Azure App Gateway and Subnet

I have a Hashicorp Sentinel policy that limits internet access. I need to add an exception for Azure app gateways and load balancers. Looking at the app gateway, I don’t see a way to relate an app gateway to a subnet.

I can upload the mocks and rule if needed.

@wblanchard-bmgf it would probably be best if we could get some mock data. The best way to do this would be via the Sentinel Playground @

Be sure to remove any data that may be considered private beforehand :slight_smile:

@wblanchard-bmgf I can see that you are using the common_functions library in your policy. I think you may have more success if you used a filter expression as follows:

import "tfplan/v2" as tfplan

allScopedNetworkSecurityRules = filter tfplan.resource_changes as _, resource_changes {
	resource_changes.type is "azurerm_network_security_rule" and
		resource_changes.mode is "managed" and
  		resource_changes.address not contains "app_gateway" and
        (resource_changes.change.actions contains "create" or
          resource_changes.change.actions is ["update"])

main = rule {

Playground Example

This however isn’t the most elegant solution as it is dependent on the name of the module that is in use. If a Terraform engineer does not follow the naming standard you define they could sneak in the back door and open you up to a fair amount of risk.

A better solution may be to use Azure Service Tags and then filter out any rules that have a particular tag value defined. Not sure if this is an option for you or not but definitely something worth exploring.

Hope this helps :smiley: