Remove-AzApplicationGatewayFirewallCustomRule cmdlet (#23075)

* test

* test name

* edit trst

* pass test

* delete old test

Author: Shawnli222

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -293,6 +293,14 @@ public void TestApplicationGatewayFirewallPolicyWithRateLimitRuleGeoLocation()
             TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithRateLimitRuleGeoLocation");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayFirewallPolicyCustomRuleRemoval()
+        {
+            TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyCustomRuleRemoval");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -4983,6 +4983,67 @@ function Test-ApplicationGatewayFirewallPolicyWithInspectionLimit
 	}
 }
 
+function Test-ApplicationGatewayFirewallPolicyCustomRuleRemoval
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+	$rgname = Get-ResourceGroupName
+	$wafPolicyName = "wafPolicy1"
+
+	try {
+		
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+		# WAF Policy with rate limiting rule custom Rule
+		$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Malicious-Header
+		$condition =  New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Any -NegationCondition $False
+		$groupbyVar = New-AzApplicationGatewayFirewallCustomRuleGroupByVariable -VariableName GeoLocation 
+		$groupbyUserSes = New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession -GroupByVariable $groupbyVar
+		$customRule = New-AzApplicationGatewayFirewallCustomRule -Name example -Priority 2 -RateLimitDuration OneMin -RateLimitThreshold 10 -RuleType RateLimitRule -MatchCondition $condition -GroupByUserSession $groupbyUserSes -Action Block
+
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet 
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings -CustomRule $customRule
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+
+		# Check WAF policy
+		Assert-AreEqual $policy.CustomRules[0].Name $customRule.Name
+		Assert-AreEqual $policy.CustomRules[0].RuleType $customRule.RuleType
+		Assert-AreEqual $policy.CustomRules[0].Action $customRule.Action
+		Assert-AreEqual $policy.CustomRules[0].Priority $customRule.Priority
+		Assert-AreEqual $policy.CustomRules[0].RateLimitDuration $customRule.RateLimitDuration
+		Assert-AreEqual $policy.CustomRules[0].RateLimitThreshold $customRule.RateLimitThreshold
+		Assert-AreEqual $policy.CustomRules[0].State "Enabled"
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].OperatorProperty $customRule.MatchConditions[0].OperatorProperty
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].NegationConditon $customRule.MatchConditions[0].NegationConditon
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].VariableName $customRule.MatchConditions[0].MatchVariables[0].VariableName
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].Selector $customRule.MatchConditions[0].MatchVariables[0].Selector
+		Assert-AreEqual $policy.CustomRules[0].GroupByUserSession[0].GroupByVariables[0].VariableName $customRule.GroupByUserSession[0].GroupByVariables[0].VariableName
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+
+		$policy.CustomRules[0].State = "Disabled"
+		Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
+		$policy1 = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+		Assert-AreEqual $policy1.CustomRules[0].State "Disabled"
+
+		#Remove Custom Rule
+		Remove-AzApplicationGatewayFirewallCustomRule -Name $customRule.Name -ResourceGroupName $rgname -PolicyName $wafPolicyName
+		$policynew = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+		Assert-Null $policynew.CustomRules[0]
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}
+
 function Test-ApplicationGatewayFirewallPolicyWithCustomBlockResponse
 {
 	# Setup

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyCustomRuleRemoval.json

@@ -111,6 +111,7 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
                'New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet', 
                'New-AzApplicationGatewayFirewallCondition', 
                'New-AzApplicationGatewayFirewallCustomRule', 
+               'Remove-AzApplicationGatewayFirewallCustomRule', 
                'New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession', 
                'New-AzApplicationGatewayFirewallCustomRuleGroupByVariable', 
                'New-AzApplicationGatewayFirewallMatchVariable', 

src/Network/Network/Az.Network.psd1

@@ -24,6 +24,7 @@
 * Updated cmdlet `New-AzLoadBalancerBackendAddressPool` to support managed IP based backend
 * Added cmdlet `New-AzSaaSNetworkVirtualAppliance` for creating a NetworkVirtualAppliance of SaaS type.
 * Added control knobs to virtual network gateways and ExpressRoute gateways as well to cmdlets operating on those.
+* Added cmdlet 'Remove-AzApplicationGatewayFirewallCustomRule' to support removing custom rule in Firewall Policy.
 
 ## Version 6.2.0
 * Added support for new Application Gateway SKU type, Basic SKU

src/Network/Network/ChangeLog.md

@@ -0,0 +1,108 @@
+
+
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.ResourceManager.Common.Tags;
+using Microsoft.Azure.Management.Network;
+using System;
+using System.Management.Automation;
+using System.Text;
+using MNM = Microsoft.Azure.Management.Network.Models;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    [Cmdlet("Remove", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "ApplicationGatewayFirewallCustomRule", SupportsShouldProcess = true), OutputType(typeof(bool))]
+    public class RemoveAzureApplicationGatewayFirewallCustomRuleCommand : ApplicationGatewayFirewallPolicyBaseCmdlet
+    {
+        [Alias("ResourceName")]
+        [Parameter(
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "The resource name.")]
+        [ResourceNameCompleter("Microsoft.Network/applicationGatewayWebApplicationFirewallCustomRule", "ResourceGroupName")]
+        [ValidateNotNullOrEmpty]
+        public virtual string Name { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "The resource group name.")]
+        [ResourceGroupCompleter]
+        [ValidateNotNullOrEmpty]
+        public virtual string ResourceGroupName { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "The policy name.")]
+        [ResourceGroupCompleter]
+        [ValidateNotNullOrEmpty]
+        public virtual string PolicyName { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Do not ask for confirmation.")]
+        public SwitchParameter Force { get; set; }
+
+        [Parameter(Mandatory = false)]
+        public SwitchParameter PassThru { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+
+            if (!this.IsApplicationGatewayFirewallPolicyPresent(ResourceGroupName, PolicyName))
+            {
+                throw new ArgumentException(Microsoft.Azure.Commands.Network.Properties.Resources.ResourceNotFound);
+            }
+
+            var firewallPolicy = this.GetApplicationGatewayFirewallPolicy(ResourceGroupName, PolicyName);
+
+            foreach (PSApplicationGatewayFirewallCustomRule rule in firewallPolicy.CustomRules)
+            {
+                if(rule.Name == this.Name)
+                {
+                    firewallPolicy.CustomRules.Remove(rule);
+                }
+                break;
+            }
+
+            // Map to the sdk object
+            var firewallPolicyModel = NetworkResourceManagerProfile.Mapper.Map<MNM.WebApplicationFirewallPolicy>(firewallPolicy);
+            firewallPolicyModel.Tags = TagsConversionHelper.CreateTagDictionary(firewallPolicy.Tag, validate: true);
+
+            // Execute the Create VirtualNetwork call
+            this.ApplicationGatewayFirewallPolicyClient.CreateOrUpdate(ResourceGroupName, PolicyName, firewallPolicyModel);
+
+            var getApplicationGatewayFirewallPolicy = this.GetApplicationGatewayFirewallPolicy(ResourceGroupName, PolicyName);
+
+            // Assign the CustomBlockResponse fields from policy settings to policy (Feature parity with AFD WAF Policy)
+            getApplicationGatewayFirewallPolicy.CustomBlockResponseStatusCode = getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseStatusCode;
+
+            // decode the body value as it is base64 encoded
+            if (!string.IsNullOrEmpty(getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseBody))
+            {
+                string decodedCustomBlockResponseBody = Encoding.UTF8.GetString(Convert.FromBase64String(getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseBody));
+                getApplicationGatewayFirewallPolicy.CustomBlockResponseBody = decodedCustomBlockResponseBody;
+            }
+
+            WriteObject(getApplicationGatewayFirewallPolicy.CustomRules);
+
+        }
+    }
+}

src/Network/Network/FirewallPolicy/FirewallCustomRule/RemoveAzureApplicationGatewayFirewallCustomRuleCommand.cs

@@ -0,0 +1,185 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.Network.dll-Help.xml
+Module Name: Az.Network
+online version: https://learn.microsoft.com/powershell/module/az.network/remove-azapplicationgatewayfirewallcustomrule
+schema: 2.0.0
+---
+
+# Remove-AzApplicationGatewayFirewallCustomRule
+
+## SYNOPSIS
+Removes an application gateway firewall custom rule.
+
+## SYNTAX
+
+```
+Remove-AzApplicationGatewayFirewallCustomRule -Name <String> -ResourceGroupName <String> -PolicyName <String> [-Force] [-PassThru]
+ [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+```
+
+## DESCRIPTION
+The **Remove-AzApplicationGatewayFirewallCustomRule** cmdlet removes an application gateway firewall custom rule.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+Remove-AzApplicationGatewayFirewallCustomRule -Name "ApplicationGatewayFirewallCustomRule01" -ResourceGroupName "ResourceGroup01" -PolicyName "PolicyName01"
+```
+
+This command removes the application gateway firewall custom rule named ApplicationGatewayFirewallCustomRule01 in the resource group named ResourceGroup01 in policy named PolicyName01.
+
+## PARAMETERS
+
+### -AsJob
+Run cmdlet in the background
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Do not ask for confirmation.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+
+### -Name
+The resource name.
+
+```yaml
+Type: System.String
+Parameter Sets: ByFactoryName
+Aliases: ResourceName
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns an object representing the item with which you are working.
+By default, this cmdlet does not generate any output.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: ByFactoryName
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -PolicyName
+The policy name.
+
+```yaml
+Type: System.String
+Parameter Sets: ByFactoryName
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### System.String
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS