Open anthony-c-martin opened 3 years ago
alex-frankel
commented
3 years ago Will we accept a literal resource ID string for foo.params.res here?
foo.bicep
param res resourcemain.bicep
module foo './foo.bicep' = {
name: ...
params: {
res: '/subscriptions/.../resourceGroups/.../microsoft.rp/type/...'
}
}
majastrz
commented
3 years ago My expectation would be for the string to be rejected because it's not a symbolic name. However, I think we do need some sort of interop gesture to bridge templates passing resource ID strings around with this way of passing parameters.
majastrz
commented
3 years ago @anthony-c-martin During our last discussion, we realized that API version match/mismatch semantics differ on inputs and outputs. I think it'd be worthwhile to explain more about for the community at large to offer feedback (if any).
In the generic resource case (note number 1), would we allow name and type property access as well? Just wondering... we can start small and add more later, of course.
Regarding code gen, we should consider moving some of the type safety down to the runtime so all tempaltes can leverage it. We could still compile down to a fully qualified resource ID but we could introduce a new parameter type in the JSON with some additional settings.
alex-frankel
commented
3 years ago My expectation would be for the string to be rejected because it's not a symbolic name.
Right, but then this would have to work I guess? So if you need to pass in a resource ID from an external source, you would expose that as a param of type resource.
params.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"foo": {
"value": "/subscriptions/.../resourceGroups/.../microsoft.rp/type/..."
}
}
}main.bicep
param foo resource
module foo './foo.bicep' = {
name: ...
params: {
res: foo
}
}az deployment group create -f ./main.bicep -p params.json
miqm
commented
3 years ago My expectation would be for the string to be rejected because it's not a symbolic name.
Right, but then this would have to work I guess? So if you need to pass in a resource ID from an external source, you would expose that as a
paramof typeresource.params.json
{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { "foo": { "value": "/subscriptions/.../resourceGroups/.../microsoft.rp/type/..." } } }main.bicep
param foo resource module foo './foo.bicep' = { name: ... params: { res: foo } }az deployment group create -f ./main.bicep -p params.json
in some other issue I've suggested using as keyword that could be used to cast string that we expect to be a resourceid to a biceps resource. perhaps worth revisiting that?
majastrz
commented
3 years ago @alex-frankel Yeah passing it through parameters would have to work. We do have to answer the question whether we need the ability to turn a string ID into a symbolic name within a Bicep file without the use of parameters. One scenario I can think of comes up with referencing a JSON file as a module (when we have the feature) when the template outputs a string resource ID.
@miqm Yeah as could be an option although we have so far resisted adding type casting so far. All the type conversions currently are done through converter functions like any() or string(). Another option would be a separate function or a resource() overload that accepts a string ID
anthony-c-martin
commented
3 years ago My expectation would be for the string to be rejected because it's not a symbolic name.
Right, but then this would have to work I guess? So if you need to pass in a resource ID from an external source, you would expose that as a
paramof typeresource.
This is definitely a scenario we'll need to handle, and I think we have the options of either (with some rough examples):
"parameters": {
"vmResource": {
"type": "string"
}
}"parameters": {
"vmResource": {
"type": "resource"
}
}"parameters": {
"vmResource": {
"type": "string",
"metadata": {
"_typeinfo": {
"resourceType": "Microsoft.Compute/virtualMachines"
}
}
}
}@alex-frankel Yeah passing it through parameters would have to work. We do have to answer the question whether we need the ability to turn a string ID into a symbolic name within a Bicep file without the use of parameters. One scenario I can think of comes up with referencing a JSON file as a module (when we have the feature) when the template outputs a string resource ID.
It makes sense to think about this, but for the purposes of this specific proposal, I'd like to treat turning a resourceId in a string into a symbolic reference out-of-scope. Would you be OK with me creating another issue specifically for that, and adding a note to this proposal to mention as such?
majastrz
commented
3 years ago Should be ok to include it in part 3.
miqm
commented
3 years ago I like Passing type in metadata rather than introducing new type. In addition we could do object or array typing in similar way.
anthony-c-martin
commented
3 years ago Will we accept a literal resource ID string for
foo.params.reshere?
@alex-frankel, @majastrz - FYI, I added a note to explicitly mention this scenario is not covered by this proposal.
jamesongithub
commented
3 years ago Will this proposal cover passing a resource directly as a parameter of another resource or just for module input/outputs
something like
resource disk 'disks' {
...
}
resource vm 'vms' {
osDisk: disk
}Will this proposal cover passing a resource directly as a parameter of another resource or just for module input/outputs
This proposal is just covering module inputs/outputs.
stan-sz
commented
3 years ago As in #2163 the output of a module can contain secrets (e.g. output of a list*) function to store it's value in a KV. Is it planed to introduce secureString or secureObject (or other way to hide secrets) from module output?
rynowak
commented
3 years ago @anthony-c-martin - any ideas about how this would work for a resource with a discriminator field? (likely kind) property?
SeidChr
commented
2 years ago Just another suggestion:
I can access my module outputs by
<modulename>.outputs.<outputname>
I would love to access my module resources (fully type-safe of cause) by
<modulename>.resources.<outputname>
The Idea brings up a question: Should all top level module elements be accessible in this way?
Wouldn't it be nice to access <modulename>.modules.<modulename>.resources.<resourcename>.properties.<propertyname>?
ptemmer
commented
2 years ago Apologies as this is not the most appropriate place to ask, however this proposal would be a possible solution to my question, nonetheless as this feature hasn't been released yet, I'm wondering what the current most appropriate way is to achieve the following:
Say: main.bicep:
module rAppservice 'appService.bicep' = {
name: appServiceName
params: {
appServiceName: appServiceName
}
resource vnetintegration 'Microsoft.Web/sites/networkConfig@2021-02-01' = {
name: 'vnetintegration'
parent: XXXXXXX
}I cannot specify the module symbolic name as a parent as that is not a resource. Currently what I am doing is the following, however this feels wrong.
module rAppservice 'appService.bicep' = {
name: appServiceName
params: {
appServiceName: appServiceName
}
}
resource existingAppService 'Microsoft.Web/sites@2021-02-01' existing = {
name: appServiceName
}
resource vnetintegration 'Microsoft.Web/sites/networkConfig@2021-02-01' = {
name: 'vnetintegration'
parent: existingAppService
}@ptemmer your workaround looks like the best option that's currently available. The only thing to be careful with is to order the dependencies so that the networkConfig resource gets deployed after the module:
module rAppservice 'appService.bicep' = {
name: appServiceName
params: {
appServiceName: appServiceName
}
}
resource existingAppService 'Microsoft.Web/sites@2021-02-01' existing = {
name: appServiceName
}
resource vnetintegration 'Microsoft.Web/sites/networkConfig@2021-02-01' = {
name: 'vnetintegration'
parent: existingAppService
dependsOn: [
rAppservice
]
}Thanks @anthony-c-martin for the super quick reply. Good to know that workaround is ok, as I honestly had the feeling I wasn't using Bicep as it should be. I guess the current proposal will solve this altogether.
Off-topic: I'm starting out with Bicep so I due regularly run into these kind of issues/doubts. What is the best place to ask questions? This repo? Or is there a Slack bicep community? (wasn't able to find one).
Thanks again.
anthony-c-martin
commented
2 years ago @ptemmer - this repo is the best place to go. https://github.com/Azure/bicep/discussions is a good place to ask questions such as "What's the best way to do XYZ?" or for help with specific scenarios.
thealanagrace
commented
2 years ago Is there an ETA on this functionality? It would really help me make my deployment scripts so much sleeker!
alex-frankel
commented
2 years ago We are trying to get an initial implementation done in the next few months.
rouke-broersma
commented
2 years ago @alex-frankel
Parameter resources cannot be used with the .parent or .scope properties because it would allow you to bypass scope validation easily. The set of cases that we could actually provide validation for these use cases are really limited.
This is one of the use cases we would very much want to use this for, especially scope because of Authorization on resources. Is there a different issue for this use case or is this never going to be solved? I personally wouldn't consider this fixed until we can at least use resource params for scope.
rynowak
commented
2 years ago The first step of this (all the disruptive changes) are in but hidden behind an experimental flag. I plan to continue making progress on all of the scenarios described here and will keep this issue open until we're totally unblocked.
johndowns
commented
2 years ago @rynowak Awesome - is it possible to give some instructions on how to enable the experimental flag if we want to try some of this out now?
rynowak
commented
2 years ago Set the environment variable BICEP_RESOURCE_TYPED_PARAMS_AND_OUTPUTS_EXPERIMENTAL=true
I'd recommend also reading the PR description before trying this out https://github.com/Azure/bicep/pull/4971
Some of the scenarios described in this issue are explicitly blocked by the compiler at this stage. We've also run into limitations enforced by the deployment engine using resources as module outputs. That will require changes in Azure to unblock.
bgawale
commented
2 years ago Very much looking forward for this feature to be available, deployments would be much more simpler.
xavierjohn
commented
2 years ago If I had a module named west2 and it had two resources name myStorage and myEventHubNamespace, would using a . format be more natural? As a programmer in several languages, the natural format for me would be to use west2.mtStorage and west2.myEventHubNamespace without having to deal with module output.
ds-evo
commented
2 years ago Hello,
i just tried to set the resource param to null.
But this didn't work.
To reduce duplicate code i tried this:
param app_res resource 'Microsoft.Web/sites@2021-03-01' = any(null)
param app_slot_res resource 'Microsoft.Web/sites/slots@2021-03-01' = any(null)
param appIsSlot bool = app_res == null
var _res = (!appIsSlot) ? app_res : app_slot_res
@secure()
param cfg_conn object
@secure()
param cfg_app object
resource appConnStrs 'Microsoft.Web/sites/config@2021-01-15' = {
parent: _res
name: 'connectionstrings'
properties: cfg_conn
}
resource appSettings 'Microsoft.Web/sites/config@2021-01-15' = {
parent: _res
name: 'appsettings'
properties: cfg_app
}But then i get this error:
Error BCP036: The property "parent" expected a value of type "Microsoft.Web/sites" but the provided value is of type "Microsoft.Web/sites/slots@2021-03-01 | Microsoft.Web/sites@2021-03-01"
There are so many cases, where i think i need to use a template language to auto-generate bicep files, only to get a generic solution.
And, i start to think, that the Rest-Api with a good ORM is more flexible and easier then bicep or ARM
ds-evo
commented
2 years ago UPDATE:
The above code has logic error - so rewrite it to this.
param app_res resource 'Microsoft.Web/sites@2021-03-01' = any(null)
param app_slot_res resource 'Microsoft.Web/sites/slots@2021-03-01' = any(null)
param appIsSlot bool = app_res != null
@secure()
param cfg_conn object
@secure()
param cfg_app object
resource appSlotConnStrs 'Microsoft.Web/sites/slots/config@2021-01-15' = if (appIsSlot) {
parent: app_slot_res
name: 'connectionstrings'
properties: cfg_conn
}
resource appSlotSettings 'Microsoft.Web/sites/slots/config@2021-01-15' = if (appIsSlot) {
parent: app_slot_res
name: 'appsettings'
properties: cfg_app
}
resource appConnStrs 'Microsoft.Web/sites/config@2021-01-15' = if (!appIsSlot) {
parent: app_res
name: 'connectionstrings'
properties: cfg_conn
}
resource appSettings 'Microsoft.Web/sites/config@2021-01-15' = if (!appIsSlot) {
parent: app_res
name: 'appsettings'
properties: cfg_app
}Now i get: Error BCP229: The parameter "app_slot_res" cannot be used as a resource scope or parent. Resources passed as parameters cannot be used as a scope or parent of a resource.
This is my Solution for this problem. I ended with two modules, with same parameters and nearly same code....
module appCfgReal '../../../app/app_cfg_sets.real.bicep' = if (!dryRun && !appIsSlot) {
name: '${appName}-appCfg-real-mod'
params: {
app: app
cfg_conn: cfg_conn
cfg_app: cfg_app
}
}
module appCfgSlotReal '../../../app/app_cfg_sets.real.slots.bicep' = if (!dryRun && appIsSlot) {
name: '${appName}-appCfg-real-slot-mod'
params: {
app: app
cfg_conn: cfg_conn
cfg_app: cfg_app
}
}PS: And it would be nice, if string interpolation in resource types would work.
Devvox93
commented
2 years ago We've also run into limitations enforced by the deployment engine using resources as module outputs. That will require changes in Azure to unblock.
Is there any update or roadmap on when passing resources as module outputs would be supported by Azure? Or is this something that will remain unsupported?
Very eager to use this as, like others have mentioned, it would greatly simplify authoring modules :)
stan-sz
commented
2 years ago How about (re)using the existing syntax for params:
param resource storageAcc 'Microsoft.Storage/storageAccounts@2021-01-01' existingor
param storageAcc resource 'Microsoft.Storage/storageAccounts@2021-01-01' existingIn the first snippet, the resource and storageAcc are flipped to preserve the resource syntax. The second snippet follows the param <symbol name> <type>.
Semantically this would behave the same as resource reference, because a resource passed into a module needs to exist, so param would just be an indicator that it's a parameter.
dazinator
commented
1 year ago Just tried the experimental feature.
It wasn't useful for my case, as it doesn't support declaring resource paramaters of any type, and setting the scope property for a resource e.g this won't work
param scope resource // can't pass an untyped resurce which is what `scope` needs below.
var roleAssignmentName = 'some-name'
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: roleAssignmentName
scope: resource // can't set this
properties: {
roleDefinitionId: roleDefinitionResourceId
principalId: userAssignedIdentity.properties.principalId
principalType: 'ServicePrincipal'
description: empty(roleAssignmentDescription) ? null : ''
}
}
as such I am unable to modularise this code, however role assignments are quite common accross our deployments, and there is value in ensuring things like the unique name of the assignment uses a guid based on principal id, scope id, and role definition id etc.
jangelfdez
commented
1 year ago I just hit the same situation that @dazinator mentions in his reply. Trying to modularize roleassignments into an independent module to be reused with different type of assignment levels.
Being able to pass a generic resource would be needed in this case to cover all the different scenarios.
asdkant-bf
commented
1 year ago After reading all the comments here, there's something I'm still not clear on:
Assuming I have a module that creates one or more resources, will I be able to pass those resources as outputs?
alex-frankel
commented
1 year ago After reading all the comments here, there's something I'm still not clear on:
Assuming I have a module that creates one or more resources, will I be able to pass those resources as outputs?
Yes, you will be able to write
resource foo '...' = { ... }
output myResource resource = foo
housten
commented
1 year ago I am also really wanting to be able to have a generic role assignment module. I want to be able to pass multiple roles so I was trying to put the creation of the roles in a module and while breaking it out it makes sense to let it fulfill multiple purposes so I can lower the published module maintenance overhead.
For my part, this need could be met by being able to set the scope of a module to the resource it should attach to. I am not so interested in being able to receive these as outputs.
@description('Name of the queue')
param QueueName string
@description('A list of rbac settings to create')
param Rbac array
resource queue 'Microsoft.ServiceBus/namespaces/queues@2021-06-01-preview' = {
name: QueueName
properties: {
deadLetteringOnMessageExpiration: false
enableBatchedOperations: true
enablePartitioning: false
}
}
module roleAssignment 'br:mybicepregistry.azurecr.io/role:1.0' = [for rbac in Rbac: {
scope: queue
name: rbac.principleId
params: {
roles: rbac.roles
principalId: rbac.principalId
principalType: rbac.principalType
targetRoleId: queue.id // for naming
}
} ]This was the first thing I tried when I broke the role out to a module but got the error that scope for a module has to be a resource group or a subscription. Syntactically I like this because it matches the syntax for creating the resource at this level (ie without a module).
The ARM json work around #5805 was a nice idea, but then each repo would have to have its own json as I am using a bicep registry for all the modules, which I assume can't hold a json template file. It presents a nightmare maintenance-wise having lots of json templates to have to fix and a technical understanding of the file that I am trying encapsulate away for the users (or blind acceptance that a file has to be in their repo and shouldn't be fiddled with).
BartDecker
commented
1 year ago @housten scanning your post quickly I think you might want to look at the examples given in: https://github.com/Azure/bicep/issues/7621
housten
commented
1 year ago @housten scanning your post quickly I think you might want to look at the examples given in: #7621
Thanks @BartDecker. In my last paragraph I mention the ARM template work around and why I didn't think it was a good fit. To avoid having to have arm templates in every repository, I would rather have specific modules for each type of role target. Unless there is a way to put arm templates into the bicep registry?
cloudlene
commented
4 months ago I was trying to build a generic role assignment module.
I don't understand why we need provider & the API Version when the resource passed must be a symbolic name in parent modules.
param principalId string
param principalType string
param roleNames string[]
param targetResourceId string
// Runs a shell script that creates a query from the roleNames passed: az role definition list --query "roleName == 'Key Vault Reader' || roleName == 'Key Vault Secrets Officer'"
module lookupRoles 'lookup-roles.bicep' = {
name: 'lookupRoles'
params: {
location: location
roleNames: roleNames
nameSuffixShort: nameSuffixShort
}
}
var roleIds = lookupRoles.outputs.roleIds
resource roleDefinitions 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = [for roleId in roleIds : {
scope: resource(targetResourceId) // Or Make reference(targetResourceId) return a resource type instead of object
name: roleId
}]
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for i in range(0, length(roleIds)):{
name: guid(string(i), roleDefinitions[i].id)
properties: {
principalId: principalId
roleDefinitionId: roleDefinitions[i].id
principalType: principalType
}
}]// Option 2: role-assignments.bicep
param principalId string
param principalType string
param roleNames string[]
// Notice no need for type or version
param targetResource resource
// Runs a shell script that creates a query from the roleNames passed: az role definition list --query "roleName == 'Key Vault Reader' || roleName == 'Key Vault Secrets Officer'"
module lookupRoles 'lookup-roles.bicep' = {
name: 'lookupRoles'
params: {
location: location
roleNames: roleNames
nameSuffixShort: nameSuffixShort
}
}
var roleIds = lookupRoles.outputs.roleIds
resource roleDefinitions 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = [for roleId in roleIds : {
scope: targetResource
name: roleId
}]
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for i in range(0, length(roleIds)):{
name: guid(string(i), roleDefinitions[i].id)
properties: {
principalId: principalId
roleDefinitionId: roleDefinitions[i].id
principalType: principalType
}
}]When it's already allowed that any resource can be passed to the scope property of the roleDefinitions, it's only logical to expect a parameter that can accept ANY resource not just ones that are statically typed to a specific provider & version.
Proposal - simplifying
resourcereferencing (part 2)Part 1 / Part 2
Problem statement
Passing around / obtaining references to resources in a type-safe manner is overly complex. Rather than inventing non-type-safe mechanisms to refer to resources or resource properties, we should provide a first-class syntax for doing so, with full type-safety and editor support.
Resources as params and outputs
A new type of
resourcewill be accepted inparamandoutputdeclarations to permit passing a reference to a resource as an input or output for a module. Supplying the type string for the resource would be optional, but functionality would be greatly reduced without it.At compile-time, Bicep will type check for reference equality - it will ensure a valid resource reference is passed to a generic resource param, and it will ensure that a valid resource reference matching the expected type string is passed to a typed resource param.
Examples
Generic
Input/Output
Property access
Notes
idproperty. We want to encourage module authors to be specific about the type they accept to provide optimal type safety.Out of scope
Codegen
The most straightforward option for JSON codegen is to generate a string parameter or output in the template JSON, with some associated metadata.