microsoftgraph / msgraph-bicep-types

Repo contains Microsoft Graph resource types to integrate with bicep templates.
MIT License

Can't find existing resource in template (containerApp) #178

Closed DavidMrLane closed 1 month ago

DavidMrLane commented 1 month ago

Bicep version: Bicep CLI version 0.30.23

Describe the bug: When validating this template I get the error below:

extension microsoftGraph

resource adminServiceApp 'Microsoft.App/containerApps@2023-05-01' existing = {
    name: 'ca-adminsvc'
}

var adminServiceAppRoleIds = [
    '09850681-111b-4a89-9bed-3f2cae46d706'
    '06b708a9-e830-4db3-a914-8e69da51d44f'
]

// Get the Resource Id of the Graph resource in the tenant
resource graphSpn 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
    appId: '00000003-0000-0000-c000-000000000000'
}

// Looping through the App Roles and assigning them to the Managed Identity
resource assignAdminServiceAppRole 'Microsoft.Graph/appRoleAssignedTo@v1.0' = [for appRole in adminServiceAppRoleIds: {
    appRoleId: appRole
    principalId: adminServiceApp.identity.principalId
    resourceId: graphSpn.id
}]

{"code": "InvalidTemplate", "message": "Deployment template validation failed: 'The resource 'Microsoft.App/containerApps/ca-adminsvc' is not defined in the template. Please see https://aka.ms/arm-syntax for usage details.'.", "additionalInfo": [{"type": "TemplateViolation", "info": {"lineNumber": 0, "linePosition": 0, "path": ""}}]}

Additional context: Instead of adding the container app so I could reference its system-assigned managed identity, I tried the role assignment to a resource userManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { and resource miSpn 'Microsoft.Graph/servicePrincipals@v1.0' existing = {, and that validated fine.

dkershaw10 commented 1 month ago

@DavidMrLane thanks for raising this issue. Just to make sure I understand - are you saying that this line principalId: adminServiceApp.identity.principalId is failing to resolve to the system assigned identity?

If you add an output statement like output sysAssignedMI string = adminServiceApp.identity.principalId does that resolve and output the SP's ID?

I'm trying to understand where the issue is.

DavidMrLane commented 1 month ago

I don't understand why, but adding the output allowed it to validate and then the template deployed successfully.

dkershaw10 commented 1 month ago

Does it fail if you remove the output statement, or continue to work? It's definitely weird behaviour. I might have said it was some replication delay issue across distributed systems, but then I wouldn't expect the failure during validation.

DavidMrLane commented 1 month ago

> Does it fail if you remove the output statement, or continue to work? It's definitely weird behaviour. I might have said it was some replication delay issue across distributed systems, but then I wouldn't expect the failure during validation.

Yes, after successfully applying, removing the output statement causes the template validation to fail again.

dkershaw10 commented 1 month ago

Closing this as a duplicate of #183. We'll track the investigation and fix there.