Azure.Provisioning.{Resource}.CreateRoleAssignment(Role, ManagedIdentity) creates invalid bicep when managed identity in same deployment #47265

Open
davidfowl opened this issue Nov 20, 2024 · 1 comment
Labels
Client This issue points to a problem in the data-plane of the library. Provisioning

davidfowl commented Nov 20, 2024

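```csharp
using System.IO;
using System.Linq;
using Azure.Provisioning;
using Azure.Provisioning.Roles;
using Azure.Provisioning.Storage;

var infra = new Infrastructure();

// User-assigned identity created in the same deployment as the storage account.
var identity = new UserAssignedIdentity("managedIdentity")
{
};

infra.Add(identity);

var account = new StorageAccount("sa2")
{
    Sku = new() { Name = StorageSkuName.StandardLrs },
    Kind = StorageKind.StorageV2
};

infra.Add(account);

// Grant the identity Storage Blob Data Contributor on the account.
infra.Add(account.CreateRoleAssignment(StorageBuiltInRole.StorageBlobDataContributor, identity));

var plan = infra.Build();
var compiledBicep = plan.Compile().First();
File.WriteAllText($"{infra.BicepName}.bicep", compiledBicep.Value);
```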

This creates invalid bicep:

```bicep
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: take('managedIdentity-${uniqueString(resourceGroup().id)}', 128)
  location: location
  tags: tags
}

resource sa2 'Microsoft.Storage/storageAccounts@2024-01-01' = {
  name: take('sa2${uniqueString(resourceGroup().id)}', 24)
  kind: 'StorageV2'
  location: location
  sku: {
    name: 'Standard_LRS'
  }
}

resource sa2_managedIdentity_StorageBlobDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa2.id, managedIdentity.properties.principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'))
  properties: {
    principalId: managedIdentity.properties.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
    principalType: 'ServicePrincipal'
  }
  scope: sa2
}
```

Which results in the following error:

This expression is being used in an assignment to the "name" property of the "Microsoft.Authorization/roleAssignments" type, which requires a value that can be calculated at the start of the deployment. Properties of managedIdentity which can be calculated at the start include "apiVersion", "id", "name", "type".bicep[BCP120](https://aka.ms/bicep/core-diagnostics#BCP120)
@github-actions github-actions bot added Mgmt This issue is related to a management-plane library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Storage Storage Service (Queues, Blobs, Files) labels Nov 20, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@jsquire jsquire assigned tg-msft and unassigned ArthurMa1978 Nov 20, 2024
@jsquire jsquire added Client This issue points to a problem in the data-plane of the library. Provisioning and removed Storage Storage Service (Queues, Blobs, Files) Mgmt This issue is related to a management-plane library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Nov 20, 2024
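
For reference, a hand-written Bicep template that satisfies BCP120 for the same three resources. This is an added example, not output of Azure.Provisioning and not a fix taken from this issue. It seeds the role assignment name with `managedIdentity.id`, which the diagnostic lists as calculable at the start of the deployment. The `location` default and the `blobDataContributorId` variable are assumptions introduced here.

```bicep
// Added example: hand-written, not generated by Azure.Provisioning.
// Assumption: deploy into the resource group's own region.
param location string = resourceGroup().location

// Assumption: helper variable introduced here. The GUID is the role definition
// used in the generated template (Storage Blob Data Contributor).
var blobDataContributorId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: take('managedIdentity-${uniqueString(resourceGroup().id)}', 128)
  location: location
}

resource sa2 'Microsoft.Storage/storageAccounts@2024-01-01' = {
  name: take('sa2${uniqueString(resourceGroup().id)}', 24)
  kind: 'StorageV2'
  location: location
  sku: {
    name: 'Standard_LRS'
  }
}

resource sa2_managedIdentity_StorageBlobDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // The name must be computable before anything is deployed, so it is derived
  // from managedIdentity.id (known up front) rather than
  // managedIdentity.properties.principalId (known only after the identity exists).
  // Seeding guid() with scope, identity and role keeps the name stable across
  // redeployments, so the same assignment is updated instead of duplicated.
  name: guid(sa2.id, managedIdentity.id, blobDataContributorId)
  scope: sa2
  properties: {
    // Runtime values are allowed inside properties; only the name is restricted.
    principalId: managedIdentity.properties.principalId
    roleDefinitionId: blobDataContributorId
    principalType: 'ServicePrincipal'
  }
}
```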