Conditionally define module scope not working.

[cloudyjobin]

Bicep version
Bicep CLI version 0.30.3 (2f0e78d)

Describe the bug
I want to define the scope for a module conditionally based on the subscriptionId and rgName parameters. If both subscriptionId and rgName are defined, the scope should be resourceGroup(subscriptionId, rgName). If only rgName is defined, the scope should be resourceGroup(rgName). If neither parameter is defined, use the current scope, which is resourceGroup().
The below code should work but for some reason it is not. I returns the deployment scope resource group instead of provided subscriptionId and rgName parameters. I noticed a similar issue #7367 and a workaround is provided there but that is with only one paramater. Is ther a way to pass both subscriptionID and rgName as parameters, when the scope is in a different subscription.

To Reproduce
param subscription string = 'xxx-xxx-xxx-xx-x-xx'
param rgname string = 'test-rg'

resource vmexists 'Microsoft.ScVmm/virtualMachines@2023-04-01-preview' existing = {
name: 'test-vm'
scope: empty(subscription) && empty(rgname) ? resourceGroup() : empty(subscription) ? resourceGroup(rgname) : resourceGroup(subscription,rgname)
}

output resourceId string = vmexists.id

[GABRIELNGBTUC]

Scopes must be constant at compile time so what is happening is that the first clause of your conditional is used at compile time.

Since what you want is "Use the current subscription/resource group if they are not specified", you can simply use the last clause of your condition for the scope.

param subscriptionId string = subscription().subscriptionId
param resourceGroupName string = resourceGroup().name

module mod 'nsg.bicep' = {
  name: guidId
  scope: resourceGroup(subscriptionId, resourceGroupName)
  params: {
    Location: resourceGroup().location
    NsgName: ''
    SecurityRules: [
      
    ] 
  }
}

• If you do not specify any parameters => The current subscription and resource group is used
• If you specify the subscription => The subscription is used targeting a resource group with the same name as the one used by the parent deployment
• If you specify the resource group name => The current subscription is used with the provided resource group name
• If you specify both => The specified resource group and subscription are used.

This does not safe guard against providing only the subscription like the empty(subscription) ? resourceGroup(rgname) : resourceGroup(subscription,rgname). But in the worse case, all it will do is cause a runtime error because the resource group doesn't exist.

If you can guarantee that there is no resource group name overlaps between subscriptions, you could also write the following to safe guard against that case:

param subscriptionId string = subscription().subscriptionId
param resourceGroupName string = resourceGroup().name

var subscriptionScope = resourceGroupName == resourceGroup().name &&  subscriptionId != subscription().subscriptionId ? subscription().subscriptionId : subscriptionId

module mod 'nsg.bicep' = {
  name: guidId
  scope: resourceGroup(subscriptionScope, resourceGroupName)
  params: {
    Location: resourceGroup().location
    NsgName: ''
    SecurityRules: [
      
    ] 
  }
}

There is also already an open issue for this if you could upvote it #1876 so that the bicep team is more likely to look into a fix.

[shenglol]

Thanks @GABRIELNGBTUC for providing the workarounds! Closing this as a duplicate of #1876.