Microsoft.DevCenter/devcenters encryption does not allow reference

slavizh commented 5 days ago

Bicep version Bicep CLI version 0.30.23 (ec3612efc7)

Describe the bug For some reason Microsoft.DevCenter/devcenters does not allow referencing key URIs of existing resources. It fails even before the deployment is started with error: Validation failed for 'Microsoft.DevCenter/devcenters'.

To Reproduce This template works:

param devCenter object

resource encryptionKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = if (!empty(devCenter.encryption.keyVault.name)) {
  name: devCenter.encryption.keyVault.name
  scope: resourceGroup(devCenter.encryption.keyVault.subscriptionId, devCenter.encryption.keyVault.resourceGroup)
}

resource encryptionKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2024-04-01-preview' existing = if (!empty(devCenter.encryption.keyVault.keyName)) {
  name: devCenter.encryption.keyVault.keyName
  parent: encryptionKeyVault
}

resource encryptionKeyVaultKeyVersion 'Microsoft.KeyVault/vaults/keys/versions@2024-04-01-preview' existing = if (!empty(devCenter.encryption.keyVault.keyVersion)) {
  name: devCenter.encryption.keyVault.keyVersion
  parent: encryptionKeyVaultKey
}

resource encryptionIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = if (!empty(devCenter.encryption.identity.name)) {
  name: devCenter.encryption.identity.name
  scope: resourceGroup(devCenter.encryption.identity.subscriptionId, devCenter.encryption.identity.resourceGroup)
}

resource devCenterRes 'Microsoft.DevCenter/devcenters@2024-08-01-preview' = {
  name: devCenter.name
  location: resourceGroup().location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${encryptionIdentity.id}': {}
    }
  }
  properties: {
    encryption: {
      customerManagedKeyEncryption: {
        keyEncryptionKeyIdentity: {
          userAssignedIdentityResourceId: encryptionIdentity.id
          identityType: 'userAssignedIdentity'
        }
        keyEncryptionKeyUrl: !empty(devCenter.encryption.keyVault.keyVersion)
          ? 'https://${encryptionKeyVault.name}${environment().suffixes.keyvaultDns}/keys/${encryptionKeyVaultKey.name}/${encryptionKeyVaultKeyVersion.name}'
          : 'https://${encryptionKeyVault.name}${environment().suffixes.keyvaultDns}/keys/${encryptionKeyVaultKey.name}'
      }
    }
  }
}

but if I try to use reference I get error as described:

param devCenter object

resource encryptionKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = if (!empty(devCenter.encryption.keyVault.name)) {
  name: devCenter.encryption.keyVault.name
  scope: resourceGroup(devCenter.encryption.keyVault.subscriptionId, devCenter.encryption.keyVault.resourceGroup)
}

resource encryptionKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2024-04-01-preview' existing = if (!empty(devCenter.encryption.keyVault.keyName)) {
  name: devCenter.encryption.keyVault.keyName
  parent: encryptionKeyVault
}

resource encryptionKeyVaultKeyVersion 'Microsoft.KeyVault/vaults/keys/versions@2024-04-01-preview' existing = if (!empty(devCenter.encryption.keyVault.keyVersion)) {
  name: devCenter.encryption.keyVault.keyVersion
  parent: encryptionKeyVaultKey
}

resource encryptionIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = if (!empty(devCenter.encryption.identity.name)) {
  name: devCenter.encryption.identity.name
  scope: resourceGroup(devCenter.encryption.identity.subscriptionId, devCenter.encryption.identity.resourceGroup)
}

resource devCenterRes 'Microsoft.DevCenter/devcenters@2024-08-01-preview' = {
  name: devCenter.name
  location: resourceGroup().location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${encryptionIdentity.id}': {}
    }
  }
  properties: {
    encryption: {
      customerManagedKeyEncryption: {
        keyEncryptionKeyIdentity: {
          userAssignedIdentityResourceId: encryptionIdentity.id
          identityType: 'userAssignedIdentity'
        }
        keyEncryptionKeyUrl: !empty(devCenter.encryption.keyVault.keyVersion)
          ? encryptionKeyVaultKeyVersion.properties.keyUri
          : encryptionKeyVaultKey.properties.keyUri
      }
    }
  }
}

Additional context Add any other context about the problem here.

slavizh commented 4 days ago

Same issue with the child Microsoft.DevCenter/devcenters/catalogs@2024-08-01-preview and secretIdentifier property there.

slavizh commented 4 days ago

I wonder could this be some ARM issue that recently appear or some issue in latest Bicep CLI that we have not noticed so far?

alex-frankel commented 3 days ago

This seems like an incorrect preflight implementation that is improperly validating Template Language Expressions. @stephaniezyen can we route this to the Dev Center team?

Azure / bicep

Microsoft.DevCenter/devcenters encryption does not allow reference #15328