normalian blog

Let's talk about Microsoft Azure, ASP.NET and Java!

Updating the IP Groups on an Azure Firewall rule with a Bicep file

Someone asked me about this and I had jotted down a quick answer, so I am posting it here for posterity. The specific question was "what do you do when there are multiple IP Groups?", so here is the content of the Bicep file.

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: 'StandardPolicy'
}

resource ipgroup1 'Microsoft.Network/ipGroups@2023-04-01' existing = {
  name: 'IPG-Test01-WestUS2'
}

resource ipgroup2 'Microsoft.Network/ipGroups@2023-04-01' existing = {
  name: 'IPG-Test02-WestUS2'
}

resource networkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-01-01' = {
  parent: firewallPolicy
  name: 'DefaultNetworkRuleCollectionGroup'
  properties: {
    priority: 2000
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: {
          type: 'Allow'
        }
        name: 'Net-RuleCollection-01'
        priority: 1250
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'time-windows'
            ipProtocols: [
              'ANY'
            ]
            destinationAddresses: [
              'AzureCloud'
            ]
            sourceIpGroups: [
              ipgroup1.id
              ipgroup2.id
            ]
            destinationPorts: [
              '80'
            ]
          }
        ]
      }
    ]
  }
}

I deployed it with the following command.

az deployment group create --resource-group "your resource group" --template-file "your bicep file" --mode incremental

The key point here is that this is an update to resources that already exist, so do not forget the existing keyword on the Bicep side. If you accidentally leave it off around the IP Groups, you get the following, so be careful.

az deployment group create --resource-group RG-Firewall-Test-WestUS2 --template-file .\hello01.bicep --mode incremental
az : WARNING: C:\Users\daisami\OneDrive - Microsoft\Desktop\hello01.bicep(1,7) : Warning no-unused-params: Parameter "location" is declared but never used. 
[https://aka.ms/bicep/linter/no-unused-params]
At line:1 char:1
+ az deployment group create --resource-group RG-Firewall-Test-WestUS2  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (WARNING: C:\Use...-unused-params]:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/423a72cd-b110-476f-8b8b-0569fe1773bd/resourceGroups/RG-Firewall-Test-West
US2/providers/Microsoft.Resources/deployments/hello01","message":"At least one resource deployment operation failed. Please list deployment operations for 
details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"BadRequest","target":"/subscriptions/423a72cd-b110-476f-8b
8b-0569fe1773bd/resourceGroups/RG-Firewall-Test-WestUS2/providers/Microsoft.Resources/deployments/hello01","message":"{\r\n  \"Message\": \"The request is 
invalid.\",\r\n  \"ModelState\": {\r\n    \"resource\": [\r\n      
\"{\\\"Error\\\":{\\\"Code\\\":\\\"FirewallPolicyRuleCollectionGroupInvalidPriorityValue\\\",\\\"Message\\\":\\\"Invalid Rule Collection Group . Invalid 
priority value 0, must be between 100 and 65000\\\",\\\"Target\\\":null,\\\"Details\\\":null},\\\"Status\\\":\\\"Failed\\\"}\"\r\n    ]\r\n  }\r\n}"}]}}
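As an added example (my own file, not the one from the post above), the same rule written so that the IP Group names come from a parameter array, which answers the "multiple IP Groups" question for any number of groups rather than two hard-coded ones. The parameter name ipGroupNames and the ipGroups collection are my own; the resource names are the constructed values from the post.

```bicep
// Names of IP Groups that already exist in the target resource group (constructed example values)
param ipGroupNames array = [
  'IPG-Test01-WestUS2'
  'IPG-Test02-WestUS2'
]

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: 'StandardPolicy'
}

// Look up every IP Group by name. 'existing' means nothing is created or overwritten;
// the deployment fails early if one of the names does not resolve.
resource ipGroups 'Microsoft.Network/ipGroups@2023-04-01' existing = [for name in ipGroupNames: {
  name: name
}]

resource networkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-01-01' = {
  parent: firewallPolicy
  name: 'DefaultNetworkRuleCollectionGroup'
  properties: {
    priority: 2000
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: {
          type: 'Allow'
        }
        name: 'Net-RuleCollection-01'
        priority: 1250
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'time-windows'
            ipProtocols: [ 'ANY' ]
            destinationAddresses: [ 'AzureCloud' ]
            // One resource ID per IP Group; the list grows with the parameter array
            sourceIpGroups: [for i in range(0, length(ipGroupNames)): ipGroups[i].id]
            destinationPorts: [ '80' ]
          }
        ]
      }
    ]
  }
}
```

Even with --mode incremental, the rule collection group's properties are replaced in full on each deployment, so every rule collection that should survive must be present in the file. Running az deployment group what-if with the same arguments before the create shows the resulting rule changes without applying them.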