[Network] AppGateway: Support for zones, autoscale config and trusted root certs

azure-cli2017.pyproj

@@ -13,7 +13,8 @@
     <LaunchProvider>Standard Python launcher</LaunchProvider>
     <InterpreterId>MSBuild|env|$(MSBuildProjectFullPath)</InterpreterId>
     <EnableNativeCodeDebugging>False</EnableNativeCodeDebugging>
-    <CommandLineArguments>--version</CommandLineArguments>
+    <CommandLineArguments>
+    </CommandLineArguments>
     <IsWindowsApplication>False</IsWindowsApplication>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)' == 'Debug'" />

scripts/dependency/requirements.Darwin.external.txt

@@ -39,7 +39,7 @@ azure-mgmt-marketplaceordering==0.1.0
 azure-mgmt-media==1.0.0rc1
 azure-mgmt-monitor==0.5.2
 azure-mgmt-msi==0.2.0
-azure-mgmt-network==2.2.1
+azure-mgmt-network==2.3.0
 azure-mgmt-nspkg==2.0.0
 azure-mgmt-policyinsights==0.1.0
 azure-mgmt-rdbms==1.3.0

scripts/dependency/requirements.Linux.external.txt

@@ -39,7 +39,7 @@ azure-mgmt-marketplaceordering==0.1.0
 azure-mgmt-media==1.0.0rc1
 azure-mgmt-monitor==0.5.2
 azure-mgmt-msi==0.2.0
-azure-mgmt-network==2.2.1
+azure-mgmt-network==2.3.0
 azure-mgmt-nspkg==2.0.0
 azure-mgmt-policyinsights==0.1.0
 azure-mgmt-rdbms==1.3.0

src/command_modules/azure-cli-container/HISTORY.rst

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+0.3.9
++++++
+* Minor fixes
+
 0.3.8
 +++++
 * Show identity when exporting a container group to yaml

src/command_modules/azure-cli-container/setup.py

@@ -14,7 +14,7 @@
     logger.warn("Wheel is not available, disabling bdist_wheel hook")
     cmdclass = {}
 
-VERSION = "0.3.8"
+VERSION = "0.3.9"
 
 CLASSIFIERS = [
     'Development Status :: 4 - Beta',
@@ -34,7 +34,7 @@
     'azure-mgmt-containerinstance==1.2.1',
     'azure-mgmt-loganalytics==0.2.0',
     'azure-mgmt-resource==2.0.0',
-    'azure-mgmt-network==2.2.1',
+    'azure-mgmt-network==2.3.0',
     'azure-mgmt-authorization==0.50.0',
     'azure-cli-core',
     'pyyaml>=3.13',

src/command_modules/azure-cli-network/HISTORY.rst

@@ -3,6 +3,15 @@
 Release History
 ===============
 
+2.2.9
++++++
+* `application-gateway`: Added `root-cert` subcommands to handle trusted root certifcates.
+* `application-gateway create/update`:
+   Added `--min-capacity` for configuring autoscale on v2 app gateways.
+   Added `--custom-error-pages` for configuring custom error pages.
+* `application-gateway create`: Added `--zones` for availability zone support.
+* `application-gateway waf-config set`: Added arguments `--file-upload-limit`, `--max-request-body-size` and `--request-body-check`.
+
 2.2.8
 +++++
 * Deprecated `network interface-endpoint` command names in favor of `network private-endpoint`.

src/command_modules/azure-cli-network/azure/cli/command_modules/network/_help.py

@@ -686,8 +686,46 @@
         - name: Gets SSL predefined policy with the specified policy name.
           text: az network application-gateway ssl-policy predefined show -n AppGwSslPolicy20170401
 """
+# endregion
+
+# region Application Gateway Trusted Root Certs
+helps['network application-gateway root-cert'] = """
+    type: group
+    short-summary: Manage trusted root certificates of an application gateway.
+"""
+helps['network application-gateway root-cert create'] = """
+    type: command
+    short-summary: Upload a trusted root certificate.
+"""
 
+helps['network application-gateway root-cert delete'] = """
+    type: command
+    short-summary: Delete a trusted root certificate.
+    examples:
+        - name: Delete a trusted root certificate.
+          text: az network application-gateway root-cert delete -g MyResourceGroup --gateway-name MyAppGateway -n MyRootCert
+"""
 
+helps['network application-gateway root-cert list'] = """
+    type: command
+    short-summary: List trusted root certificates.
+    examples:
+        - name: List trusted root certificates.
+          text: az network application-gateway root-cert list -g MyResourceGroup --gateway-name MyAppGateway
+"""
+
+helps['network application-gateway root-cert show'] = """
+    type: command
+    short-summary: Get the details of a trusted root certificate.
+    examples:
+        - name: Get the details of a trusted root certificate.
+          text: az network application-gateway root-cert show -g MyResourceGroup --gateway-name MyAppGateway -n MyRootCert
+"""
+
+helps['network application-gateway root-cert update'] = """
+    type: command
+    short-summary: Update a trusted root certificate.
+"""
 # endregion
 
 # region Application Gateway URL path map

src/command_modules/azure-cli-network/azure/cli/command_modules/network/_params.py

@@ -11,14 +11,14 @@
 from knack.arguments import CLIArgumentType, ignore_type
 
 from azure.cli.core.commands.parameters import (get_location_type, get_resource_name_completion_list,
-                                                tags_type, zone_type,
+                                                tags_type, zone_type, zones_type,
                                                 file_type, get_resource_group_completion_list,
                                                 get_three_state_flag, get_enum_type)
 from azure.cli.core.commands.validators import get_default_location_from_resource_group
 from azure.cli.core.commands.template_create import get_folded_parameter_help_string
 from azure.cli.command_modules.network._validators import (
     dns_zone_name_type,
-    validate_auth_cert, validate_cert, validate_inbound_nat_rule_id_list,
+    validate_ssl_cert, validate_cert, validate_inbound_nat_rule_id_list,
     validate_address_pool_id_list, validate_inbound_nat_rule_name_or_id,
     validate_address_pool_name_or_id, load_cert_file, validate_metadata,
     validate_peering_type, validate_dns_record_type, validate_route_filter, validate_target_listener,
@@ -27,7 +27,7 @@
     get_network_watcher_from_vm, get_network_watcher_from_location,
     get_asg_validator, get_vnet_validator, validate_ip_tags, validate_ddos_name_or_id,
     validate_service_endpoint_policy, validate_delegations, validate_subresource_list,
-    validate_er_peer_circuit, validate_ag_address_pools)
+    validate_er_peer_circuit, validate_ag_address_pools, validate_custom_error_pages)
 from azure.mgmt.trafficmanager.models import MonitorProtocol, ProfileStatus
 from azure.cli.command_modules.network._completers import (
     subnet_completion_list, get_lb_subresource_completion_list, get_ag_subresource_completion_list,
@@ -93,7 +93,10 @@ def load_arguments(self, _):
     with self.argument_context('network application-gateway') as c:
         c.argument('application_gateway_name', name_arg_type, help='The name of the application gateway.', completer=get_resource_name_completion_list('Microsoft.Network/applicationGateways'), id_part='name')
         c.argument('sku', arg_group='Gateway', help='The name of the SKU.', arg_type=get_enum_type(ApplicationGatewaySkuName), default=ApplicationGatewaySkuName.standard_medium.value)
+        c.argument('min_capacity', min_api='2018-07-01', help='Lower bound on the number of application gateway instances.', type=int)
         c.ignore('virtual_network_type', 'private_ip_address_allocation')
+        c.argument('zones', zones_type)
+        c.argument('custom_error_pages', min_api='2018-08-01', nargs='+', help='Space-separated list of custom error pages in `STATUS_CODE=URL` format.', validator=validate_custom_error_pages)
 
     with self.argument_context('network application-gateway', arg_group='Network') as c:
         c.argument('virtual_network_name', virtual_network_name_type)
@@ -104,7 +107,7 @@ def load_arguments(self, _):
 
     with self.argument_context('network application-gateway', arg_group='Gateway') as c:
         c.argument('servers', ag_servers_type)
-        c.argument('capacity', help='The number of instances to use with the application gateway.')
+        c.argument('capacity', help='The number of instances to use with the application gateway.', type=int)
         c.argument('http_settings_cookie_based_affinity', cookie_based_affinity_type, help='Enable or disable HTTP settings cookie-based affinity.')
         c.argument('http_settings_protocol', http_protocol_type, help='The HTTP settings protocol.')
         c.argument('enable_http2', arg_type=get_three_state_flag(positive_label='Enabled', negative_label='Disabled'), options_list=['--http2'], help='Use HTTP2 for the application gateway.', min_api='2017-10-01')
@@ -128,7 +131,7 @@ def load_arguments(self, _):
     with self.argument_context('network application-gateway update', arg_group=None) as c:
         c.argument('sku', default=None)
         c.argument('enable_http2')
-        c.argument('capacity', help='The number of instances to use with the application gateway.')
+        c.argument('capacity', help='The number of instances to use with the application gateway.', type=int)
 
     ag_subresources = [
         {'name': 'auth-cert', 'display': 'authentication certificate', 'ref': 'authentication_certificates'},
@@ -143,6 +146,8 @@ def load_arguments(self, _):
         {'name': 'url-path-map', 'display': 'URL path map', 'ref': 'url_path_maps'},
         {'name': 'redirect-config', 'display': 'redirect configuration', 'ref': 'redirect_configurations'}
     ]
+    if self.supported_api_version(min_api='2018-08-01'):
+        ag_subresources.append({'name': 'root-cert', 'display': 'trusted root certificate', 'ref': 'trusted_root_certificates'})
 
     for item in ag_subresources:
         with self.argument_context('network application-gateway {}'.format(item['name'])) as c:
@@ -165,8 +170,12 @@ def load_arguments(self, _):
     with self.argument_context('network application-gateway address-pool') as c:
         c.argument('servers', ag_servers_type, arg_group=None)
 
-    with self.argument_context('network application-gateway auth-cert') as c:
-        c.argument('cert_data', options_list=['--cert-file'], help='Certificate file path.', type=file_type, completer=FilesCompleter(), validator=validate_auth_cert)
+    for scope in ['auth-cert', 'root-cert']:
+        with self.argument_context('network application-gateway {}'.format(scope)) as c:
+            c.argument('cert_data', options_list='--cert-file', help='Certificate file path.', type=file_type, completer=FilesCompleter(), validator=validate_cert)
+
+    with self.argument_context('network application-gateway root-cert') as c:
+        c.argument('keyvault_secret', help='KeyVault secret ID.')
 
     with self.argument_context('network application-gateway frontend-ip') as c:
         c.argument('subnet', validator=get_subnet_validator(), help='The name or ID of the subnet.')
@@ -225,7 +234,7 @@ def load_arguments(self, _):
         c.argument('url_path_map', help='The name or ID of the URL path map.', completer=get_ag_subresource_completion_list('url_path_maps'))
 
     with self.argument_context('network application-gateway ssl-cert') as c:
-        c.argument('cert_data', options_list=('--cert-file',), type=file_type, completer=FilesCompleter(), help='The path to the PFX certificate file.', validator=validate_cert)
+        c.argument('cert_data', options_list=('--cert-file',), type=file_type, completer=FilesCompleter(), help='The path to the PFX certificate file.', validator=validate_ssl_cert)
         c.argument('cert_password', help='Certificate password.')
 
     with self.argument_context('network application-gateway ssl-policy') as c:
@@ -263,6 +272,11 @@ def load_arguments(self, _):
         c.argument('enabled', help='Specify whether the application firewall is enabled.', arg_type=get_enum_type(['true', 'false']))
         c.argument('firewall_mode', min_api='2016-09-01', help='Web application firewall mode.', arg_type=get_enum_type(ApplicationGatewayFirewallMode, default='detection'))
 
+    with self.argument_context('network application-gateway waf-config', min_api='2018-08-01') as c:
+        c.argument('file_upload_limit', help='File upload size limit in MB.', type=int)
+        c.argument('max_request_body_size', help='Max request body size in KB.', type=int)
+        c.argument('request_body_check', arg_type=get_three_state_flag(), help='Allow WAF to check the request body.')
+
     for item in ['ssl-policy', 'waf-config']:
         with self.argument_context('network application-gateway {}'.format(item)) as c:
             c.argument('application_gateway_name', options_list=['--gateway-name'], help='The name of the application gateway.')

src/command_modules/azure-cli-network/azure/cli/command_modules/network/_template_builder.py

@@ -36,7 +36,8 @@ def build_application_gateway_resource(cmd, name, location, tags, sku_name, sku_
                                        private_ip_address, private_ip_allocation, cert_data, cert_password,
                                        cookie_based_affinity, http_settings_protocol, http_settings_port,
                                        http_listener_protocol, routing_rule_type, public_ip_id, subnet_id,
-                                       connection_draining_timeout, enable_http2):
+                                       connection_draining_timeout, enable_http2, min_capacity, zones,
+                                       custom_error_pages):
 
     # set the default names
     frontend_ip_name = 'appGatewayFrontendIP'
@@ -142,6 +143,11 @@ def _ag_subresource_id(_type, name):
         ag_properties.update({'sslCertificates': [ssl_cert]})
     if enable_http2 and cmd.supported_api_version(min_api='2017-10-01'):
         ag_properties.update({'enableHttp2': enable_http2})
+    if min_capacity and cmd.supported_api_version(min_api='2018-07-01'):
+        ag_properties.update({'autoscaleConfiguration': {'minCapacity': min_capacity}})
+        del ag_properties['sku']['capacity']
+    if custom_error_pages and cmd.supported_api_version(min_api='2018-08-01'):
+        ag_properties.update({'customErrorConfigurations': custom_error_pages})
 
     ag = {
         'type': 'Microsoft.Network/applicationGateways',
@@ -152,6 +158,8 @@ def _ag_subresource_id(_type, name):
         'dependsOn': [],
         'properties': ag_properties
     }
+    if cmd.supported_api_version(min_api='2018-08-01'):
+        ag.update({'zones': zones})
     return ag
 
 

src/command_modules/azure-cli-network/azure/cli/command_modules/network/_validators.py

@@ -179,11 +179,12 @@ def read_base_64_file(filename):
             return str(base64_data)
 
 
-def validate_auth_cert(namespace):
-    namespace.cert_data = read_base_64_file(namespace.cert_data)
+def validate_cert(namespace):
+    if namespace.cert_data:
+        namespace.cert_data = read_base_64_file(namespace.cert_data)
 
 
-def validate_cert(namespace):
+def validate_ssl_cert(namespace):
     params = [namespace.cert_data, namespace.cert_password]
     if all([not x for x in params]):
         # no cert supplied -- use HTTP
@@ -609,22 +610,18 @@ def process_ag_url_path_map_rule_create_namespace(cmd, namespace):  # pylint: di
 
 def process_ag_create_namespace(cmd, namespace):
     get_default_location_from_resource_group(cmd, namespace)
-
     get_servers_validator(camel_case=True)(namespace)
 
     # process folded parameters
     if namespace.subnet or namespace.virtual_network_name:
         get_subnet_validator(has_type_field=True, allow_new=True)(cmd, namespace)
-
     validate_address_prefixes(namespace)
-
     if namespace.public_ip_address:
         get_public_ip_validator(
             has_type_field=True, allow_none=True, allow_new=True, default_none=True)(cmd, namespace)
-
-    validate_cert(namespace)
-
+    validate_ssl_cert(namespace)
     validate_tags(namespace)
+    validate_custom_error_pages(namespace)
 
 
 def process_auth_create_namespace(cmd, namespace):
@@ -1266,3 +1263,18 @@ def validate_ag_address_pools(cmd, namespace):
                 child_name_1=item)
             ids.append(item)
     namespace.app_gateway_backend_address_pools = ids
+
+
+def validate_custom_error_pages(namespace):
+
+    if not namespace.custom_error_pages:
+        return
+
+    values = []
+    for item in namespace.custom_error_pages:
+        try:
+            (code, url) = item.split('=')
+            values.append({'statusCode': code, 'customErrorPageUrl': url})
+        except (ValueError, TypeError):
+            raise CLIError('usage error: --custom-error-pages STATUS_CODE=URL [STATUS_CODE=URL ...]')
+    namespace.custom_error_pages = values

src/command_modules/azure-cli-network/azure/cli/command_modules/network/commands.py

@@ -291,6 +291,8 @@ def load_command_table(self, _):
         {'prop': 'probes', 'name': 'probe'},
         {'prop': 'url_path_maps', 'name': 'url-path-map', 'validator': process_ag_url_path_map_create_namespace}
     ]
+    if self.supported_api_version(min_api='2018-08-01'):
+        subresource_properties.append({'prop': 'trusted_root_certificates', 'name': 'root-cert'})
 
     def _make_singular(value):
         try: