Use any() in scope #3542
Comments
Would the proposal under #2246 give you the flexibility you need here, specifically the example under heading "Generic"? This would allow passing a dynamic resource reference as a module parameter, and allow it to be used as an extension resource scope.
@anthony-c-martin as far as I could understand, probably not, unfortunately. I would like end users to be able to specify resourceType and resourceName as parameters without having to specify versions. In the end, scope is just a string that is not even the resourceId of the resource. I want to be able to specify scope as a string without it having to be a resource. Think of the Microsoft.Insights/diagnosticSettings resource. The scope can be any resource provider + resource name that supports diagnostic settings. Every time Azure has a new service that supports diagnostic settings I do not want to change my code for deploying that; the end user can just provide the correct input and should be able to configure that. I gave the dataCollectionRuleAssociations example as that resource along with dataCollectionRules are supposed to replace diagnosticSettings in the future.
Here's how I'd imagine your scenario with proposals #2245 & #2246 if you're consuming in another module:
If consuming directly, I'd expect more flexibility to do things dynamically. I haven't got around to model what the ARM JSON equivalent of `az group deployment create ... dataCollection.bicep --parameters dataCollectionScopeResource={"type": "Microsoft.Compute/virtualMachines", "name": "vm0001"}` Would either of those options satisfy your requirements?
@anthony-c-martin If I can specify a different input type and name (without API version), that would be sufficient. Currently that specific API has support for Microsoft.Compute/virtualMachines, Microsoft.HybridCompute/machines and Microsoft.Compute/virtualMachineScaleSets. More will probably come over time. If I specify one of those types and a different name every time, the same code should work. If they, for example, add Microsoft.Sql/servers in the future, I should not have to change the code for it to work; I will just need to specify a different input type and name.
@anthony-c-martin additionally, allow setting an empty string ('') value for scope. This allows for better flexibility if you want the scope to be for a specific resource or for the resource group. Often used with the roleAssignments resource. By having such flexibility you can reduce your code instead of creating two paths, one where the resource does not have the scope property and one where the resource has it.
This would help me immensely in my current project as I need to set Role Based assignments on a resource level.
In the meantime, since JSON arm templates are now supported as modules, I've created one that was enough to meet my needs instead of having to create 1 bicep file/module per scope:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "targetResourceId": {
      "type": "string"
    },
    "roleDefinitionName": {
      "type": "string",
      "allowedValues": [
        "Contributor",
        "Private DNS Zone Contributor",
        "Network Contributor",
        "AcrPull",
        "Managed Identity Operator",
        "Virtual Machine Contributor",
        "Reader",
        "Key Vault Administrator"
      ]
    },
    "targetType": {
      "type": "string",
      "allowedValues": [
        "Resource",
        "Group"
      ]
    },
    "principalId": {
      "type": "string"
    }
  },
  "variables": {
    "Roles": {
      "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
      "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
      "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
      "AcrPull": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
      "Managed Identity Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
      "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
      "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
      "Key Vault Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]"
    },
    "scope": {
      "Resource": "[skip(parameters('targetResourceId'), add(lastIndexOf(parameters('targetResourceId'), '/providers/'), 11))]",
      "Group": ""
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(parameters('targetResourceId'), parameters('roleDefinitionName'), parameters('principalId'))]",
      "scope": "[variables('scope')[parameters('targetType')]]",
      "condition": "[equals(parameters('targetType'), 'Resource')]",
      "properties": {
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[variables('Roles')[parameters('roleDefinitionName')]]"
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(resourceGroup().name, parameters('roleDefinitionName'), parameters('principalId'))]",
      "condition": "[equals(parameters('targetType'), 'Group')]",
      "properties": {
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[variables('Roles')[parameters('roleDefinitionName')]]"
      }
    }
  ]
}
```
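The scope expression in the template above keeps only what follows the last `/providers/` in `targetResourceId`, so the subscription and resource group in the ID are dropped before the role assignment is scoped. The Python below is an added example, not part of the original comment or the Bicep project: it mirrors that expression and adds a pre-deployment check. `preflight`, the `RESOURCE_ID` pattern and the sample IDs are constructed for illustration, and the check assumes the deployment targets the resource group passed as `deployment_rg`.

```python
import re

PROVIDERS = "/providers/"
SUB = "00000000-0000-0000-0000-000000000000"  # constructed sample values
RG_ID = f"/subscriptions/{SUB}/resourceGroups/rg-app"
VM_ID = f"{RG_ID}/providers/Microsoft.Compute/virtualMachines/vm0001"

# Resource-group-level resource ID: namespace, then type/name pairs.
RESOURCE_ID = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<rest>[^/]+(?:/[^/]+/[^/]+)+)$",
    re.IGNORECASE,
)


def arm_last_index_of(haystack: str, needle: str) -> int:
    """ARM lastIndexOf(): case-insensitive, -1 when the value is not found."""
    return haystack.lower().rfind(needle.lower())


def arm_skip(value: str, count: int) -> str:
    """ARM skip() on a string: a count of 0 or less returns everything."""
    return value[max(count, 0):]


def template_scope(target_resource_id: str) -> str:
    """Mirror of variables('scope').Resource in the template."""
    index = arm_last_index_of(target_resource_id, PROVIDERS)
    return arm_skip(target_resource_id, index + 11)


def preflight(target_resource_id: str, deployment_rg: str) -> str:
    """Return the scope the template will assign at, or raise ValueError."""
    match = RESOURCE_ID.match(target_resource_id)
    if match is None:
        raise ValueError("not a resource-group-level resource ID")
    if match.group("rg").lower() != deployment_rg.lower():
        # The expression drops the resource group, so a mismatch goes unnoticed.
        raise ValueError("resource is outside the deployment resource group")
    if PROVIDERS in match.group("rest").lower():
        # lastIndexOf() would keep only the innermost extension resource.
        raise ValueError("nested '/providers/' segment in resource ID")
    return template_scope(target_resource_id)


if __name__ == "__main__":
    print(template_scope(VM_ID))
    print(repr(template_scope(RG_ID)))
```

An ID without `/providers/` makes `lastIndexOf` return -1, so the expression skips 10 characters and yields a string that is not a resource path; `preflight` rejects that input before it reaches a deployment.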
Yes, I am aware that there is a workaround with ARM templates, as the possibility to be able to do that in Bicep already exists in ARM templates :). Of course this could be only a temporary workaround due to wanting to get rid of ARM template code 100%.
Is your feature request related to a problem? Please describe.
When we have extension resources can we use the any() function to provide the scope.
Describe the solution you'd like
For example
This will make it easier to have flexible and dynamic code where people can have input such as resourceType (Microsoft.Compute/virtualMachines) and resourceName (vm0001). The idea is that once a new resource supports dataCollectionRuleAssociations resource extension I do not have to update the code to provide support for that resource. If I have to use the current method once new resource supports the extension I have to do two things: