Bicep Exemptions /\ Scopes (Exemption needs to be set on Resource, not ResourceGroup) #7546

Closed
BartDecker opened this issue Jul 12, 2022 · 1 comment

Comments


BartDecker commented Jul 12, 2022

Bicep version
Bicep CLI version 0.6.18 (46dd19e)

Describe the bug

Trying to describe the bug (or feature request) the best I can. IMHO it's a limitation.

We are setting up a CI/CD pipeline in which our solutions consist of parent modules (solutions) which create resources with child modules (resources etc.). So we try to stick to a modular approach as much as possible.

In our environment we have exemptions on resources, resource groups and subscriptions. These exemptions need to be deployed by the CI/CD pipeline.

The current scope options for exemptions are quite limiting in their use because:

  1. In a parent -> child module setup

    • in which exemptions are created by a child module

    • in which the resources on which the exemptions need to exist are created by other module calls from the parent module

    • where the exemption child module also needs to be able to create exemptions for a subscription.

    • where the exemption child module also needs to be able to create exemptions for resource groups.

      --> one cannot do this as the scope for the exemption child module is either fixed to subscription or 1 resource group.
      One cannot call the module from different deployment scopes and actually set a scope on the exemption itself.
      One also cannot set an exemption for a resource anymore when the parent module has several resources in
      different resource groups. The second exemption would be forced to use the resource group scope.

  2. In having all exemptions (for resources, resource groups, subscriptions) in 1 Bicep file:

    --> one cannot do this as the scope cannot be changed per exemption. One runs into "A resource's scope must match the scope of the Bicep file for it to be deployable." Also the same as above, one would not be able to set exemptions for multiple resources if they are in different resource groups. The second exemption will always be on the resource group and not on the actual resources.

To Reproduce

  • Create 1 Bicep template and try to set 2 exemptions on 2 existing resources in different resource groups.
  • Create 1 parent module which deploys several resources which need exemptions and a child module which creates exemptions for that parent.
  • Try to use the earlier created child module for creating the exemptions with a new parent module that calls that child module to create an exemption for a subscription.

Additional context

The reason for wanting this setup is that all our resource creation child modules are generic and not particular. If 10 solutions (parent modules) consume the storage child module, it can be that only 1 of these storage accounts needs an exemption.

The underlying problem is that the targetScope for exemptions is fixed for the template and/or module. It's not possible to deploy exemptions for resource groups, resources and subscriptions from 1 exemption child module. Also, in only 1 template one cannot mix exemptions for resource groups, resources & subscriptions.
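
The first reproduction step from the report, as an added Bicep sketch that is not part of the original issue. The storage account names, the resource group name `rg-example-other`, the exemption names and the `policyAssignmentId` parameter are constructed placeholders.

```bicep
// Added illustration; every name below is a constructed placeholder.
targetScope = 'resourceGroup'

@description('Resource ID of the policy assignment to exempt from (assumed input).')
param policyAssignmentId string

// Storage account in the resource group this file is deployed to.
resource saLocal 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
  name: 'stexamplelocal'
}

// Storage account in a different resource group of the same subscription.
resource saOther 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
  name: 'stexampleother'
  scope: resourceGroup('rg-example-other')
}

// Accepted: the exemption is an extension resource scoped to one resource
// that lives in the file's own deployment scope.
resource exLocal 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
  name: 'ex-stexamplelocal'
  scope: saLocal
  properties: {
    policyAssignmentId: policyAssignmentId
    exemptionCategory: 'Waiver'
    displayName: 'Exemption on a single storage account'
  }
}

// Rejected at compile time with the message quoted in the report:
// "A resource's scope must match the scope of the Bicep file for it to be
// deployable." saOther lives outside this file's resource group.
resource exOther 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
  name: 'ex-stexampleother'
  scope: saOther
  properties: {
    policyAssignmentId: policyAssignmentId
    exemptionCategory: 'Waiver'
    displayName: 'Exemption on a storage account in another resource group'
  }
}
```

Dropping the `scope` property from the second exemption lets the file compile, but the exemption then applies to the file's whole resource group rather than to one resource, which is the broader scope the report describes being forced into.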

@ghost ghost added the Needs: Triage 🔍 label Jul 12, 2022
@BartDecker BartDecker changed the title Bicep Exemptions /\ Scopes in combination with "existing" Bicep Exemptions /\ Scopes Jul 13, 2022
@BartDecker BartDecker changed the title Bicep Exemptions /\ Scopes Bicep Exemptions /\ Scopes (Exemption set on Resource, not ResourceGroup) Jul 13, 2022
@BartDecker BartDecker changed the title Bicep Exemptions /\ Scopes (Exemption set on Resource, not ResourceGroup) Bicep Exemptions /\ Scopes (Exemption needs to be set on Resource, not ResourceGroup) Jul 18, 2022
@BartDecker
Author

Closing because I opened a feature request: #7621

@ghost ghost locked as resolved and limited conversation to collaborators May 25, 2023