Closed onetypicaluser closed 8 months ago
Hi @onetypicaluser. Please note, policy definitions in this repo are intended to be deployed through ALZ reference implementations, and not directly as a standalone policy definition. If you do want to deploy this policy separate to ALZ, you will need to remove all the escape `[` that are required for Bicep processing. So you need to change all the leading double `[[` to a single `[`, and then the policy can be deployed as a regular Azure policy using PowerShell or CLI, or whatever.
I don't understand the port range issue you're describing, kindly provide more context.
@Springstone,
Replacing all the [[ with [ did work and fixed the range logic so the policy is working as expected now. Thank you.
It appears the way this template structured parameters is throwing an error when I try to create it as a policy. When creating a definition in Azure CloudShell PowerShell (while the template is unmodified) I get:
A function or parameter in policy 'deny-mgmtports-from-internet ' could not be validated. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Evaluation result of language expression '[[parameters('ports')]' is type 'String', expected type is 'Array'.'. CorrelationId: d20ac0bc-ef3e-4a06-b3ca-5c7a51ecc768
When I change the parameters to look like '[parameters('ports')]' it happily accepts the new definition. However, when testing I noticed the policy was only blocking when dest port = '*', '22', or '3389' with the Internet service tag. When I included 22 or 3389 in a range, the rule was allowed and I wasn't sure if this had something to do with modifying the syntax of the parameters.
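The conversion described in the thread (turning every leading `[[` into a single `[` before deploying the definition outside of ALZ) and the validation error quoted above (a literal `[parameters('ports')]` string arriving where Azure Policy expects an Array) can both be handled mechanically. The following script is an added example, not code from the ALZ repo or from either participant: it walks a policy definition document, reports every string that still carries the ARM/Bicep `[[` escape, and returns the un-escaped document. The policy fragment embedded in it is constructed for the example and only mirrors the shape the thread discusses; the function and file names are the example's own.

```python
import json
import sys

# Constructed sample: a fragment shaped like an ALZ-style policy definition as it
# sits in a Bicep/ARM template.  The leading "[[" is the ARM escape that stops the
# outer deployment from evaluating the expression itself; the deployed policy ends
# up with a single "[" and Azure Policy evaluates it.  Handed straight to the
# policy API, the "[[" survives as a literal string, which is the
# "type 'String', expected type is 'Array'" error from the thread.
SAMPLE_POLICY_JSON = r'''
{
  "properties": {
    "displayName": "Deny management ports from the Internet (constructed sample)",
    "mode": "All",
    "parameters": {
      "ports":  { "type": "Array",  "defaultValue": ["22", "3389"] },
      "effect": { "type": "String", "defaultValue": "Deny" }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
            "in": "[[parameters('ports')]"
          }
        ]
      },
      "then": { "effect": "[[parameters('effect')]" }
    }
  }
}
'''


def unescape_value(value):
    """Strip the ARM escape from one value: a leading "[[" becomes "[".

    Only a leading "[[" is the escape; "[[" elsewhere in a string is ordinary
    text and is left untouched.  Non-string values pass through unchanged.
    """
    if isinstance(value, str) and value.startswith("[["):
        return value[1:]
    return value


def unescape_policy(node):
    """Recursively apply unescape_value to every string in a JSON document."""
    if isinstance(node, dict):
        return {key: unescape_policy(val) for key, val in node.items()}
    if isinstance(node, list):
        return [unescape_policy(val) for val in node]
    return unescape_value(node)


def find_escaped_expressions(node, path="$"):
    """Return JSON-path style locations of strings still carrying the "[[" escape.

    Useful as a pre-deployment check: an empty result means the document can be
    submitted directly as a policy definition.
    """
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            hits.extend(find_escaped_expressions(val, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, val in enumerate(node):
            hits.extend(find_escaped_expressions(val, f"{path}[{index}]"))
    elif isinstance(node, str) and node.startswith("[["):
        hits.append(path)
    return hits


def convert_policy(policy_text):
    """Parse a policy definition JSON string and return the un-escaped document."""
    return unescape_policy(json.loads(policy_text))


def main(argv):
    # Usage: python unescape_policy.py [policy.json]; without an argument the
    # constructed sample above is converted and printed.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_POLICY_JSON
    document = json.loads(text)
    for location in find_escaped_expressions(document):
        print(f"un-escaping {location}", file=sys.stderr)
    print(json.dumps(unescape_policy(document), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

The printed document is what the PowerShell or CLI deployment in the reply expects, for instance as the `-Policy` argument of `New-AzPolicyDefinition` or the `--rules` input of `az policy definition create`. Running `find_escaped_expressions` on a definition before submitting it is a cheap way to catch the String-versus-Array validation failure quoted in the issue before Azure reports it.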