Language version 2 requires permissions on existing resources

[slavizh]

Bicep version Bicep CLI version 0.26.170 (e9abaf16a5)

Describe the bug I have logged this as a bug but could be a feature that is needed. It seems that when using language version 2 permissions are required on the resources. Most likely for 99% of the cases that is fine but I have stumbled on the following scenario:

• We have bicep template for creating subscription aliases for EA subscriptions
• Subscription alias requires reference enrollment account. The enrollment account is child resource of billing account.
• In order to deploy Bicep template with language version 2 you need permissions on both enrollment account and the billing account.
• When using API you only need permissions on the enrollment account but not on the billing account.
• It is best practice to use existing syntax for both the billing and enrollment account
• When you do not have access to the billing account the template will fail not having permissions on it.
• It is also unclear what kind of EA role you need to have in order to have access to the billing account https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/assign-roles-azure-service-principals#permissions-that-can-be-assigned-to-the-service-principal but overall it should not be needed as the API does not require it.

Overall I think that is good that access is checked for existing resources but I believe that for some cases you need to have some capability where you do not want to do that but still to use the existing syntax which is the standard. Below I think is the minimum template to reproduce it although I think the description is clear.

I think that this issue could be related to this https://github.com/Azure/bicep/issues/13555 as there we have discussed having additional capabilities for existing syntax in certain scenarios.

It is possible to have some underneath implementation where the language v2 syntax for existing resources when compiled is used only for the child resource and not for the parent that is of course if the parent is only referenced in the child and not other place in the code. Of course that is currently only my thinking of one possible way.

To Reproduce

targetScope = 'managementGroup'

type stringType = string

param billingAccountName stringType 
param enrollmentAccountName stringType 

resource billingAccount 'Microsoft.Billing/billingAccounts@2020-05-01' existing = {
  name: billingAccountName
  scope: tenant()
}

resource enrollmentAccount 'Microsoft.Billing/billingAccounts/enrollmentAccounts@2019-10-01-preview' existing = {
  name: enrollmentAccountName
  parent: billingAccount
}

resource subscriptionAlias 'Microsoft.Subscription/aliases@2021-10-01' = {
  name: 'alias'
  scope: tenant()
  properties: {
    displayName: 'subA'
    workload: 'Production'
    billingScope: enrollmentAccount.id
  }
}

Additional context Add any other context about the problem here.

[stephaniezyen]

This will be solved by #13674