Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License

Custom decorators #2922

Open tsujp opened 3 years ago

tsujp commented 3 years ago

Is your feature request related to a problem? Please describe.

Current decorators provide basic restriction over parameters but more advanced decorators are required to prevent separation of concerns over resource requirements. Example:

adminPassword on Microsoft.Compute/VirtualMachines has the following requirements:

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" 

The only thing you can currently do in a Bicep template is verify the minimum and maximum length with @minLength() and @maxLength().

If more default decorators existed to verify regex or custom decorators were possible then checks could be made pre-deployment on the requirements of the password in this case.

Describe the solution you'd like

User defined functions accessible as decorators might be the sole solution, relevant issues:

tsujp commented 3 years ago

@alex-frankel I really, really like that the milestone is called "Not as fast as you would like". I'm definitely yoinking that :laughing:

michael-crawford commented 2 years ago

Coming from the perspective of a longtime AWS CloudFormation and Terraform author now starting to use bicep - this type of password complexity validation can be achieved with a regular expression, as I've seen it done in these other tools.

So, what I think is really missing - like a SERIOUS design omission - is to have a regular expression based validation for parameters. This should have full support for all regex features, including backwards and forward references. It should support the PCRE2 standard as can be validated here: https://regex101.com

I noticed another open issue to validate IP addresses and CIDRs, while looking to see if regex validation was an existing open issue. This is also something that can be done easily using regular expressions.

Given that this feature has been in CloudFormation templates, first JSON, then YAML, for at least 5 years that I'm personally aware of, it's sort of incredible - a glaring omission which surprised me - that this basic feature is not yet in bicep and arm. Please consider adding it, as it's incredibly useful in both preventing use of incorrect values, but also in precisely describing what values are allowed in a way beyond what's often possible to easily describe in words.

For example, I want to have a startDate parameter with the value entered as 'YYYY-MM-DD' - the fact I can't validate this simple pattern with a message to the user if they don't enter it correctly, is really surprising for a mature IaC template tool.
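A pre-deployment check of the kind this thread asks for, as an added Python example (not code from the thread or from the Bicep project): it applies the adminPassword rules quoted in the issue and the 'YYYY-MM-DD' pattern for the startDate parameter to a parameters document before anything is deployed. The function names and the sample document are constructed for illustration; the ASCII character classes and the exact-match comparison against the disallowed list are assumptions.

```python
import json
import re
from datetime import date

# Disallowed adminPassword values, copied from the list in the issue.
DISALLOWED = {"abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word",
              "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"}

# The four character classes; the "special" regex is the one quoted in the issue.
CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]", "special": r"[\W_]"}

def check_admin_password(value):
    """Return a list of problems; messages never echo the secret itself."""
    problems = []
    if value in DISALLOWED:
        problems.append("value is on the disallowed list")
    met = [name for name, rx in CLASSES.items() if re.search(rx, value)]
    if len(met) < 3:
        problems.append(f"only {len(met)} of 4 character classes present: {met}")
    return problems

def check_start_date(value):
    """Enforce 'YYYY-MM-DD' and reject impossible dates such as 2024-02-30."""
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", value):
        return ["expected format YYYY-MM-DD"]
    try:
        date.fromisoformat(value)
    except ValueError:
        return ["not a real calendar date"]
    return []

CHECKS = {"adminPassword": check_admin_password, "startDate": check_start_date}

def validate_parameters(parameters_json):
    """Check an ARM-style parameters document; return {name: [problems]}."""
    params = json.loads(parameters_json)["parameters"]
    report = {name: check(params[name]["value"])
              for name, check in CHECKS.items() if name in params}
    return {name: problems for name, problems in report.items() if problems}

# Constructed sample input, not taken from the issue thread.
SAMPLE = json.dumps({"parameters": {"adminPassword": {"value": "Password1"},
                                    "startDate": {"value": "2024-02-30"}}})

if __name__ == "__main__":
    print(validate_parameters(SAMPLE))
```

"Password1" satisfies three of the four character classes and is caught only by the disallowed list, which is why both checks are needed.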