Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License

Help user figure out what BCP165 really means #10745

Open jongio opened 1 year ago

jongio commented 1 year ago

I got this error message:

A resource's computed scope must match that of the Bicep file for it to be deployable. This resource's scope is computed from the "scope" property value assigned to ancestor resource "keyVault". You must use modules to deploy resources to a different scope.bicep(BCP165)

I couldn't wrap my head around it.

I had this:

param name string = 'add'

param keyVaultName string
param keyVaultResourceGroupName string = resourceGroup().name
param permissions object = { secrets: [ 'get', 'list' ] }
param principalId string

resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
  parent: keyVault
  name: name
  properties: {
    accessPolicies: [ {
        objectId: principalId
        tenantId: subscription().tenantId
        permissions: permissions
      } ]
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultResourceGroupName)
}

But it turns out I didn't need to pass in the RG for scope; I can just set the scope of the module when it is called, like this:

module webKeyVaultAccess '../core/security/keyvault-access.bicep' = {
  name: 'web-keyvault-access'
  scope: resourceGroup(keyVaultResourceGroupName)
  params: {
    principalId: webIdentity.properties.principalId
    keyVaultName: keyVault.name
  }
  dependsOn: [keyVault]
}

It would be nice if the error message was updated with a sample on how to fix it.
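The fix described in the post above, written out in full as an added example (not part of the original post and not the Bicep project's own code): the module file drops `scope` from the `existing` vault so the access policy inherits the module's deployment scope, and the caller picks the resource group. The caller file name `main.bicep` and its three parameters are assumptions for illustration.

```bicep
// --- file: core/security/keyvault-access.bicep (module) ---
// No 'scope' on the existing vault: it resolves in whatever resource group
// the module is deployed to, so the child accessPolicies resource has the
// same computed scope as the file and BCP165 is not raised.
param name string = 'add'
param keyVaultName string
param permissions object = { secrets: [ 'get', 'list' ] } // read-only secret access
param principalId string

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
  parent: keyVault
  name: name
  properties: {
    accessPolicies: [ {
        objectId: principalId
        tenantId: subscription().tenantId
        permissions: permissions
      } ]
  }
}

// --- file: app/main.bicep (hypothetical caller, a separate file) ---
// The cross-resource-group targeting lives here, on the module instance.
param keyVaultName string
param keyVaultResourceGroupName string
param principalId string

module webKeyVaultAccess '../core/security/keyvault-access.bicep' = {
  name: 'web-keyvault-access'
  scope: resourceGroup(keyVaultResourceGroupName)
  params: {
    keyVaultName: keyVaultName
    principalId: principalId
  }
}
```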

stephaniezyen commented 1 year ago

Can you please explain which part(s) of the message is confusing and how you would like it to be worded? Otherwise, we can add an aka.ms link for further information.

ipetko96 commented 1 year ago

I also find the error BCP165 confusing. If a user wants to reference an existing resource, he has two properties that he can fill: name and scope. Scope is needed if the resource is in a different scope, but if the user fills the scope property with the same scope in which the new resources will be created, he instantly gets the mentioned error. In my opinion this is misleading, and no error should be raised unless the scopes of the existing and new resources are different.

jongio commented 1 year ago

Maybe include a sample on how to fix it or a link to help to fix it?

anthony-c-martin commented 1 year ago

If someone wants to suggest a reworded error, I'm happy to make the change! Leaving this open to collect suggestions.

jongio commented 1 year ago

I think something that says what you need to do would be good, like "add scope property to module instance" with an example....