Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using existing along with a conditional if ignores the if #3737

Closed
jbiesta opened this issue Jul 23, 2021 · 6 comments
Closed

Using existing along with a conditional if ignores the if #3737

jbiesta opened this issue Jul 23, 2021 · 6 comments
Labels
Needs: Author Feedback Awaiting feedback from the author of the issue

Comments

@jbiesta
Copy link

jbiesta commented Jul 23, 2021
edited
Loading

Bicep version
0.4.63

Describe the bug
When using existing for getting an existing resource in a deployment template, if that resource has a condition on it it ignores the condition and still tries to retrieve the resource (which may not exist based on the condition)

To Reproduce
Try to deploy the following when the existing resource does not exist using the deploymentEnvironment value of test

@allowed([
  'test'
  'live'
])
param deploymentEnvironment string

resource storage 'Microsoft.Storage/storageAccounts@2021-04-01' existing = if (deploymentEnvironment == 'live') {
  name: '${deploymentEnvironment}store'
  scope: resourceGroup('rg-${deploymentEnvironment}-stores')
}

If the resourcegroup/resource does not exist an error is returned to say it doesn't exist even if the deploymentEnvironment is test.

I would expect this code to not be run based on the condition.
@ghost ghost added the Needs: Triage 🔍 label Jul 23, 2021
@alex-frankel
Copy link
Collaborator

How is this existing reference being consumed? The existing declaration doesn't itself make any calls, it only establishes a reference to be used somewhere in the bicep file, so the error is coming from wherever the storage symbol is being referenced.

@jbiesta
Copy link
Author

jbiesta commented Jul 26, 2021
edited
Loading

Hi Alex,

Apologies i should have included that in my original post.

The storage account for me was being used to get the connection string out to store in keyvault:

@allowed([
  'test'
  'live'
])
param deploymentEnvironment string

var environmentIsLive = deploymentEnvironment == 'live'
resource storage 'Microsoft.Storage/storageAccounts@2021-04-01' existing = if (environmentIsLive) {
  name: '${deploymentEnvironment}store'
  scope: resourceGroup('rg-${deploymentEnvironment}-stores')
}

resource storageKeyKeyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2021-04-01-preview' = if (environmentIsLive) {
  name: '${keyVaultName}/StorageConnectionString'
  dependsOn: [
    keyVaultModule
  ]
  properties: {
    value: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${listKeys(storage.id, storage.apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}

This setup initially told me the resourcegroup was not found and then told me (once i created the resource group to test whether it just needed that) that the storage account didn't exist.

I feel it may be worth mentioning that our condition comes from a variable although not sure why that would make a difference but I've updated the example code to show that.

Not sure if it's related or not but I'm also seeing an error of deployment not found when referencing outputs from a module that has a condition, even though everything that references the output has the same condition associated.

Thanks

@jbiesta
Copy link
Author

jbiesta commented Jul 26, 2021

Hi Alex,

I've managed to bypass both issues for now by making the reference conditional as follows:

@allowed([
  'test'
  'live'
])
param deploymentEnvironment string

var environmentIsLive = deploymentEnvironment == 'live'
resource storage 'Microsoft.Storage/storageAccounts@2021-04-01' existing = if (environmentIsLive) {
  name: '${deploymentEnvironment}store'
  scope: resourceGroup('rg-${deploymentEnvironment}-stores')
}

resource storageKeyKeyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2021-04-01-preview' = if (environmentIsLive) {
  name: '${keyVaultName}/StorageConnectionString'
  dependsOn: [
    keyVaultModule
  ]
  properties: {
    value: environmentIsLive ? 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${listKeys(storage.id, storage.apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}' : ''
  }
}

This allows the deployments to correctly continue. But does feel like it shouldn't be required.

Thanks

@anthony-c-martin
Copy link
Member

Note that this is technically not unique to the existing syntax - the same problem exists with conditional references to regular resources. It's just more noticeable with existing as it'll more likely result in the deployment failing. I've written up a potential solution under #3750.

@alex-frankel
Copy link
Collaborator

Thanks for writing that up Anthony. Would the first code sample above validate per your proposal? The condition is on the entire vaults/secrets resource in the first sample. In the second sample, it's on the resource and the relevant property.

This is also related to (but separate from) the greedy conditional evaluation problem right?

@alex-frankel
Copy link
Collaborator

I'm going to close this in the meantime and we can track with #3750

@ghost ghost locked as resolved and limited conversation to collaborators May 27, 2023
@StephenWeatherford StephenWeatherford added Needs: Author Feedback Awaiting feedback from the author of the issue and removed awaiting response labels Oct 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Needs: Author Feedback Awaiting feedback from the author of the issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@StephenWeatherford @alex-frankel @jbiesta @anthony-c-martin