[FEATURE REQ] AZR-000302

[skynetsysadmin]

Please describe the feature or suggestion.

When the WAF Mode in BICEP or the ARM Template uses a conditional statement, it's flagging it as an error. Here is an example, in the development environment we set the mode to detection, but in all other environments we set to prevention.

"mode": "[if(equals(toLower(parameters('environment')), 'dev'), 'Detection', 'Prevention')]"

But, the templateanalyzer tool flags it as an error since it's not a fixed value of 'Prevention'. AZR-000302: Azure.AppGwWAF.PreventionMode.

Alternatively, if there was a way to ignore the rule I suppose that would be a stop gap.

Thanks

Additional context

No response

[VeraBE]

Is this rule also flagging your template if you specify the parameters file that has the environment variable not set to dev? I believe TemplateAnalyzer should resolve the if properly

[skynetsysadmin]

We are using the Microsoft Security DevOps extension to run the templateanalyzer tool. I'll need to research how to invoke the '-p' option via that extension. Thanks for the tip!