Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Deny-MgmtPorts-From-Internet - InvalidPolicyParameters - parameters is type 'String', expected type is 'Array' #1535

Closed onetypicaluser closed 8 months ago

onetypicaluser commented 8 months ago

It appears the way this template structured parameters is throwing an error when I try to create it as a policy. When creating a definition in Azure CloudShell PowerShell (while the template is unmodified) I get:

A function or parameter in policy 'deny-mgmtports-from-internet ' could not be validated. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Evaluation result of language expression '[[parameters('ports')]' is type 'String', expected type is 'Array'.'. CorrelationId: d20ac0bc-ef3e-4a06-b3ca-5c7a51ecc768

When I change the parameters to look like '[parameters('ports')]' it happily accepts the new definition. However, when testing I noticed the policy was only blocking when dest port = '*', '22', or '3389' with the Internet service tag. When I included 22 or 3389 in a range, the rule was allowed and I wasn't sure if this had something to do with modifying the syntax of the parameters.

Springstone commented 8 months ago

Hi @onetypicaluser. Please note, policy definitions in this repo are intended to be deployed through ALZ reference implementations, and not directly as a standalone policy definition. If you do want to deploy this policy separately from ALZ, you will need to remove all the escape [ that are required for Bicep processing. So you need to change all the leading double [[ to a single [, and then the policy can be deployed as a regular Azure policy using PowerShell or CLI, or whatever.

I don't understand the port range issue you're describing, kindly provide more context.
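The conversion Springstone describes (dropping only the leading `[[` Bicep escape from each string value so Azure Policy parses it as an ARM expression instead of a literal string, which is what produced the "type 'String', expected type is 'Array'" error), written out as an added example. This is not code from the Enterprise-Scale repo; the policy fragment below is a constructed sample in the style of the repo's definitions, not the real Deny-MgmtPorts-From-Internet file.

```python
import json
from typing import Any

# Constructed sample in the style of an ALZ policy definition as stored for
# Bicep: ARM expressions are escaped with a leading "[[" so Bicep leaves them
# alone. Field names and values here are illustrative, not the repo's file.
ESCAPED_POLICY = r'''
{
  "parameters": {
    "ports": { "type": "Array", "defaultValue": ["22", "3389"] },
    "effect": { "type": "String", "defaultValue": "Deny" }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
          "equals": "Allow" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
          "in": "[[parameters('ports')]" }
      ]
    },
    "then": { "effect": "[[parameters('effect')]" }
  }
}
'''


def unescape_bicep(node: Any) -> Any:
    """Copy of the policy JSON where each string value that starts with the
    Bicep escape '[[' now starts with a single '[', i.e. an ARM expression.
    Only the leading escape is touched; nothing else in the string changes."""
    if isinstance(node, dict):
        return {k: unescape_bicep(v) for k, v in node.items()}
    if isinstance(node, list):
        return [unescape_bicep(v) for v in node]
    if isinstance(node, str) and node.startswith("[["):
        return node[1:]
    return node


def remaining_escapes(node: Any) -> int:
    """Count string values still beginning with '[['; must be 0 before a
    standalone deployment, otherwise the expression is passed as a literal."""
    if isinstance(node, dict):
        return sum(remaining_escapes(v) for v in node.values())
    if isinstance(node, list):
        return sum(remaining_escapes(v) for v in node)
    return int(isinstance(node, str) and node.startswith("[["))


def convert(escaped_json: str) -> dict:
    """Parse the Bicep-escaped definition and return the standalone form."""
    return unescape_bicep(json.loads(escaped_json))
```

Feed the converted dictionary (dumped back to JSON) to the PowerShell or CLI policy-definition command you would normally use; `remaining_escapes` gives a quick pre-flight check that no escaped expression was left behind.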

onetypicaluser commented 8 months ago

@Springstone,

Replacing all the [[ with [ did work and fixed the range logic so the policy is working as expected now. Thank you.