Reputation: 947
I have an application firewall rule where I need to rewrite some of the targetFqdns, which are hardcoded URLs, so I instead use the environment() Bicep function.
The URLs are:
targetFqdns: [
'*.blob.core.windows.net'
'login.microsoftonline.com'
'management.core.windows.net'
'management.azure.com'
'graph.windows.net'
]
But when I try to use environment() and then deploy, the request is invalid:
targetFqdns: [
'*.blob.${environment().suffixes.storage}' // '*.blob.core.windows.net'
'${environment().authentication.loginEndpoint}' // 'login.microsoftonline.com'
'${environment().authentication.audiences}' // 'management.core.windows.net'
'${environment().resourceManager}' // 'management.azure.com'
'${environment().graphAudience}' // 'graph.windows.net'
]
environment() Bicep function docs: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-deployment#environment
Error message from the deployment:
{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
    "details": [
      {
        "code": "BadRequest",
        "message": "{\r\n \"Message\": \"The request is invalid.\",\r\n \"ModelState\": {\r\n \"resource\": [\r\n \"{\\\"Status\\\":\\\"Failed\\\",\\\"Error\\\":{\\\"Code\\\":\\\"FirewallPolicyApplicationRuleInvalidTargetFqdn\\\",\\\"Message\\\":\\\"Firewall Policy Application Rule dev-firewall-rule has invalid target fqdn https://login.microsoftonline.com/\\\",\\\"Target\\\":null}}\"\r\n ]\r\n }\r\n}"
      }
    ]
  }
}
Upvotes: 3
Views: 3579
Reputation: 29542
Looking at the documentation you are referencing, some of the environment() properties are URIs, not just domains:
{
  "graphAudience": "https://graph.windows.net/",
  "resourceManager": "https://management.azure.com/",
  "authentication": {
    "loginEndpoint": "https://login.windows.net/",
    "audiences": [
      "https://management.core.windows.net/",
      "https://management.azure.com/"
    ]
  }
}
You would need to remove the scheme and // from the URI.
Also, the audiences property is an array of strings:
// Extract domains from the audiences (strip the scheme and the trailing slash)
var authAudienceDomains = [for aud in environment().authentication.audiences: replace(replace(aud, 'https://', ''), '/', '')]

// Concatenate the FQDNs
output targetFqdns array = concat(
  [
    // *.blob.core.windows.net
    '*.blob.${environment().suffixes.storage}'
    // login.windows.net
    replace(replace(environment().authentication.loginEndpoint, 'https://', ''), '/', '')
    // graph.windows.net
    replace(replace(environment().graphAudience, 'https://', ''), '/', '')
  ],
  // management.core.windows.net and management.azure.com
  authAudienceDomains
)
Upvotes: 4
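As an added pre-deployment check, written in Python rather than Bicep so it runs locally and not part of the original answer: it performs the same scheme and slash stripping as the answer's Bicep, and validates each result so that the value the question deployed ('https://login.microsoftonline.com/') is refused before the firewall policy ever does. The environment() sample is constructed from the documentation snippet quoted in the answer; is_valid_target_fqdn, to_fqdn and build_target_fqdns are assumed names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of environment() for the public cloud, built from the
# documentation snippet quoted in the answer plus suffixes.storage.
ENVIRONMENT = {
    "graphAudience": "https://graph.windows.net/",
    "resourceManager": "https://management.azure.com/",
    "authentication": {
        "loginEndpoint": "https://login.windows.net/",
        "audiences": [
            "https://management.core.windows.net/",
            "https://management.azure.com/",
        ],
    },
    "suffixes": {"storage": "core.windows.net"},
}

# A DNS label, and a target FQDN with an optional leading "*." wildcard.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_TARGET_FQDN = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)+{_LABEL}$")


def is_valid_target_fqdn(value: str) -> bool:
    """True only for a bare host name. The value the question deployed,
    'https://login.microsoftonline.com/', fails here for the same reason the
    FirewallPolicyApplicationRuleInvalidTargetFqdn error rejected it."""
    return bool(_TARGET_FQDN.match(value))


def to_fqdn(value: str) -> str:
    """Reduce an environment() URI such as 'https://login.windows.net/' to its
    host. urlsplit is used instead of two replace() calls so a value carrying
    a port, path, query or fragment is refused rather than silently mangled."""
    parts = urlsplit(value)
    if parts.scheme:
        if parts.port is not None or parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"not a bare host: {value!r}")
        value = parts.hostname or ""
    if not is_valid_target_fqdn(value):
        raise ValueError(f"invalid target FQDN: {value!r}")
    return value.lower()


def build_target_fqdns(env: dict) -> list:
    """Same list the answer's concat() produces: storage wildcard, login and
    graph endpoints, then every authentication audience."""
    auth = env["authentication"]
    raw = [f"*.blob.{env['suffixes']['storage']}", auth["loginEndpoint"],
           env["graphAudience"], *auth["audiences"]]
    return [to_fqdn(v) for v in raw]
```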