Having done some research and looked at the question, I am trying to use that to create a solution for VNet creation in Azure. The VNet has multiple subnets, which I can define in a JSON configuration file. The issue I am having is that the NSG/route table loop isn't working; there is some kind of issue with the loop. I have commented it out in the code below; at the moment the VNet gets created and the subnet also gets created.

As I cannot get the loop to work at present, it makes me wonder: if the values for route table etc. are not provided, is Bicep smart enough to simply ignore them and not have such properties?

```bicep
param vnetConfiguration object
param location string = 'West Europe'

resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' = {
  name: vnetConfiguration.Name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetConfiguration.addressPrefix
      ]
    }
    subnets: [for (subnet,index) in vnetConfiguration.subnets: {
        name: subnet.name
        properties: {
          addressPrefix: subnet.addressPrefix
          // routeTable: subnet.routeTable
          // unique: subnet.unique
          // nsg: {
          //   properties: {
          //     securityRules: [for (rule,index) in vnetConfiguration.subnet.nsgRules: {
          //         name: rule.name
          //         properties: {
          //           description: rule.description
          //           priority: rule.priority
          //           direction: rule.direction
          //           access: rule.access
          //           protocol: rule.protocol
          //           sourcePortRange: rule.sourcePortRange
          //           destinationPortRange: rule.destinationPortRange
          //           sourceAddressPrefix: rule.sourceAddressPrefix
          //           destinationAddressPrefix: rule.destinationAddressPrefix
          //         }
          //       }
          //     ]
          //   }
          // }
          serviceEndpoints: subnet.serviceEndpoints
          delegations: subnet.delegations
        }
      }]
  }
}

output vnetId string = vnet.id
```

Configuration File.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vnetConfiguration": {
            "value": {
                "Name": "my-vnet",
                "addressPrefix": "11.0.0.0/16",
                "subnets": [
                    {
                        "name": "subnet1",
                        "addressPrefix": "11.0.1.0/27",
                        "routeTable": "",
                        "unique": false,
                        "nsgRules": [
                            {
                                "name": "DENY-ALL-VNET-INBOUND",
                                "description": "Deny all Virtual Network traffic",
                                "priority": "4000",
                                "direction": "Inbound",
                                "access": "Deny",
                                "protocol": "*",
                                "sourcePortRange": "*",
                                "destinationPortRange": "*",
                                "sourceAddressPrefix": "VirtualNetwork",
                                "destinationAddressPrefix": "VirtualNetwork"
                            }
                        ],
                        "serviceEndpoints": [],
                        "delegations": [
                            {
                                "name": "Microsoft.Web.serverFarms",
                                "properties": {
                                    "serviceName": "Microsoft.Web/serverFarms"
                                }
                            }
                        ]
                    }
                ]
            }
        }
    }
}
```
learner

1 Answer

> Is bicep smart enough to simply ignore and not have such properties

No, Bicep doesn't provide any smartness here.

Different Azure resource providers have different tolerances: some will be happy with a property value being an empty string, some prefer null, and some don't want the property defined at all (meaning you need to lean on more creative IaC, e.g. making use of union conditions).

As an example of creative-unioning, here's me creating an array of subnets conditionally based on input parameters.

```bicep
var subnets = union(
  array(aks_subnet),
  cniDynamicIpAllocation ? array(aks_podsubnet) : [],
  azureFirewalls ? array(fw_subnet) : [],
  privateLinks ? array(private_link_subnet) : [],
  acrPrivatePool ? array(acrpool_subnet) : [],
  bastion ? array(bastion_subnet) : [],
  ingressApplicationGateway ? array(appgw_subnet) : [],
  azureFirewallsManagementSeperation ? array(fwmgmt_subnet) : []
)
```
GordonBy