Proposal - Option to embed a module reference instead of inlining the nested deployment

anthony-c-martin commented 1 year ago

Problem Statement

Registry modules in Bicep are very popular for code reuse, but with a complex deployment hierarchy, they can often cause the size of the template to grow quickly. This increases the likelihood of running into the dreaded maximum template size error, which has no workaround.

Possible Solution

Similar to the way Template Specs are handled, provide an option to embed a link to the registry module instead of the module itself.

For example, for the following:

module mcrModule 'br/public:samples/hello-world:1.0.1' = {
  ...
}

Instead of generating:

"template": {
  ...embedded registry content
}

We could generate:

"templateLink": {
  "ref": "mcr.microsoft.com/bicep/samples/hello-world:1.0.1"
}

This would require giving the Deployment engine the ability to pull down modules on behalf of the user.

Notes

The editor experience and validation for consuming a module should be no different to today's experience (other than possibly the ability to opt-in/out of the behavior).
OCI artifacts are technically mutable, even if generally users avoid re-publishing with the same tag. We may want to give users the ability to fail a deployment if that happens (for example, embedding a content hash and failing at runtime the hash doesn't match).

jeskew commented 1 year ago

[Using r]egistry modules ... increases the likelihood of running into the dreaded maximum template size error, which has no workaround.

Is template size calculated before linked templates are included?

This would require giving the Deployment engine the ability to pull down modules on behalf of the user.

Would users have an option to inline modules (maybe controlled through Bicep config)? I imagine that if I were writing a public module, I might want to inline everything, which would allow me to use private modules and not require that the consumers of my module have access to those repos. If I were writing a template to deploy, though, I imagine I would usually want to use templateLinks if that got me around the maximum size error.

cedricbraekevelt commented 4 months ago

@jeskew @anthony-c-martin I've looked this up because I've ran a lot in the past against the 4MB limit. Template spec uses the templatelink when built and Container Registry embeds the modules. So for us Template Spec is the only solution, however this has a big drawback that you need line of sight to your TS resource group. And it seems like you can't even use 2 contexts. (for example use Azure CLI to connect to TS repo and use AZ Pwsh to deploy your resources. It would be nice if we had an extra parameter in the module reference to define it as a templatelink.

PS: I'm using credentialprecedence in bicepconfig.json when trying to use multiple contexts.

Azure / bicep