azure Bicep配置网络访问限制时无法识别现有规则

我是一个承包商，正在处理一个现有的Azure项目。目前，我的客户正在为每个环境（开发、QA、生产）手动配置他们所有的Azure资源。我知道这对人们来说很震惊，但他们的订阅是一团糟。我正在尝试使用二头肌设置IaC部署。
对于Azure应用程序服务，他们有一个IP访问限制设置，仅允许来自其APIM示例的流量。当我查看主站点的应用程序服务（在网络下）的访问限制时，我可以看到它已列出。
然而，当我使用what-if进行部署时，它返回说它将创建访问限制规则。我不希望出现这种情况，因为它应该已经存在了。我已经到处搜索，但没有找到答案。
apiAppService.bicep

@description('The name of the target app service without any prefix or suffix. i.e. Contoso')
param apiName string

@description('The abbreviation of the target environment. i.e. dev')
@allowed([
  'dev'
  'qa'
  'prod'
])
param environment string

@description('The Azure region the resource group is to be created in.')
param region string

@description('The abbreviation of the Azure region included as part of the resource group name. i.e. NCUS')
param regionAbbreviation string

@description('The properties of the SKU for the app service plan.')
param appServicePlanSku object

@description('The runtime stack of the target app service. i.e. DOTNETCORE|6.0')
param runtimeStack string

@description('The values required to setup the IP access restriction')
param ipRestriction object

var appServicePlanName = 'ASP-${apiName}-${regionAbbreviation}-${environment}'
var appServiceName = 'productname-${apiName}-api-${environment}'

resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: appServicePlanName
  location: region
  sku: {
    name: appServicePlanSku.name
    tier: appServicePlanSku.tier
  }
  kind: 'linux'
  properties: {
    reserved: true
  }
}

resource appService 'Microsoft.Web/sites@2022-03-01' = {
  name: appServiceName
  location: region
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: appServicePlan.id
    httpsOnly: true
    siteConfig: {
      linuxFxVersion: runtimeStack
      ipSecurityRestrictions: [
        {
          name: ipRestriction.name
          action: ipRestriction.action
          priority: ipRestriction.priority
          ipAddress: ipRestriction.ipAddress
        }
      ]
    }
  }
}

假设分析部署的结果

~ Microsoft.Web/sites/productname-apiname-api-dev [2022-03-01]
    + properties.siteConfig.ipSecurityRestrictions: [
        0:

          action:    "allow"
          ipAddress: "a.b.c.d/32"
          name:      "Allow ONLY APIM"
          priority:  300

      ]
    + properties.siteConfig.localMySqlEnabled: false
    ~ properties.httpsOnly:                    false => true

我是否尝试配置不同的内容？我做错了什么？x1c 0d1x

使用Azure Resource Explorer被证明是非常有帮助的。如果你还没有并且你正在构建bicep文件，请检查它。IP限制实际上是在一个资源中，路径为“config/web”，离开应用服务资源。本质上，定义如下所示

resource webConfig 'Microsoft.Web/sites/config@2022-03-01' = {
  name: 'web'
  parent: appService
  properties: {
    linuxFxVersion: runtimeStack
    ipSecurityRestrictions: [
      {
        name: ipRestriction.name
        action: ipRestriction.action
        priority: ipRestriction.priority
        ipAddress: ipRestriction.ipAddress
      }
      {
        name: 'Deny all'
        description: 'Deny all access'
        action: 'Deny'
        priority: 2147483647
        ipAddress: 'Any'
      }
    ]
  }
}

name: 'web'和parent: appService非常重要，因为这是最后的默认deny all规则。

azure Bicep配置网络访问限制时无法识别现有规则

1条答案

相关问题

热门标签

最新问答