Linter Warning - Firewall Rule Collection Group #4360
I'm in the process of converting an ARM template to Bicep (AKS baseline), and am hitting a linter warning. The target FQDNs are the ones marked `// linter warning` in the resource definition below:

```bicep
resource fwPolicy_DefaultApplicationRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
  parent: fwPolicy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'azure-monitor-addon'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            fqdnTags: []
            webCategories: []
            targetFqdns: [
              '*.ods.opinsights.azure.com'
              '*.oms.opinsights.azure.com'
              '${location}.monitoring.azure.com'
            ]
            targetUrls: []
            terminateTLS: false
            sourceAddresses: []
            destinationAddresses: []
            sourceIpGroups: [
              aksIpGroup.id
            ]
          }
          {
            ruleType: 'ApplicationRule'
            name: 'azure-policy-addon'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            fqdnTags: []
            webCategories: []
            targetFqdns: [
              'data.policy.core.windows.net' // linter warning
              'store.policy.core.windows.net' // linter warning
            ]
            targetUrls: []
            terminateTLS: false
            sourceAddresses: []
            destinationAddresses: []
            sourceIpGroups: [
              aksIpGroup.id
            ]
          }
          {
            ruleType: 'ApplicationRule'
            name: 'service-requirements'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            fqdnTags: [
              'AzureKubernetesService'
            ]
            webCategories: []
            targetFqdns: []
            targetUrls: []
            terminateTLS: false
            sourceAddresses: []
            destinationAddresses: []
            sourceIpGroups: [
              aksIpGroup.id
            ]
          }
        ]
        name: 'AKS-Global-Requirements'
        priority: 200
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'flux-to-github'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            fqdnTags: []
            webCategories: []
            targetFqdns: [
              'github.com'
              'api.github.com'
            ]
            targetUrls: []
            terminateTLS: false
            sourceAddresses: []
            destinationAddresses: []
            sourceIpGroups: [
              aksIpGroup.id
            ]
          }
          {
            ruleType: 'ApplicationRule'
            name: 'pull-flux-images'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            fqdnTags: []
            webCategories: []
            targetFqdns: [
              '*.docker.com'
              '*.docker.io'
              'docker.io'
              'ghcr.io'
              'github-production-container-registry.s3.amazonaws.com'
            ]
            targetUrls: []
            terminateTLS: false
            sourceAddresses: []
            destinationAddresses: []
            sourceIpGroups: [
              aksIpGroup.id
            ]
          }
        ]
        name: 'Flux-Requirements'
        priority: 300
      }
    ]
  }
  dependsOn: [
    fwPolicy_DefaultDnatRuleCollectionGroup
  ]
}
```

Does anyone have any suggestions on how to resolve this warning please? Thanks
Hi @thepaulmacca

You can use the `environment()` function to retrieve specific environment-related URLs and other information:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-deployment#example-1

You can see the sample of the output on the above link. Example: `"storage": "core.windows.net"`

```bicep
storageUri: 'https://${SADiagName}.blob.${environment().suffixes.storage}'
```

If you cannot find a match for the URL that you need, then you can set up an exclusion for the linter. Create the `bicepconfig.json` file in a relative directory in the project, then set up the exclusions. First remove the URI from `disallowedhosts`, then add the URI to `excludedhosts`.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/linter#customize-linter
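The two suppression routes the reply mentions (rewrite the host with `environment()`, or exclude it in `bicepconfig.json`) differ in blast radius, and that matters for a firewall allow-list. The `no-hardcoded-env-urls` rule fires because `core.windows.net` is a cloud-specific suffix that changes in sovereign clouds; `'data.policy.${environment().suffixes.storage}'` silences the warning, but it is only a correct egress rule if the Azure Policy add-on really follows the storage suffix in the cloud you deploy to, which you should confirm against the add-on's published outbound requirements rather than assume. Where the hostnames are deliberately fixed, a per-line `#disable-next-line no-hardcoded-env-urls` directive keeps the suppression on exactly the two literals instead of a repository-wide `excludedhosts` entry that would also hide future hard-coded hosts. The following is an added example, not code from this thread or from the AKS baseline project: a minimal collection group containing only the flagged rule, with the parent policy and IP group declared as `existing` so the file compiles on its own. The parameter names, the collection group name and the priority `310` are assumptions; the directive requires a Bicep version that supports linter directives.

```bicep
// Added example (not from the thread or the AKS baseline). Assumes a firewall
// policy and an IP group for the AKS node subnet already exist in the resource group.
param firewallPolicyName string
param aksIpGroupName string

resource fwPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' existing = {
  name: firewallPolicyName
}

resource aksIpGroup 'Microsoft.Network/ipGroups@2021-02-01' existing = {
  name: aksIpGroupName
}

// Priority 310 is an assumed value; it must not collide with the other
// rule collection groups already attached to the policy (the question uses 300).
resource fwPolicy_PolicyAddonRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
  parent: fwPolicy
  name: 'PolicyAddonRuleCollectionGroup'
  properties: {
    priority: 310
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AKS-Policy-Addon'
        priority: 200
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'azure-policy-addon'
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            // These hosts only look like storage endpoints. They are Azure Policy
            // data-plane hosts, so they are not derived from environment().suffixes.storage
            // here; substituting that suffix would compile cleanly but could point the
            // allow rule at a host the add-on never uses in another cloud.
            // The directive suppresses no-hardcoded-env-urls for the next line only.
            targetFqdns: [
              #disable-next-line no-hardcoded-env-urls
              'data.policy.core.windows.net'
              #disable-next-line no-hardcoded-env-urls
              'store.policy.core.windows.net'
            ]
            terminateTLS: false
            // Keep the source pinned to the AKS node IP group. Widening it to '*'
            // would let anything behind the firewall use this allow rule.
            sourceIpGroups: [
              aksIpGroup.id
            ]
          }
        ]
      }
    ]
  }
}
```

Run `az bicep build --file <file>.bicep` (or `bicep build`) before and after adding the directives to confirm the warning is the only thing that changes. If you do prefer the configuration-file route, the same rule is addressed in `bicepconfig.json` under `analyzers.core.rules.no-hardcoded-env-urls`; keep the `excludedhosts` list to the specific hostnames you have reviewed, since every template under that config inherits the exclusion.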