How to deploy NSG security rules from PowerShell

[markallisongit]

I have some security rules in an array that is read from Azure to set network intent policy rules for a Managed Instance deployment. As a test I want to read these into PowerShell and then pass them to bicep as a parameter. Here are my test scripts.

common-security-rules.json

{
    "securityRules": [
        {
            "name": "allow-smtp-outbound",
            "properties": {
                "description": "Allow outbound SMTP traffic",
                "protocol": "Tcp",
                "sourcePortRange": "*",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "AzureCloud",
                "access": "Allow",
                "priority": 110,
                "direction": "Outbound",
                "destinationPortRanges": [
                    "25"
                ]
            }
        }
    ]
}

test.bicep

param securityRules array = [] 
var location = resourceGroup().location

resource miNsg 'Microsoft.Network/networkSecurityGroups@2020-06-01' = {
  name: 'test-nsg'
  location: location
  properties: {
    securityRules: securityRules
  }
}

test.ps1

$rules = (Get-Content -Path common-security-rules.json | ConvertFrom-Json -AsHashtable).securityRules

New-AzResourceGroupDeployment -ResourceGroupName test-rg `
    -TemplateFile ./test.bicep `
    -securityRules $rules

I get this error: A parameter cannot be found that matches parameter name 'securityRules'.

If I try using AzureCLI instead with

az deployment group create --name myTestDeployment `
    --resource-group 'test-rg' `
    --template-file './test.bicep' `
    --parameters securityRules=$rules

I get a different error:

Failed to parse JSON: System.Collections.Hashtable
Error detail: Expecting value: line 1 column 1 (char 0)

Any help appreciated.

[brwilkinson]

I would recommend to just use a ARM parameter file for this then maintain all settings in that file in json format.

in vscode, create a new file, then set the language to ARM

then use the snippet to create the contents.

then you can drop your security rules right in that file.

then add the Templateparameter parameter and value (path to the file) onto your deployment.

If you prefer to still go the powershell route, let me know I can share some samples.

[markallisongit]

Thanks, the problem I'm having is I first have to get the security rules from the network security group using PowerShell because of the network intent policy rules enforced for managed instances. These are created by Azure on initial deployment.

For this reason, I can't define the rules in a file, I provided the file above to show a working example of what I'm trying to do. I did get it working by getting the PowerShell to write to a file, like this

$securityRules | ConvertTo-Json -Depth 3 > "$PSScriptRoot\SecurityRules\PolicyRules.json"

and then bicep to read it in with this:

var securityRules = json(loadTextContent('./SecurityRules/PolicyRules.json'))

However for initial deployments there are no rules, and hence there will be no file, which causes it to fail.

[brwilkinson]

I would just keep doing what you are doing, always read in the NSG rules from the file, and just have an empty json array in there the first time around.

{
    "securityRules": [ ]
}