Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

The referenced declaration with name "keyVaultFirewallRules" is not valid. #1902

Closed maxricketts closed 1 year ago

maxricketts commented 1 year ago

Description of the issue

I am using a var array to input IP addresses and names for use in network restrictions in resources (example 1).

Then remap some of it to use in Key Vaults that only take a CIDR input (example 2).

This is passed to a module as an array, and the deployed Key Vault has the correct IPs listed in the network restrictions.

I am getting the following error after running invoke-PSRule -Module 'PSRule.Rules.Azure' -Format File -f .

Invoke-PSRule: Bicep (0.4.1124) compilation of 'C:\Git\Data-Platform-IAC\core\bicep\main.bicep' failed with: C:\Git\Data-Platform-IAC\core\bicep\main.bicep(326,63) : Error BCP018: Expected the "," character at this location.
C:\Git\Data-Platform-IAC\core\bicep\main.bicep(368,14) : Error BCP062: The referenced declaration with name "keyVaultFirewallRules" is not valid.
C:\Git\Data-Platform-IAC\core\bicep\main.bicep(384,14) : Error BCP062: The referenced declaration with name "keyVaultFirewallRules" is not valid.

example1

var KVFirewallRules = [
  {
    RuleName: 'Rule 1'
    StartingIP: '192.168.1.1'
    EndingIP: '192.168.1.1'
    CIDR: '192.168.1.1'
  }
  {
    RuleName: 'Rule 2'
    StartingIP: '192.168.1.2'
    EndingIP: '192.168.1.2'
    CIDR: '192.168.1.2'
  }
]
var keyVaultFirewallRules = map(KVFirewallRules, FirewallRule => FirewallRule.CIDR)

Module in use and version:

2.5.3 PSRule
1.21.2 PSRule.Rules.Azure

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.3.0
PSEdition                      Core
GitCommitId                    7.3.0
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

BernieWhite commented 1 year ago

@maxricketts Error BCP062 is a Bicep compile error. I would suggest that the reason is your Bicep version (0.4.1124) is too old for the syntax you are using. Map was introduced around 0.10.x.

If you are using a self-hosted agent be sure to update to a newer version of Bicep for this to work.


Also, a side note: PSRule for Azure doesn't support lambda syntax for Bicep yet. We plan to, but you'll run into this after you upgrade the Bicep CLI version, so calling it out.

See #1536

maxricketts commented 1 year ago

@BernieWhite - I have updated Bicep and am still getting the same error. But I take it that is because of the lambda syntax for the map function?

BernieWhite commented 1 year ago

@maxricketts PSRule for Azure will report an expansion error for the Lambda syntax.

If you are still getting a Bicep compile error then there is maybe something wrong with your Bicep code.

Invoke-PSRule: Bicep (0.4.1124) compilation of 'C:\Git\Data-Platform-IAC\core\bicep\main.bicep' failed with: C:\Git\Data-Platform-IAC\core\bicep\main.bicep(326,63) : Error BCP018: Expected the "," character at this location.
C:\Git\Data-Platform-IAC\core\bicep\main.bicep(368,14) : Error BCP062: The referenced declaration with name "keyVaultFirewallRules" is not valid.
C:\Git\Data-Platform-IAC\core\bicep\main.bicep(384,14) : Error BCP062: The referenced declaration with name "keyVaultFirewallRules" is not valid.

These error messages point to lines 326, 368, and 384. I'd have a look there.

maxricketts commented 1 year ago

326 is var keyVaultFirewallRules = map(KVFirewallRules, FirewallRule => FirewallRule.CIDR) which takes info from the array that I posted earlier

368 is keyVaultFirewallRules being passed to the module for Key Vault, specifically this part, ipRules:

networkAcls: {
  defaultAction: networkAclsDefaultAction
  bypass: networkAclsBypass
  ipRules: [for rule in ipRules: {
    value: rule
  }]
  virtualNetworkRules: virtualNetworkRules
}

I can't see how the code is wrong, as the file is deploying a Key Vault with the IPs from the variable that I have made. It's been working for months, and I thought I would run PSRule against it to see how it compared, and PSRule is failing. Not the build.

BernieWhite commented 1 year ago

@maxricketts Thanks for the additional context. If the code is only failing through PSRule then there must be something going on.

Is the same version of Bicep still reported in the error message Invoke-PSRule: Bicep (0.4.1124) compilation, or has it updated to the latest version?

maxricketts commented 1 year ago

@BernieWhite - Invoke-PSRule: Bicep (0.4.1124) compilation of is still there after the update.

BernieWhite commented 1 year ago

@maxricketts The error message is created by the Bicep CLI so the problem is occurring because an old version is still being used. If you have updated the CLI then there must be two versions installed and PSRule is using the old version.

See Setup Bicep for details on how to set the required environment variables if the default path variable is not working for your configuration.
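
The situation described above (an updated Bicep CLI installed next to a stale one that still wins) can be checked with the following added example, which is not part of the original thread or of PSRule's own code. It assumes a Windows host, the default `az bicep install` location under `$HOME\.azure\bin`, and the `PSRULE_AZURE_BICEP_PATH` environment variable documented by PSRule for Azure for custom Bicep paths; the 0.10.0 threshold is taken from the "around 0.10.x" remark earlier in the thread.

```powershell
# Added example: list every Bicep CLI that could be picked up, with its version.
# Assumption: lambda functions such as map() need Bicep 0.10 or later
# (the thread says "around 0.10.x").
$minimum = [version]'0.10.0'

# Every bicep executable on PATH, in resolution order (the first one wins by default).
$candidates = @(Get-Command -Name bicep -CommandType Application -All -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Source)

# Assumed default location used by 'az bicep install' on Windows; it is not on
# PATH unless it was added manually.
$azCopy = Join-Path $HOME '.azure\bin\bicep.exe'
if (Test-Path $azCopy) { $candidates += $azCopy }

$found = foreach ($path in ($candidates | Select-Object -Unique)) {
    # 'bicep --version' prints a line such as "Bicep CLI version 0.4.1124 (<commit>)".
    $text = (& $path --version) -join ' '
    if ($text -match '(\d+\.\d+\.\d+)') {
        [pscustomobject]@{
            Path        = $path
            Version     = [version]$Matches[1]
            SupportsMap = [version]$Matches[1] -ge $minimum
        }
    }
}

$found | Sort-Object Version | Format-Table -AutoSize

if (@($found).Count -gt 1) {
    Write-Warning 'More than one Bicep CLI is installed; remove the stale copy or pin the path explicitly.'
}

# Pin PSRule for Azure to the newest binary for this session only.
$newest = $found | Sort-Object Version -Descending | Select-Object -First 1
if ($newest) { $env:PSRULE_AZURE_BICEP_PATH = $newest.Path }
```

After running it, the version in the `Invoke-PSRule: Bicep (...) compilation` message should match the newest entry in the table; if it does not, a different binary is still being resolved.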

maxricketts commented 1 year ago

@BernieWhite - Looks like I had two versions of Bicep installed, and I have now removed the old one.

Invoke-PSRule: Failed to expand bicep source 'C:\Git\Data-Platform-IAC\customerEngagement\bicep\main.bicep'. Exception calling "GetBicepResources" with "3" argument(s): "Unable to expand resources because the source file 'C:\Git\Data-Platform-IAC\customerEngagement\bicep\main.bicep' was not valid. An error occurred evaluating expression '[variables('keyVaultFirewallRules')]' line 772. An error occurred evaluating expression '[map(variables('KVFirewallRules'), lambda('FirewallRule', lambdaVariables('FirewallRule').CIDR))]' line 190. The function "map" was not found."

I am also getting the below. But not sure if this is related.

Invoke-PSRule: Failed to expand bicep source 'C:\Git\Data-Platform-IAC\sqlDataStores\bicep\main.bicep'. Exception calling "GetBicepResources" with "3" argument(s): "Unable to expand resources because the source file 'C:\Git\Data-Platform-IAC\sqlDataStores\bicep\main.bicep' was not valid. An error occurred evaluating expression '[reference(resourceId('Microsoft.Resources/deployments', format('azureStorageSqlVADeployment-{0}', parameters('utcDateTime'))), '2020-10-01').outputs.StorageAccountEndpoints.value.blob]' line 726. Cannot access child value on Newtonsoft.Json.Linq.JValue."

Also, in some of our deployments we use multiple parameter.json files in the same root as the Bicep file used to deploy. We have multi param files for different environments and use the pipelines to use the right one for the deployment. We pass them as an object in the main Bicep file, but PSRule is complaining that object has nothing in it. Is there a way in the invoke-psrule command to specify the parameters.json file to use?

BernieWhite commented 1 year ago

@maxricketts By default PSRule assumes no parameter files are required for Bicep code.

If you are using parameter files you can use metadata to link one or many parameter files to your Bicep module. Then typically you would exclude the Bicep files so they are not evaluated directly.

See using parameter files for details on how to set this up.

In terms of Invoke-PSRule: Failed to expand bicep source 'C:\Git\Data-Platform-IAC\sqlDataStores\bicep\main.bicep'. Exception calling "GetBicepResources" with "3" argument(s): "Unable to expand resources because the source file 'C:\Git\Data-Platform-IAC\sqlDataStores\bicep\main.bicep' was not valid. An error occurred evaluating expression '[reference(resourceId('Microsoft.Resources/deployments', format('azureStorageSqlVADeployment-{0}', parameters('utcDateTime'))), '2020-10-01').outputs.StorageAccountEndpoints.value.blob]' line 726. Cannot access child value on Newtonsoft.Json.Linq.JValue." I don't think this would be caused by this, but double check and let me know.

If Cannot access child value on Newtonsoft.Json.Linq.JValue. is a new issue, if you can log this separately that would be great to allow others to find this issue in the future.


Outside of that I think we have resolved the original problem. Are you ok for me to close this issue?

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.

github-actions[bot] commented 1 year ago

This issue was closed because it has not had any recent activity.