Description
Describe the bug
We use a dynamic az CLI script to add a WAF rule in our build pipeline so we can temporarily give our build agent access to our app and test something. After we're done, we remove the rule again, something like the following:
az network application-gateway waf-policy custom-rule create
az network application-gateway waf-policy custom-rule match-condition add
do something
az network application-gateway waf-policy custom-rule delete
However, after upgrading to 2.61.0 (from 2.60.0), the CLI command to create a custom WAF rule (the custom-rule create command) always fails (unless the rule already exists) with the following error: Custom Rule 'demoIssue' does not have a match condition defined in context 'properties.customRules[8]'
Related command
az network application-gateway waf-policy custom-rule create --subscription xxx --resource-group xxx --policy-name xxx --name demoIssue --action Allow --priority 99 --rule-type MatchRule
Errors
(ApplicationGatewayFirewallCustomRuleNoMatchConditionNotSupported) Custom Rule 'demoIssue' does not have a match condition defined in context 'properties.customRules[8]'.
Code: ApplicationGatewayFirewallCustomRuleNoMatchConditionNotSupported
Message: Custom Rule 'demoIssue' does not have a match condition defined in context 'properties.customRules[8]'.
Issue script & Debug output
az network application-gateway waf-policy custom-rule create --resource-group xxx --policy-name xxx --name demoIssue --action Allow --priority 99 --rule-type MatchRule
Command group 'az network' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
(ApplicationGatewayFirewallCustomRuleNoMatchConditionNotSupported) Custom Rule 'demoIssue' does not have a match condition defined in context 'properties.customRules[8]'.
Code: ApplicationGatewayFirewallCustomRuleNoMatchConditionNotSupported
Message: Custom Rule 'demoIssue' does not have a match condition defined in context 'properties.customRules[8]'.
Expected behavior
Expected the following response:
{
"action": "Allow",
"matchConditions": [],
"name": "demoIssue",
"priority": 99,
"ruleType": "MatchRule",
"state": "Enabled"
}
Environment Summary
azure-cli 2.61.0
core 2.61.0
telemetry 1.1.0
Extensions:
application-insights 1.2.1
azure-devops 1.0.1
bastion 0.3.0
datafactory 1.0.0
interactive 0.5.3
ssh 2.0.3
Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\e.azure\cliextensions'
Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]
Additional context
Confirmed on multiple laptops as well as Azure pipeline.