Logic app accesscontrol validations #1365

Open
psyduck101 opened this issue Dec 3, 2020 · 1 comment

psyduck101 commented Dec 3, 2020

Hey,
We are building ARM templates for our logic apps and APIM APIs (only APIs, not the APIM instance), and we get some positives; we wonder whether they are correct and we are missing something, or whether we can just disable them.

Version 4.14 in PowerShell

  1. We have logic apps where we added accesscontrol IP ranges (hardcoded and by parameter). And we keep getting the warnings of methods CheckTriggersAccessControl/CheckContentsAccessControl that they are not present or missing.

    Azure_LogicApps_AuthZ_Provide_Triggers_Access_Control | Failed | High | Not found |   | $.properties.accessControl.triggers.allowedCallerIpAddresses.addressRange | Verify current value | resources[0] | 70 | If Logic App fires on an HTTP Request (e.g.   Request or Webhook) then provide IP ranges for triggers ...
    
    Azure_LogicApps_AuthZ_Provide_Contents_Access_Control | Failed | High | Not found |   | $.properties.accessControl.contents.allowedCallerIpAddresses.addressRange | Verify current value | resources[0] | 70 | Must provide IP ranges for contents to prevent unauthorized access to...
    
  2. We deploy our APIM APIs separately from the APIM instance. But for the APIs, we get the remark that our API is not linked to a VNet. As far as I know, VNet is only configured on the APIM instance.

    Azure_APIManagement_NetSec_Configure_Virtual_Network_For_APIM | **Microsoft.ApiManagement/service ,  Microsoft.ApiManagement/service/apis** | Medium | Not found | -1 |   | $.properties.virtualNetworkType | NotAllow 'None' |resources[6] | 159 | Consider hosting APIM within a virtual   network for improved isolation
    

Part of my logic app (also tried with parameters instead of hardcoded, or used CIDR syntax '10.0.0.0/24'):

    "type": "Microsoft.Logic/workflows",
    "apiVersion": "2017-07-01",
    "name": "[parameters('logicapp-testcon-name')]",
    "location": "[parameters('logicapp-location')]",
    "tags": "[parameters('resourceTags')]",
    "properties": {
      "state": "Enabled",
      "accessControl": {
        "triggers": {
          "allowedCallerIpAddresses": [
            {
              "addressRange": "10.0.0.0-11.0.0.0"
            }
          ]
        },
        "contents": {
          "allowedCallerIpAddresses": [
            {
              "addressRange": "10.0.0.0-11.0.0.0"
            }
          ]
        }
      },

To reproduce

Execute on a logic app ARM template with accesscontrol configured.

Expected behavior

Not to have the errors

Actual behavior

Getting validation errors
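
The path printed in the scanner output above has no array step, while `allowedCallerIpAddresses` in the posted template is an array. The following is an added example, not part of the issue or of the scanner's code (how the scanner itself evaluates the path is not stated here): it walks the posted fragment both ways and validates the ranges. The wrapping template and the `allowedRange` parameter are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the workflow resource from the issue inside a minimal
# template. The "contents" range is moved to a parameter (hypothetical name).
TEMPLATE = {
    "parameters": {"allowedRange": {"type": "string", "defaultValue": "10.0.0.0/24"}},
    "resources": [{"type": "Microsoft.Logic/workflows", "properties": {"accessControl": {
        "triggers": {"allowedCallerIpAddresses": [{"addressRange": "10.0.0.0-11.0.0.0"}]},
        "contents": {"allowedCallerIpAddresses": [{"addressRange": "[parameters('allowedRange')]"}]},
    }}}],
}
PARAM = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def walk(node, keys, through_arrays):
    """Follow keys from node; with through_arrays, fan out over list elements."""
    nodes = [node]
    for key in keys:
        if through_arrays:
            nodes = [e for n in nodes for e in (n if isinstance(n, list) else [n])]
        nodes = [n[key] for n in nodes if isinstance(n, dict) and key in n]
    return nodes

def resolve(value, template):
    """Swap a whole-value [parameters('x')] expression for its defaultValue."""
    m = PARAM.match(value) if isinstance(value, str) else None
    return template.get("parameters", {}).get(m.group(1), {}).get("defaultValue") if m else value

def valid_range(text):
    """Accept start-end or CIDR notation (a bare address counts as a /32)."""
    try:
        if "-" in text:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            return lo <= hi
        return ipaddress.ip_network(text, strict=False) is not None
    except (ValueError, TypeError):
        return False  # malformed, or a parameter with no defaultValue (None)

def check(template):
    """Map (resource index, section) to (literal-path hits, ranges, verdict)."""
    report = {}
    for i, res in enumerate(template.get("resources", [])):
        if res.get("type") == "Microsoft.Logic/workflows":
            for section in ("triggers", "contents"):
                keys = ["properties", "accessControl", section,
                        "allowedCallerIpAddresses", "addressRange"]
                ranges = [resolve(v, template) for v in walk(res, keys, True)]
                ok = bool(ranges) and all(valid_range(r) for r in ranges)
                report[(i, section)] = (len(walk(res, keys, False)), ranges, ok)
    return report
```

On the sample, the literal walk finds nothing for either section, while the array-aware walk returns both ranges and marks them valid. A parameter without a `defaultValue` resolves to `None` and is reported as not verifiable from the template alone.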

@ritika-msft
Contributor

Can you please confirm if you are getting these errors at the time of template deployment? Is it a validation error, or can you see these errors in Arm Checker?

If the above-mentioned controls are going in error in ArmTemplate Checker, can you please share the stack trace?
