Tags: azure, jenkins, jenkins-pipeline, azure-cli

How do I fix the ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion error in Azure CLI?


I need to change the action on some managed rules in my WAF policy in Azure using AZ CLI from Jenkins' pipeline but I can't do it.

In Jenkins I connect to a container with AZ CLI where the command is executed. The version of azure cli that I use is 2.38, which is the latest stable.

I have the correct command because I tried it in another console and it works, but from Jenkins it returns an error.

To change the action on some managed rules in my WAF policy in Azure using AZ CLI from Jenkins I am using the following command:

az network application-gateway waf-policy managed-rule rule-set update --policy-name wp-main --resource-group rg-pre --type OWASP --version 3.2 --group-name REQUEST-930-APPLICATION-ATTACK-LFI --rule rule-id=930100 state=Enabled action=Log --rule rule-id=930110 state=Enabled action=Log

The command is correct because I have tested it in my local machine and it works. The problem is that when I launch the command from Jenkins it returns the following error:

14:18:19  ERROR: (ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion) Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
14:18:19  Code: ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion
14:18:19  Message: Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.

If I launch the command with the debug flag, it returns the following error:

09:07:06  DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
09:07:06  DEBUG: urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main?api-version=2021-08-01 HTTP/1.1" 400 482
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies: Response status: 400
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '482'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Expires': '-1'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'aff1d4c4-1227-4220-a8bd-3195865a4d19'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '90e02c91-d9c0-4f61-8127-3adea4d468a0'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-arm-service-request-id': '57bdc048-e44d-46fd-a255-5063097bc367'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-HTTPAPI/2.0, Microsoft-HTTPAPI/2.0'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1199'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'NORTHEUROPE:20230801T070706Z:90e02c91-d9c0-4f61-8127-3adea4d468a0'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 01 Aug 2023 07:07:06 GMT'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies: Response content:
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies: {
09:07:06    "error": {
09:07:06      "code": "ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion",
09:07:06      "message": "Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.",
09:07:06      "details": []
09:07:06    }
09:07:06  }
09:07:06  DEBUG: cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
09:07:06  DEBUG: cli.azure.cli.core.util: Traceback (most recent call last):
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
09:07:06      cmd_result = self.invocation.execute(args)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
09:07:06      raise ex
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
09:07:06      results.append(self._run_job(expanded_arg, cmd_copy))
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
09:07:06      result = cmd_copy(params)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
09:07:06      return self.handler(*args, **kwargs)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 240, in handler
09:07:06      result = cached_put(self.cmd, setter, **setterargs)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 452, in cached_put
09:07:06      return _put_operation()
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 446, in _put_operation
09:07:06      result = operation(**kwargs)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
09:07:06      return func(*args, **kwargs)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/mgmt/network/v2021_08_01/operations/_operations.py", line 75623, in create_or_update
09:07:06      raise HttpResponseError(response=response, error_format=ARMErrorFormat)
09:07:06  azure.core.exceptions.HttpResponseError: (ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion) Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  Code: ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion
09:07:06  Message: Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  
09:07:06  ERROR: cli.azure.cli.core.azclierror: (ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion) Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  Code: ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion
09:07:06  Message: Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  ERROR: az_command_data_logger: (ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion) Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  Code: ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion
09:07:06  Message: Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f8ff813e840>]
09:07:06  INFO: az_command_data_logger: exit code: 1
09:07:06  INFO: cli.__main__: Command ran in 1.268 seconds (init: 0.183, invoke: 1.085)
09:07:06  INFO: telemetry.save: Save telemetry record of length 3991 in cache
09:07:06  WARNING: telemetry.check: Negative: The /root/.azure/telemetry.txt was modified at 2023-08-01 07:06:38.955288, which in less than 600.000000 s

Also with the following command:

az network application-gateway waf-policy managed-rule rule-set update --policy-name wp-main --resource-group rg-pre --type OWASP --version 3.2 --group-name General --rule rule-id=200004 state=Enabled action=Log --rule rule-id=200002 state=Enabled action=Log --rule rule-id=200003 state=Enabled action=Log --debug

This command is correct too, because I have tested it on my local machine and it works there as well, and in the Azure Portal I can see the rule and rule group, so they exist. The error makes no sense because the rule and rule group exist; the problem is that when I launch the command from Jenkins it returns the following error:

08:04:54  DEBUG: cli.azure.cli.core.sdk.policies: Response status: 400
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '241'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Expires': '-1'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'ef9bd208-e07a-41b7-80fb-4d0cbecb5fed'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '2ae123db-63b7-4a69-8f83-9b843a24cb1a'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-arm-service-request-id': '675a862b-817e-4b15-9f1a-28f0eaa3bb96'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-HTTPAPI/2.0, Microsoft-HTTPAPI/2.0'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1199'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'NORTHEUROPE:20230801T060453Z:2ae123db-63b7-4a69-8f83-9b843a24cb1a'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 01 Aug 2023 06:04:53 GMT'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies: Response content:
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies: {
08:04:54    "error": {
08:04:54      "code": "ApplicationGatewayFirewallUnknownRuleOverride",
08:04:54      "message": "The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.",
08:04:54      "details": []
08:04:54    }
08:04:54  }
08:04:54  DEBUG: cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
08:04:54  DEBUG: cli.azure.cli.core.util: Traceback (most recent call last):
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
08:04:54      cmd_result = self.invocation.execute(args)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
08:04:54      raise ex
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
08:04:54      results.append(self._run_job(expanded_arg, cmd_copy))
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
08:04:54      result = cmd_copy(params)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
08:04:54      return self.handler(*args, **kwargs)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 240, in handler
08:04:54      result = cached_put(self.cmd, setter, **setterargs)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 452, in cached_put
08:04:54      return _put_operation()
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 446, in _put_operation
08:04:54      result = operation(**kwargs)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
08:04:54      return func(*args, **kwargs)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/mgmt/network/v2021_08_01/operations/_operations.py", line 75623, in create_or_update
08:04:54      raise HttpResponseError(response=response, error_format=ARMErrorFormat)
08:04:54  azure.core.exceptions.HttpResponseError: (ApplicationGatewayFirewallUnknownRuleOverride) The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  Code: ApplicationGatewayFirewallUnknownRuleOverride
08:04:54  Message: The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  
08:04:54  ERROR: cli.azure.cli.core.azclierror: (ApplicationGatewayFirewallUnknownRuleOverride) The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  Code: ApplicationGatewayFirewallUnknownRuleOverride
08:04:54  Message: The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  ERROR: az_command_data_logger: (ApplicationGatewayFirewallUnknownRuleOverride) The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  Code: ApplicationGatewayFirewallUnknownRuleOverride
08:04:54  Message: The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f8b944e0840>]
08:04:54  INFO: az_command_data_logger: exit code: 1
08:04:54  INFO: cli.__main__: Command ran in 2.719 seconds (init: 0.138, invoke: 2.581)
08:04:54  INFO: telemetry.save: Save telemetry record of length 3523 in cache
08:04:54  WARNING: telemetry.check: Negative: The /root/.azure/telemetry.txt was modified at 2023-08-01 06:04:40.399674, which in less than 600.000000 s

Please, I need help because I have no idea how to fix it, and I don't understand why the command works on my local machine but doesn't on Jenkins.


Solution

  • The issue seems to be related to the Azure CLI version installed on the Jenkins agent. Upgrading to at least version 2.43 should solve the problem.
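
Added example (not part of the original question or answer): a pre-flight check for the Jenkins shell step that fails the stage when the agent's Azure CLI is older than the 2.43 named in the answer, plus a check of which api-version a `--debug` trace shows the CLI actually sent, compared with the 2022-05-01 minimum from the error message. The function names, the 2.43.0 patch level and SAMPLE_DEBUG_LINE are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post.
MIN_CLI="2.43.0"       # from the answer ("at least 2.43"); patch level assumed
MIN_API="2022-05-01"   # from the error message in the question

# Constructed sample of the PUT line that `az ... --debug` prints (IDs are placeholders).
SAMPLE_DEBUG_LINE='DEBUG: urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/POLICY?api-version=2021-08-01 HTTP/1.1" 400 482'

# version_ge A B: succeeds when dotted version A >= B. Fields are compared
# numerically, so 2.5 < 2.43 (a plain string comparison would get this wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# api_version_sent: read debug output on stdin, print the api-version of the first PUT.
api_version_sent() {
  sed -n 's/.*"PUT [^"]*[?&]api-version=\([0-9-]*\).*/\1/p' | head -n 1
}

# api_version_ok: succeeds when the api-version found on stdin is >= MIN_API.
api_version_ok() {
  sent=$(api_version_sent)
  [ -n "$sent" ] || return 1
  version_ge "$(printf '%s' "$sent" | tr - .)" "$(printf '%s' "$MIN_API" | tr - .)"
}

# require_az_cli: succeeds only when the installed CLI is at least MIN_CLI.
require_az_cli() {
  installed=$(az version --query '"azure-cli"' -o tsv) || return 1
  if ! version_ge "$installed" "$MIN_CLI"; then
    echo "azure-cli $installed is older than $MIN_CLI; upgrade the agent image" >&2
    return 1
  fi
}

# In the Jenkins sh step, before the waf-policy update:
#   require_az_cli || exit 1
```

Running the same check on the local machine and inside the Jenkins container shows whether the two environments really use the same CLI build.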