidationConfig",
+            )
+            _CreateHelper._build_schema_sub_resource_read(properties.entra_jwt_validation_config)
             properties.http_listener = AAZObjectType(
                 serialized_name="httpListener",
             )
@@ -1867,6 +1924,9 @@ def _build_schema_on_200_201(cls):
             )
 
             client_auth_configuration = cls._schema_on_200_201.properties.application_gateways.Element.properties.ssl_profiles.Element.properties.client_auth_configuration
+            client_auth_configuration.verify_client_auth_mode = AAZStrType(
+                serialized_name="verifyClientAuthMode",
+            )
             client_auth_configuration.verify_client_cert_issuer_dn = AAZBoolType(
                 serialized_name="verifyClientCertIssuerDN",
             )
@@ -3427,6 +3487,9 @@ def _build_schema_network_interface_read(cls, _schema):
         )
 
         properties = _schema_network_interface_read.properties.private_link_service.properties
+        properties.access_mode = AAZStrType(
+            serialized_name="accessMode",
+        )
         properties.alias = AAZStrType(
             flags={"read_only": True},
         )
@@ -3678,6 +3741,9 @@ def _build_schema_network_security_group_read(cls, _schema):
             serialized_name="provisioningState",
             flags={"read_only": True},
         )
+        properties.record_types = AAZStrType(
+            serialized_name="recordTypes",
+        )
         properties.retention_policy = AAZObjectType(
             serialized_name="retentionPolicy",
         )

src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/application_gateway/waf_policy/_delete.py

@@ -22,9 +22,9 @@ class Delete(AAZCommand):
     """
 
     _aaz_info = {
-        "version": "2024-07-01",
+        "version": "2025-03-01",
         "resources": [
-            ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.network/applicationgatewaywebapplicationfirewallpolicies/{}", "2024-07-01"],
+            ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.network/applicationgatewaywebapplicationfirewallpolicies/{}", "2025-03-01"],
         ]
     }
 
@@ -145,7 +145,7 @@ def url_parameters(self):
         def query_parameters(self):
             parameters = {
                 **self.serialize_query_param(
-                    "api-version", "2024-07-01",
+                    "api-version", "2025-03-01",
                     required=True,
                 ),
             }