PS changes to show appgw and agc in waf policy #28197
Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.
Pull Request Overview
This PR adds support for displaying Application Gateway and Application Gateway for Containers resources within WAF (Web Application Firewall) policy objects. The change enables users to see which Application Gateway resources are associated with a particular WAF policy.
- Added two new properties to the WAF policy model to reference associated Application Gateway resources
- Added test validation to verify the Application Gateway reference is properly populated in the WAF policy
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
File | Description |
---|---|
PSApplicationGatewayWebApplicationFirewallPolicy.cs | Added ApplicationGateways and ApplicationGatewayForContainers properties to the WAF policy model |
ApplicationGatewayTests.ps1 | Added test assertions to verify Application Gateway reference in WAF policy and fixed typo in comment |
public System.Collections.Generic.IList<ApplicationGateway> ApplicationGateways { get; set; } | ||
|
||
public System.Collections.Generic.IList<ApplicationGatewayForContainersReferenceDefinition> ApplicationGatewayForContainers { get; set; } |
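Review bot: Both new properties, `ApplicationGateways` and `ApplicationGatewayForContainers`, have public setters and no doc comment, so nothing tells a caller whether these lists are references reported by the service or something to assign. If they are populated only by the service, say so in an XML summary on each property and confirm that a value a caller places in either list is not sent back when the policy is updated. The element type `ApplicationGateway` also lacks the `PS` prefix used by the containing model in PSApplicationGatewayWebApplicationFirewallPolicy.cs; check that this is the intended type.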
Use the shorter 'IList' instead of the fully qualified 'System.Collections.Generic.IList' since 'System.Collections.Generic' is already imported at the top of the file.
public System.Collections.Generic.IList<ApplicationGateway> ApplicationGateways { get; set; } | |
public System.Collections.Generic.IList<ApplicationGatewayForContainersReferenceDefinition> ApplicationGatewayForContainers { get; set; } | |
public IList<ApplicationGateway> ApplicationGateways { get; set; } | |
public IList<ApplicationGatewayForContainersReferenceDefinition> ApplicationGatewayForContainers { get; set; } |
Thank you for your contribution @karanbazaz! We will review the pull request and get back to you soon.
Please join your github account to Azure org.
/azp run
Azure Pipelines successfully started running 3 pipeline(s).
/azp run
Azure Pipelines successfully started running 3 pipeline(s).
/azp run
Azure Pipelines successfully started running 3 pipeline(s).
Hi @karanbazaz , please update |
@@ -3027,7 +3027,11 @@ function Test-ApplicationGatewayTopLevelFirewallPolicy | |||
$appgw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname | |||
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname | |||
|
|||
# Second check firewll policy | |||
# Check if Application Gateway resource can be seen in WAF Policy |
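Review bot: The check added under `# Check if Application Gateway resource can be seen in WAF Policy` should not depend on the casing of the resource id. The recorded response in the PR description returns the associated resource id in lower case (`/resourcegroups/appgwtest/...`) while the policy's own id is mixed case (`/resourceGroups/appgwTest/...`). Compare `$appgw.Id` with the reference on `$policy` case-insensitively, and assert the list count first so that an empty `ApplicationGateways` fails with a clear message.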
Can you add a comment here explaining we are depending on a manually created AGC-security policy deployment in which subs and which rg?
This is to check the application gateway resource id. For the AGC end to end test, details are there in the description section.
Sorry I thought those are the changes for AGC. So we are not adding scenario tests to verify if AGC are referencing the waf policy? If there is anything related can you share a link here?
@@ -3027,7 +3027,11 @@ function Test-ApplicationGatewayTopLevelFirewallPolicy | |||
$appgw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname | |||
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname | |||
|
|||
# Second check firewll policy | |||
# Check if Application Gateway resource can be seen in WAF Policy |
I don't see the new test, are you planning to write a new test? I see the test recording with a new test name
need it inside ApplicationGatewayTests.cs and ApplicationGatewayTests.ps1
I don't need to create a new test to test the application gateway policy since the data is already there in the test. The test recording is for the prod test which I did for the application gateway for containers field. Details are there in the description section.
@@ -0,0 +1,83 @@ | |||
{ | |||
"Entries": [ |
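Review bot: No test function in this PR replays this session file. Going by the `Test-CrossTesting` snippet in the description, the recorded call reads a policy named `testwafpolicy` in resource group `appgwTest` that already existed, so the recording cannot be regenerated from the repository alone. Either add a scenario test that creates the policy and its Application Gateway for Containers association before reading it, or leave the recording out and keep the BVT evidence in the description.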
If no test is added, don't think we need recording, check with PS team
This recording is for the end to end test for AGC. Who can I check with in the PS team?
Description
For the AGC testing, test was done by uploading the changes to Prod BVT and testing the network call.
Following is the snippet of the network call which was done in BVT environment
```powershell
function Test-CrossTesting
{
    $policy = Get-AzApplicationGatewayFirewallPolicy -Name "testwafpolicy" -ResourceGroupName "appgwTest"
}
```
Recorder snapshot
```json
{
  "Entries": [
    {
      "RequestUri": "/subscriptions/66de82f3-ad93-4605-bbdb-237fe7ef3a06/resourceGroups/appgwTest/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/testwafpolicy?api-version=2024-07-01",
      "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNjZkZTgyZjMtYWQ5My00NjA1LWJiZGItMjM3ZmU3ZWYzYTA2L3Jlc291cmNlR3JvdXBzL2FwcGd3VGVzdC9wcm92aWRlcnMvTWljcm9zb2Z0Lk5ldHdvcmsvQXBwbGljYXRpb25HYXRld2F5V2ViQXBwbGljYXRpb25GaXJld2FsbFBvbGljaWVzL3Rlc3R3YWZwb2xpY3k/YXBpLXZlcnNpb249MjAyNC0wNy0wMQ==",
      "RequestMethod": "GET",
      "RequestHeaders": {
        "Accept-Language": [
          "en-US"
        ],
        "x-ms-client-request-id": [
          "3c7cba41-58c5-44b4-b9ab-0c151d8a00a1"
        ],
        "User-Agent": [
          "FxVersion/8.0.1825.31117",
          "OSName/Windows",
          "OSVersion/Microsoft.Windows.10.0.26100",
          "Microsoft.Azure.Management.Network.NetworkManagementClient/27.0.0.0"
        ]
      },
      "RequestBody": "",
      "ResponseHeaders": {
        "Cache-Control": [
          "no-cache"
        ],
        "Pragma": [
          "no-cache"
        ],
        "ETag": [
          "W/\"a949eda1-7aa8-45e2-8cb8-a841e9abfda9\""
        ],
        "x-ms-request-id": [
          "e4bd761a-88f6-41a0-8365-1f0be052247e"
        ],
        "x-ms-correlation-request-id": [
          "66c82526-dcbf-4c48-b285-883089b91c92"
        ],
        "x-ms-arm-service-request-id": [
          "a2233ca6-235f-4819-afa5-d65697024b56"
        ],
        "Strict-Transport-Security": [
          "max-age=31536000; includeSubDomains"
        ],
        "x-ms-ratelimit-remaining-subscription-reads": [
          "1099"
        ],
        "x-ms-ratelimit-remaining-subscription-global-reads": [
          "16499"
        ],
        "x-ms-routing-request-id": [
          "WESTCENTRALUS:20250717T212311Z:66c82526-dcbf-4c48-b285-883089b91c92"
        ],
        "X-Content-Type-Options": [
          "nosniff"
        ],
        "X-Cache": [
          "CONFIG_NOCACHE"
        ],
        "X-MSEdge-Ref": [
          "Ref A: E73FDF56A0D5454CA123397B9E08DFC2 Ref B: CYS013050704031 Ref C: 2025-07-17T21:23:11Z"
        ],
        "Date": [
          "Thu, 17 Jul 2025 21:23:11 GMT"
        ],
        "Content-Length": [
          "973"
        ],
        "Content-Type": [
          "application/json; charset=utf-8"
        ],
        "Expires": [
          "-1"
        ]
      },
      "ResponseBody": "{\r\n \"name\": \"testwafpolicy\",\r\n \"id\": \"/subscriptions/66de82f3-ad93-4605-bbdb-237fe7ef3a06/resourceGroups/appgwTest/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/testwafpolicy\",\r\n \"etag\": \"W/\\\"a949eda1-7aa8-45e2-8cb8-a841e9abfda9\\\"\",\r\n \"type\": \"Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies\",\r\n \"location\": \"eastus2euap\",\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \"customRules\": [],\r\n \"policySettings\": {\r\n \"requestBodyCheck\": true,\r\n \"maxRequestBodySizeInKb\": 128,\r\n \"fileUploadLimitInMb\": 100,\r\n \"state\": \"Disabled\",\r\n \"mode\": \"Detection\",\r\n \"requestBodyInspectLimitInKB\": 128,\r\n \"fileUploadEnforcement\": true,\r\n \"requestBodyEnforcement\": true\r\n },\r\n \"managedRules\": {\r\n \"managedRuleSets\": [\r\n {\r\n \"ruleSetType\": \"Microsoft_DefaultRuleSet\",\r\n \"ruleSetVersion\": \"2.1\",\r\n \"ruleGroupOverrides\": []\r\n }\r\n ],\r\n \"exclusions\": []\r\n },\r\n \"applicationGatewayForContainers\": [\r\n {\r\n \"id\": \"/subscriptions/66de82f3-ad93-4605-bbdb-237fe7ef3a06/resourcegroups/appgwtest/providers/microsoft.servicenetworking/trafficcontrollers/test1\"\r\n }\r\n ]\r\n }\r\n}",
      "StatusCode": 200
    }
  ],
  "Names": {},
  "Variables": {
    "SubscriptionId": "66de82f3-ad93-4605-bbdb-237fe7ef3a06"
  }
}
```
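
Added example, not part of the PR or of Azure PowerShell: a function that reads a policy document shaped like the `ResponseBody` above and reports which gateways reference the policy and whether the policy is actually enforcing. The function name `Get-WafPolicyAttachment` is hypothetical, the `applicationGateways` key is assumed to mirror the `applicationGatewayForContainers` key in the recording, and the sample JSON is constructed with a placeholder subscription id.

```powershell
function Get-WafPolicyAttachment {
    param([Parameter(Mandatory)][string]$PolicyJson)

    $policy   = $PolicyJson | ConvertFrom-Json
    $props    = $policy.properties
    $settings = $props.policySettings

    # Either reference list may be absent from the response. Skip nulls and lower-case
    # the ids, because the recording shows ids coming back in mixed and lower case.
    $collect = {
        param($refs)
        foreach ($ref in $refs) { if ($ref -and $ref.id) { $ref.id.ToLowerInvariant() } }
    }
    $appGw = @(& $collect $props.applicationGateways)              # assumed key name
    $agc   = @(& $collect $props.applicationGatewayForContainers)  # key seen in the recording

    [pscustomobject]@{
        PolicyId                        = $policy.id
        State                           = $settings.state
        Mode                            = $settings.mode
        # A policy only blocks requests when it is enabled and in Prevention mode.
        Enforcing                       = ($settings.state -eq 'Enabled' -and $settings.mode -eq 'Prevention')
        ApplicationGateways             = $appGw
        ApplicationGatewayForContainers = $agc
        AttachedCount                   = $appGw.Count + $agc.Count
    }
}

# Constructed sample, trimmed to the fields the function reads.
$sample = @'
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/appgwTest/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/testwafpolicy",
  "properties": {
    "policySettings": { "state": "Disabled", "mode": "Detection" },
    "applicationGatewayForContainers": [
      { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/appgwtest/providers/microsoft.servicenetworking/trafficcontrollers/test1" }
    ]
  }
}
'@

$report = Get-WafPolicyAttachment -PolicyJson $sample
$report | Format-List
if ($report.AttachedCount -gt 0 -and -not $report.Enforcing) {
    Write-Warning "$($report.PolicyId) is attached to $($report.AttachedCount) gateway(s) but is not blocking traffic."
}
```

With the values in the recording (`state` Disabled, `mode` Detection, one Application Gateway for Containers reference) the warning fires, which is the case an inventory of WAF policies most needs to surface.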