bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Bicep Parsing Error: union() in resource deployment #6142

Open svwie opened 6 months ago

svwie commented 6 months ago

When using the union() function to join objects in a resource deployment, it causes a parsing error.

Using the function in a variable will work just fine, e.g.:

var unionObject = union( { property1: value }, { property2: value} )

The function will cause a parsing error when used inside a resource deployment. Example from Azure CARML:

resource applicationGateway 'Microsoft.Network/applicationGateways@2023-04-01' = {
  name: name
  location: location
  tags: tags
  identity: identity
  properties: union({
      authenticationCertificates: authenticationCertificates
      autoscaleConfiguration: autoscaleMaxCapacity > 0 && autoscaleMinCapacity >= 0 ? {
        maxCapacity: autoscaleMaxCapacity
        minCapacity: autoscaleMinCapacity
      } : null
      backendAddressPools: backendAddressPools
      backendHttpSettingsCollection: backendHttpSettingsCollection
      backendSettingsCollection: backendSettingsCollection
      customErrorConfigurations: customErrorConfigurations
      enableHttp2: enableHttp2
      firewallPolicy: !empty(firewallPolicyId) ? {
        id: firewallPolicyId
      } : null
      forceFirewallPolicyAssociation: !empty(firewallPolicyId)
      frontendIPConfigurations: frontendIPConfigurations
      frontendPorts: frontendPorts
      gatewayIPConfigurations: gatewayIPConfigurations
      globalConfiguration: endsWith(sku, 'v2') ? {
        enableRequestBuffering: enableRequestBuffering
        enableResponseBuffering: enableResponseBuffering
      } : null
      httpListeners: httpListeners
      loadDistributionPolicies: loadDistributionPolicies
      listeners: listeners
      privateLinkConfigurations: privateLinkConfigurations
      probes: probes
      redirectConfigurations: redirectConfigurations
      requestRoutingRules: requestRoutingRules
      routingRules: routingRules
      rewriteRuleSets: rewriteRuleSets
      sku: {
        name: sku
        tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_'))
        capacity: autoscaleMaxCapacity > 0 && autoscaleMinCapacity >= 0 ? null : capacity
      }
      sslCertificates: sslCertificates
      sslPolicy: sslPolicyType != 'Predefined' ? {
        cipherSuites: sslPolicyCipherSuites
        minProtocolVersion: sslPolicyMinProtocolVersion
        policyName: empty(sslPolicyName) ? null : sslPolicyName
        policyType: sslPolicyType
      } : {
        policyName: empty(sslPolicyName) ? null : sslPolicyName
        policyType: sslPolicyType
      }
      sslProfiles: sslProfiles
      trustedClientCertificates: trustedClientCertificates
      trustedRootCertificates: trustedRootCertificates
      urlPathMaps: urlPathMaps
    }, (enableFips ? {
      enableFips: enableFips
    } : {}),
    (!empty(webApplicationFirewallConfiguration) ? { webApplicationFirewallConfiguration: webApplicationFirewallConfiguration } : {})
  )
  zones: zones
}

When union() is removed, it will not cause any parsing errors.

Union needs to be used on applicationGateways deployments due to an issue with "enableFips". This property can only be provided if the selected SKU supports FIPS. The property needs to be evaluated at runtime and provided if enabled and omitted completely when disabled.
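A file Checkov cannot parse is never evaluated, so the sslPolicy and other settings of the resource above go unchecked without the scan itself failing. The following is an added example (not code from the issue or from Checkov) of a CI gate over Checkov's JSON report; it assumes the report shape written by `checkov -o json` (one report object, or a list when several frameworks run) with the unparsed files listed under `results.parsing_errors` and a `summary.resource_count`, and the report content below is constructed.

```python
"""Fail a CI step when a Checkov JSON report contains parsing errors.

Assumed report layout (from `checkov -f main.bicep --framework bicep -o json`):
one report object, or a list of them, each with results.parsing_errors (list of
file paths Checkov could not parse) and summary.resource_count.
"""
import json
from typing import Any


def _reports(report_json: str) -> list[dict[str, Any]]:
    """Normalise single-report and multi-report output to a list."""
    data = json.loads(report_json)
    return data if isinstance(data, list) else [data]


def parse_failures(report_json: str) -> list[str]:
    """Return every file Checkov reported as unparsed (and so unscanned)."""
    failures: list[str] = []
    for report in _reports(report_json):
        results = report.get("results", {})
        failures.extend(str(path) for path in results.get("parsing_errors", []))
    return failures


def gate(report_json: str, min_resources: int = 1) -> tuple[bool, str]:
    """Pass only if nothing failed to parse and enough resources were evaluated."""
    failures = parse_failures(report_json)
    if failures:
        return False, "unparsed files (never scanned): " + ", ".join(failures)
    seen = sum(r.get("summary", {}).get("resource_count", 0)
               for r in _reports(report_json))
    if seen < min_resources:
        return False, f"only {seen} resources evaluated, expected >= {min_resources}"
    return True, f"{seen} resources evaluated, no parsing errors"


# Constructed sample: the outcome for a module whose resource body uses union().
SAMPLE_REPORT = json.dumps({
    "check_type": "bicep",
    "results": {"passed_checks": [], "failed_checks": [], "skipped_checks": [],
                "parsing_errors": ["/src/main.bicep"]},
    "summary": {"passed": 0, "failed": 0, "skipped": 0, "parsing_errors": 1,
                "resource_count": 0},
})

if __name__ == "__main__":
    ok, message = gate(SAMPLE_REPORT)
    print(("PASS: " if ok else "FAIL: ") + message)
    raise SystemExit(0 if ok else 1)
```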

stale[bot] commented 2 weeks ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com. Thanks!