Question about how PSRule handles Bicep expansion #3223
-
|
Consider the following (example) Bicep: targetScope = 'subscription'
param subscriptionId string
param resourceGroupName string
param logAnalyticsWorkspaceName string
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
name: logAnalyticsWorkspaceName
scope: resourceGroup(subscriptionId, resourceGroupName)
}
output logAnalyticsWorkspaceId string = logAnalyticsWorkspace.idWhen evaluating this Bicep using PSRule, it fails at the expansion step: This is to be expected; the output cannot be set when the targetScope = 'subscription'
param subscriptionId string
param resourceGroupName string
param logAnalyticsWorkspaceName string
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
name: logAnalyticsWorkspaceName
scope: resourceGroup(subscriptionId, resourceGroupName)
}
// output logAnalyticsWorkspaceId string = logAnalyticsWorkspace.idAside from removing the output, there are 3 options for resolving the expansion problem (source):
However, I cannot help but wonder... is it in some way possible to ensure that the ouput is removed, null, or an empty string (or otherwise) such that PSRule expansion succeeds without applying 1 of the 3 steps mentioned above? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
@ThijmenDam Removing the output to make the expand work is unusual, that doesn't normally work because PSRule requires these parameters to expand just like Azure would if you deployed the code to Azure. So, the 1/2/3 is it depending on your specific case. For your specific example, the behaviour is a bug. You're getting this only because the module without the output effectively does nothing. An The PSRule expansion process does support nullable/ optional parameters and conditional resources, so that would be an option for module development. param optional string?https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/conditional-resource-deployment Something like this would work for your example case: targetScope = 'subscription'
param subscriptionId string?
param resourceGroupName string?
param logAnalyticsWorkspaceName string?
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = if (!empty(logAnalyticsWorkspaceName)) {
name: logAnalyticsWorkspaceName!
scope: resourceGroup(subscriptionId!, resourceGroupName!)
}
output logAnalyticsWorkspaceId string? = !empty(logAnalyticsWorkspaceName) ? logAnalyticsWorkspace.id : nullDoes that help? |
Beta Was this translation helpful? Give feedback.
-
|
Yes, that makes sense. One of the 3 options mentioned above is probably a better solution, but I understand the expansion process a bit better now. Thank you. |
Beta Was this translation helpful? Give feedback.
-
|
Also see https://azure.github.io/PSRule.Rules.Azure/faq/#what-is-expansion and https://azure.github.io/PSRule.Rules.Azure/expanding-source-files/ for some additional context. |
Beta Was this translation helpful? Give feedback.
@ThijmenDam Removing the output to make the expand work is unusual, that doesn't normally work because PSRule requires these parameters to expand just like Azure would if you deployed the code to Azure. So, the 1/2/3 is it depending on your specific case.
For your specific example, the behaviour is a bug. You're getting this only because the module without the output effectively does nothing. An
existingresource block is just a reference and if the reference is not used there is no reason to perform any action. As soon as you attempt to use theexistingresource (or perform any other deployment in that module) the parameters would be expected to have a value.The PSRule expansion process…