Create networkSecurityGroup destinationPortRanges doesn't match documentation

[edgreenberg-mri]

Bicep version
Bicep CLI version 0.8.9 (33a8517)

Describe the bug
When using Microsoft.Network/networkSecurityGroups@2021-08-01 I provide an empty array in the parameter file, and get an error stating that destinationPortRanges is not a valid property. sourcePortRanges works fine.

To Reproduce
I'm attaching my bicep file and json parameter file. Sorry for the zip files, but github won't take a json or a bicep.

Additional context
Add any other context about the problem here.

This is needed to allow the securityRules section to be filled in by a loop. One needs both xxxPortRange and xxxPortRanges in the bicep file and data for them in the parameter files., since one doesn't know if which of future entries will require single ports or ranges and which will require an array of enumerated values.

The documentation at https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2021-08-01/networksecuritygroups?tabs=bicep states that the parameter destinationPortRange is valid. The error message doesn't list it as a valid parameter:

ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list       deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n  \"error\": {\r\n    \"code\": \"InvalidTemplate\",\r\n    \"message\": \"Unable to process template language expressions for resource '/subscriptions/a4181df7-ca7b-4f5d-9967-728e38f3ca86/resourceGroups/rg-us03-dev-happy/providers/Microsoft.Network/networkSecurityGroups/nsg-happy-dev-eastus-001' at line '32' and column '5'. 'The language expression property 'destinationPortRanges' doesn't exist, available properties are 'priority, name, description, access, destinationAddressPrefix, destinationAddressPrefixes, destinationPortRange, direction, protocol, sourceAddressPrefix, sourceAddressPrefixes, sourcePortRange, sourcePortRanges'.'\",\r\n    \"additionalInfo\": [\r\n      {\r\n        \"type\": \"TemplateViolation\",\r\n        \"info\": {\r\n          \"lineNumber\": 32,\r\n          \"linePosition\": 5,\r\n          \"path\": \"\"\r\n        }\r\n      }\r\n    ]\r\n  }\r\n}"}]}}

network-security-group.zip
nsg-happy-dev-eastus-001.zip

[alex-frankel]

So the issue is that you are creating several securityRules, where some require the singular property destinationPortRange and the other requires the plural destinationPortRanges? If the resource type does not support accepting both properties always, then I think the only way around is to use the union() function to conditionally include the relevant properties.

@brwilkinson have you come across this and happen to have an example somewhere?

[brwilkinson]

Hi @edgreenberg-mri / @alex-frankel

Here is an input that contains both of these elements. Which works fine... however since I pass the whole object in to create the NSG, I don't have to do any special processing for these two propeties.

https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/NSG.bicep#L53

    {
      name: 'Inbound_Bastion_GatewayManager_443'
      properties: {
        protocol: '*'
        sourcePortRange: '*'
        sourceAddressPrefix: 'GatewayManager'
        destinationPortRange: '443'
        destinationAddressPrefix: '*'
        access: 'Allow'
        priority: 110
        direction: 'Inbound'
      }
    }
    {
      name: 'Inbound_Bastion_DataPlane'
      properties: {
        protocol: '*'
        sourcePortRange: '*'
        sourceAddressPrefix: 'VirtualNetwork'
        destinationAddressPrefix: 'VirtualNetwork'
        access: 'Allow'
        priority: 120
        direction: 'Inbound'
        destinationPortRanges: [
          '8080'
          '5701'
        ]
      }
    }

I will take some time to review your code and see what I can find.

[brwilkinson]

Hi @edgreenberg-mri

Would you mind sharing your code inline or else linking to the code on a public shared repo?

I prefer not to download zip files from the internet, however I would like to review your issue.

[edgreenberg-mri]

Sorry about the zip. Github won't that .bicep or .json. Here's my code:

network-security-group.bicep

param shortname string
param devprod string
param location string
param sequence string
param securityRules array



var name =  'nsg-${shortname}-${devprod}-${location}-${sequence}'


resource symbolicname 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
  name: name
  location: location
  tags: {
    CreatedBy: 'Ed.Greenberg'
  }
  properties: {
    securityRules: [ for securityRule in securityRules: {
        id: securityRule.name
        name: securityRule.name
        properties: {
          access: securityRule.access
          description: 'https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure'
          destinationAddressPrefix: securityRule.destinationAddressPrefix
          destinationAddressPrefixes: securityRule.destinationAddressPrefixes
          destinationPortRange: securityRule.destinationPortRange
          destinationPortRanges: securityRule.destinationPortRanges
          direction: securityRule.direction
          priority: securityRule.priority
          protocol: securityRule.protocol
          sourceAddressPrefix: securityRule.sourceAddressPrefix
          sourcePortRange: securityRule.sourcePortRange
          sourcePortRanges: securityRule.sourcePortRanges
        }
      }]
  }
}

parameter file

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "shortname": {
            "value": "happy"
        },
        "devprod": {
            "value": "dev"
        },
        "location": {
            "value": "eastus"
        },
        "sequence": {
            "value": "001"
        },
        "securityRules": {
            "value": [
                {
                    "priority": 100,
                    "name": "AllowRequiredGatewayPorts",
                    "description": "https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure",
                    "access" : "Allow",
                    "destinationAddressPrefix" : "*",
                    "destinationAddressPrefixes" : [],
                    "destinationPortRange": "65200-65535",
                    "destinationPortRanges": [],
                    "direction": "Inbound",
                    "protocol": "*",
                    "sourceAddressPrefix": "GatewayManager",
                    "sourceAddressPrefixes": [],
                    "sourcePortRange": "*",
                    "sourcePortRanges": []
                },
                {
                    "priority": 110,
                    "name": "AllowAzureLoadBalancer",
                    "description": "https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure",
                    "access" : "Allow",
                    "destinationAddressPrefix" : "*",
                    "destinationAddressPrefixes" : [],
                    "destinationPortRange": "*",
                    "destinationPortRanges": [],
                    "direction": "Inbound",
                    "protocol": "*",
                    "sourceAddressPrefix": "AzureLoadBalancer",
                    "sourceAddressPrefixes": [],
                    "sourcePortRange": "*",
                    "sourcePortRanges": []
                }
           ]
        }
    }
}

[brwilkinson]

Hi @edgreenberg-mri

Thank you for the clean repro / sample.

You have quite a few options with this. . . The only thing is that I cannot repo your error?

I deployed above successfully....

I would recommend to update to the later API version, however I saw no different either way.

Microsoft.Network/networkSecurityGroups@2022-01-01

You could also consider the following options.

1. Pass in the whole Object as the property of the security rules.
   • https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/NSG.bicep#L447

resource NSG 'Microsoft.Network/networkSecurityGroups@2021-03-01' = [for (subnet, index) in subnetInfo: {
  name: '${Deployment}-nsg${toUpper(subnet.name)}'
  location: resourceGroup().location
  properties: {
    securityRules: union(NSGInfo[index].subnetNSGParam, NSGInfo[index].subnetNSGDefault)
  }
}]

2. Only provide values that you want to use
   • either destinationAddressPrefixes OR destinationAddressPrefix
   • either destinationPortRanges OR destinationPortRange

if you choose this option and don't follow 1) above, then you need to do some extra work similar to what is in 3) below.

  SNWAF01: [
    {
      name: 'WAF_Default_Inbound'
      properties: {
        protocol: 'Tcp'
        sourcePortRange: '*'
        destinationPortRange: '65200-65535'
        sourceAddressPrefix: 'GatewayManager'
        destinationAddressPrefix: '*'
        access: 'Allow'
        priority: 1000
        direction: 'Inbound'
      }
    }
    {
      name: 'WAF_Web_Inbound'
      properties: {
        protocol: 'Tcp'
        sourcePortRange: '*'
        sourceAddressPrefix: 'Internet'
        destinationAddressPrefix: 'VirtualNetwork'
        access: 'Allow'
        priority: 1010
        direction: 'Inbound'
        destinationPortRanges: [
          '80'
          '443'
        ]
      }
    }
  ]

For the extra work, I prefer the 1) option above, otherwise you have to start doing things like the following.

destinationAddressPrefixes: length(securityRule.destinationAddressPrefixes) == 0 ? null : securityRule.destinationAddressPrefixes

//or

destinationAddressPrefixes: contains(securityRule, 'destinationAddressPrefixes') ? securityRule.destinationAddressPrefixes : null

Anyway, let me know which specific sample is giving you the error, I can try to repro.

[edgreenberg-mri]

Ben, I'll try again over the weekend to deploy exactly what I sent you. If you can't duplicate it, and I can, I'll try to get you a complete screen transcript of everything I can.

Remember that this is actually an ARM problem. The bicep compiles to ARM successfully. It's ARM that's complaining. I didn't realize that until after I had filed the bug.

Looking at your suggestions... #1 is not a bad idea. If it'll work for me. It's actually less typing, since all those params only have to be specified in the parameters. Of course, ARM needs to take it.

#2 would work if ARM would take a DestinationPortRanges array with one port. For instance, I need a rule that let's my companies VPN access 3306 for mysql. If I can specify [3306] I'd be fine. I know that I need to specify [80,443] sooner or later.

What I don't want is to be unable to handle a single entry (a number or '*') or an array, at need.

Let me report back.

Ed

[brwilkinson]

Sounds good @edgreenberg-mri ... let me know how it goes, once you get the chance.

[brwilkinson]

HI @edgreenberg-mri did you get a chance to review?