Azure / arm-template-whatif

A repository to track issues related to what-if noise suppression

What-if noise for ASE v3 #340

Open karpikpl opened 11 months ago

karpikpl commented 11 months ago

Describe the noise

Resource type Microsoft.Web/hostingEnvironments and Microsoft.Network/virtualNetworks

apiVersion (i.e. 2022-03-01)

Client (PowerShell, Azure CLI, or API) Azure CLI

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template)

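// ---------------------------------------------------------------------------
// Parameters
// The "Required." prefix in the descriptions is kept from the original even
// where a default is supplied; the parameters without a default (aseName,
// diagnosticWorkspaceId) are the ones a caller must always provide.
// ---------------------------------------------------------------------------

@description('Required. Resource Group name of virtual network if using existing vnet and subnet.')
param vNetResourceGroupName string = resourceGroup().name

@description('Required. The Virtual Network (vNet) Name.')
param virtualNetworkName string = '${aseName}-vnet' //'vnet-asev3'

@description('Required. Location for all resources.')
param location string = resourceGroup().location

@description('Required. An Array of 1 or more IP Address Prefixes for the Virtual Network.')
param vNetAddressPrefixes array = [
  '192.168.10.0/23'
]

@description('Required. The subnet range of ASEv3.')
param subnetAddressPrefix string = '192.168.10.0/24'

@description('Required. The subnet Name of ASEv3.')
param subnetName string = 'ase03'

// The default subnet entry references subnetName and networkSecurityGroupName
// instead of repeating their literal values, so overriding either parameter
// keeps the deployed subnet, the subnetId the ASE points at, and the NSG lookup
// in step with each other. Defaults are unchanged ('ase03' / 'nsg-asev3').
@description('Required. The subnet properties.')
param subnets array = [
  {
    name: subnetName
    addressPrefix: subnetAddressPrefix
    delegations: [
      {
        name: 'Microsoft.Web.hostingEnvironments'
        properties: {
          serviceName: 'Microsoft.Web/hostingEnvironments'
        }
      }
    ]
    privateEndpointNetworkPolicies: 'Enabled'
    privateLinkServiceNetworkPolicies: 'Enabled'
    networkSecurityGroupName: networkSecurityGroupName
  }
]

@description('Required. Name of ASEv3.')
param aseName string

@description('Required. Dedicated host count of ASEv3.')
param dedicatedHostCount int = 0

@description('Optional. Create a private DNS zone for ASEv3.')
param createPrivateDNS bool = true

// The description previously referred to the numeric modes 0/3; the allowed
// values of this parameter are the string forms used by the 2022-03-01 API.
@description('Required. Load balancer mode: \'None\' for an external load balancer, \'Web, Publishing\' for an internal load balancer (ILB) ASEv3.')
@allowed([
  'Web, Publishing'
  'None'
])
param internalLoadBalancingMode string = 'Web, Publishing'

@description('Required. Name of the Network Security Group.')
@minLength(1)
param networkSecurityGroupName string = 'nsg-asev3'

@description('Required. Array of Security Rules to deploy to the Network Security Group.')
param networkSecurityGroupSecurityRules array = []

// NOTE(review): @secure() masks this value in what-if output, which appears to
// be why the report shows properties.workspaceId "... => "*******"" as a change
// on every run. A Log Analytics workspace resource ID is an ARM identifier
// rather than a credential; dropping the decorator would remove that noise —
// confirm there is no policy reason to keep it out of deployment history first.
@description('Workspace ID')
@secure()
param diagnosticWorkspaceId string

// Restricted to the keys of zoneRedundantMap below; any other value would
// otherwise fail at deployment time when the map is indexed.
@description('Required. Environment Tag.')
@allowed([
  'dev'
  'tst'
  'prd'
])
param Environment string = 'tst'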

// Deterministic suffix that keeps the nested DNS-zone deployment name unique per resource group.
var uniStr = uniqueString(resourceGroup().id)
// Both IDs are built from vNetResourceGroupName, while the virtualnetwork resource
// below is created in the deployment's own resource group (it has no scope). If the
// two resource groups differ, the ASE is pointed at a subnet this template did not create.
var virtualNetworkId = resourceId(vNetResourceGroupName, 'Microsoft.Network/virtualNetworks', virtualNetworkName)
var subnetId = resourceId(vNetResourceGroupName, 'Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, subnetName)

// 0 is translated to null (property omitted) where it is used on the ASE resource.
var ipsslAddressCount = 0
// dnsSuffix is read back from the deployed ASE rather than supplied by a parameter.
var privateDNSZoneName = asev3.properties.dnsSuffix
var upgradePreference = 'None'
var remoteDebugEnabled = false
// Enables FTP on the ASE networking configuration (see the 'networking' configuration
// resource). NOTE(review): leaving FTP on widens the inbound surface of the environment;
// confirm it is actually needed, otherwise set this to false.
var ftpEnabled = true
// Fixed internal inbound address. It must lie inside subnetAddressPrefix
// (192.168.10.0/24 by default) — keep the two in sync when overriding either.
var inboundIpAddressOverride = '192.168.10.4'
var allowNewPrivateEndpointConnections = false

// Zone redundancy is enabled for production only. The Environment parameter is used
// as the lookup key, so it has to be one of these three values.
var zoneRedundantMap = {
  dev: false
  tst: false
  prd: true
}
var zoneRedundant = zoneRedundantMap[Environment]

// Cluster setting that disables TLS 1.0 on the ASE.
var clusterSettings = [
  {
    name: 'DisableTls1.0'
    value: '1'
  }
]

//Default Logging Values
// Only the Log Analytics workspace sink (diagnosticWorkspaceId) is wired up; the
// storage account and Event Hub sinks are left blank and therefore omitted.
var diagnosticLogCategoriesToEnable = [ 'allLogs' ]
var diagnosticSettingsName = 'diag-${aseName}-asev3-log'
var diagnosticStorageAccountId = ''
var diagnosticEventHubAuthorizationRuleId = ''
var diagnosticEventHubName = ''

// One enabled entry per named category, used only when 'allLogs' is not requested.
var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs'): {
  category: category
  enabled: true
}]

// 'allLogs' collapses the logs block to a single categoryGroup entry; otherwise the
// explicit per-category list above is used.
var diagnosticsLogs = contains(diagnosticLogCategoriesToEnable, 'allLogs') ? [
  {
    categoryGroup: 'allLogs'
    enabled: true
  }
] : diagnosticsLogsSpecified

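// Network security group attached to the ASE subnet. Rules come from the
// networkSecurityGroupSecurityRules parameter (empty by default, so no custom
// rules are deployed). Empty strings and empty arrays in a rule are normalised
// to null so the corresponding property is omitted from the deployed resource.
resource networksecuritygroup 'Microsoft.Network/networkSecurityGroups@2020-11-01' = {
  name: networkSecurityGroupName
  location: location
  properties: {
    securityRules: [for item in networkSecurityGroupSecurityRules: {
      name: item.name
      properties: {
        description: toLower(item.properties.description)
        access: item.properties.access
        destinationAddressPrefix: ((item.properties.destinationAddressPrefix == '') ? null : item.properties.destinationAddressPrefix)
        destinationAddressPrefixes: ((length(item.properties.destinationAddressPrefixes) == 0) ? null : item.properties.destinationAddressPrefixes)
        destinationPortRanges: ((length(item.properties.destinationPortRanges) == 0) ? null : item.properties.destinationPortRanges)
        destinationPortRange: ((item.properties.destinationPortRange == '') ? null : item.properties.destinationPortRange)
        direction: item.properties.direction
        // Rules are often authored with string priorities; ARM expects an integer.
        priority: int(item.properties.priority)
        protocol: item.properties.protocol
        sourceAddressPrefix: ((item.properties.sourceAddressPrefix == '') ? null : item.properties.sourceAddressPrefix)
        sourcePortRanges: ((length(item.properties.sourcePortRanges) == 0) ? null : item.properties.sourcePortRanges)
        // Normalised like the other single-value fields; previously '' was passed through unchanged.
        sourcePortRange: ((item.properties.sourcePortRange == '') ? null : item.properties.sourcePortRange)
      }
    }]
  }
}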

// Virtual network that hosts the ASE subnet. The NSG is referenced through
// resourceId() rather than its symbolic name, hence the explicit dependsOn.
// NOTE(review): each subnet item also carries privateEndpointNetworkPolicies and
// privateLinkServiceNetworkPolicies (see the subnets parameter default), but
// neither is passed to the subnet properties below, so those values are never
// applied. The what-if line for properties.subnets[0].privateEndpointNetworkPolicies
// ("Disabled" => "Enabled") is therefore reported on a property this template does not set.
resource virtualnetwork 'Microsoft.Network/virtualNetworks@2020-11-01' = {
  name: virtualNetworkName
  location: location
  dependsOn: [
    networksecuritygroup
  ]
  properties: {
    addressSpace: {
      addressPrefixes: vNetAddressPrefixes
    }
    subnets: [for item in subnets: {
      name: item.name
      properties: {
        addressPrefix: item.addressPrefix
        // No NSG is attached when the item's networkSecurityGroupName is empty;
        // otherwise an { id: ... } reference is built from the deployment resource group.
        networkSecurityGroup: (empty(item.networkSecurityGroupName) ? null : json('{"id": "${resourceId('Microsoft.Network/networkSecurityGroups', item.networkSecurityGroupName)}"}'))
        delegations: item.delegations
      }
    }]
  }
}

// App Service Environment v3. The subnet is referenced by resourceId (subnetId),
// not symbolically, so the dependency on the virtual network is declared explicitly.
resource asev3 'Microsoft.Web/hostingEnvironments@2022-03-01' = {
  name: aseName
  location: location
  kind: 'ASEV3'
  dependsOn: [
    virtualnetwork
  ]
  properties: {
    // Currently only the TLS 1.0 disable setting (see clusterSettings).
    clusterSettings: clusterSettings
    // 0 means "not dedicated"; null omits the property rather than sending 0.
    dedicatedHostCount: dedicatedHostCount != 0 ? dedicatedHostCount : null
    //dnsSuffix: dnsSuffix
    //frontEndScaleFactor: frontEndScaleFactor
    internalLoadBalancingMode: internalLoadBalancingMode
    // ipsslAddressCount is a constant 0 above, so this is always null today.
    ipsslAddressCount: ipsslAddressCount != 0 ? ipsslAddressCount : null
    //multiSize: !empty(multiSize) ? any(multiSize) : null
    upgradePreference: upgradePreference
    //userWhitelistedIpRanges: !empty(userWhitelistedIpRanges) ? userWhitelistedIpRanges : null

    virtualNetwork: {
      id: subnetId
    }
    zoneRedundant: zoneRedundant
  }
}

// Networking configuration child resource of the ASE. All four values come from
// the constants defined above; ftpEnabled is true there, so FTP is switched on.
// The what-if output in this issue shows inboundIpAddressOverride reported as an
// addition on each run even though the value is unchanged.
resource configuration 'Microsoft.Web/hostingEnvironments/configurations@2022-03-01' = {
  name: 'networking'
  parent: asev3
  properties: {
    allowNewPrivateEndpointConnections: allowNewPrivateEndpointConnections
    ftpEnabled: ftpEnabled
    inboundIpAddressOverride: inboundIpAddressOverride
    remoteDebugEnabled: remoteDebugEnabled
  }
}

// Diagnostic settings scoped to the ASE. Deployed only when a storage account or
// workspace sink is configured; the Event Hub values are not part of the condition.
// No metrics block is declared, so the service-side metrics entry shows up as a
// removal in the what-if output. Because diagnosticSettingsName is always
// non-empty (see its definition above), the '${aseName}-diagnosticSettings'
// fallback is never used in practice.
resource asev3_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId)) {
  name: !empty(diagnosticSettingsName) ? diagnosticSettingsName : '${aseName}-diagnosticSettings'
  properties: {
    // Each unused sink is sent as null so the property is omitted.
    storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
    workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
    eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
    eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
    logs: diagnosticsLogs
  }
  scope: asev3
}

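// Private DNS zone for an internal (ILB) ASE, deployed only when requested and
// the ASE is not internet-facing. internalLoadBalancingMode is a string whose
// allowed values are 'Web, Publishing' and 'None'; the previous comparison
// against the integer 3 could never be true, so this module was never deployed.
module privatednszone 'modules/privatednszone.bicep' = if (createPrivateDNS && internalLoadBalancingMode == 'Web, Publishing') {
  name: 'private-dns-zone-deployment-${uniStr}'
  params: {
    // dnsSuffix is read from the deployed ASE, so this module implicitly depends on asev3.
    privateDNSZoneName: privateDNSZoneName
    virtualNetworkId: virtualNetworkId
    aseName: aseName
  }
}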

// ---------------------------------------------------------------------------
// Outputs — identifiers of the deployed ASE for use by callers of this template.
// ---------------------------------------------------------------------------

@description('The resource ID of the App Service Environment.')
output resourceId string = asev3.id

@description('The resource group the App Service Environment was deployed into.')
output resourceGroupName string = resourceGroup().name

@description('The name of the App Service Environment.')
output name string = asev3.name

@description('The location the resource was deployed into.')
output location string = asev3.location

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed") I expect no changes since the what-if was executed right after deployment. It always returns a list of changes that in reality are not applied.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Scope: /subscriptions/XXX/resourceGroups/ase-testing-rg

  ~ Microsoft.Network/virtualNetworks/pka-ase-test-vnet [2020-11-01]
    ~ properties.subnets: [
      ~ 0:

        ~ properties.privateEndpointNetworkPolicies: "Disabled" => "Enabled"

      ]

  ~ Microsoft.Web/hostingEnvironments/pka-ase-test [2022-03-01]
    - properties.environmentIsHealthy: true
    - properties.networkingConfiguration:

        allowNewPrivateEndpointConnections: false
        ftpEnabled:                         true
        internalInboundIpAddresses: [
          0: "192.168.10.4"
        ]
        linuxOutboundIpAddresses: [
          0: "20.242.187.226"
          1: "20.232.53.99"
        ]
        numberOfOutboundIpAddresses:        2
        remoteDebugEnabled:                 false
        targetNumberOfOutboundIpAddresses:  2
        windowsOutboundIpAddresses: [
          0: "20.242.187.226"
          1: "20.232.53.99"
        ]

    - properties.subscriptionId:       "XXX"
    x properties.upgradePreference:    "None"

  ~ Microsoft.Web/hostingEnvironments/pka-ase-test/configurations/networking [2022-03-01]
    - properties.numberOfOutboundIpAddresses:       2
    - properties.targetNumberOfOutboundIpAddresses: 2
    + properties.inboundIpAddressOverride:          "192.168.10.4"

  ~ Microsoft.Web/hostingEnvironments/pka-ase-test/providers/Microsoft.Insights/diagnosticSettings/diag-pka-ase-test-asev3-log [2021-05-01-preview]
    - properties.metrics: [
        0:

          category:                "AllMetrics"
          enabled:                 false
          retentionPolicy.days:    0
          retentionPolicy.enabled: false

      ]
    ~ properties.logs: [
      ~ 0:

        - retentionPolicy.days: 0

      - 1:

          categoryGroup:           "audit"
          enabled:                 false
          retentionPolicy.days:    0
          retentionPolicy.enabled: false

      ]
    ~ properties.workspaceId: "/subscriptions/XXX/resourcegroups/ase-testing-support-rg/providers/microsoft.operationalinsights/workspaces/ase-law" => "*******"

  = Microsoft.Network/networkSecurityGroups/nsg-asev3 [2020-11-01]

Additional context: Issue is impacting Customer.

artisticcheese commented 4 months ago

Still the case in April 2024