Adding support for per rule actions feature in application gateway WAF (#19574)

* Saving changes

* Updating tests

* Update documentation and set Action

* Update change log

* Fix md file

* Fix

* Fix

* Fix test

* Revert test change

* Merge latest

* Update test recording

* Update comment

* Ignore network api-version check for Event hub and Service bus as the tests are failing

* Update ServiceBusTestRunner.cs

* Update EventHubTestRunner.cs

Co-authored-by: Yunchi Wang <[email protected]>

Author: sindhualuguvelli1

src/EventHub/EventHub.Test/ScenarioTests/EventHubTestRunner.cs

@@ -60,7 +60,8 @@ protected EventHubTestRunner(ITestOutputHelper output)
                         {"Microsoft.Authorization", null},
                         {"Microsoft.Storage", null},
                         {"Microsoft.KeyVault", null},
-                        {"Microsoft.ManagedServiceIdentity", null}
+                        {"Microsoft.ManagedServiceIdentity", null},
+			{"Microsoft.Network", null}
                     }
                 )
                 .Build();

src/Network/Network.Test/Network.Test.csproj

@@ -14,7 +14,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Graph.RBAC" Version="3.4.0-preview" />
-    <PackageReference Include="Microsoft.Azure.Management.Network" Version="23.0.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Network" Version="24.0.0" />
     <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.5" />
     <PackageReference Include="Microsoft.Azure.Management.KeyVault" Version="4.0.0-preview.1" />
     <PackageReference Include="Microsoft.Azure.Insights" Version="0.16.0-preview" />

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -3352,10 +3352,11 @@ function Test-ApplicationGatewayFirewallPolicyExclusions
 
 		$ruleOverrideEntry1 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 942100
 		$ruleOverrideEntry2 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 942110
-		$sqlRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName REQUEST-942-APPLICATION-ATTACK-SQLI -Rule $ruleOverrideEntry1,$ruleOverrideEntry2
+		$ruleOverrideEntry3 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 942160  -State Enabled -Action Log
+		$sqlRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName REQUEST-942-APPLICATION-ATTACK-SQLI -Rule $ruleOverrideEntry1,$ruleOverrideEntry2, $ruleOverrideEntry3
 
-		$ruleOverrideEntry3 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 941100
-		$xssRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName REQUEST-941-APPLICATION-ATTACK-XSS -Rule $ruleOverrideEntry3
+		$ruleOverrideEntry4 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 941100
+		$xssRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName REQUEST-941-APPLICATION-ATTACK-XSS -Rule $ruleOverrideEntry4
 
 		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2" -RuleGroupOverride $sqlRuleGroupOverrideEntry,$xssRuleGroupOverrideEntry
 		$managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet -Exclusion $exclusionEntry1,$exclusionEntry2,$exclusionEntry3,$exclusionEntry4,$exclusionEntry5,$exclusionEntry6,$exclusionEntry7,$exclusionEntry8,$exclusionEntry9
@@ -3369,6 +3370,7 @@ function Test-ApplicationGatewayFirewallPolicyExclusions
 		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
 		Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.Count 1
 		Assert-AreEqual $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides.Count 2
+		Assert-AreEqual $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides[0].Rules[2].Action Log
 		Assert-AreEqual $policy.ManagedRules.Exclusions.Count 9
 		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
 		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestTopLevelWafPolicyExclusions.json

@@ -30,6 +30,8 @@
     - `NewAzureRmVpnGatewayCommand.cs`
     - `UpdateAzureRmVpnGatewayCommand.cs`
 * Added Uppercase Transform in New-AzApplicationGatewayFirewallCondition
+* Updated commandlet to support specifying an action for a managed rule override in Application Gateway WAF Policy.
+    - `New-AzApplicationGatewayFirewallPolicyManagedRuleOverride`
 
 ## Version 4.20.1
 * Added breaking change notification for `Get-AzFirewall`, `New-AzFirewall`, `Set-AzFirewall` and `New-AzFirewallHubIpAddress`

src/Network/Network/ChangeLog.md

@@ -29,10 +29,17 @@ public class AzureApplicationGatewayFirewallPolicyManagedRuleOverride : NetworkB
         [Parameter(
             Mandatory = false,
             HelpMessage = "State of the Rule.")]
-        [ValidateSet("Disabled", IgnoreCase = true)]
+        [ValidateSet("Disabled", "Enabled", IgnoreCase = true)]
         [ValidateNotNullOrEmpty]
         public string State { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Action of the Rule.")]
+        [ValidateSet("AnomalyScoring", "Allow", "Block", "Log", IgnoreCase = true)]
+        [ValidateNotNullOrEmpty]
+        public string Action { get; set; }
+
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
@@ -43,7 +50,8 @@ protected PSApplicationGatewayFirewallPolicyManagedRuleOverride NewObject()
             return new PSApplicationGatewayFirewallPolicyManagedRuleOverride()
             {
                 RuleId = this.RuleId,
-                State = string.IsNullOrEmpty(State) ? "Disabled" : this.State 
+                State = string.IsNullOrEmpty(State) ? "Disabled" : this.State,
+                Action = this.Action
             };
         }
     }

src/Network/Network/FirewallPolicy/ManagedRules/ManagedRuleSet/ManagedRuleGroupOverride/ManagedRuleOverride/AzureApplicationGatewayFirewallPolicyManagedRuleOverride.cs

@@ -27,5 +27,8 @@ public partial class PSApplicationGatewayFirewallPolicyManagedRuleOverride
 
         [Ps1Xml(Target = ViewControl.Table)]
         public string State { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string Action { get; set; }
     }
 }

src/Network/Network/Models/PSApplicationGatewayFirewallPolicyManagedRuleOverride.cs

@@ -14,7 +14,7 @@
 
   <ItemGroup>
     <PackageReference Include="AutoMapper" Version="6.2.2" />
-    <PackageReference Include="Microsoft.Azure.Management.Network" Version="23.0.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Network" Version="24.0.0" />
   </ItemGroup>
 
   <ItemGroup>

src/Network/Network/Network.csproj

@@ -13,7 +13,7 @@ Creates a managedRuleOverride entry for RuleGroupOverrideGroup entry.
 ## SYNTAX
 
 ```
-New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId <String> [-State <String>]
+New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId <String> [-State <String>] [-Action <String>]
  [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
@@ -29,8 +29,31 @@ $ruleOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -
 
 Creates a ruleOverride Entry with RuleId as $ruleId and State as Disabled.
 
+### Example 2
+```powershell
+$ruleOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId $ruleId -State Enabled -Action Log
+```
+
+Creates a ruleOverride Entry with RuleId as $ruleId, State as Enabled and Action as Log.
+
 ## PARAMETERS
 
+### -Action
+Specify the Action in override rule entry.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+Accepted values: AnomalyScoring, Allow, Block, Log
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -DefaultProfile
 The credentials, account, tenant, and subscription used for communication with Azure.
 
@@ -68,7 +91,7 @@ Specify the RuleId in override rule entry.
 Type: System.String
 Parameter Sets: (All)
 Aliases:
-Accepted values: Disabled
+Accepted values: Disabled, Enabled
 
 Required: False
 Position: Named

src/Network/Network/help/New-AzApplicationGatewayFirewallPolicyManagedRuleOverride.md

@@ -52,7 +52,8 @@ protected ServiceBusTestRunner(ITestOutputHelper output)
                         {"Microsoft.Features", null},
                         {"Microsoft.Authorization", null},
                         {"Microsoft.KeyVault", null},
-                        {"Microsoft.EventGrid", null }
+                        {"Microsoft.EventGrid", null },
+			{"Microsoft.Network", null }
                     }
                 )
                 .Build();