Block secure outputs in local deploy (#17235)

## Description

Block secure outputs in local deploy

Discovered when trying to test
https://github.com/anthony-c-martin/samples/tree/main/bicep/local-deploy-github-oidc.

## Checklist

- [x] I have read and adhere to the [contribution
guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md).

Author: anthony-c-martin

.vscode/launch.json

@@ -12,7 +12,8 @@
             ],
             "env": {
                 "BICEP_TRACING_ENABLED": "true",
-
+                "BICEP_TRACING_VERBOSITY": "basic",
+                "BICEP_EXTENSION_TRACING_ENABLED": "false",
                 // Defaulting to "verbose" when debugging so that new telemetry IDs during development aren't accidentally sent and created before they're finalized
                 "DEBUGTELEMETRY": "v", // "" or "0" or "false": send telemetry as normal; "1": debug mode (no telemetry sent); "verbose": telemetry in console, don't send (from microsoft/vscode-azext-utils)
             },
@@ -32,25 +33,10 @@
                 "build",
                 "${file}"
             ],
-          "env": {
-            "BICEP_TRACING_ENABLED": "true"
-          },
-            "cwd": "${workspaceFolder}/src/Bicep.Cli",
-            "console": "internalConsole",
-            "stopAtEntry": false
-        },
-        {
-            "name": "CLI-Test",
-            "type": "coreclr",
-            "request": "launch",
-            "preLaunchTask": "Build CLI",
-            "program": "${workspaceFolder}/src/Bicep.Cli/bin/Debug/net8.0/bicep",
-            "args": [
-                "test",
-                "${file}"
-            ],
             "env": {
                 "BICEP_TRACING_ENABLED": "true",
+                "BICEP_TRACING_VERBOSITY": "basic",
+                "BICEP_EXTENSION_TRACING_ENABLED": "false",
             },
             "cwd": "${workspaceFolder}/src/Bicep.Cli",
             "console": "internalConsole",
@@ -113,4 +99,4 @@
             "cwd": "${workspaceFolder}/src/vscode-bicep-ui/apps/deploy-pane"
         },
     ]
-}
+}

docs/experimental/local-deploy.md

@@ -95,9 +95,26 @@ Here's an example bicepconfig.json you can use to share your extension with othe
 
 * You will need to update `extensions.http`: the key (`http`) should be the name of your extension, and the value (`br:bicepextdemo.azurecr.io/extensions/http:0.1.1`) should be the OCI reference path (or relative local file system path if building locally).
 
+### Troubleshooting
+
+The following environment variables can be used to enable detailed logging for extension binary stdout, stderr and gRPC requests & responses. This can be useful for extension authors to troubleshoot problems invoking extensions.
+
+Note that this can include sensitive data, and should only be used for local debugging.
+
+1. (Mac/Linux) Run the following:
+   ```sh
+   export BICEP_TRACING_ENABLED=true
+   export BICEP_EXTENSION_TRACING_ENABLED=true
+   ```
+1. (Windows) Run the following in a PowerShell window:
+   ```powershell
+   $env:BICEP_TRACING_ENABLED = $true
+   $env:BICEP_EXTENSION_TRACING_ENABLED = $true
+   ```
 
 ## Limitations
 1. Code signing for the proof-of-concept extensions has not been implemented, meaning you may run into errors running the samples on a Mac.
+1. Secure outputs are not currently supported.
 
 ## Raising bugs or feature requests
 Please raise bug reports or feature requests under [Bicep Issues](https://github.com/Azure/bicep/issues) as usual.

src/Bicep.Cli/Commands/LocalDeployCommand.cs

@@ -63,9 +63,14 @@ parameters.Parameters is not { } parametersString ||
             return 1;
         }
 
-        await using var extensionHostManager = dispatcherFactory.Create();
-        await extensionHostManager.InitializeExtensions(compilation);
-        var result = await extensionHostManager.Deploy(templateString, parametersString, cancellationToken);
+
+        // this using block is intentional to ensure that the dispatcher completes running before we write the summary
+        LocalDeploymentResult result;
+        await using (var dispatcher = dispatcherFactory.Create())
+        {
+            await dispatcher.InitializeExtensions(compilation);
+            result = await dispatcher.Deploy(templateString, parametersString, cancellationToken);
+        }
 
         await WriteSummary(result);
         return result.Deployment.Properties.ProvisioningState == ProvisioningState.Succeeded ? 0 : 1;

src/Bicep.Core.IntegrationTests/ScenarioTests.cs

@@ -7354,4 +7354,29 @@ param shouldDeploy bool
             ("BCP420", DiagnosticLevel.Error, "The scope could not be resolved at compile time because the supplied expression is ambiguous or too complex. Scoping expressions must be reducible to a specific kind of scope without knowledge of parameter values."),
         });
     }
+
+    [TestMethod]
+    public void Local_deploy_cannot_be_used_with_secure_outputs()
+    {
+        var result = CompilationHelper.Compile(Services.WithFeatureOverrides(new(LocalDeployEnabled: true)), ("main.bicep", """
+targetScope = 'local'
+
+module mod 'mod.bicep' = {
+  scope: resourceGroup('00000000-0000-0000-0000-000000000000', 'foo')
+  params: {
+    secret: 'blah'
+  }
+}
+"""), ("mod.bicep", """
+@secure()
+param secret string
+
+@secure()
+output secret string = secret
+"""));
+
+        result.ExcludingLinterDiagnostics().Should().HaveDiagnostics([
+            ("BCP421", DiagnosticLevel.Error, """Module "mod" contains one or more secure outputs, which are not supported with "targetScope" set to "local"."""),
+        ]);
+    }
 }

src/Bicep.Core/Diagnostics/DiagnosticBuilder.cs

@@ -1911,6 +1911,10 @@ public Diagnostic InvalidReservedImplicitExtensionNamespace(string name) => Core
             public Diagnostic ScopeKindUnresolvableAtCompileTime() => CoreError(
                 "BCP420",
                 "The scope could not be resolved at compile time because the supplied expression is ambiguous or too complex. Scoping expressions must be reducible to a specific kind of scope without knowledge of parameter values.");
+
+            public Diagnostic SecureOutputsNotSupportedWithLocalDeploy(string moduleName) => CoreError(
+                "BCP421",
+                $"""Module "{moduleName}" contains one or more secure outputs, which are not supported with "{LanguageConstants.TargetScopeKeyword}" set to "{LanguageConstants.TargetScopeTypeLocal}".""");
         }
 
         public static DiagnosticBuilderInternal ForPosition(TextSpan span)

src/Bicep.Core/Emit/EmitLimitationCalculator.cs

@@ -55,6 +55,7 @@ public static EmitLimitationInfo Calculate(SemanticModel model)
             BlockNamesDistinguishedOnlyByCase(model, diagnostics);
             BlockResourceDerivedTypesThatDoNotDereferenceProperties(model, diagnostics);
             BlockSpreadInUnsupportedLocations(model, diagnostics);
+            BlockSecureOutputsWithLocalDeploy(model, diagnostics);
             BlockExtendsWithoutFeatureFlagEnabled(model, diagnostics);
 
             var paramAssignments = CalculateParameterAssignments(model, diagnostics);
@@ -974,5 +975,22 @@ IEnumerable<ObjectSyntax> getObjectSyntaxesToBlock()
                 }
             }
         }
+
+        private static void BlockSecureOutputsWithLocalDeploy(SemanticModel model, IDiagnosticWriter diagnostics)
+        {
+            if (model.TargetScope != ResourceScope.Local)
+            {
+                return;
+            }
+
+            foreach (var module in model.Root.ModuleDeclarations)
+            {
+                if (module.TryGetSemanticModel().TryUnwrap() is { }  moduleModel &&
+                    moduleModel.Outputs.Any(output => output.IsSecure))
+                {
+                    diagnostics.Write(DiagnosticBuilder.ForPosition(module.NameSource).SecureOutputsNotSupportedWithLocalDeploy(module.Name));
+                }
+            }
+        }
     }
 }

src/Bicep.Core/Features/FeatureProvider.cs

@@ -36,9 +36,13 @@ public FeatureProvider(RootConfiguration configuration, IFileExplorer fileExplor
 
         public bool AssertsEnabled => configuration.ExperimentalFeaturesEnabled.Assertions;
 
-        public static bool TracingEnabled => ReadBooleanEnvVar("BICEP_TRACING_ENABLED", defaultValue: false);
+        public static readonly bool TracingEnabled = ReadBooleanEnvVar("BICEP_TRACING_ENABLED", defaultValue: false);
 
-        public static TraceVerbosity TracingVerbosity => ReadEnumEnvVar("BICEP_TRACING_VERBOSITY", TraceVerbosity.Basic);
+        public static readonly bool ExtensionTracingEnabled = ReadBooleanEnvVar("BICEP_EXTENSION_TRACING_ENABLED", defaultValue: false);
+
+        public static readonly TraceVerbosity TracingVerbosity = ReadEnumEnvVar("BICEP_TRACING_VERBOSITY", TraceVerbosity.Basic);
+
+        public static bool HasTracingVerbosity(TraceVerbosity verbosity) => TracingVerbosity >= verbosity;
 
         public bool WaitAndRetryEnabled => configuration.ExperimentalFeaturesEnabled.WaitAndRetry;
 

src/Bicep.Core/Features/TraceVerbosity.cs

@@ -3,9 +3,13 @@
 
 namespace Bicep.Core.Features
 {
+    /// <remarks>
+    /// The enum values must be in order of increasing verbosity, as they're used to determine the level of detail in tracing output.
+    /// See <see cref="FeatureProvider.HasTracingVerbosity"/> for more details on how this is used.
+    /// </remarks>
     public enum TraceVerbosity
     {
-        Basic,
-        Full
+        Basic = 0,
+        Full = 1,
     }
 }