az network firewall policy update: (FirewallPolicyPremiumOnlyProperties) error on standard policy #4096

Closed
AndrevdG opened this issue Nov 11, 2021 · 3 comments · Fixed by #4143

@AndrevdG

Describe the bug

ran:
az network firewall policy update --name --resource-group --threat-intel-mode Deny
on an existing Azure Firewall Policy in standard mode. This fails with the listed error message. If running with --debug, the command first appears to do a 'GET' to obtain all the properties for the policy, which does not contain the 'identity' property.

When doing the update the command includes "identity": {"type": "None"} in the payload, which it seems causes the listed error message.

Command Name
az network firewall policy update Extension Name: azure-firewall. Version: 0.12.0.

Errors:

(FirewallPolicyPremiumOnlyProperties) Firewall Policy 541ac3f6-a8e8-4691-a0d7-40a3bf89fd36 contains premium only properties - Identity

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az network firewall policy update --name {} --resource-group {} --threat-intel-mode {}

Expected Behavior

To be able to change settings for an existing Azure Firewall Policy in standard mode

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.27.1 *

Extensions:
azure-firewall 0.12.0

Additional Context

'GET' from --debug output:

urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/0000000-000-000-0000-000000/resourceGroups/rg-mgt-hub-t/providers/Microsoft.Network/firewallPolicies/afp-hub-mgt-t-01?api-version=2020-07-01 HTTP/1.1" 200 None
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Content-Encoding': 'gzip'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'ETag': '"75e55771-6308-4a04-87a9-1087c36c84d6"'
cli.azure.cli.core.sdk.policies:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-HTTPAPI/2.0'
<snip>
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 11 Nov 2021 13:20:59 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "properties": {
    "sku": {
      "tier": "Standard"
    },
    "threatIntelMode": "Deny",
    "threatIntelWhitelist": {
      "fqdns": [],
      "ipAddresses": []
    },
    "dnsSettings": {
      "servers": [],
      "enableProxy": true
    },
    "childPolicies": [],
    "ruleCollectionGroups": [
      {
        "id": "/subscriptions/0000000-000-000-0000-000000/resourcegroups/rg-mgt-hub-t/providers/Microsoft.Network/firewallPolicies/afp-hub-mgt-t-01/ruleCollectionGroups/defaultNetworkRuleCollectionGroup",
        "resourceType": "NotDefined"
      },
      {
        "id": "/subscriptions/0000000-000-000-0000-000000/resourcegroups/rg-mgt-hub-t/providers/Microsoft.Network/firewallPolicies/afp-hub-mgt-t-01/ruleCollectionGroups/defaultApplicationRuleCollectionGroup",
        "resourceType": "NotDefined"
      }
    ],
    "firewalls": [],
    "provisioningState": "Succeeded"
  },
  "id": "/subscriptions/0000000-000-000-0000-000000/resourcegroups/rg-mgt-hub-t/providers/Microsoft.Network/firewallPolicies/afp-hub-mgt-t-01",
  "name": "afp-hub-mgt-t-01",
  "type": "Microsoft.Network/FirewallPolicies",
  "etag": "0000000-000-000-0000-000000",
  "location": "westeurope",
  "tags": {
    "Cluster": "Cluster"
  }
}

'PUT' from --debug

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/0000000-000-000-0000-000000/resourceGroups/rg-mgt-hub-t/providers/Microsoft.Network/firewallPolicies/afp-hub-mgt-t-01?api-version=2020-07-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '529'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '35d10b5b-42f2-11ec-a72d-000d3a2f65a6'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network firewall policy update'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--name --resource-group --threat-intel-mode --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.27.1 (MSI) azsdk-python-azure-mgmt-network/18.0.0 Python/3.8.9 (Windows-10-10.0.19041-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"id": "/subscriptions/0000000-000-000-0000-000000/resourcegroups/rg-mgt-hub-t/providers/Microsoft.Network/firewallPolicies/afp-hub-mgt-t-01", "location": "westeurope", "tags": {"Cluster": "cluster"}, "identity": {"type": "None"}, "properties": {"threatIntelMode": "Deny", "threatIntelWhitelist": {"ipAddresses": [], "fqdns": []}, "dnsSettings": {"servers": [], "enableProxy": true}, "sku": {"tier": "Standard"}}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/0000000-000-000-0000-000000/resourceGroups/rg-mgt-hub-t/providers/Microsoft.Network/firewallPolicies/afp-hub-mgt-t-01?api-version=2020-07-01 HTTP/1.1" 400 213
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '213'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
<snip>
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 11 Nov 2021 13:21:00 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "status": "Failed",
  "error": {
    "code": "FirewallPolicyPremiumOnlyProperties",
    "message": "Firewall Policy 0000000-000-000-0000-000000 contains premium only properties - Identity"
  }
}
@yonzhan
Collaborator

yonzhan commented Nov 11, 2021

network

@kairu-ms
Contributor

Please create the policy with --sku Premium. Identity is only supported for the 'Premium' sku.

@AndrevdG
Author

AndrevdG commented Nov 12, 2021

Please create the policy with --sku Premium. Identity is only supported for the 'Premium' sku.

I feel you misunderstood or misread what I wrote. I was updating an existing standard sku policy and at no point did I set identity myself; this was inserted by the az cli network firewall update command.

It is easily reproduced:
run:
az network firewall policy create -n test-policy -g Group -l westeurope --threat-intel-mode Alert

or

az network firewall policy create -n test-policy -g Group -l westeurope --sku Standard --threat-intel-mode Alert

(Omitting the preview parameter --sku will create a standard policy anyway)

Next try to change the 'threat-intel-mode' with:

'az network firewall policy update -n test-policy -g Group --threat-intel-mode Deny'

This will result in the error message:

'(FirewallPolicyPremiumOnlyProperties) Firewall Policy c7f3f29b-9c8d-4cd0-bd6c-67362034c959 contains premium only properties - Identity
Code: FirewallPolicyPremiumOnlyProperties
Message: Firewall Policy c7f3f29b-9c8d-4cd0-bd6c-67362034c959 contains premium only properties - Identity
'

At no point did I set Identity or any other Premium sku option.

Using 'create' again to change the property value does work:

az network firewall policy create -n test-policy -g Group -l westeurope --threat-intel-mode Deny

If I run both with debug mode on, you can see that the 'update' command inserts the arbitrary "identity": {"type": "None"} while create does not.

'az network firewall policy create -n test-policy -g Group -l westeurope --sku Standard --threat-intel-mode Alert':

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<snip>/resourceGroups/Shared/providers/Microsoft.Network/firewallPolicies/test-policy?api-version=2020-07-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '69'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '74864183-437e-11ec-bb29-ec5c68a2077a'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network firewall policy create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-n -g -l --threat-intel-mode --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.30.0 (MSI) azsdk-python-azure-mgmt-network/18.0.0 Python/3.8.9 (Windows-10-10.0.22000-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "westeurope", "properties": {"threatIntelMode": "Deny"}}

'az network firewall policy update -n test-policy -g Group --threat-intel-mode Deny':

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/<snip>/resourceGroups/Shared/providers/Microsoft.Network/firewallPolicies/test-policy?api-version=2020-07-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '269'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'dae86a49-437d-11ec-a78c-ec5c68a2077a'
cli.azure.cli.core.sdk.policies:     'CommandName': 'network firewall policy update'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-n -g --threat-intel-mode --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.30.0 (MSI) azsdk-python-azure-mgmt-network/18.0.0 Python/3.8.9 (Windows-10-10.0.22000-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"id": "/subscriptions/<snip>/resourceGroups/Shared/providers/Microsoft.Network/firewallPolicies/test-policy", "location": "westeurope", "identity": {"type": "None"}, "properties": {"threatIntelMode": "Deny", "sku": {"tier": "Standard"}}}

As you can see, the only difference between using 'create' or 'update' is the request body.

Edit:
For this answer I ran the commands from a different workstation, which is updated to the last available az cli:

Environment Summary

Windows-10-10.0.22000-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.30.0

Extensions:
azure-firewall 0.12.0
interactive 0.4.5
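
The comparison made by hand in this thread (what the GET returned versus what `update` then sent in its PUT) can be automated over `--debug` output. This is an added example, not part of the original thread or of azure-cli; the function names and the trimmed sample log are constructed for illustration.

```python
import json

# Constructed sample: trimmed from the --debug excerpts shown in this issue.
DEBUG_LOG = """\
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
  "properties": {
    "sku": {"tier": "Standard"},
    "threatIntelMode": "Alert"
  },
  "id": "/subscriptions/<snip>/firewallPolicies/test-policy",
  "location": "westeurope"
}
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"id": "/subscriptions/<snip>/firewallPolicies/test-policy", "location": "westeurope", "identity": {"type": "None"}, "properties": {"threatIntelMode": "Deny", "sku": {"tier": "Standard"}}}
"""

def body_after(log, marker):
    """Decode the first JSON object that follows `marker` in a --debug log.

    raw_decode stops at the end of the object, so it handles both the
    pretty-printed response and the single-line request body.
    """
    start = log.index("{", log.index(marker))
    obj, _ = json.JSONDecoder().raw_decode(log, start)
    return obj

def flatten(obj, prefix=""):
    """Map dotted key paths to leaf values of a nested dict."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def diff_put_against_get(log):
    """Return (paths only in the PUT body, {path: (server, sent)} for changes)."""
    server = flatten(body_after(log, "Response content:"))
    sent = flatten(body_after(log, "Request body:"))
    added = sorted(p for p in sent if p not in server)
    changed = {p: (server[p], sent[p]) for p in sent
               if p in server and server[p] != sent[p]}
    return added, changed

if __name__ == "__main__":
    print(diff_put_against_get(DEBUG_LOG))
```

On the sample, the only path the client added is `identity.type`, and the only changed value is the requested `threatIntelMode`.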
