Description
Bicep version
0.35.1
Describe the bug
If the scope property on a role assignment resource in Bicep is set using a ternary, the scope property is left off the resulting ARM template.
To Reproduce
```bicep
param resourceName string = 'example'
param serverFarmId string
param someIdentityObjectId string
param shouldDeploy bool

resource deployAppService 'Microsoft.Web/sites@2022-03-01' = if (shouldDeploy) {
  name: resourceName
  location: resourceGroup().location
  properties: {
    serverFarmId: serverFarmId
  }
}

resource existingAppService 'Microsoft.Web/sites@2022-03-01' existing = {
  name: resourceName
}

resource contributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  name: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
}

var appServiceId = shouldDeploy ? deployAppService.id : existingAppService.id

resource contributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (shouldDeploy) {
  name: guid(appServiceId, someIdentityObjectId, 'contributor')
  scope: shouldDeploy ? deployAppService : existingAppService
  properties: {
    roleDefinitionId: contributorRoleDefinition.id
    principalId: someIdentityObjectId
    principalType: 'ServicePrincipal'
  }
}
```
Results in:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.35.1.17967",
      "templateHash": "11552019507935731435"
    }
  },
  "parameters": {
    "resourceName": {
      "type": "string",
      "defaultValue": "example"
    },
    "serverFarmId": {
      "type": "string"
    },
    "someIdentityObjectId": {
      "type": "string"
    },
    "shouldDeploy": {
      "type": "bool"
    }
  },
  "variables": {
    "appServiceId": "[if(parameters('shouldDeploy'), resourceId('Microsoft.Web/sites', parameters('resourceName')), resourceId('Microsoft.Web/sites', parameters('resourceName')))]"
  },
  "resources": [
    {
      "condition": "[parameters('shouldDeploy')]",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "[parameters('resourceName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "serverFarmId": "[parameters('serverFarmId')]"
      }
    },
    {
      "condition": "[parameters('shouldDeploy')]",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(variables('appServiceId'), parameters('someIdentityObjectId'), 'contributor')]",
      "properties": {
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "principalId": "[parameters('someIdentityObjectId')]",
        "principalType": "ServicePrincipal"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', parameters('resourceName'))]"
      ]
    }
  ]
}
```
Additional context
I would expect the scope to be set to `"[if(parameters('shouldDeploy'), format('Microsoft.Web/sites/{0}', parameters('resourceName')), format('Microsoft.Web/sites/{0}', parameters('resourceName')))]"` along the lines of the `appServiceId` variable above.
The workaround is to reference either the explicit or existing resource directly, which produces `"[format('Microsoft.Web/sites/{0}', parameters('resourceName'))]"`, which is valid in either case.
This might be a breaking change, as role assignments will have been made to the resource group / subscription, so a fix would result in a failed deployment due to the change of scope. Indeed, this was discovered in the reverse scenario, where the ternary was introduced and the deployment failed due to the scope changing from the intended resource to the resource group.
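A pre-deployment check for the symptom reported above, as an added example that is not part of the original issue or of the Bicep project: it scans a compiled ARM template for `Microsoft.Authorization/roleAssignments` resources that carry no `scope` property. It goes beyond the single template shown by also walking nested deployments (compiled modules) and symbolic-name templates; the function names and the second sample resource are constructed for illustration.

```python
import json

ROLE_ASSIGNMENT = "microsoft.authorization/roleassignments"
NESTED_DEPLOYMENT = "microsoft.resources/deployments"


def iter_resources(template):
    """Yield every resource in a compiled template, including nested deployments."""
    resources = template.get("resources", [])
    # Symbolic-name (languageVersion 2.0) templates key resources by name.
    if isinstance(resources, dict):
        resources = list(resources.values())
    for res in resources:
        yield res
        if res.get("type", "").lower() == NESTED_DEPLOYMENT:
            inner = res.get("properties", {}).get("template")
            if isinstance(inner, dict):  # inline template emitted for a module
                yield from iter_resources(inner)


def unscoped_role_assignments(template):
    """Return role assignments with no 'scope'; these apply at the deployment scope."""
    return [
        {"name": r.get("name"),
         "roleDefinitionId": r.get("properties", {}).get("roleDefinitionId")}
        for r in iter_resources(template)
        if r.get("type", "").lower() == ROLE_ASSIGNMENT and "scope" not in r
    ]


# Constructed sample: the first resource is trimmed from the output in the issue,
# the second is a constructed assignment using the scope the workaround produces.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Authorization/roleAssignments",
   "apiVersion": "2020-04-01-preview",
   "name": "[guid(variables('appServiceId'), parameters('someIdentityObjectId'), 'contributor')]",
   "properties": {"roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"}},
  {"type": "Microsoft.Authorization/roleAssignments",
   "apiVersion": "2020-04-01-preview",
   "scope": "[format('Microsoft.Web/sites/{0}', parameters('resourceName'))]",
   "name": "constructed-scoped-assignment",
   "properties": {"roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"}}
]}
""")

if __name__ == "__main__":
    for finding in unscoped_role_assignments(SAMPLE):
        print("role assignment without scope:", finding["name"])
```

A finding is not always a defect, since an assignment at the deployment scope can be intentional; the check is meant to surface every such assignment for review before it is deployed.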