
I have automated the process of creating custom rules on Azure Application Gateway WAF. However, whenever I update any existing custom rule, it automatically removes all other custom rules. I have been unable to find a specific command in the Azure PowerShell documentation to update individual custom rules. I have also raised this issue with Microsoft, and they have confirmed that the command is not available in Azure PowerShell.

During my research, I discovered that we can achieve this by using the ".Add" and ".Remove" operations. However, I am encountering some errors while attempting to do so.

Currently, I am trying two approaches:

  1. Adding new malicious IPs to the specific existing custom rule. When I try to execute this, I receive the following error message:

    PS C:\Users\japuthiyakath> $policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $policyRG
    PS C:\Users\japuthiyakath> (($policy.CustomRules | Where-Object {$_.Name -match "IPRestrict"}).MatchConditions.MatchValues).Add('2.3.6.9')
    MethodInvocationException: Exception calling "Add" with "1" argument(s): "Collection was of a fixed size."
    
  2. Remove the IPRestrict custom rule from the firewall policy and replace it with a modified custom rule. This approach works well using .RemoveAt(0), but we might encounter difficulties in determining the exact position of the object to be removed.

    I attempted to remove the object using the command provided below, but despite the absence of any errors, the object remains unaffected and does not get removed.

    PS C:\Users\japuthiyakath> ($policy.CustomRules | Where-Object {$_.Name -match "IPRestrict"}).Remove
    


2 Answers


  1. I think a more PowerShelly way is to:

    $policy.CustomRules | Where-Object Name -ne "IPRestrict"
    
  2. As an aside: Where-Object Name -eq IPRestrict rather than Where-Object {$_.Name -match "IPRestrict"} is used below to identify the policy of interest: -eq ensures literal, full-value matching, whereas -match also finds substrings (by way of a regex pattern). Separately, the omission of { ... } and $_ is an application of simplified syntax.

    Re 1:

    • It isn’t obvious, but your command applies member-access enumeration, because the .MatchConditions and also the .MatchValues property contain lists (array-like collections of type System.Collections.Generic.List`1).

    • Due to the resulting member-access enumeration, .MatchConditions.MatchValues returns a regular .NET array (System.Array) containing the .MatchValues list entries across all .MatchCondition list entries.

      • .NET arrays are fixed-size data structures, and only implement an .Add() method in the context of implementing the IList interface.
      • Calling this – unsupported by arrays – method results in the exception you saw: "Collection was of a fixed size".
    • To successfully extend the list stored in .MatchValues (which does support .Add()), you either need to identify which particular .MatchConditions list entry you want to target or you must iterate over all .MatchConditions list entries and call .Add() on each (assuming that makes sense); e.g.:

    # Target the *first* .MatchCondition list element
    ($policy.CustomRules | Where-Object Name -eq IPRestrict).MatchConditions[0].
      MatchValues.Add('2.3.6.9')
    
    # Target *all* .MatchCondition list elements (don't know if that makes sense)
    ($policy.CustomRules | Where-Object Name -eq IPRestrict).MatchConditions |
      ForEach-Object { $_.MatchValues.Add('2.3.6.9') }
    

    Re 2:

    The System.Collections.Generic.List`1 type has a .Remove() method that allows you to pass the object to remove from the list rather than having to know its index in the list:

    $ruleToRemove = $policy.CustomRules | Where-Object Name -eq IPRestrict
    $policy.CustomRules.Remove($ruleToRemove)
    
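Added example, not code from the question or either answer: a stand-alone mock of the policy object's shape, built from System.Collections.Generic lists, that reproduces the "Collection was of a fixed size" error and then runs the corrections from both answers (index into one MatchCondition before .Add(), .Remove() by object, and the Where-Object -ne filter) without an Azure subscription. The property names follow the real policy object; the rule names, the RFC 5737 documentation IPs and the New-Mock* helpers are constructed for the demonstration.

```powershell
# Added example, not code from the question or the answers. The mock objects
# reproduce only the shape that matters here: nested System.Collections.Generic
# lists. Rule names, IPs (RFC 5737 documentation ranges) and the New-Mock*
# helpers are constructed for this demonstration.
function New-MockCondition {
    param([string[]] $Values)
    [pscustomobject]@{
        Operator    = 'IPMatch'
        MatchValues = [System.Collections.Generic.List[string]] $Values
    }
}

function New-MockRule {
    param([string] $Name, [object[]] $Conditions)
    [pscustomobject]@{
        Name            = $Name
        Action          = 'Block'
        MatchConditions = [System.Collections.Generic.List[object]] $Conditions
    }
}

$policy = [pscustomobject]@{
    Name        = 'mock-waf-policy'
    CustomRules = [System.Collections.Generic.List[object]] @(
        (New-MockRule -Name 'IPRestrict' -Conditions @(
            (New-MockCondition -Values '203.0.113.10'),
            (New-MockCondition -Values '198.51.100.5')
        )),
        (New-MockRule -Name 'GeoRestrict' -Conditions @((New-MockCondition -Values '192.0.2.200'))),
        (New-MockRule -Name 'BotBlock'    -Conditions @((New-MockCondition -Values '192.0.2.201')))
    )
}

$rule = $policy.CustomRules | Where-Object Name -eq IPRestrict

# 1. The failing form from the question: member-access enumeration walks every
#    MatchCondition and collects the MatchValues entries into one fixed-size
#    System.Array, whose .Add() throws "Collection was of a fixed size".
$flattened = $rule.MatchConditions.MatchValues
"Flattened type: $($flattened.GetType().FullName), elements: $($flattened.Count)"
try   { $flattened.Add('192.0.2.7') }
catch { "Expected failure: $($_.Exception.Message)" }

# 2. Working form from answer 2: index into one MatchCondition so .Add() runs on
#    the List[string] itself. Re-read the count afterwards; an edit that only
#    touched a copy would leave the block list unchanged without any error.
$before = $rule.MatchConditions[0].MatchValues.Count
$rule.MatchConditions[0].MatchValues.Add('192.0.2.7')
if ($rule.MatchConditions[0].MatchValues.Count -ne $before + 1) {
    throw 'MatchValues was not extended; the edit hit a copy, not the policy object'
}
"Condition 0 now matches: $($rule.MatchConditions[0].MatchValues -join ', ')"

# 3. Remove by object (answer 2): List[T].Remove returns $true only when the
#    element was actually found and removed, so the result is worth checking.
if (-not $policy.CustomRules.Remove($rule)) { throw 'rule not found in CustomRules' }
"Rules remaining after Remove: $($policy.CustomRules.Name -join ', ')"

# 4. Equivalent filtering form (answer 1): rebuild the list without one rule.
#    On the mock this is a plain note property; the real object holds a typed
#    list, so cast to that list type instead of [object] there.
$policy.CustomRules = [System.Collections.Generic.List[object]] @(
    $policy.CustomRules | Where-Object Name -ne 'GeoRestrict'
)
"Rules remaining after filter: $($policy.CustomRules.Name -join ', ')"
```

The same read-modify-write cycle applies to the real object: fetch it with Get-AzApplicationGatewayFirewallPolicy, edit the rule in place as above, then write the whole policy back with Set-AzApplicationGatewayFirewallPolicy -InputObject $policy (Az.Network; omitted here so the example stays offline). The count check after .Add() is the part to keep: member-access enumeration never errors when it hands back a flattened copy, so without it a block-list change can appear to succeed while the policy that gets written back is unchanged.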