Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License

Error when referencing a Managed Identity in the identity block of a storage account #11958

Closed subesokun closed 10 months ago

subesokun commented 11 months ago

Bicep version

Bicep CLI version 0.21.1 (d4acbd2a9f)

Describe the bug

Deployment fails when directly referencing a UAI in the identity block of a storage account.

Exception Details:      (DeploymentFailed) At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
        Code: DeploymentFailed
        Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
        Exception Details:      (InvalidTemplate) Deployment template validation failed: 'The template resource 'demodatastore' at line '1' and column '3176' is not valid: The template function 'reference' is not expected at this location. Please see https://aka.ms/arm-functions for usage details.. Please see https://aka.ms/arm-functions for usage details.'.
                Code: InvalidTemplate
                Message: Deployment template validation failed: 'The template resource 'demodatastore' at line '1' and column '3176' is not valid: The template function 'reference' is not expected at this location. Please see https://aka.ms/arm-functions for usage details.. Please see https://aka.ms/arm-functions for usage details.'.

To Reproduce

Steps to reproduce the behavior:

// Assumed declaration: the snippet refers to storageLocation without declaring it
param storageLocation string = resourceGroup().location

resource DemoDataStorageUserIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'demodatastore'
  location: storageLocation
}

resource DemoMLStorage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'demodatastore'
  kind: 'StorageV2'
  location: storageLocation
  sku: {
    name: 'Standard_LRS'
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: DemoDataStorageUserIdentity // throws "The template function 'reference' is not expected at this location"
    // userAssignedIdentities: { 
    //   '${DemoDataStorageUserIdentity.id}': {} // This works!
    // }
  }
  properties: {
    accessTier: 'Hot'
  }
}

Additional context

Deployment works when indirectly referencing the resource ID of the UAI.

ahelland commented 11 months ago

Seems to be in line with the docs and as expected: "Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here."

https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-bicep

Most resources use the pattern of supplying the identifiers for the identities, and not the identity object itself.
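As an added example (not part of this issue and not Bicep's own tooling), a small Python check over the ARM JSON that `bicep build` emits: it flags an identity block whose userAssignedIdentities is a reference() expression instead of a map keyed by identity resource IDs, and flags a storage account listing more than the one identity the quoted docs permit. The two template strings are constructed approximations of compiled output, not captured from the reporter's deployment.

```python
import json
import re

# A literal user-assigned identity resource ID, or an ARM expression string "[...]" as emitted by bicep build
UAI_ID_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                       r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.IGNORECASE)
ARM_EXPR_RE = re.compile(r"^\[.*\]$", re.DOTALL)


def check_identity_block(resource: dict) -> list:
    """Return findings for one ARM resource whose identity uses a user-assigned identity."""
    findings = []
    identity = resource.get("identity")
    if not isinstance(identity, dict) or "userassigned" not in identity.get("type", "").lower():
        return findings
    name = resource.get("name", "<unnamed>")
    uais = identity.get("userAssignedIdentities")
    if not isinstance(uais, dict):
        # The bug in the issue: passing the identity resource itself compiles to a reference() string
        got = "a reference() expression" if isinstance(uais, str) and "reference(" in uais else type(uais).__name__
        findings.append(f"{name}: userAssignedIdentities must be a map keyed by identity resource ID, got {got}")
        return findings
    for key in uais:
        if not (UAI_ID_RE.match(key) or ARM_EXPR_RE.match(key)):
            findings.append(f"{name}: key {key!r} is not a user-assigned identity resource ID")
    # Storage accounts accept exactly one user-assigned identity (per the docs quoted in the thread)
    if resource.get("type", "").lower() == "microsoft.storage/storageaccounts" and len(uais) > 1:
        findings.append(f"{name}: storage accounts permit only one user-assigned identity, found {len(uais)}")
    return findings


def check_template(template_json: str) -> list:
    """Run the check over every resource in a compiled ARM template (list or symbolic-name map form)."""
    resources = json.loads(template_json).get("resources", [])
    if isinstance(resources, dict):
        resources = list(resources.values())
    return [f for res in resources for f in check_identity_block(res)]


# Constructed approximations of what bicep build emits for the two variants in the issue (not captured output)
UAI_ID = "resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'demodatastore')"
BROKEN_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.Storage/storageAccounts", "name": "demodatastore",
    "identity": {"type": "UserAssigned",
                 "userAssignedIdentities": f"[reference({UAI_ID}, '2023-01-31', 'full')]"}}]})
FIXED_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.Storage/storageAccounts", "name": "demodatastore",
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {f"[{UAI_ID}]": {}}}}]})
```

Run `check_template` on the output of `bicep build --stdout` to catch this shape before a deployment attempt surfaces it as InvalidTemplate.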

subesokun commented 11 months ago

I see, but then maybe it's an issue with the Bicep linter? It didn't show me any error and suggested that I directly reference the UAI. The mentioned error is first thrown when trying to deploy it.

anthony-c-martin commented 11 months ago

This definitely looks like a gap in Bicep's type analysis to me.

ahelland commented 11 months ago

@anthony-c-martin This behavior seems to be the same for all resources that have an identity block, so I take it that's not RP specific and on a more generic level.