From f3c3179c7b0ba4c6e17659618dcb64b286a61003 Mon Sep 17 00:00:00 2001
From: Xinwei
Date: Wed, 27 May 2026 15:58:26 +1000
Subject: [PATCH 1/2] [feat] add firewall lib steps

Add CreateFirewall (public IP + firewall + IP config, exports FWPRIVATE_IP) and UpdateFirewallPolicy (applies rule JSON via az rest PUT with dynamic location substitution) to lib/steps/azure.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 kcl/lib/steps/azure/firewall.k | 51 ++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 kcl/lib/steps/azure/firewall.k

diff --git a/kcl/lib/steps/azure/firewall.k b/kcl/lib/steps/azure/firewall.k
new file mode 100644
index 0000000000..f449cfcb22
--- /dev/null
+++ b/kcl/lib/steps/azure/firewall.k
@@ -0,0 +1,51 @@
+import azure_pipelines.ap.steps
+
+CreateFirewall = lambda serviceConnection: str, resourceGroup: str, name: str, location: str, vnetName: str, publicIpName: str, subscription: str -> steps.Step {
+ script = """
+az extension add --name azure-firewall
+
+az network public-ip create \\
+ --resource-group "${resourceGroup}" \\
+ --name "${publicIpName}" \\
+ --sku Standard \\
+ --location "${location}" \\
+ --subscription "${subscription}"
+
+az network firewall create \\
+ --resource-group "${resourceGroup}" \\
+ --name "${name}" \\
+ --location "${location}" \\
+ --enable-dns-proxy true \\
+ --subscription "${subscription}"
+
+az network firewall ip-config create \\
+ --resource-group "${resourceGroup}" \\
+ --firewall-name "${name}" \\
+ --name "${name}-ipconfig" \\
+ --public-ip-address "${publicIpName}" \\
+ --vnet-name "${vnetName}" \\
+ --subscription "${subscription}"
+
+FWPRIVATE_IP=$(az network firewall show \\
+ --resource-group "${resourceGroup}" \\
+ --name "${name}" \\
+ --subscription "${subscription}" \\
+ --query "ipConfigurations[0].privateIPAddress" -o tsv)
+echo "##vso[task.setvariable variable=FWPRIVATE_IP]$FWPRIVATE_IP"
+"""
+ AzCli(serviceConnection, "Create firewall ${name}", script)
+}
+
+UpdateFirewallPolicy = lambda serviceConnection: str, resourceGroup: str, name: str, subscription: str, policyPath: str, location: str -> steps.Step {
+ script = """
+POLICY_TMP=$(mktemp)
+sed 's|"location": "[^"]*"|"location": "${location}"|g' "${policyPath}" > "$POLICY_TMP"
+az rest \\
+ --method put \\
+ --uri "https://management.azure.com/subscriptions/${subscription}/resourceGroups/${resourceGroup}/providers/Microsoft.Network/azureFirewalls/${name}?api-version=2023-09-01" \\
+ --headers "Content-Type=application/json" \\
+ --body "@$POLICY_TMP"
+rm -f "$POLICY_TMP"
+"""
+ AzCli(serviceConnection, "Update firewall policy ${name}", script)
+}

From dca3064b7afe426a144f492a747fe58894a753b6 Mon Sep 17 00:00:00 2001
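Review bot: Neither script stops on an intermediate failure, so if `az network firewall create` or the `az network firewall show` capture in CreateFirewall fails, the final `echo` still exits 0 and an empty `FWPRIVATE_IP` is exported for later steps to consume; unless `AzCli` (defined outside this file) injects errexit itself, add `set -euo pipefail` as the first line of both scripts. In UpdateFirewallPolicy the temp file is only removed on the success path, so `trap 'rm -f "$POLICY_TMP"' EXIT` directly after `POLICY_TMP=$(mktemp)` is needed to cover failures as well. An ARM `PUT` on the `azureFirewalls` resource is a create-or-replace of the whole resource, so the JSON at `policyPath` must carry the complete desired state (including the ipConfigurations created above) or that configuration is dropped; the step name suggests a `firewallPolicies` resource, which would be a different URI, so the intent should be confirmed and documented in a comment above the lambda. `az extension add --name azure-firewall` also pulls an unpinned extension at run time; pinning it with `--version` keeps the pipeline reproducible and auditable.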
From: Xinwei
Date: Thu, 28 May 2026 15:38:06 +1000
Subject: [PATCH 2/2] change to newer api version and fix nit

---
 kcl/lib/steps/azure/firewall.k | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kcl/lib/steps/azure/firewall.k b/kcl/lib/steps/azure/firewall.k
index f449cfcb22..7df83105e6 100644
--- a/kcl/lib/steps/azure/firewall.k
+++ b/kcl/lib/steps/azure/firewall.k
@@ -1,6 +1,6 @@
 import azure_pipelines.ap.steps
 
-CreateFirewall = lambda serviceConnection: str, resourceGroup: str, name: str, location: str, vnetName: str, publicIpName: str, subscription: str -> steps.Step {
+CreateFirewall = lambda serviceConnection: str, subscription: str, resourceGroup: str, name: str, location: str, vnetName: str, publicIpName: str, exportVar: str = "FWPRIVATE_IP" -> steps.Step {
 script = """
 az extension add --name azure-firewall
 
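Review bot: Moving `subscription` to the second position changes the positional order of `CreateFirewall` here and of `UpdateFirewallPolicy` in the next hunk, which silently breaks any caller that passes arguments positionally; a swapped `subscription`/`resourceGroup` pair is only detected when `az` runs, not when the KCL is compiled. If callers exist outside this two-patch series, both names should be grepped for before merging, and the description's "fix nit" wording undersells a signature-breaking change. The new `exportVar` default is the only backward-compatible part of the signature change.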
@@ -31,18 +31,18 @@ FWPRIVATE_IP=$(az network firewall show \\
 --name "${name}" \\
 --subscription "${subscription}" \\
 --query "ipConfigurations[0].privateIPAddress" -o tsv)
-echo "##vso[task.setvariable variable=FWPRIVATE_IP]$FWPRIVATE_IP"
+echo "##vso[task.setvariable variable=${exportVar}]$FWPRIVATE_IP"
 """
 AzCli(serviceConnection, "Create firewall ${name}", script)
 }
 
-UpdateFirewallPolicy = lambda serviceConnection: str, resourceGroup: str, name: str, subscription: str, policyPath: str, location: str -> steps.Step {
+UpdateFirewallPolicy = lambda serviceConnection: str, subscription: str, resourceGroup: str, name: str, policyPath: str, location: str -> steps.Step {
 script = """
 POLICY_TMP=$(mktemp)
 sed 's|"location": "[^"]*"|"location": "${location}"|g' "${policyPath}" > "$POLICY_TMP"
 az rest \\
 --method put \\
- --uri "https://management.azure.com/subscriptions/${subscription}/resourceGroups/${resourceGroup}/providers/Microsoft.Network/azureFirewalls/${name}?api-version=2023-09-01" \\
+ --uri "https://management.azure.com/subscriptions/${subscription}/resourceGroups/${resourceGroup}/providers/Microsoft.Network/azureFirewalls/${name}?api-version=2025-05-01" \\
 --headers "Content-Type=application/json" \\
 --body "@$POLICY_TMP"
 rm -f "$POLICY_TMP"
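Review bot: `${exportVar}` is interpolated straight into the `##vso[task.setvariable variable=...]` logging command on the new `echo` line; that command syntax uses `;` as the property separator and `]` as the terminator, so a caller-supplied name containing either would change which variable is set or which options (`isoutput`, `issecret`) apply to it. Constrain it at the KCL level to an identifier before the script is built, e.g. `import regex` plus `assert regex.match(exportVar, r"^[A-Za-z_][A-Za-z0-9_]*$"), "exportVar must be a plain variable name"` in the lambda body, if the KCL version in use accepts an `assert` there. The shell variable stays hard-coded as `FWPRIVATE_IP` while only the exported name varies, which is fine but worth a one-line comment so the two are not confused later. The bump to `api-version=2025-05-01` is only validated by ARM at run time, so a dry run of `UpdateFirewallPolicy` against a non-production subscription is the way to confirm it is accepted for `Microsoft.Network/azureFirewalls`.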