concat NSG rules

[dampfhamm3r]

I've troubles in deploying NSG rules. The idea is to have a set of default rules and another set of individual rules per NSG.
As I red, it's not possible to pass VARs to json(loadTextContent('../_nsgrules/${filename}.json')). That would solve my problem because I would create one file per NSG load them accordingly.

So, for now I tried:

Default rules
var nsgRulesDefault = json(loadTextContent('../_nsgrules/default.json')).securityRules

Example default.json
{ "securityRules": [ { //rule goes here }, { //rule goes here } ] }

Individual rules
`var nsgRulesIndividual = json(loadTextContent('../_nsgrules/individual.json'))``

Example individual.json
{ "nsg-spokea-201-subneta": { "securityRules": [ { //rule goes here }, { //rule goes here } ] }, "nsg-spokea-201-subnetb": { "securityRules": [ { //rule goes here }, { //rule goes here } ] } }

In my bicep file I want to create the NSG and try to match the NSG-name specified in individual.json and then concatenate default.json
var rules = [for item in items(nsgRulesIndividual): { match: (contains(item.key, name)) allRules: union(contains(item.key, name) ? item.value.securityRules : [], nsgRulesDefault) defRules: nsgRulesDefault }]

resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-05-01' = { name: name location: location tags: tags properties: { securityRules: [for item in rules: item.key == name ? item.allRules : item.defRules] } }

I've tried different things - but nothing worked so far...

[brwilkinson]

There is a sample here, that uses a lookup table and also union that allows two, or more sets of nsg rules to be merged.

Some are defaults in the same file, others may come from parameters etc.

https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/NSG.bicep#L291

Both of these are optional i.e. default rules or from the param file or other place.

var NSGInfo = [for (subnet, index) in subnetInfo: {
  match: ((Global.CN == '.') || contains(Global.CN, subnet.name))
  subnetNSGParam: contains(subnet, 'securityRules') ? subnet.securityRules : []
  subnetNSGDefault: contains(NSGDefault, subnet.name) ? NSGDefault[subnet.name] : []
}]

Essentially if they exist they are used, if not an empty array is created, which is ignored as part of the union().

You can extend that loop above to as many different places or sets of rules that you want to combine.

[dampfhamm3r]

Thank you!
Adopted this into my code - works like a charm.

Default rules

{
    "defaultRules": [
        {
            "name": "A-Mgmt-Access",
            "properties": {
                "access": "Allow",
                "description": "Allow SSH and RDP access",
                "destinationAddressPrefix": "VirtualNetwork",
                "destinationAddressPrefixes": [],
                "destinationPortRanges": [
                    "22",
                    "3389"
                ],
                "direction": "Inbound",
                "priority": 100,
                "protocol": "TCP",
                "sourceAddressPrefixes": [
                    "10.10.10.0/24",
                    "10.10.20.0/24"
                ],
                "sourcePortRange": "*",
                "sourcePortRanges": []
            }
        }
    ]
}

Individual rules

{
    "nsgA": [
        {
            "name": "A-FTP-Access",
            "properties": {
                "access": "Allow",
                "description": "Allow FTP access",
                "destinationAddressPrefix": "Internet",
                "destinationAddressPrefixes": [],
                "destinationPortRanges": [
                    "21"
                ],
                "direction": "Outbound",
                "priority": 200,
                "protocol": "TCP",
                "sourceAddressPrefix": "VirtualNetwork",
                "sourceAddressPrefixes": [],
                "sourcePortRange": "*",
                "sourcePortRanges": []
            }
        }
    ],
    "nsgB": [
        {
            "name": "A-DNS-Access",
            "properties": {
                "access": "Allow",
                "description": "Allow DNS access",
                "destinationAddressPrefix": "Internet",
                "destinationAddressPrefixes": [],
                "destinationPortRanges": [
                    "53"
                ],
                "direction": "Outbound",
                "priority": 200,
                "protocol": "*",
                "sourceAddressPrefix": "VirtualNetwork",
                "sourceAddressPrefixes": [],
                "sourcePortRange": "*",
                "sourcePortRanges": []
            }
        }
    ]
}

get the corresponding rules

var rules = {
  nsgIndividualRules: contains(nsgIndividualRules, name) ? nsgIndividualRules[name] : []
  nsgDefaultRules: contains(nsgDefaultRules, 'defaultRules') ? nsgDefaultRules['defaultRules'] : []
}

create NSG with rules

resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-05-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    securityRules: union(rules.nsgDefaultRules, rules.nsgIndividualRules)
  }
}

[brwilkinson]

look good, this is nice and clean and also extensible.