[AVM Module Issue]: How to conditionally define network security group in subnets #1681
Hi @teemukom, thank you very much for opening the issue. We will come back to you with an answer as soon as possible.
I have checked various options and found that as soon as the parameter The submodule for subnets has handled this better. It checks whether the parameter is empty, not whether it is included. From subnet module:
I suggest that the main module also checks for “empty”. In addition to “contains”. From virtual network module:
My proposal for networkSecurityGroups. And at the same time we should also adapt it for natGateway and routeTable. For all other parameters I can either pass “null” directly or an empty array, so that's fine. Any objections?
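The difference between a key-presence check and a presence-plus-empty check, as an added illustration that is not part of the thread and not the module's source (which this page does not show). The parameter names `nsgResourceId` and `subnets`, the variable and output names, and the address prefixes are constructed; only `networkSecurityGroupResourceId` comes from the discussion. The file declares no resources, so it can be deployed just to compare the outputs.

```bicep
// Added illustration, not the module's source. Emits outputs only.
// Constructed: empty string means "no NSG wanted" for the Bastion subnet.
param nsgResourceId string = ''

// Constructed sample input covering the three shapes a caller can pass.
param subnets array = [
  {
    name: 'AzureBastionSubnet' // key present, value may be empty
    addressPrefix: '10.0.0.0/26'
    networkSecurityGroupResourceId: nsgResourceId
  }
  {
    name: 'workload' // key present, value explicitly empty
    addressPrefix: '10.0.1.0/24'
    networkSecurityGroupResourceId: ''
  }
  {
    name: 'legacy' // key absent
    addressPrefix: '10.0.2.0/24'
  }
]

// Key-presence check only: a present-but-empty value still produces
// { id: '' }, which is not a valid resource ID.
var presenceOnly = [for subnet in subnets: {
  name: subnet.name
  networkSecurityGroup: contains(subnet, 'networkSecurityGroupResourceId') ? { id: subnet.networkSecurityGroupResourceId } : null
}]

// Presence plus empty check: '.?' yields null when the key is missing and
// '??' turns that into '', so empty() covers "missing" and "empty" alike.
var presenceAndNotEmpty = [for subnet in subnets: {
  name: subnet.name
  networkSecurityGroup: !empty(subnet.?networkSecurityGroupResourceId ?? '') ? { id: subnet.networkSecurityGroupResourceId } : null
}]

output presenceOnlyResult array = presenceOnly
output presenceAndNotEmptyResult array = presenceAndNotEmpty

// Names of subnets that end up without an NSG association, so a reviewer
// can confirm each omission is intended.
output subnetsWithoutNsg array = map(filter(presenceAndNotEmpty, s => s.networkSecurityGroup == null), s => s.name)
```

With the default (empty) `nsgResourceId`, `presenceOnlyResult` contains `{ id: '' }` for the first two subnets, while `presenceAndNotEmptyResult` contains `null` for all three and `subnetsWithoutNsg` lists every subnet name.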
Hi @cloudchristoph, could you please create a PR with the changes you are proposing? Thank you very much.
Sure! Will send a PR tomorrow.
I'm a bit late to the party, but one option to achieve this with the module today would be to only add the property to the subnets if the condition is true in the first place. This can be done using the

This would look like this

```bicep
// Merge the base subnet properties with the NSG property only when the
// condition holds; otherwise merge in an empty object.
var test = [
  for subnet in subnets: union(
    {
      name: subnet.name
      addressPrefix: subnet.addressPrefix
    },
    (subnet.name == 'AzureBastionSubnet' ? { networkSecurityGroupResourceId: nsg.id } : {})
  )
]
```
@AlexanderSehr thanks for the reply. Actually I also figured this earlier. Not nice but doable.
We continue to discuss the best solution in @cloudchristoph's PR 😉
…k` (#1772)

## Description

You cannot provide the following parameters in your subnet parameter, if they are empty:

- networkSecurityGroup
- natGateway
- routeTable

As soon as they are set, they have to have a correct resource id. This PR implements additional checks for given, but empty, parameters. I also added a new subnet definition in the `max` test to check for the correct behaviour.

Fixes #1681
Closes #1681

## Pipeline Reference

| Pipeline |
| -------- |
| [![avm.res.network.virtual-network](https://github.com/cloudchristoph/bicep-registry-modules/actions/workflows/avm.res.network.virtual-network.yml/badge.svg?branch=1681_vnet_subnet_conditional_params)](https://github.com/cloudchristoph/bicep-registry-modules/actions/workflows/avm.res.network.virtual-network.yml) |

## Type of Change

- [ ] Update to CI Environment or utilities (Non-module effecting changes)
- [x] Azure Verified Module updates:
  - [x] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [x] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
- [x] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting module files.
- [x] My corresponding pipelines / checks run clean and green without any errors or warnings

<!-- Please keep up to day with the contribution guide at https://aka.ms/avm/contribute/bicep -->
Check for previous/existing GitHub issues
Issue Type?
I'm not sure
Module Name
avm/res/network/virtual-network
(Optional) Module Version
0.1.1
Description
I'm unable to find a way to conditionally define network security group for a subnet. For example I would like to define NSG id if the subnet's name is AzureBastionSubnet but not for others. The most obvious approach would be:
But it seems that the value if set can't be null: