Feature azure firewall packet capture operation #9274
Conversation
nikhilpadhye1
requested review from
jsntcy,
kairu-ms and
necusjz
as code owners
|
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| network azure-firewall | sub group network azure-firewall added |
|
Hi @nikhilpadhye1, |
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
CodeGen Tools Feedback CollectionThank you for using our CodeGen tool. We value your feedback, and we would like to know how we can improve our product. Please take a few minutes to fill our codegen survey |
There was a problem hiding this comment.
Pull Request Overview
Adds Azure Firewall packet capture command supporting start, status, and stop operations, along with associated test coverage and a raised minimum CLI core version.
- Introduces new command: network azure-firewall packet-capture-operation
- Adds end-to-end scenario test for packet capture
- Updates extension minimum CLI core version to 2.75.0
Reviewed Changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| azext_firewall/tests/latest/test_azure_firewall_scenario.py | Adds scenario test for packet capture (start/status/stop) workflow. |
| azext_firewall/azext_metadata.json | Raises required az cli core version. |
| aaz/latest/network/azure_firewall/_packet_capture_operation.py | Implements the new packet capture operation command. |
| aaz/latest/network/azure_firewall/init.py | Exposes new command module. |
| aaz/latest/network/azure_firewall/__cmd_group.py | Command group definition (no functional logic change). |
| self.cmd('storage account create -g {rg} -n {storageaccountname} --sku Standard_LRS --https-only true --kind StorageV2 --access-tier Hot') | ||
| self.cmd('storage container create -n {containername} --account-name {storageaccountname} --public-access off') | ||
| storage_account = self.cmd('az storage account show -g {rg} -n {storageaccountname}').get_output_in_json() | ||
| sas_response = self.cmd('az storage container generate-sas --account-name {storageaccountname} --name {containername} --permissions acdlrw --expiry {expirystring}').get_output_in_json() |
There was a problem hiding this comment.
generate-sas returns a SAS token string (TSV/plain) rather than JSON; using get_output_in_json() will fail to parse. Use .output (optionally with -o tsv) and avoid JSON parsing, e.g. self.cmd('... -o tsv').output.strip().
| sas_response = self.cmd('az storage container generate-sas --account-name {storageaccountname} --name {containername} --permissions acdlrw --expiry {expirystring}').get_output_in_json() | |
| sas_response = self.cmd('az storage container generate-sas --account-name {storageaccountname} --name {containername} --permissions acdlrw --expiry {expirystring}').output.strip() |
| 'rg' : resource_group, | ||
| 'sub_id': "020a3f33-bdd2-4ddc-9275-6041363e2876", | ||
| 'location': "centralus", | ||
| 'storageaccountname': f"azfwcontainerpcaptestcli", |
There was a problem hiding this comment.
Storage account names must be globally unique; this hard-coded value increases risk of collisions/flaky tests in parallel runs. Recommend generate a randomized name (e.g. self.create_random_name('fwpcap', 20).lower()) and ensure it meets naming constraints.
| 'storageaccountname': f"azfwcontainerpcaptestcli", | |
| 'storageaccountname': self.create_random_name('fwpcap', 20).lower(), |
| "public_ip_name": self.create_random_name("public-ip-", 16), | ||
| "m_public_ip_name": self.create_random_name("mpublic-ip-", 16), | ||
| 'rg' : resource_group, | ||
| 'sub_id': "020a3f33-bdd2-4ddc-9275-6041363e2876", |
There was a problem hiding this comment.
Hard-coded subscription ID is not used elsewhere in this test function and can cause confusion; remove it or reference the dynamic test subscription if needed (e.g. self.get_subscription_id()).
| 'sub_id': "020a3f33-bdd2-4ddc-9275-6041363e2876", |
| _aaz_info = { | ||
| "version": "2024-10-01", | ||
| "resources": [ | ||
| ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.network/azurefirewalls/{}/packetcaptureoperation", "2024-10-01"], |
There was a problem hiding this comment.
Resource path casing in _aaz_info differs from the actual request URL (resourcegroups vs resourceGroups, microsoft.network vs Microsoft.Network, azurefirewalls vs azureFirewalls, packetcaptureoperation vs packetCaptureOperation). This inconsistency can break tooling relying on _aaz_info for resource ID normalization; align casing with the canonical path used in the request (line 206).
| ["mgmt-plane", "/subscriptions/{}/resourcegroups/{}/providers/microsoft.network/azurefirewalls/{}/packetcaptureoperation", "2024-10-01"], | |
| ["mgmt-plane", "/subscriptions/{}/resourceGroups/{}/providers/Microsoft.Network/azureFirewalls/{}/packetCaptureOperation", "2024-10-01"], |
There was a problem hiding this comment.
Should i make this change?
| _args_schema.sas_url = AAZStrArg( | ||
| options=["--sas-url"], | ||
| arg_group="Parameters", | ||
| help="Upload capture location", |
There was a problem hiding this comment.
Help text for --sas-url is vague; clarify it (e.g. 'SAS URL of the destination blob container where the packet capture file will be uploaded').
| help="Upload capture location", | |
| help="SAS URL of the destination blob container where the packet capture file will be uploaded.", |
|
This reverts commit 85427a7.
…-packets-to-capture as num-packets and fixing hard coded elements in the test and updated version/history as per pr bot
github-actions
bot
added
the
release-version-block
necusjz
added
skip-cal-version
and removed
release-version-block
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
3 participants
This adds the packet capture operation for azure firewall. Enabling support for start/status/stop packet capture. This feature is looking to be taken to GA in the coming weeks. Used the UI to generate the command as per the rest-api spec and added descriptions and tests to ensure functionality.
This checklist is used to make sure that common guidelines for a pull request are followed.
Related command
az network azure-firewall packetcaptureoperation
General Guidelines
azdev style <YOUR_EXT>locally? (pip install azdevrequired)python scripts/ci/test_index.py -qlocally? (pip install wheel==0.30.0required)For new extensions:
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update
src/index.jsonautomatically.You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify
src/index.json.