In deployments runtime, do not check properties of resources with a false condition
#2371
Comments
ghost
added
the
|
Yes, this is the second example with if:s in the ARM docs https://docs.microsoft.com/sv-se/azure/azure-resource-manager/templates/template-functions-logical?tabs=json#if. The bicep tab in the documentation still states that conditions are not supported at all. And if I put this (working with an optional KV in my case) bicep build turns that initial [ into [[ in the json file, the rest of it is kept as is though... |
alex-frankel
added
bug
@ulfaxelssoncab - you shouldn't need to use ARM expressions. This is at least partially a bug in our ARM Template codegen, as we are not using the 'Full' argument on the reference call. In the meantime, does this work as a workaround? This should be the equivalent of the ARM-style expression you wrote: var falseThing = false
resource one 'Microsoft.Storage/storageAccounts@2019-06-01' = if(falseThing) {
kind: 'StorageV2'
name: 'majastrzfalse'
location: resourceGroup().location
sku: {
name: 'Standard_LRS'
}
}
resource two 'Microsoft.Storage/storageAccounts@2019-06-01' = {
kind: 'StorageV2'
name: 'majastrzfalse2'
location: resourceGroup().location
sku: {
name: 'Standard_LRS'
}
properties: {
accessTier: falseThing ? one.properties.accessTier : null
}
} |
alex-frankel
added
awaiting response
documentation
|
Yes, thank you, that works just like the ARM-style expression, without the double [ problem. Although it does yield a warning: Possibly null should be considered equivalent of all other types? Or at least in this case. Since all the examples for the ternary operator in the documentation/tutorial use a "static" bool I did not even consider trying to use an expression as the argument there... |
Right, this is a separate issue with our type system that we are looking to resolve. @majastrz do you know if we have a good issue tracking this? |
|
@alex-frankel - you can assign this one to me. |
|
Add the Bicep conditions example - https://github.com/MicrosoftDocs/azure-docs-pr/pull/157356 |
This part has been fixed with #2664. |
|
If I understand correctly, the PR fix returns a |
|
Could this fix please be prioritized? It's causing hard-to-detect bugs in our deployments. |
|
@aelij - can you clarify your expectations for a fix here? It sounds like you are looking for one of the proposals in #3750 to be implemented. Does that sound right? The "fix" is to make sure you are handling the potentially |
|
@alex-frankel I'm not sure #3750 is the right solution here. Even if the resource is conditionally deployed, we may still want to reference its properties (for deploy only once resources). I would expect Bicep to always emit the API version with |
|
Can you clarify more what a "deploy once" resource is? Is that due to some RP idempotency/API design issues? Some of that is discussed in #4023. Is that more of what you are talking about? The intention in Bicep/ARM is for you to say "deploy this resource or do not", which is slightly different than "deploy once". The expectation is all the APIs are idempotent and it shouldn't matter if you are deploying it once or one hundred times. If deploying a second time causes issues, then we need to fix the relevant API. |
|
There are 3 types of cases I can think (possibly more exist):
Unfortunately I think we are quite far from the ideal of ARM's intention, and it might take years to fix as it involves many RPs. Providing us with proper tooling to work around those issues in the interim is most valuable. |
|
I think scenarios 2 and 3 are more valid, though I still think those are the result of poor API design and/or implementation. Either way, I think at a certain point we may need to give up on fixing APIs and add some "escape-hatch" type features to deal with it, but we need to be really careful in designing those, so they are not abused. With #6163, we should no longer be emitting invalid reference calls, which means the bicep code should not fail during preflight validation. However, it is not going to fix #3750, for cases where we need the user to handle the null-ness. Those could still fail at runtime if the resource does not exist. |
This does not work. I get an error complaining about the deployment for the parent module is not defined if the condition is set to false & the parent module is not deployed
|
|
Does this mean that for-if statements do not work? I think it should be removed from the documentation then, until it is fixed - and this issue is already 3 years old? https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/loops#loop-with-condition |
|
Did anything change in that context recently? We had a Bicep template deploying correctly for a few months but it recently suddenly started throwing errors during validation saying that a resource cannot reference itself. Looks like the issue is that we use a resource definition with a condition which with a specific set of parameters evaluates to false, however validation engine ignores that and thinks we have self-referencing resources. |
|
@kamilzzz - can you share the repro of this problem in a separate issue? If it only started failing recently, it is a separate issue from this one. |
|
I experienced the same this morning using this in my BICEP file:
Resulting in:
While my parameter is set to:
|
|
I am having the same Issue in this Case: |
|
Facing the same issue, It's not happening with all the resources, only with few of the resources For example:- module primaryAppGateway 'create_application_gateway.bicep' = if (environmentConfig.enableVcurrent) {
scope: resourceGroup(environmentConfig.primaryResourceGroup.name)
name: 'create-${primaryAppGatewayName}'
params: {
name: primaryAppGatewayName
nsgName: environmentConfig.primaryResourceGroup.nsg
region: environmentConfig.primaryRegion
sizingConfig: sizingConfig.applicationGateway
tags: union(tags, defaultTags)
subnetName: '${environmentConfig.primaryResourceGroup.vnet}/${agwSubnet}'
}
}
module vnextAppGateway 'create_application_gateway.bicep' = if (environmentConfig.enableVnext) {
scope: resourceGroup(environmentConfig.vnextResourceGroup.name)
name: 'create-${vnextAppGatewayName}'
params: {
name: vnextAppGatewayName
nsgName: environmentConfig.vnextResourceGroup.nsg
region: environmentConfig.primaryRegion
sizingConfig: sizingConfig.applicationGateway
tags: union(tags, defaultTags)
subnetName: '${environmentConfig.vnextResourceGroup.vnet}/${agwSubnet}'
}
}In the above example |
|
@psinnathurai / @avivansh - can you try enabling symbolic names in We are moving closer to turning on symbolic names by default for all bicep users and that is where we expect to resolve this particular issue. We believe we have fixed this issue when symbolic names are enabled, but want to make sure we are not missing any use cases. |
|
@alex-frankel, thanks for sharing this. It worked for me. |
|
Thanks @alex-frankel the symbolic name feature also resolved my particular use case. |
Bicep version
v0.3.255Describe the bug
In certain cases, we generate invalid reference() calls in the JSON.
To Reproduce
Additional context
Compiled JSON:
{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.3.255.40792", "templateHash": "13339784985949539225" } }, "functions": [], "resources": [ { "condition": "[false()]", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "majastrzfalse", "kind": "StorageV2", "location": "[resourceGroup().location]", "sku": { "name": "Standard_LRS" } }, { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "majastrzfalse2", "kind": "StorageV2", "location": "[resourceGroup().location]", "sku": { "name": "Standard_LRS" }, "properties": { "accessTier": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'majastrzfalse')).accessTier]" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', 'majastrzfalse')]" ] } ] }The text was updated successfully, but these errors were encountered: