Open chgeuer opened 7 months ago
Bicep generates code which gets rejected by ARM-TTK; unclear how to work around that.
In a Bicep template, I'm using the getSecret function to fetch a secret from an existing KeyVault, to get KeyVault access, and pass it as parameter to a nested template:
getSecret
resource publisherKeyVaultWithBootstrapSecret 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: meteringConfiguration.publisherVault.vaultName scope: resourceGroup(meteringConfiguration.publisherVault.publisherSubscription, meteringConfiguration.publisherVault.vaultResourceGroupName) } module setupMeteredBillingConfigurationModule './nestedtemplates/meteredBillingDependencies.bicep' = { name: '...' params: { bootstrapSecretValue: publisherKeyVaultWithBootstrapSecret.getSecret(meteringConfiguration.publisherVault.bootstrapSecretName) } }
When Bicep compiles this, it results in the following ARM template, which uses the extensionResourceId function to reference the KeyVault:
extensionResourceId
"parameters": { "bootstrapSecretValue": { "reference": { "keyVault": { "id": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('meteringConfiguration').publisherVault.publisherSubscription, variables('meteringConfiguration').publisherVault.vaultResourceGroupName), 'Microsoft.KeyVault/vaults', variables('meteringConfiguration').publisherVault.vaultName)]" }, "secretName": "[variables('meteringConfiguration').publisherVault.bootstrapSecretName]" } }
Unfortunately, this Bicep-generated code is flagged by ARM-TTK validation tool as not OK, because it calls concat() or format() within extensionResourceId(). This regex in ARM TTK flags it as an error:
concat()
format()
extensionResourceId()
https://github.com/Azure/arm-ttk/blob/master/arm-ttk/testcases/deploymentTemplate/ResourceIds-should-not-contain.test.ps1#L31
As a workaround, I can replace
extensionResourceId( format('/subscriptions/{0}/resourceGroups/{1}', variables('meteringConfiguration').publisherVault.publisherSubscription, variables('meteringConfiguration').publisherVault.vaultResourceGroupName ), 'Microsoft.KeyVault/vaults', variables('meteringConfiguration').publisherVault.vaultName )
with
resourceId( variables('meteringConfiguration').publisherVault.publisherSubscription, variables('meteringConfiguration').publisherVault.vaultResourceGroupName, 'Microsoft.KeyVault/vaults', variables('meteringConfiguration').publisherVault.vaultName )
So in JSON:
{ "old": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('meteringConfiguration').publisherVault.publisherSubscription, parameters('meteringConfiguration').publisherVault.vaultResourceGroupName), 'Microsoft.KeyVault/vaults', parameters('meteringConfiguration').publisherVault.vaultName)]" "new": "[resourceId(variables('meteringConfiguration').publisherVault.publisherSubscription, variables('meteringConfiguration').publisherVault.vaultResourceGroupName, 'Microsoft.KeyVault/vaults', variables('meteringConfiguration').publisherVault.vaultName)]" }
In a Bicep template, I'm using the
getSecretfunction to fetch a secret from an existing KeyVault, to get KeyVault access, and pass it as parameter to a nested template:When Bicep compiles this, it results in the following ARM template, which uses the
extensionResourceIdfunction to reference the KeyVault:Unfortunately, this Bicep-generated code is flagged by ARM-TTK validation tool as not OK, because it calls
concat()orformat()withinextensionResourceId(). This regex in ARM TTK flags it as an error:https://github.com/Azure/arm-ttk/blob/master/arm-ttk/testcases/deploymentTemplate/ResourceIds-should-not-contain.test.ps1#L31
As a workaround, I can replace
with
So in JSON: