-
Notifications
You must be signed in to change notification settings - Fork 728
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Block nested deployment resources with inner scoped evaluation and symbolic references to outer scope #11884
Block nested deployment resources with inner scoped evaluation and symbolic references to outer scope #11884
Conversation
…mbolic references to outer scope
Test this change out locally with the following install scripts (Action run 6278976773) VSCode
Azure CLI
|
…oping and fix failing tests
…or-inner-evaluated-nested-deployment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nit] Shouldn't this be a linter rule rather than part of the emit limitation calculations? |
I thought this fit better conceptually with other emit limitations, but moving this to a linter instead would give users who are impacted by the breaking change a way to disable the check if they want to. |
…or-inner-evaluated-nested-deployment
Just realized I didn't explain my thinking, so wanted to note it down: It's a bit of a grey area - my opinion is generally that the core compiler logic should not be resource-aware - that's more the job of the linter. We have chosen to not fully block Microsoft.Resources/deployments, but we also haven't special-cased it in any way, so although it is technically "our" resource type, I feel like we don't and shouldn't treat it as such in Bicep. In general, I suspect that people are utilizing this functionality accidentally without realizing they should be instead using modules. I feel like we should strongly discourage unless we can see a compelling reason to use it instead of modules; it's full of footguns like this one. |
FYI a use case of nested deployment template referencing outer scope is a native bicep implementation of #5805 (reply in thread). This is essentially a way of implementing role assignment extension deployments for generic parent resource types. Instead of loading an ARM JSON as in the linked comment, I define a |
@maskati - I believe there's a simpler solution to this today, as we now allow direct referencing of |
Nice! I didn't know you could do that. |
@anthony-c-martin cc @puicchan I'll be doing a round of rule fixes/additions in the next few months. Do you think we should have a linter rule warning against Microsoft.Resources.deployments usage period? |
@StephenWeatherford we have one that was recently added: #11848 |
Resolves #11846
This PR updates EmitLimitationCalculator to emit an error when a resource of type
Microsoft.Resources/deployments
uses inner scoped expression evaluation but refers to symbols defined in the outer scope from within thetemplate
property.This PR may be a breaking change for some templates, as the added check may catch scenarios that would not result in a runtime deployment failure, e.g., when a template has a symbol with the same name and type defined in both contexts:
In that case, the user may be using a Bicep symbolic reference to save a few characters, but what the template will do (dereference the inner-scoped symbol) does not line up with the communicated intent of the syntax (i.e., to dereference the outer-scoped symbol), so I chose to flag that as an error, too, as this usage would almost certainly represent a logical error even if the compiled nested deployment would not raise a runtime error.
Microsoft Reviewers: Open in CodeFlow