Invalid generated ARM for referenced module scope

[stan-sz]

Bicep version
Bicep CLI version 0.2.328 (a13b032)

Describe the bug
Creating a variable of resourceGroups scope with a name coming from a resoruce-group creation module output, generates an invalid ARM.

To Reproduce

• main.bicep

targetScope = 'subscription'
param name string = 'name'
param location string = 'westus'
param subscriptionId string = newGuid()

module rg './resourcegroup.template.bicep' = {
    name: '${uniqueString(deployment().name)}-1'
    scope: subscription(subscriptionId)
    params: {
        name: name
        location: location
    }
}

var appResGrp = resourceGroup(rg.outputs.resourceGroupName)

module redis './redis.template.bicep' = {
    name: '${uniqueString(deployment().name)}-2'
    scope: appResGrp
}

• resourcegroup.template.bicep

targetScope = 'subscription'
param name string
param location string

resource rg 'Microsoft.Resources/resourceGroups@2018-05-01' = {
    name: name
    location: location
    tags: {
        'owner': 'me'
    }
}

output resourceGroupName string = rg.name

• redis.template.bicep

param redis_name string = 'redis'
param redis_location string = 'westus'

resource redis 'Microsoft.Cache/Redis@2019-07-01' = {
    name: redis_name
    location: redis_location
    properties: {
        sku: {
            name: 'Standard'
            family: 'C'
            capacity: 2
        }
    }
}

Running bicep build main.bicep will generate ARM with this line for the redis nested deployment:

"resourceGroup": "[reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-1', uniqueString(deployment().name))), '2019-10-01').outputs.resourceGroupName.value]",

Invoking az deployment sub validate --location westus --template-file main.json yields

{
  "error": {
    "code": "InvalidTemplate",
    "message": "Deployment template validation failed: 'The template resource 'axf2ibtm6bikm-2' at line '71' and column '5' is not valid: The template function 'reference' is not expected at this location. Please see https://aka.ms/arm-template-expressions for usage details.. Please see https://aka.ms/arm-template-expressions for usage details.'.",
    "additionalInfo": [
      {
        "type": "TemplateViolation",
        "info": {
          "lineNumber": 71,
          "linePosition": 5,
          "path": "properties.template.resources[1]"
        }
      }
    ]
  }
}

[bbabcock1990]

I can also confirm this is an issue:

Bicep CLI version 0.2.328 (a13b032)

• main bicep file

// Scope
targetScope = 'subscription'

// Paramaters
param location string = 'centralus'
param subscriptionId string = '8688fca6-f9ff-4c38-b2cb-xxxxxxxx'
param resourcePrefix string = 'baa-dev-cus'
param tags object = {
  environment:'hello'
  costcenter: 'development'
  workload: 'wvd'
}

// Resources
module hostpool_rg '../resources/az_resource_group/resource/az_resource_group.bicep' = {
  name: 'hostpool_rg'
  scope: subscription(subscriptionId)
  params: {
    location:location
    rgName:'${resourcePrefix}-hostpool-rg'
    tags: tags
  }
}

module wvd_diag_sa '../resources/az_storage_account/resource/az_storage_account.bicep' = {
  name: 'wvd_diag_sa'
  scope: resourceGroup(hostpool_rg.name)
  params: {
    globalRedundancy: false
    storageAccountName: concat(replace('${resourcePrefix}','-',''),'diagsa01')
    tags: tags
  }
}

• resource group bicep template

// Scope
targetScope = 'subscription'

// Paramaters
param rgName string = 'baa'
param location string = 'centralus'
param tags object = {
  environment:'prd'
}

// Resource
resource resourceGroup 'Microsoft.Resources/resourceGroups@2020-06-01' = {
  name: rgName
  location: location
  tags: tags
}

// Outputs
output resourceGroupId string = resourceGroup.id // output resourceId of storage account
output resourceGroupName string = resourceGroup.name // output name of storage account

• storage account bicep template

//Paramaters
param globalRedundancy bool = true
param storageAccountName string = 'baaprddiagsa01'
param tags object = {
  environment:'prd'
}

//Resource
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageAccountName
  location: resourceGroup().location
  kind: 'Storage'
  sku: {
    name: globalRedundancy ? 'Standard_GRS' : 'Standard_LRS' // if true --> GRS, else --> LRS
  }
  tags: tags
}

//Outputs
output storageId string = storageAccount.id // output resourceId of storage account
output storageName string = storageAccount.name // output name of storage account

Bicep will build the JSON file with no error.

Running "New-AzSubscriptionDeployment -Name testdeployment -Location centralus -TemplateFile .\main.json -WhatIf" fails with the below error:

[anthony-c-martin]

I think the fix for this is unfortunately to block 'runtime' expressions on the scope property, similar to what we do for the name property. This is because the ARM deployment engine needs to be able to determine the full resourceId of every resource at the very start of the deployment in order to calculate an accurate deployment graph.

[anthony-c-martin]

I've submitted #1467 for this, but will make sure we discuss as a team before merging to ensure it's the correct approach.