I'm taking my first steps with Bicep and I feel completely stuck :-/
I want to get the public IPs of an App Service and then restrict access to a storage account with them. I'm facing two problems:
This is my code:
```bicep
// Location parameter (was referenced as `localizacion` below but never declared)
param localizacion string = resourceGroup().location

////// FIRST PART: TO GET THE APP SERVICE IP
resource sitewww 'Microsoft.Web/sites@2022-03-01' existing = {
  name: 'mywebapp'
}

//Here I get the list of IPs
var ipSalidaString = string(sitewww.properties.outboundIpAddresses)

//I split the IPs list to an Array String, so I can use it
var allowedIpAddresses = split(ipSalidaString, ',')

/// THIS FOR LOOP DOES NOT WORK AND I DO NOT KNOW WHY
var additionalIpSecurityRestrictions = [for ip in allowedIpAddresses: {
  action: 'Allow'
  value: ip
}]

////// Second Part: Update the IpRules of the Storage Account
resource almacenamiento 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'teststorage'
  location: localizacion
  // kind and sku are required for a storage account deployment
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      defaultAction: 'Deny'
      ipRules: [ /// MUST BE UPDATED
        {
          action: 'Allow'
          value: '20.26.196.151'
        }
      ]
    }
  }
}
```
I have tried several ways to iterate in the for loop, but it always says "This expression is being used in the for-expression, which requires a value that can be calculated at the start of the deployment. You are referencing a variable which cannot be calculated".
I expect to get an object with the IpRules for my storage account.
I would instead suggest joining that App Service to a VNet and then using service endpoints to restrict access to the storage account. The public IPs of an App Service plan can change, so that way you don't have to bother updating the rules.
```bicep
param location string = resourceGroup().location

// Create a virtual network
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'myVnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'mySubnet'
        properties: {
          addressPrefix: '10.0.1.0/24'
          // Enable service endpoint for Microsoft.Storage
          serviceEndpoints: [
            {
              service: 'Microsoft.Storage'
              locations: [
                location
              ]
            }
          ]
          // Regional VNet integration requires the subnet to be delegated to App Service
          delegations: [
            {
              name: 'appServiceDelegation'
              properties: {
                serviceName: 'Microsoft.Web/serverFarms'
              }
            }
          ]
        }
      }
    ]
  }
}

// Create a storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'mystorage${uniqueString(resourceGroup().id)}'
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    // Restrict access to the storage account from the subnet only
    networkAcls: {
      bypass: 'None'
      defaultAction: 'Deny'
      virtualNetworkRules: [
        {
          id: vnet.properties.subnets[0].id // Reference the subnet id
          action: 'Allow'
        }
      ]
    }
    supportsHttpsTrafficOnly: true
  }
}

// Create an app service plan
resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
  name: 'myAppServicePlan'
  location: location
  sku: {
    name: 'S1'
    tier: 'Standard'
    size: 'S1'
    family: 'S'
    capacity: 1
  }
}

// Create an app service
resource appService 'Microsoft.Web/sites@2022-03-01' = {
  name: 'myAppService${uniqueString(resourceGroup().id)}'
  location: location
  kind: 'app'
  properties: {
    serverFarmId: appServicePlan.id
    siteConfig: {
      alwaysOn: true
      http20Enabled: true
      webSocketsEnabled: true
    }
    virtualNetworkSubnetId: vnet.properties.subnets[0].id // Reference the subnet id
  }
}
```
As @silent suggested, you should definitely use VNet integration to restrict traffic to the storage account instead of adding the web app's outbound IPs.
The issue you are seeing can be solved by creating the storage account in its own module:
```bicep
// storage-account.bicep
param location string = resourceGroup().location
param storageAccountName string
param ips array

resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      defaultAction: 'Deny'
      ipRules: [for ip in ips: {
        action: 'Allow'
        value: ip
      }]
    }
  }
}
```
Then you can invoke this module from the parent Bicep file:
```bicep
// main.bicep
param location string = resourceGroup().location
param webAppName string = 'mywebapp'
param storageAccountName string = 'teststorage'

// Get a reference to the existing webapp
resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: webAppName
}

// Create the storage with the IP rules
module storageAccount 'storage-account.bicep' = {
  name: 'storage-account'
  params: {
    location: location
    storageAccountName: storageAccountName
    ips: split(webApp.properties.outboundIpAddresses, ',')
  }
}
```
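Both answers argue for a subnet rule over a list of outbound IPs. The Python script below is an added example, not code from the question or either answer: it builds `ipRules` from an `outboundIpAddresses` string the way the question's template intends, and evaluates a storage `networkAcls` block for a given request source, which shows that the hard-coded IP rule stops admitting the app as soon as its outbound address changes while the subnet rule keeps working. The subnet resource ID and the second IP address are constructed values.

```python
import ipaddress
from typing import Optional

def build_ip_rules(outbound_ips: str) -> list:
    """Turn the comma-separated outboundIpAddresses string into storage ipRules.
    Private addresses are rejected: storage IP rules only accept public IPv4."""
    rules = []
    for raw in outbound_ips.split(","):
        ip = ipaddress.ip_address(raw.strip())
        if ip.version != 4 or ip.is_private:
            raise ValueError(f"not a public IPv4 address: {raw.strip()}")
        rule = {"action": "Allow", "value": str(ip)}
        if rule not in rules:  # the list may repeat entries
            rules.append(rule)
    return rules

def evaluate_access(network_acls: dict, source_ip: Optional[str] = None,
                    subnet_id: Optional[str] = None) -> str:
    """Return 'Allow' or 'Deny' for a request arriving from a public source_ip
    or from a VNet subnet_id (service-endpoint traffic carries the subnet id)."""
    if subnet_id is not None:
        for rule in network_acls.get("virtualNetworkRules", []):
            if rule["id"].lower() == subnet_id.lower():
                return rule.get("action", "Allow")
    if source_ip is not None:
        src = ipaddress.ip_address(source_ip)
        for rule in network_acls.get("ipRules", []):
            if src in ipaddress.ip_network(rule["value"], strict=False):
                return rule.get("action", "Allow")
    return network_acls.get("defaultAction", "Allow")

# Constructed sample: the question's ACL with its single hard-coded outbound IP.
QUESTION_ACLS = {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "value": "20.26.196.151"}],
}
# Constructed sample: the first answer's ACL; the subnet id is a placeholder.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
             "/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet")
VNET_ACLS = {
    "bypass": "None",
    "defaultAction": "Deny",
    "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
}

if __name__ == "__main__":
    # An outbound IP the platform later reassigns is no longer admitted ...
    print(evaluate_access(QUESTION_ACLS, source_ip="20.26.196.152"))  # Deny
    # ... while traffic from the integrated subnet stays admitted.
    print(evaluate_access(VNET_ACLS, subnet_id=SUBNET_ID))  # Allow
```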