I am trying to deploy the Azure Firewall Premium with Policies enabled and need to add a load of network rule collections.
I have the rule collections in the parameters file and need to cycle through each and add to the policy.
```json
"FirewallSettings": {
  "value": {
    "firewallPrefix": "efw",
    "numberOfPublicIPAddresses": 2,
    "threatIntelMode": "Deny",
    "networkRuleCollections": [
      {
        "name": "allowPing",
        "priority": 200,
        "type": "Allow",
        "rules": [
          {
            "name": "Ping",
            "protocols": [
              "ICMP"
            ],
            "sourceAddresses": [
              "*"
            ],
            "destinationAddresses": [
              "*"
            ],
            "sourceIpGroups": [],
            "destinationIpGroups": [],
            "destinationFqdns": [],
            "destinationPorts": [
              "*"
            ]
          }
        ]
      },
      {
        "name": "allowEventHub",
        "priority": 301,
        "type": "Allow",
        "rules": [
          {
            "name": "eventHubOut",
            "protocols": [
              "TCP"
            ],
            "sourceAddresses": [
              "10.4.1.4"
            ],
            "destinationAddresses": [
              "*"
            ],
            "sourceIpGroups": [],
            "destinationIpGroups": [],
            "destinationFqdns": [],
            "destinationPorts": [
              "*"
            ]
          }
        ]
      },
      ...
```
and within my template I am trying:
```bicep
resource networkRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: 'firewallNetworkPolicies'
  parent: azureFirewallPolicy
  properties: {
    priority: 100
    ruleCollections: [for i in range(0, length(firewallSettings.networkRuleCollections)): {
      name: '${firewallSettings.networkRuleCollections[i].name}'
      priority: '${firewallSettings.networkRuleCollections[i].priority}'
      ruleCollectionType: 'NetworkRule'
      destinationAddresses: [
        '${firewallSettings.networkRuleCollections[i].rules.destinationAddresses}'
      ]
      destinationFqdns: [
        '${firewallSettings.networkRuleCollections[i].rules.destinationFqdns}'
      ]
      destinationIpGroups: [
        '${firewallSettings.networkRuleCollections[i].rules.destinationIpGroups}'
      ]
      destinationPorts: [
        '${firewallSettings.networkRuleCollections[i].rules.destinationPorts}'
      ]
      ipProtocols: [
        '${firewallSettings.networkRuleCollections[i].rules.protocols}'
      ]
      sourceAddresses: [
        '${firewallSettings.networkRuleCollections[i].rules.sourceAddresses}'
      ]
      sourceIpGroups: [
        '${firewallSettings.networkRuleCollections[i].rules.sourceIpGroups}'
      ]
    }]
  }
}
```
But it throws an error:

The language expression property 'destinationAddresses' has an invalid array index

which I think is because it expects an array of destinationAddresses, but I can't work out the syntax to specify the array. Any ideas?
CodePudding user response:
Few things here:

The rules property inside networkRuleCollections is defined as an array, so you would need to query it like that: ${firewallSettings.networkRuleCollections[i].rules[0]} (assuming there is only one rule).

The rule properties defined in the parameters file are already arrays (i.e. protocols, sourceAddresses, ...), so you could just assign the property directly: destinationAddresses: firewallSettings.networkRuleCollections[i].rules[0].destinationAddresses
Full sample based on your parameters files:
```bicep
resource networkRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: 'firewallNetworkPolicies'
  parent: azureFirewallPolicy
  properties: {
    priority: 100
    ruleCollections: [for i in range(0, length(firewallSettings.networkRuleCollections)): {
      // A network rule collection is a filter rule collection; the rules
      // inside it carry the ruleType 'NetworkRule'.
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
      name: firewallSettings.networkRuleCollections[i].name
      // priority is an integer in the schema, so no string interpolation here
      priority: firewallSettings.networkRuleCollections[i].priority
      action: {
        type: firewallSettings.networkRuleCollections[i].type
      }
      rules: [
        {
          // rules is an array in the parameters file; take its only element
          // (assuming one rule per collection) and assign the arrays directly.
          ruleType: 'NetworkRule'
          name: firewallSettings.networkRuleCollections[i].rules[0].name
          ipProtocols: firewallSettings.networkRuleCollections[i].rules[0].protocols
          sourceAddresses: firewallSettings.networkRuleCollections[i].rules[0].sourceAddresses
          sourceIpGroups: firewallSettings.networkRuleCollections[i].rules[0].sourceIpGroups
          destinationAddresses: firewallSettings.networkRuleCollections[i].rules[0].destinationAddresses
          destinationIpGroups: firewallSettings.networkRuleCollections[i].rules[0].destinationIpGroups
          destinationFqdns: firewallSettings.networkRuleCollections[i].rules[0].destinationFqdns
          destinationPorts: firewallSettings.networkRuleCollections[i].rules[0].destinationPorts
        }
      ]
    }]
  }
}
```
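An added example, not from the question or the answer above, that drops the single-rule assumption: it emits every rule of every collection from the parameters file, using the map() lambda available in recent Bicep versions so that a collection with several rules is carried over in full. It assumes an object parameter named firewallSettings shaped like the "FirewallSettings" value above and an existing firewall policy resource named azureFirewallPolicy; neither declaration is shown on the page.

```bicep
// Added example: one rule collection group carrying every collection and
// every rule from the parameters file, without the single-rule assumption.
// Assumes (not shown on the page) a parameter declared as
//   param firewallSettings object
// shaped like the "FirewallSettings" value above, and an existing
// firewall policy resource named azureFirewallPolicy.
resource networkRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-08-01' = {
  name: 'firewallNetworkPolicies'
  parent: azureFirewallPolicy
  properties: {
    priority: 100
    // Outer loop: one filter rule collection per entry in the parameters file.
    ruleCollections: [for collection in firewallSettings.networkRuleCollections: {
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
      name: collection.name
      priority: collection.priority
      action: {
        type: collection.type // 'Allow' or 'Deny', taken from the parameters file
      }
      // Inner iteration: map() projects every rule of the collection onto the
      // NetworkRule shape, so collections with several rules are kept whole.
      // The parameter arrays are assigned directly; no string interpolation.
      rules: map(collection.rules, rule => {
        ruleType: 'NetworkRule'
        name: rule.name
        ipProtocols: rule.protocols
        sourceAddresses: rule.sourceAddresses
        sourceIpGroups: rule.sourceIpGroups
        destinationAddresses: rule.destinationAddresses
        destinationIpGroups: rule.destinationIpGroups
        destinationFqdns: rule.destinationFqdns
        destinationPorts: rule.destinationPorts
      })
    }]
  }
}
```

Because the arrays are copied through unchanged, a "*" in sourceAddresses, destinationAddresses or destinationPorts in the parameters file (as in the allowPing collection above) becomes an any-to-any rule in the deployed policy, so the parameters file deserves the same review as the template.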