Skip to content

Commit

Permalink
Save & Commit (Azure#25376)
Browse files Browse the repository at this point in the history
* wip

* markdowns

* markdown fix

* breaking changes fix

* markdown fixes

* markdowns fixes 3

* markdown 4

---------

Co-authored-by: Lior Stauber <[email protected]>
  • Loading branch information
liorstauber and t-lstauber authored Jul 1, 2024
1 parent 8c1d35d commit 80e8c80
Show file tree
Hide file tree
Showing 33 changed files with 9,411 additions and 32 deletions.
16 changes: 16 additions & 0 deletions src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.cs
Original file line number Diff line number Diff line change
Expand Up @@ -212,5 +212,21 @@ public void TestAzureFirewallPolicyIDPSProfiles()
{
TestRunner.RunTestScript("Test-AzureFirewallPolicyIDPSProfiles");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
public void TestAzureFirewallPolicyDraft()
{
TestRunner.RunTestScript("Test-AzureFirewallPolicyDraft");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
public void TestAzureFirewallPolicyRCGyDraft()
{
TestRunner.RunTestScript("Test-AzureFirewallPolicyRCGDraft");
}
}
}
173 changes: 173 additions & 0 deletions src/Network/Network.Test/ScenarioTests/AzureFirewallPolicyTests.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -2095,4 +2095,177 @@ function Test-AzureFirewallPolicyIDPSProfiles {
# Cleanup
Clean-ResourceGroup $rgname
}
}
<#
.SYNOPSIS
Tests function Test-AzureFirewallPolicyDraft.
#>
function Test-AzureFirewallPolicyDraft {
# Setup
$rgname = Get-ResourceGroupName
$azureFirewallPolicyName = Get-ResourceName
$azureFirewallPolicyAsJobName = Get-ResourceName
$resourceTypeParent = "Microsoft.Network/FirewallPolicies"
$location = "westus2"
$tier = "Premium"

try {
# Create the resource group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
# Intrusion Detection Settings
$intrusionDetection = New-AzFirewallPolicyIntrusionDetection -Mode "Alert"
# Create AzureFirewallPolicy
$azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $location -SkuTier $tier -IntrusionDetection $intrusionDetection
# Create AzureFirewallPolicyDraft
$newAzureFirewallPolicyDraft = New-AzFirewallPolicyDraft -FirewallPolicyObject $azureFirewallPolicy
# Get AzureFirewallPolicyDraft
$getAzureFirewallPolicyDraft = Get-AzFirewallPolicyDraft -AzureFirewallPolicyName $azureFirewallPolicyName -ResourceGroupName $rgname

# verification
Assert-NotNull $getAzureFirewallPolicyDraft.IntrusionDetection
Assert-AreEqual "Alert" $getAzureFirewallPolicyDraft.IntrusionDetection.Mode
Assert-Null $getAzureFirewallPolicyDraft.Snat

# Updated Intrusion Detection Settings
$intrusionDetection = New-AzFirewallPolicyIntrusionDetection -Mode "Deny"
$setAzureFirewallPolicy = Set-AzFirewallPolicyDraft -AzureFirewallPolicyName $azureFirewallPolicyName -ResourceGroupName $rgname -IntrusionDetection $intrusionDetection
# Get AzureFirewallPolicyDraft
$getAzureFirewallPolicyDraft = Get-AzFirewallPolicyDraft -AzureFirewallPolicyName $azureFirewallPolicyName -ResourceGroupName $rgname

# verification
Assert-AreEqual "Deny" $getAzureFirewallPolicyDraft.IntrusionDetection.Mode

# Deploy policy draft
Deploy-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname
# Get AzureFirewallPolicy
$getAzureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname
# verification
Assert-NotNull $getAzureFirewallPolicyDraft.IntrusionDetection
Assert-AreEqual "Deny" $getAzureFirewallPolicyDraft.IntrusionDetection.Mode
}

finally {
# Cleanup
Clean-ResourceGroup $rgname
}
}

<#
.SYNOPSIS
Tests function Test-AzureFirewallPolicyRCGDraft.
#>
function Test-AzureFirewallPolicyRCGDraft {
# Setup
$rgname = Get-ResourceGroupName
$azureFirewallPolicyName = Get-ResourceName
$azureFirewallPolicyAsJobName = Get-ResourceName
$resourceTypeParent = "Microsoft.Network/FirewallPolicies"
$location = "canadacentral"

$ruleGroupName = Get-ResourceName
$ruleGroupDraftName = Get-ResourceName

# AzureFirewallPolicyNatRuleCollection
$natRcName = "natRc"
$natRcName2 = "natRc2"
$natRcPriority = 100
$natRcActionType = "Dnat"

# AzureFirewallPolicyNatRule 1
$natRule1Name = "natRule"
$natRule1Desc = "desc1"
$natRule1SourceAddress1 = "10.0.0.0"
$natRule1SourceAddress2 = "111.1.0.0/24"
$natRule1Protocol1 = "UDP"
$natRule1Protocol2 = "TCP"
$natRule1DestinationAddress1 = "10.10.10.1"
$natRule1DestinationPort1 = "90"
$natRule1TranslatedFqdn = "server1.internal.com"
$natRule1TranslatedPort = "91"

$pipelineRcPriority = 154

try
{
# Create the resource group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "testval" }
# Create AzureFirewallPolicy
$azureFirewallPolicy = New-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname -Location $location
# Get AzureFirewallPolicy
$getAzureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname
# Create NAT rule
$natRule = New-AzFirewallPolicyNatRule -Name $natRule1Name -Description $natRule1Desc -Protocol $natRule1Protocol1, $natRule1Protocol2 -SourceAddress $natRule1SourceAddress1, $natRule1SourceAddress2 -DestinationAddress $natRule1DestinationAddress1 -DestinationPort $natRule1DestinationPort1 -TranslatedFqdn $natRule1TranslatedFqdn -TranslatedPort $natRule1TranslatedPort
# Create a NAT Rule Collection
$natRc = New-AzFirewallPolicyNatRuleCollection -Name $natRcName -ActionType $natRcActionType -Priority $natRcPriority -Rule $natRule
New-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -Priority 100 -RuleCollection $natRc -FirewallPolicyObject $azureFirewallPolicy
# Set AzureFirewallPolicy
Set-AzFirewallPolicy -InputObject $azureFirewallPolicy

# Create Policy Draft
New-AzFirewallPolicyDraft -AzureFirewallPolicyName $azureFirewallPolicyName -ResourceGroupName $rgname
# Create a NAT Rule Collection
$natRc2 = New-AzFirewallPolicyNatRuleCollection -Name $natRcName2 -ActionType $natRcActionType -Priority $natRcPriority -Rule $natRule
# Create RuleCollection Group Draft
New-AzFirewallPolicyRuleCollectionGroupDraft -AzureFirewallPolicyRuleCollectionGroupName $ruleGroupName -Priority 100 -RuleCollection $natRc2 -FirewallPolicyObject $azureFirewallPolicy
# Get AzureFirewallPolicy Rule Collection Group draft
$getAzureFirewallPolicyDraft = Get-AzFirewallPolicyDraft -AzureFirewallPolicyName $azureFirewallPolicyName -ResourceGroupName $rgName
$getAzureFirewallPolicyRuleCollectionGroupDraft = Get-AzFirewallPolicyRuleCollectionGroupDraft -AzureFirewallPolicyRuleCollectionGroupName $ruleGroupName -FirewallPolicyObject $azureFirewallPolicy

# Verification
Assert-AreEqual 1 @($getAzureFirewallPolicyRuleCollectionGroupDraft.properties.ruleCollection).Count
$natRuleCollection = $getAzureFirewallPolicyRuleCollectionGroupDraft.Properties.GetRuleCollectionByName($natRcName2)

# Verify NAT rule collection and NAT rule
$natRule = $natRuleCollection.GetRuleByName($natRule1Name)

Assert-AreEqual $natRcName2 $natRuleCollection.Name
Assert-AreEqual $natRcPriority $natRuleCollection.Priority

Assert-AreEqual $natRule1Name $natRule.Name

Assert-AreEqual 2 $natRule.SourceAddresses.Count
Assert-AreEqual $natRule1SourceAddress1 $natRule.SourceAddresses[0]
Assert-AreEqual $natRule1SourceAddress2 $natRule.SourceAddresses[1]

Assert-AreEqual 1 $natRule.DestinationAddresses.Count

Assert-AreEqual 2 $natRule.Protocols.Count
Assert-AreEqual $natRule1Protocol1 $natRule.Protocols[0]
Assert-AreEqual $natRule1Protocol2 $natRule.Protocols[1]

Assert-AreEqual 1 $natRule.DestinationPorts.Count
Assert-AreEqual $natRule1DestinationPort1 $natRule.DestinationPorts[0]

Assert-AreEqual $natRule1TranslatedFqdn $natRule.TranslatedFqdn
Assert-AreEqual $natRule1TranslatedPort $natRule.TranslatedPort
$testPipelineRg = Get-AzFirewallPolicyRuleCollectionGroupDraft -AzureFirewallPolicyRuleCollectionGroupName $ruleGroupName -AzureFirewallPolicyName $getAzureFirewallPolicy.Name -ResourceGroupName $rgname
$testPipelineRg|Set-AzFirewallPolicyRuleCollectionGroupDraft -Priority $pipelineRcPriority

$testPipelineRg = Get-AzFirewallPolicyRuleCollectionGroupDraft -AzureFirewallPolicyRuleCollectionGroupName $ruleGroupName -AzureFirewallPolicyName $getAzureFirewallPolicy.Name -ResourceGroupName $rgname
Assert-AreEqual $pipelineRcPriority $testPipelineRg.properties.Priority

$azureFirewallPolicyAsJob = New-AzFirewallPolicy -Name $azureFirewallPolicyAsJobName -ResourceGroupName $rgname -Location $location -AsJob
$result = $azureFirewallPolicyAsJob | Wait-Job
Assert-AreEqual "Completed" $result.State

# Deploy policy draft
Deploy-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgname
# Get AzureFirewallPolicy
$getAzureFirewallPolicyRuleCollectionGroup = Get-AzFirewallPolicyRuleCollectionGroup -Name $ruleGroupName -ResourceGroupName $rgname -AzureFirewallPolicyName $azureFirewallPolicyName
$getAzureFirewallPolicy = Get-AzFirewallPolicy -Name $azureFirewallPolicyName -ResourceGroupName $rgName

# verification
Assert-AreEqual $rgName $getAzureFirewallPolicy.ResourceGroupName
Assert-AreEqual $azureFirewallPolicyName $getAzureFirewallPolicy.Name
Assert-NotNull $getAzureFirewallPolicy.Location
Assert-AreEqual $location $getAzureFirewallPolicy.Location

# Check rule collection groups count
Assert-AreEqual 1 @($getAzureFirewallPolicy.RuleCollectionGroups).Count
Assert-AreEqual 1 @($getAzureFirewallPolicyRuleCollectionGroup.properties.ruleCollection).Count
}
finally {
# Cleanup
Clean-ResourceGroup $rgname
}
}
Loading

0 comments on commit 80e8c80

Please sign in to comment.