3
votes

I have an ARM template, containing a "Microsoft.Web/sites" resource type. I'm trying to configure the "ipSecurityRestrictions" property of the resource.

The "ipSecurityRestrictions" block is configured as follows:

"ipSecurityRestrictions": [{
    "vnetSubnetResourceId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), variables('subnetName'))]",
    "action": "Allow",
    "description": "Grants the subnet access to this web app."
  },
  {
    "vnetSubnetResourceId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName2'), variables('subnetName2'))]",
    "action": "Allow",
    "description": "Grants the subnet2 access to this web app."
  }
]

This works as expected. However, I'd also like to add IP addresses to the "ipSecurityRestrictions", which works fine if I add another object to the array, like so:

{
  "ipAddress": "12.123.123.12/32",
  "action": "Allow",
  "description": "Grants the IP access to this web app."
}

The thing is, though, that I want to be able to specify the IP addresses which should be allowed access to the web app via a parameter.

So somehow, I need to be able to combine a parameter which contains the ipAddress securityRestrictions, to add this after the vnets have been added. An object parameter which contains multiple "ipSecurityRestrictions".

This is doable on Azure SQL Server, since the firewall rules are created from its own resource "Microsoft.Sql/servers/firewallRules", so I can create one hard-coded resource for each vnet, and then use an object parameter (populated via a JSON) with multiple values using the copy function.

It's also doable on e.g. Key Vaults, since it has its own property for vnets ("virtualNetworkRules") and for IP addresses ("ipRules"). So there I can just hard-code the vnets, and then use a parameter for the IP addresses.

I've tried numerous ways, including all of the (from Microsoft documented) template functions etc.

I could also, as a last resort if this is not possible, settle for using an object parameter which contains both the vnets and the IP addresses. But how would I then get the resourceId of the vnet automatically in the template, so that I can reference the correct vnet, without knowing the resourceId beforehand?

Thankful for all input!

Best regards

1
I'm not sure I understand your question/problem... can you share more of the template or maybe an example of what you want to do (or have tried) that isn't working? – bmoore-msft

1 Answers

2
votes

You can concatenate two or more arrays together. One with the VNet/Subnets can be defined as a variable within the template and another can be passed in as a parameter of type array with the list of ipAddress objects.

"variables": {
  "ipSecurityRestrictionsSubnets": [
    {
      "vnetSubnetResourceId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), variables('subnetName'))]",
      "action": "Allow",
      "description": "Grants the subnet access to this web app."
    },
    {
      "vnetSubnetResourceId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName2'), variables('subnetName2'))]",
      "action": "Allow",
      "description": "Grants the subnet2 access to this web app."
    }
  ]
},

Then set up the property by concatenating the two arrays.

"ipSecurityRestrictions": "[concat(variables('ipSecurityRestrictionsSubnets'), parameters('ipSet'))]",

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-array#concat
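
The approach from the answer above, assembled into one deployable template. This is an added example, not code from the original post: the `siteName` and `planId` parameters, the `app-subnet` value, the API version and the two sample addresses (documentation ranges) are assumptions made for illustration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "siteName": { "type": "string" },
    "planId": { "type": "string", "metadata": { "description": "Assumed: resource ID of an existing App Service plan." } },
    "vnetName": { "type": "string" },
    "ipSet": {
      "type": "array",
      "metadata": { "description": "Added example: ipAddress rules appended after the hard-coded subnet rules. Default values are constructed samples." },
      "defaultValue": [
        { "ipAddress": "203.0.113.0/24", "action": "Allow", "description": "Constructed sample: address range." },
        { "ipAddress": "198.51.100.7/32", "action": "Allow", "description": "Constructed sample: single host." }
      ]
    }
  },
  "variables": {
    "subnetName": "app-subnet",
    "ipSecurityRestrictionsSubnets": [
      {
        "vnetSubnetResourceId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), variables('subnetName'))]",
        "action": "Allow",
        "description": "Grants the subnet access to this web app."
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "[parameters('siteName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "serverFarmId": "[parameters('planId')]",
        "siteConfig": {
          "ipSecurityRestrictions": "[concat(variables('ipSecurityRestrictionsSubnets'), parameters('ipSet'))]"
        }
      }
    }
  ]
}
```

Passing an empty array for `ipSet` leaves only the subnet rules in place; because App Service applies an implicit deny once any restriction exists, every address not listed is then blocked.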