Azure
How to update API Policy?
Is there a way to update the policy for a given API through the CLI? Everytime I update an API the policy gets wiped out and has to be manually added back.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 86f27e34-66e0-1d08-f734-26ce29c56c36
- Version Independent ID: d1a421eb-807c-c0bd-cee3-a5aed7335625
- Content: az apim api
- Content Source: src/azure-cli/azure/cli/command_modules/apim/_help.py
- GitHub Login: @rloutlaw
- Microsoft Alias: routlaw
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @miaojiang.
@nezoic thanks for the feedback. Can you please elaborate on how you update an API and steps to reproduce?
cc @RupengLiu
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @miaojiang.
Issue Details
Is there a way to update the policy for a given API through the CLI? Everytime I update an API the policy gets wiped out and has to be manually added back.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 86f27e34-66e0-1d08-f734-26ce29c56c36
- Version Independent ID: d1a421eb-807c-c0bd-cee3-a5aed7335625
- Content: az apim api
- Content Source: src/azure-cli/azure/cli/command_modules/apim/_help.py
- GitHub Login: @rloutlaw
- Microsoft Alias: routlaw
| Author: | nezoic |
|---|---|
| Assignees: | - |
| Labels: |
|
| Milestone: | - |
@nezoic Apologies for the late reply. We are looking into this issue. We will update this thread once we have more details.
@adrianhall Could you please provide an update on this issue ? Awaiting your reply.
I'm also experiencing difficulties with this.
I publish a function app ...
func azure functionapp publish $STAGING_FUNCTION_APP_NAME --typescript --subscription $SUBSCRIPTION_ID
Then reimport the API into APIM using OpenAPI schema...
az apim api import -g $STAGING_RESOURCE_GROUP --service-name $STAGING_GATEWAY_NAME --api-id $STAGING_FUNCTION_APP_NAME --path myPath --specification-path $CI_PROJECT_DIR/OpenAPI/schema.yaml --specification-format OpenApi
This works fine, apart from the fact that it wipes out any policies as they're not defined in the OpenAPI spec as described in the original question.
It would be great if this could be catered for by defining policies in OpenAPI but an az command to set policies (specifically validate-jwt for me) would be great, and to be honest, needed!
The ability to add a policy via CLI will be added to the next release of the APIM CLI - we are targeting end of May for this release. In the interim, you can use the az rest command to upload policies. Something like the following:
az rest --method PUT
--uri "https://management.azure.com/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.ApiManagement/service/{svc}/apis/{apiId}/policies/policy?api-version=2021-08-01"
--body "{ \"value\": \"<your-policy-document-json-encoded-string>\",\"format\":\"xml\" }"
Ensure you encode the string as a JSON encoded string (quote quotes, newlines, etc.) This is not the most obvious format - the CLI command we are developing will allow you to use a file reference as well.
@intercity-technology - if you are importing a new OpenAPI spec, it does not create policies for you. You have to define them. So your observed behaviour is expected - we agree, a CLI command to inject the policy is needed.
@adrianhall, when I try the REST workaround then I get the az error The command line is too long. Does it mean the Az PowerShell is the only solution for big policies now?
For large policies, you can use ARM / Bicep / Terraform or you can use the Azure Portal. You will run into the same size issues in Azure PowerShell.
@adrianhall Hi. How should I proceed with the above example to upload a policy for a specific API operation? Also can we use names instead of IDs? IDs change every time we re-deploy.
Found how to do it. But even though it goes through, it doesn't work 😅 I am using the following and my policies are not updated
--body "{ \"properties\":{\"method\":\"PUT\"},\"value\": \"<policies><inbound><base/><ip-filter action="allow"><address>192.168.1.1</address></ip-filter></inbound><backend><base/></backend><outbound><base/></outbound><on-error><base/></on-error></policies>\",\"format\":\"xml\" }"
Any idea what goes wrong? I didn't escape the action value because if I do it doesn't go through at all.
You definitely need to escape the quotes in the action. Syntax is slightly wrong.
az rest --method PUT --uri https://management.azure.com/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.ApiManagement/service/{serviceName}/apis/{apiId}/operations/{operationId}/policies/policy?api-version=2021-08-01 --body @body.json
Then have a file body.json that contains the following:
{
"value": "{{ json encoded policy file }}",
"format": "rawxml"
}
Replace the {subId}, {rgName}, {serviceName}, {apiId}, and {operationId} in the URI with your values.
Thanks a lot for your feedback. I've tried the new way but still no luck.
If I don't put the properties field, it complains
Bad Request({"error":{"code":"ValidationError","message":"Invalid payload format. Contract should have 'properties' specified.","details":null}})
So I put properties, but if it's empty it complains. So I use this:
{
"properties": {
"method": "PUT"
},
"value": "<policies>
<inbound>
<ip-filter action=\"allow\">
<address>192.168.1.1</address>
</ip-filter>
</inbound>
</policies>",
"format": "rawxml"
}
The request goes through, but when I check on Azure console, nothing changed. Any idea why?
And just like that, 2 min later I find the solution 😅
The right body is the following. Need to put value and format under properties
{
"properties": {
"method": "PUT",
"value": "<policies>
<inbound>
<ip-filter action=\"allow\">
<address>192.168.1.1</address>
</ip-filter>
</inbound>
</policies>",
"format": "rawxml"
},
}
Sorry - yes - I missed the properties when I was typing. Glad it worked out for you
#please-close
The ability to add a policy via CLI will be added to the next release of the APIM CLI - we are targeting end of May for this release.
Is there any update on this? Is there an open issue that we can follow to track this feature?
Thanks!
There isn't an open issue to track on GitHub (we track these work items in our internal issues tracker). We obviously did not meet the May target, but I don't have a new date at the moment.
There isn't an open issue to track on GitHub (we track these work items in our internal issues tracker). We obviously did not meet the May target, but I don't have a new date at the moment.
Thanks for the update.
For large policies, you can use ARM / Bicep / Terraform or you can use the Azure Portal. You will run into the same size issues in Azure PowerShell.
~~When this feature is implemented in Azure CLI, do you know if it will also have the same issues with large policies? I'm trying to determine if it's worth waiting for the feature to be implemented in Azure CLI or if I should look into the alternatives.~~
Nevermind, I just did some research on the error message that your comment was referring to ("The command line is too long"). This seems to be an issue with the Windows terminal, which appears to have a command length limit of 8191 characters. But I'm running the Azure CLI from Linux (technically a container in Linux) and it looks like the command length limit is over 100k characters. That should be enough :)
$ docker run --rm -it mcr.microsoft.com/azure-cli bash
bash-5.1# getconf ARG_MAX
131072
Thanks!
@adrianhall, when I try the REST workaround then I get the az error The command line is too long. Does it mean the Az PowerShell is the only solution for big policies now?
@MariaLysik You could try what I'm doing in case that helps to get around the limit: How to run the Azure CLI in a Docker container
This works fine, apart from the fact that it wipes out any policies as they're not defined in the OpenAPI spec as described in the original question.
It would be great if this could be catered for by defining policies in OpenAPI but an
azcommand to set policies (specifically validate-jwt for me) would be great, and to be honest, needed!
Putting the policies in the OpenAPI definition would be amazing. For what it's worth, this is how IBM API Connect works; it puts the policies inside a custom x-ibm-configuration section in the API definition, e.g.
x-ibm-configuration:
assembly:
execute:
- if:
title: if
condition: apim.getvariable('bypass-saml-validation') !== 'true'
execute:
- set-variable:
title: Get SAMLResponse from headers
actions:
# ...
Coming to Azure API Management from IBM API Connect feels like a step backward in that sense. Right now with API Connect all of our policies are easily version controlled because they're right inside the API definition. It's going to be a challenge to figure out how to do this with Azure.
I'm also looking forward to this feature! @adrianhall can you tell us what your release cycle is?
Sorry @fellnerse - I don't have a good line of sight at this point as to when the work will be completed.
#close
Any news on this? @adrianhall would you be open for contributions to help with this?
Always happy for contributions. I still don't have a line of sight onto additional work in the Azure CLI.
Just do your work on a fork - we'll manage the merged changes on this end.
