S-Wing

Reputation: 591

Wrong bicep scope in module

I've got two bicep files, main.bicep and webAppRoleAssignment.bicep

main.bicep

....
module webAppRoleAssignment 'webAppRoleAssignment.bicep' = {
  name: 'webAppRoleAssignment'
  scope: az.resourceGroup('123', 'rg-name')
  params: {
    containerRegistryName: containerRegistryName
    webAppIdentityId: webAppIdentity.id
    webAppIdentityPrincipalId: webAppIdentity.properties.principalId
  }
}

webAppRoleAssignment.bicep

@description('Role definition ID for the role ACRPull that is assigned to the UserAssignedIdentity')
resource acrPullRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
  scope: subscription()
  name: 'role_name'
}


@description('Existing Container Registry in the same Resource Group')
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
  scope: az.resourceGroup('123', 'rg-name')
  name: containerRegistryName
}


@description('ACRPull role assignment to the Container App User Assigned Identity. Needed to pull images from the Container Registry')
resource webAppRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: containerRegistry
  name: guid(containerRegistry.id, webAppIdentityId)
  properties: {
    principalId: webAppIdentityPrincipalId
    roleDefinitionId: acrPullRoleDefinition.id
    principalType: 'ServicePrincipal'
  }
}

When I try to run this command az bicep build --file .\main.bicep with the code above I get this error:

A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope.

The error points to the scope (containerRegistry) of the "webAppRoleAssignment" resource (webAppRoleAssignment.bicep).
BUT if I change the container registry resource (webAppRoleAssignment.bicep) like this:

@description('Existing Container Registry in the same Resource Group')
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
   scope: az.resourceGroup() //removed resource group id and sub name
   name: containerRegistryName
}

everything works!! And I do not understand why, because the scope pointed to by az.resourceGroup() or az.resourceGroup('123', 'rg-name') should be the same.

Any suggestions?

Upvotes: 0

Views: 180

Answers (1)

Vinay B

Reputation: 2401

Wrong bicep scope in module is due to scope differences.

When we use scope: az.resourceGroup(subID, RG name) in main.bicep for the webAppRoleAssignment module, all the resources inside the module are scoped to that same RG.

If scope: az.resourceGroup(subID, RG name) is defined inside webAppRoleAssignment.bicep, where you define the container registry, then the scope is explicitly within that same resource group. Whereas if you use scope: az.resourceGroup() inside webAppRoleAssignment.bicep, Bicep implicitly understands it to be the same resource group defined in the module scope. This unique scope works because it defaults to the module-level scope.

Based on the requirement if the scope matches for both the resources as we declared based

main.bicep:

param containerRegistryName string
param webAppIdentity object

module webAppRoleAssignment 'webAppRoleAssignment.bicep' = {
  name: 'webAppRoleAssignment'
  scope: resourceGroup('158b8345-xxxx-xxxx-xxxx-f21815dd048f', 'vkk-resources')
  params: {
    containerRegistryName: containerRegistryName
    webAppIdentityId: webAppIdentity.id
    webAppIdentityPrincipalId: webAppIdentity.properties.principalId
  }
}

webAppRoleAssignment.bicep:

param containerRegistryName string
param webAppIdentityId string
param webAppIdentityPrincipalId string


resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
  scope: resourceGroup()
  name: containerRegistryName
}


resource webAppRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: containerRegistry
  name: guid(containerRegistry.id, webAppIdentityId)
  properties: {
    principalId: webAppIdentityPrincipalId
    roleDefinitionId: '/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
    principalType: 'ServicePrincipal'
  }
}

Deployment succeeded:


Reference:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-scope

Upvotes: 0
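
An added example (not part of the question or the answer above): a reusable module file for the same AcrPull assignment that leaves `scope` off the `existing` registry, so the registry always resolves in whatever resource group the caller passes as the module's `scope`, including a resource group other than the one main.bicep deploys to. The file name, parameter names and output are assumptions made for this illustration; the role GUID is the one from the answer's roleDefinitionId.

```bicep
// acrPullAssignment.bicep (hypothetical file name for this added example)
// Called from main.bicep with the module's own scope set to the registry's
// resource group, as in the question:
//   scope: resourceGroup('<subscription-id>', '<registry-resource-group>')
targetScope = 'resourceGroup'

@description('Name of an existing registry in the resource group this module is deployed to')
param containerRegistryName string

@description('Principal (object) ID of the user-assigned identity that pulls images')
param principalId string

// Role GUID taken from the roleDefinitionId shown in the answer
var acrPullRoleGuid = '7f951dda-4ed3-4680-a7ca-43fe172d538d'

// Full role definition ID for the current subscription, so no subscription ID is hard-coded
var acrPullRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleGuid)

// No scope property: the registry is looked up in the module's own deployment scope,
// which keeps the role assignment below in the same scope as this file
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
  name: containerRegistryName
}

// Extension resource scoped to the single registry, not to the whole resource group
resource acrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: containerRegistry
  // Deterministic name: the same registry, principal and role always give the same GUID,
  // so redeploying updates the existing assignment instead of creating a duplicate
  name: guid(containerRegistry.id, principalId, acrPullRoleId)
  properties: {
    principalId: principalId
    roleDefinitionId: acrPullRoleId
    principalType: 'ServicePrincipal'
  }
}

output roleAssignmentId string = acrPull.id
```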
