-
|
Bicep version Describe the bug To Reproduce param fwpObject object
resource fwpolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
name: fwpObject.name
location: location
properties: {
sku: { tier: 'Standard' }
}
}
resource ipgroup_nat 'Microsoft.Network/ipGroups@2022-07-01' = {
name: 'ipgroup_nat'
location: location
properties: {
ipAddresses: fwpObject.ipgroup_nat
}
}
resource ipgroup_aks 'Microsoft.Network/ipGroups@2022-07-01' = {
dependsOn: [ipgroup_nat]
name: 'ipgroup_aks'
location: location
properties: {
ipAddresses: fwpObject.ipgroup_aks
}
}
resource rulecollection1 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
name: 'from_Internet_to_Jumpbox'
parent: fwpolicy
properties: {
priority: 1000
ruleCollections: [
{
name: 'from_Internet_to_Jumpbox'
priority: 1010
ruleCollectionType: 'FirewallPolicyNatRuleCollection'
action: {
type: 'DNAT'
}
rules: [
{
description: 'NAT TO Jumpbox'
name: 'NAT_to_Jumpbox_linux'
ruleType: 'NatRule'
destinationAddresses: fwpObject.fw_addr
destinationPorts: ['22']
ipProtocols: ['TCP']
// sourceAddresses: fwpObject.src_addr
sourceIpGroups: [ipgroup_aks.id]
translatedAddress: fwpObject.jumpbox_dst_addr
// translatedFqdn: 'string'
translatedPort: '22'
}
]
}
]
}
}
resource rulecollection2 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
dependsOn: [rulecollection1]
name: 'from_Jumpbox_to_Internet'
parent: fwpolicy
properties: {
priority: 2000
ruleCollections: [
{
name: 'from_DEV-VNet_to_Internet_AzCli_FQDN'
priority: 2010
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
action: {
type: 'allow'
}
rules: [
{
name: 'objects.githubusercontent.com'
ruleType: 'ApplicationRule'
// destinationAddresses: ['string']
// fqdnTags: ['string']
protocols: [{port: 443, protocolType: 'https'}]
// sourceAddresses: ['string']
sourceIpGroups: [ipgroup_aks.id]
targetFqdns: ['objects.githubusercontent.com']
// targetUrls: ['string']
// terminateTLS: bool
// webCategories: ['string']
}
]
}
]
}
}
just deploy NAT rule collection using ipgroup_nat and APP rule collection using ipgroup_aks. error message was: after using 1 ip groups (I unified the use of one IP group), it deployed succesfully. It appears that other users have encountered similar issues with Terraform. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
|
This looks like a question about a specific resource provider and not a Bicep bug. We will convert this to a discussion. |
Beta Was this translation helpful? Give feedback.
-
|
Have you tried adding a dependency from the first IP Group to the second (dependsOn: [ipgroup_nat])? Forcing a dependcy on the completion of the first IPGroup may give it time to complete successfully. You could also put your IPGroups into an array and loop over them using the @batchsize(1) decorator to run the deployments serially. I am seeing the same issue with deploying more than one firewall rule collection group. Azure support has recommended adding some kind of delay to allow for each to complete successfully, The @batchsize decorator should create this delay by adding a dependency for the previous iteration of the loop. @batchSize(1)
module firewallPolicy_ruleCollectionGroups '../../CRML/ruleCollectionGroups/deploy.bicep' = [for (ruleCollectionGroup, index) in varApplicationFirewallRules: {
name: '${uniqueString(deployment().name, parLocation)}-firewallPolicy_ruleCollectionGroups-${index}'
params: {
firewallPolicyName: resFirewallPolicies.name
name: ruleCollectionGroup.name
priority: ruleCollectionGroup.priority
ruleCollections: ruleCollectionGroup.ruleCollections
}
dependsOn:[
resHubVnet
]
}] |
Beta Was this translation helpful? Give feedback.
-
|
I've tried to add dependencies, but it doesn't help. |
Beta Was this translation helpful? Give feedback.
-
|
This is what we had to do, for each IPGroup we add we add a dependency on the previous IPGroup. It works fine. What error are you getting @dima-b? |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for your response. I think the error is caused by trying to update the rule collection group of the firewall at the same time. I need to write the dependency and batchsize carefully to prevent the error. |
Beta Was this translation helpful? Give feedback.
-
I keep getting "Put on IP Groups ipg-ipgname Failed with 1 faulted referenced firewalls", but it seems I discovered the root cause. It happens in case I use the same IP Group in 2 FirewallPolicyFilterRuleCollection. If to use one sourceAddresses instead of sourceIpGroups in any of them the deploy work with no issues. |
Beta Was this translation helpful? Give feedback.
-
|
Just ran into this. //...
resource workloadIpGroup 'Microsoft.Network/ipGroups@2022-09-01' = {
name: workloadIpGroupName
location: location
properties: {
ipAddresses: [
'10.0.128.0/20'
]
}
}
resource applicationRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-09-01' = {
parent: firewallPolicy
name: 'DefaultApplicationRuleCollectionGroup'
dependsOn: [
networkRuleCollectionGroup
/*
* wait for updates from workloadIpGroup to finish before attempting to
* update this firewall policy, since it has sub resources which depend on the IP group.
*/
workloadIpGroup
]
//...
} |
Beta Was this translation helpful? Give feedback.
Have you tried adding a dependency from the first IP Group to the second (dependsOn: [ipgroup_nat])? Forcing a dependcy on the completion of the first IPGroup may give it time to complete successfully. You could also put your IPGroups into an array and loop over them using the @batchsize(1) decorator to run the deployments serially.
I am seeing the same issue with deploying more than one firewall rule collection group. Azure support has recommended adding some kind of delay to allow for each to complete successfully, The @batchsize decorator should create this delay by adding a dependency for the previous iteration of the loop.