How do I fix the ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion error in Azure CLI?


Question

I need to change the action on some managed rules in my WAF policy in Azure using AZ CLI from a Jenkins pipeline, but I can't do it.

In Jenkins I connect to a container with AZ CLI, where the command is executed.
The version of Azure CLI that I use is 2.38, which is the latest stable.

I have the correct command because I tried it in another console and it works, but from Jenkins it returns an error.

To change the action on some managed rules in my WAF policy in Azure using AZ CLI from Jenkins, I am using the following command:

az network application-gateway waf-policy managed-rule rule-set update --policy-name wp-main --resource-group rg-pre --type OWASP --version 3.2 --group-name REQUEST-930-APPLICATION-ATTACK-LFI --rule rule-id=930100 state=Enabled action=Log --rule rule-id=930110 state=Enabled action=Log

The command is correct because I have tested it on my local machine and it works. The problem is that when I launch the command from Jenkins, it returns the following error:

14:18:19  ERROR: (ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion) Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
14:18:19  Code: ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion
14:18:19  Message: Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.

If I launch the command with the debug flag, it returns the following error:

09:07:06  DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
09:07:06  DEBUG: urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main?api-version=2021-08-01 HTTP/1.1" 400 482
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies: Response status: 400
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '482'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Expires': '-1'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'aff1d4c4-1227-4220-a8bd-3195865a4d19'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '90e02c91-d9c0-4f61-8127-3adea4d468a0'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-arm-service-request-id': '57bdc048-e44d-46fd-a255-5063097bc367'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-HTTPAPI/2.0, Microsoft-HTTPAPI/2.0'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1199'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'NORTHEUROPE:20230801T070706Z:90e02c91-d9c0-4f61-8127-3adea4d468a0'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 01 Aug 2023 07:07:06 GMT'
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies: Response content:
09:07:06  DEBUG: cli.azure.cli.core.sdk.policies: {
09:07:06    "error": {
09:07:06      "code": "ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion",
09:07:06      "message": "Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.",
09:07:06      "details": []
09:07:06    }
09:07:06  }
09:07:06  DEBUG: cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
09:07:06  DEBUG: cli.azure.cli.core.util: Traceback (most recent call last):
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
09:07:06      cmd_result = self.invocation.execute(args)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
09:07:06      raise ex
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
09:07:06      results.append(self._run_job(expanded_arg, cmd_copy))
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
09:07:06      result = cmd_copy(params)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
09:07:06      return self.handler(*args, **kwargs)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 240, in handler
09:07:06      result = cached_put(self.cmd, setter, **setterargs)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 452, in cached_put
09:07:06      return _put_operation()
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 446, in _put_operation
09:07:06      result = operation(**kwargs)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
09:07:06      return func(*args, **kwargs)
09:07:06    File "/usr/lib64/az/lib/python3.6/site-packages/azure/mgmt/network/v2021_08_01/operations/_operations.py", line 75623, in create_or_update
09:07:06      raise HttpResponseError(response=response, error_format=ARMErrorFormat)
09:07:06  azure.core.exceptions.HttpResponseError: (ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion) Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  Code: ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion
09:07:06  Message: Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  
09:07:06  ERROR: cli.azure.cli.core.azclierror: (ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion) Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  Code: ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion
09:07:06  Message: Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  ERROR: az_command_data_logger: (ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion) Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  Code: ApplicationGatewayFirewallEnabledOverrideStateCannotBeConfiguredForApiVersion
09:07:06  Message: Specified api-version 2021-08-01 does not meet the minimum required api-version 2022-05-01 to have 'Enabled' override state in context /subscriptions/13934565-331c-4c7e-8ec2-a33e1f98de4c/resourceGroups/rg-pre-common-euw-dr/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-pre-common-euw-dr-main.
09:07:06  DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f8ff813e840>]
09:07:06  INFO: az_command_data_logger: exit code: 1
09:07:06  INFO: cli.__main__: Command ran in 1.268 seconds (init: 0.183, invoke: 1.085)
09:07:06  INFO: telemetry.save: Save telemetry record of length 3991 in cache
09:07:06  WARNING: telemetry.check: Negative: The /root/.azure/telemetry.txt was modified at 2023-08-01 07:06:38.955288, which in less than 600.000000 s

Also with the following command:

az network application-gateway waf-policy managed-rule rule-set update --policy-name wp-main --resource-group rg-pre --type OWASP --version 3.2 --group-name General --rule rule-id=200004 state=Enabled action=Log --rule rule-id=200002 state=Enabled action=Log --rule rule-id=200003 state=Enabled action=Log --debug

This command is correct too because I have tested it on my local machine and it works too, and in the Azure Portal I can see the rule and rule group, therefore the rule and rule group exist. The error makes no sense because the rule and rule group exist, and the problem is that when I launch the command from Jenkins it returns the following error:

08:04:54  DEBUG: cli.azure.cli.core.sdk.policies: Response status: 400
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '241'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Expires': '-1'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'ef9bd208-e07a-41b7-80fb-4d0cbecb5fed'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '2ae123db-63b7-4a69-8f83-9b843a24cb1a'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-arm-service-request-id': '675a862b-817e-4b15-9f1a-28f0eaa3bb96'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-HTTPAPI/2.0, Microsoft-HTTPAPI/2.0'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '1199'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'NORTHEUROPE:20230801T060453Z:2ae123db-63b7-4a69-8f83-9b843a24cb1a'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 01 Aug 2023 06:04:53 GMT'
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies: Response content:
08:04:54  DEBUG: cli.azure.cli.core.sdk.policies: {
08:04:54    "error": {
08:04:54      "code": "ApplicationGatewayFirewallUnknownRuleOverride",
08:04:54      "message": "The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.",
08:04:54      "details": []
08:04:54    }
08:04:54  }
08:04:54  DEBUG: cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
08:04:54  DEBUG: cli.azure.cli.core.util: Traceback (most recent call last):
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
08:04:54      cmd_result = self.invocation.execute(args)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
08:04:54      raise ex
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
08:04:54      results.append(self._run_job(expanded_arg, cmd_copy))
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
08:04:54      result = cmd_copy(params)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
08:04:54      return self.handler(*args, **kwargs)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 240, in handler
08:04:54      result = cached_put(self.cmd, setter, **setterargs)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 452, in cached_put
08:04:54      return _put_operation()
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 446, in _put_operation
08:04:54      result = operation(**kwargs)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
08:04:54      return func(*args, **kwargs)
08:04:54    File "/usr/lib64/az/lib/python3.6/site-packages/azure/mgmt/network/v2021_08_01/operations/_operations.py", line 75623, in create_or_update
08:04:54      raise HttpResponseError(response=response, error_format=ARMErrorFormat)
08:04:54  azure.core.exceptions.HttpResponseError: (ApplicationGatewayFirewallUnknownRuleOverride) The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  Code: ApplicationGatewayFirewallUnknownRuleOverride
08:04:54  Message: The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  
08:04:54  ERROR: cli.azure.cli.core.azclierror: (ApplicationGatewayFirewallUnknownRuleOverride) The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  Code: ApplicationGatewayFirewallUnknownRuleOverride
08:04:54  Message: The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  ERROR: az_command_data_logger: (ApplicationGatewayFirewallUnknownRuleOverride) The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  Code: ApplicationGatewayFirewallUnknownRuleOverride
08:04:54  Message: The override Rule 'rule-id=200003' is unknown for RuleGroup 'General' for Application Gateway Firewall in context ''.
08:04:54  DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f8b944e0840>]
08:04:54  INFO: az_command_data_logger: exit code: 1
08:04:54  INFO: cli.__main__: Command ran in 2.719 seconds (init: 0.138, invoke: 2.581)
08:04:54  INFO: telemetry.save: Save telemetry record of length 3523 in cache
08:04:54  WARNING: telemetry.check: Negative: The /root/.azure/telemetry.txt was modified at 2023-08-01 06:04:40.399674, which in less than 600.000000 s

Please, I need help because I have no idea how to fix it. And I don't understand why the command works on my local machine and on Jenkins it doesn't.

Answer 1

Score: 0

The issue seems to be related to the Azure CLI version installed on the Jenkins agent. Upgrading to at least version 2.43 should solve the problem.
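
A pre-flight check for the pipeline step, as an added example that is not part of the original question or answer: it fails the build early when the agent's azure-cli is older than the 2.43 suggested above, and it reads the api-version out of a `--debug` PUT line to compare it with the 2022-05-01 minimum named in the error. The function names and the sample log line (with a placeholder subscription ID) are constructed for illustration.

```shell
#!/bin/sh
# Added example: guard a Jenkins step that edits WAF managed-rule overrides.
MIN_CLI="2.43.0"      # minimum azure-cli version suggested in the answer
MIN_API="2022-05-01"  # minimum api-version quoted in the ARM error message

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# api_version_in_log: read az --debug output on stdin and print the
# api-version of the first ARM PUT request found in it.
api_version_in_log() {
    sed -n 's/.*"PUT [^"]*[?&]api-version=\([0-9-]*\).*/\1/p' | head -n 1
}

# api_meets_min YYYY-MM-DD: succeed when the date is at or after MIN_API.
api_meets_min() {
    version_ge "$(echo "$1" | sed 's/-/./g')" "$(echo "$MIN_API" | sed 's/-/./g')"
}

# cli_version: print the installed azure-cli version, or nothing if az is absent.
cli_version() {
    command -v az >/dev/null 2>&1 || return 0
    az version --query '"azure-cli"' -o tsv 2>/dev/null
}

# preflight: call this in the pipeline before the waf-policy update command.
preflight() {
    v=$(cli_version)
    if [ -z "$v" ]; then echo "az not found on this agent" >&2; return 2; fi
    if ! version_ge "$v" "$MIN_CLI"; then
        echo "azure-cli $v is older than $MIN_CLI; upgrade the agent image" >&2
        return 1
    fi
}

# Constructed sample: the PUT line from the debug output, IDs replaced.
SAMPLE_LOG='DEBUG: urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/<subscription-id>/resourceGroups/rg-pre/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wp-main?api-version=2021-08-01 HTTP/1.1" 400 482'

used=$(printf '%s\n' "$SAMPLE_LOG" | api_version_in_log)
if api_meets_min "$used"; then
    echo "api-version $used is recent enough for state=Enabled overrides"
else
    echo "api-version $used is below $MIN_API; this CLI build is too old"
fi
```

Calling `preflight || exit 1` before the update command makes an outdated agent image fail with a clear message instead of an ARM 400.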

huangapple
  • Posted on July 31, 2023, 22:26:13