Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dependsOn indexing is broken if it skips over an existing resource with a different for loop or indexing expression #15513

Closed
slavizh opened this issue Nov 7, 2024 · 8 comments · Fixed by #15580
Closed

dependsOn indexing is broken if it skips over an existing resource with a different for loop or indexing expression #15513

slavizh opened this issue Nov 7, 2024 · 8 comments · Fixed by #15580
Assignees
@jeskew
Labels
bug Something isn't working
Milestone
v0.32

Comments

@slavizh
Copy link
Contributor

slavizh commented Nov 7, 2024

Bicep version
Bicep CLI version 0.31.34 (ec82b47)

Describe the bug
The change in #13674 broke existing syntax for language version 2 in critical way. The example is using Graph but it applies to all resource types with existing. Note that I am also using user assigned identities which is also Azure resource.

To Reproduce
This template:

extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview'  as microsoftGraphV1
extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/beta:0.1.8-preview'  as microsoftGraphBeta

param entraGroup object = {
  name: 'ExampleGroup2'
  type: 'Security'
  members: [
    {
      name: '{application name}'
      type: 'Application'
    }
  ]
  owners: [
    {
      name: '{user identity name}'
      resourceGroup: '{resource group name}'
      type: 'UserAssignedManagedIdentity'
    }
  ]
}

var defaultMember = {
  subscriptionId: subscription().subscriptionId
  resourceGroup: ''
  name: ''
  appId: ''
}

resource memberManagedIdentities 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'UserAssignedManagedIdentity') {
    //https://github.com/Azure/bicep/issues/13937
    name: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
    scope: resourceGroup(union(defaultMember, member).subscriptionId, union(defaultMember, member).resourceGroup)
  }
]

resource memberApplications 'Microsoft.Graph/[email protected]' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Application') {
    //https://github.com/Azure/bicep/issues/13937
    uniqueName: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
  }
]

resource memberServicePrincipals 'Microsoft.Graph/[email protected]' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Application') {
    appId: memberApplications[i].appId
  }
]

resource memberServicePrincipalsStandalone 'Microsoft.Graph/[email protected]' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'ServicePrincipal') {
    //https://github.com/Azure/bicep/issues/13937
    appId: empty(union(defaultMember, member).appId) ? 'dummy${i}' : member.appId
  }
]

resource memberGroups 'Microsoft.Graph/[email protected]' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Group') {
    //https://github.com/Azure/bicep/issues/13937
    uniqueName: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
  }
]

resource ownerManagedIdentities 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = [
  for (owner, i) in entraGroup.owners: if (owner.type =~ 'UserAssignedManagedIdentity') {
    //https://github.com/Azure/bicep/issues/13937
    name: empty(union(defaultMember, owner).name) ? 'dummy${i}' : owner.name
    scope: resourceGroup(union(defaultMember, owner).subscriptionId, union(defaultMember, owner).resourceGroup)
  }
]

resource ownerApplications 'Microsoft.Graph/[email protected]' existing = [
  for (owner, i) in entraGroup.owners: if (owner.type =~ 'Application') {
    //https://github.com/Azure/bicep/issues/13937
    uniqueName: empty(union(defaultMember, owner).name) ? 'dummy${i}' : owner.name
  }
]

resource ownerServicePrincipals 'Microsoft.Graph/[email protected]' existing = [
  for (owner, i) in entraGroup.owners: if (owner.type =~ 'Application') {
    appId: ownerApplications[i].appId
  }
]

resource ownerServicePrincipalsStandalone 'Microsoft.Graph/[email protected]' existing = [
  for (owner, i) in entraGroup.owners: if (owner.type =~ 'ServicePrincipal') {
    //https://github.com/Azure/bicep/issues/13937
    appId: empty(union(defaultMember, owner).appId) ? 'dummy${i}' : owner.appId
  }
]

resource entraGroupRes 'Microsoft.Graph/[email protected]' = {
  uniqueName: entraGroup.name
  displayName: entraGroup.name
  mailEnabled: false
  mailNickname: entraGroup.name
  securityEnabled: true
  members: [
    for (member, i) in entraGroup.members: member.type =~ 'UserAssignedManagedIdentity'
      ? memberManagedIdentities[i].properties.principalId
      : member.type =~ 'Application'
          ? memberServicePrincipals[i].id
          : member.type =~ 'ServicePrincipal'
              ? memberServicePrincipalsStandalone[i].id
              : member.type =~ 'Group' ? memberGroups[i].id : member.type =~ 'PrincipalId' ? member.principalId : ''
  ]
  owners: [
    for (owner, i) in entraGroup.owners: owner.type =~ 'UserAssignedManagedIdentity'
      ? ownerManagedIdentities[i].properties.principalId
      : owner.type =~ 'Application'
          ? ownerServicePrincipals[i].id
          : owner.type =~ 'ServicePrincipal' ? ownerServicePrincipalsStandalone[i].id : owner.type =~ 'PrincipalId' ? owner.principalId : ''
  ]
}

Works fine with 0.30.23 (ec3612e) but it fails with 0.31.34 (ec82b47).

Error:

  "properties": {
        "statusCode": "InternalServerError",
        "serviceRequestId": null,
        "statusMessage": "{\"error\":{\"code\":\"MultipleErrorsOccurred\",\"message\":\"Multiple error occurred: . Please see details.\",\"details\":[{\"code\":\"InternalServerError\",\"message\":\"Encountered internal server error. Diagnostic information: timestamp '20241107T093958Z', subscription id '{redacted}', tracking id '8290acda-6a98-4c58-834f-a6056ede609e', request correlation id '8290acda-6a98-4c58-834f-a6056ede609e'.\"},{\"code\":\"InternalServerError\",\"message\":\"Encountered internal server error. Diagnostic information: timestamp '20241107T093958Z', subscription id '{redacted}', tracking id '8290acda-6a98-4c58-834f-a6056ede609e', request correlation id '8290acda-6a98-4c58-834f-a6056ede609e'.\"},{\"code\":\"InternalServerError\",\"message\":\"Encountered internal server error. Diagnostic information: timestamp '20241107T093958Z', subscription id '{redacted}', tracking id '8290acda-6a98-4c58-834f-a6056ede609e', request correlation id '8290acda-6a98-4c58-834f-a6056ede609e'.\"},{\"code\":\"InternalServerError\",\"message\":\"Encountered internal server error. Diagnostic information: timestamp '20241107T093958Z', subscription id '{redacted}', tracking id '8290acda-6a98-4c58-834f-a6056ede609e', request correlation id '8290acda-6a98-4c58-834f-a6056ede609e'.\"}]}}",

Additional context
Add any other context about the problem here.
@github-project-automation github-project-automation bot moved this to Todo in Bicep Nov 7, 2024
@slavizh
Copy link
Contributor Author

slavizh commented Nov 7, 2024

@jeskew @alex-frankel no idea how many people write the code like me and use language version 2 but I think this is pretty critical thus opted to mention you.

This was referenced Nov 7, 2024
Open
Open
@slavizh
Copy link
Contributor Author

slavizh commented Nov 7, 2024

Actually managed to scope the issue to the error generated when only Graph resources are referenced as existing. If I comment all the code around existing for Microsoft.Graph/applications, Microsoft.Graph/servicePrincipals and Microsoft.Graph/groups and their references the template deploys successfully. This is good as it seems affects only the Graph resources which is still in preview.

@slavizh slavizh changed the title #13674 made thngs worse for existing syntax in language version 2 #13674 borke existing syntax when extensibility is enabled Nov 7, 2024
@jeskew
Copy link
Member

jeskew commented Nov 7, 2024

@slavizh It looks like this isn't related to extensibility but happens when a non-copy resource depends on an existing copy resource that in turn depends on a non-existing copy resource. In that case, Bicep may sometimes try to skip over the existing resource in the dependency graph. The following template reproduces the issue without extensibility resources:

resource vnets 'Microsoft.Network/virtualNetworks@2024-03-01' = [for i in range(0, 10): {
  name: 'vnet${i}'
}]

resource subnets 'Microsoft.Network/virtualNetworks/subnets@2024-03-01' existing = [for i in range(0, 10): {
  parent: vnets[i]
  name: 'subnet'
}]

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'vault'
  location: resourceGroup().location
  properties: {
    sku: {
      name: 'standard'
      family: 'A'
    }
    tenantId: subscription().tenantId
    networkAcls: {
      virtualNetworkRules: [for i in range(0, 10): {
        id: subnets[i].id
      }]
    }
  }
}

When compiled without symbolic name support (and therefore no existing resources in the compiled template), the generated template is invalid:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.30.23.60470",
      "templateHash": "1546815409293910064"
    }
  },
  "resources": [
    {
      "copy": {
        "name": "vnets",
        "count": "[length(range(0, 10))]"
      },
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2024-03-01",
      "name": "[format('vnet{0}', range(0, 10)[copyIndex()])]"
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2023-07-01",
      "name": "vault",
      "location": "[resourceGroup().location]",
      "properties": {
        "sku": {
          "name": "standard",
          "family": "A"
        },
        "tenantId": "[subscription().tenantId]",
        "networkAcls": {
          "copy": [
            {
              "name": "virtualNetworkRules",
              "count": "[length(range(0, 10))]",
              "input": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', format('vnet{0}', range(0, 10)[range(0, 10)[range(0, 10)[copyIndex('virtualNetworkRules')]]]), 'subnet')]"
              }
            }
          ]
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', format('vnet{0}', range(0, 10)[range(0, 10)[copyIndex()]]))]"
      ]
    }
  ]
}

(Note the copyIndex() expression within the vault resource's dependsOn property, even though vault is not a copy resource.)

This did not surface for symbolic name templates in v0.30 and below because vault would take a dependency on the existing resource:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "languageVersion": "2.0",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.30.23.60470",
      "templateHash": "13202434162406894311"
    }
  },
  "resources": {
    "vnets": {
      "copy": {
        "name": "vnets",
        "count": "[length(range(0, 10))]"
      },
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2024-03-01",
      "name": "[format('vnet{0}', range(0, 10)[copyIndex()])]"
    },
    "subnets": {
      "copy": {
        "name": "subnets",
        "count": "[length(range(0, 10))]"
      },
      "existing": true,
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2024-03-01",
      "name": "[format('{0}/{1}', format('vnet{0}', range(0, 10)[range(0, 10)[copyIndex()]]), 'subnet')]",
      "dependsOn": [
        "[format('vnets[{0}]', range(0, 10)[copyIndex()])]"
      ]
    },
    "vault": {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2023-07-01",
      "name": "vault",
      "location": "[resourceGroup().location]",
      "properties": {
        "sku": {
          "name": "standard",
          "family": "A"
        },
        "tenantId": "[subscription().tenantId]",
        "networkAcls": {
          "copy": [
            {
              "name": "virtualNetworkRules",
              "count": "[length(range(0, 10))]",
              "input": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', format('vnet{0}', range(0, 10)[range(0, 10)[range(0, 10)[copyIndex('virtualNetworkRules')]]]), 'subnet')]"
              }
            }
          ]
        }
      },
      "dependsOn": [
        "subnets"
      ]
    }
  }
}

The dependency graph builder recognizes that vault is not a copy resource and just takes a dependency on all of the subnet resources.

In v0.31, the graph builder tries to be a bit smarter and skip over the existing resource since vault is only using the subnets' ID, but this makes it run headfirst into the error that affects non-symbolic name templates:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "languageVersion": "2.0",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.31.34.60546",
      "templateHash": "1523914663347343621"
    }
  },
  "resources": {
    "vnets": {
      "copy": {
        "name": "vnets",
        "count": "[length(range(0, 10))]"
      },
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2024-03-01",
      "name": "[format('vnet{0}', range(0, 10)[copyIndex()])]"
    },
    "subnets": {
      "copy": {
        "name": "subnets",
        "count": "[length(range(0, 10))]"
      },
      "existing": true,
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2024-03-01",
      "name": "[format('{0}/{1}', format('vnet{0}', range(0, 10)[range(0, 10)[copyIndex()]]), 'subnet')]",
      "dependsOn": [
        "[format('vnets[{0}]', range(0, 10)[copyIndex()])]"
      ]
    },
    "vault": {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2023-07-01",
      "name": "vault",
      "location": "[resourceGroup().location]",
      "properties": {
        "sku": {
          "name": "standard",
          "family": "A"
        },
        "tenantId": "[subscription().tenantId]",
        "networkAcls": {
          "copy": [
            {
              "name": "virtualNetworkRules",
              "count": "[length(range(0, 10))]",
              "input": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', format('vnet{0}', range(0, 10)[range(0, 10)[range(0, 10)[copyIndex('virtualNetworkRules')]]]), 'subnet')]"
              }
            }
          ]
        }
      },
      "dependsOn": [
        "[format('vnets[{0}]', range(0, 10)[copyIndex()])]"
      ]
    }
  }
}

The graph builder needs to be aware of when it is skipping over a looped existing resource.

@anthony-c-martin
Copy link
Member

@slavizh we're working on a fix for this now - I think we'll need to do a new Bicep release for it.

@slavizh
Copy link
Contributor Author

slavizh commented Nov 8, 2024

@anthony-c-martin great! I am happy that the root cause was found so fast.

@jeskew jeskew mentioned this issue Nov 8, 2024
Merged
jeskew added a commit that referenced this issue Nov 11, 2024
@jeskew
Revert "Only add an explicit dependency on an existing resource when …
1435468 
…the deployments engine will use the GET response" (#15524)

Reverts #15447 to address #15513 

There is a subtle bug in the way `dependsOn` is generated when a
non-copy resource (_r_) depends on a copy resource (_parent_) which
depends on a copy resource (_grandparent_) when _parent_ is not included
in the calculated dependency graph. Note that even with this reversion,
this scenario is still broken for non-symbolic name templates, but this
is not unique to v0.31.
###### Microsoft Reviewers: [Open in
CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/15524)
@stephaniezyen stephaniezyen added this to the v0.32 milestone Nov 13, 2024
@stephaniezyen stephaniezyen added bug Something isn't working and removed Needs: Triage 🔍 labels Nov 13, 2024
@jeskew
Copy link
Member

jeskew commented Nov 14, 2024

@slavizh The change included in v0.31 was reverted in the latest version. Leaving this open while we work on fixing the underlying issue for 0.32

@jeskew jeskew mentioned this issue Nov 14, 2024
Merged
@jeskew jeskew changed the title #13674 borke existing syntax when extensibility is enabled #13674 broke existing syntax when extensibility is enabled Nov 14, 2024
@scrocquesel-ml150
Copy link

scrocquesel-ml150 commented Nov 18, 2024
edited
Loading

Hi, could be the same root cause. Azure Devops agent have recently been updated to 0.31.34 and we now have build issues. Note that when using version v0.31.92 locally, we have no issue.

Error BCP036: The property "scope" expected a value of type "resourceGroup" but the provided value is of type "{ }". [https://aka.ms/bicep/core-diagnostics#BCP036]

and the corresponding code is

resource serviceBusResource 'Microsoft.ServiceBus/namespaces@2024-01-01' existing = {
  name: '${env}-svcbus'
  scope: env == 'dev' ? resourceGroup('x-${env}') : resourceGroup('x-${env}-rg')
}

I changed to scope: resourceGroup(env == 'dev' ? 'x-${env}' : 'x-${env}-rg') but I have other build errors.

@jeskew
Copy link
Member

jeskew commented Nov 18, 2024

@scrocquesel-ml150 There's some discussion on that in #15517, and it should be fixed in 0.31.92

@jeskew jeskew changed the title #13674 broke existing syntax when extensibility is enabled dependsOn indexing is broken if it skips over an existing resource with a different for loop or indexing expression Nov 18, 2024
jeskew added a commit that referenced this issue Dec 3, 2024
@jeskew
Move all indexing expressions when calculating dependsOn expressions (
0602a35 
#15580)

Resolves #15513

###### Microsoft Reviewers: [Open in
CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/15580)

Bicep will normally generate an explicit dependency when one resource
refers to another. For example, if the body of `b` includes a symbolic
reference to `a`, then in the compiled JSON template, the declaration
for `b` will have a `dependsOn` property that includes `a`.

However, if `a` is an `existing` resource and the template is not being
compiled to language version 2.0, then the compiler will "skip over" `a`
and have `b` depend on whatever `a` depends on. For example, for the
following template:

```bicep
resource a 'type@version' existing = {
  name: 'a'
  dependsOn: [
    c
  ]
}

resource b 'type@version' = {
  name: 'b'
  properties: {
    foo: a.properties.bar
  }
}

resource c 'type@version' = {
  name: 'c'
}
```

the non-symbolic name output will have `b` depend on `c`.

#15447 added a couple of scenarios in which Bicep would skip over an
existing resource even if compiling with symbolic name support. This was
done because the ARM backend will perform a `GET` request on any
`existing` resource in the template _unless_ its body properties are
never read and no deployed resource explicitly depends on it. The extra
`GET` requests could sometimes cause template deployments to fail, for
example if the deploying principal had permission to use secrets from a
key vault as part of a deployment but did not have more generic /read
permissions on the vault.

#15447 reused some existing logic for skipping over an intermediate
existing dependency that unfortunately had an underlying bug that
manifested when the skipped over resource was looped and used its loop
iterator to index into the dependency once removed. For example, if we
modify the earlier example slightly:

```bicep
resource a 'type@version' existing = [for i in range(0, 10): {
  name: 'a${i}'
  dependsOn: [
    c[i]
  ]
}]

resource b 'type@version' = {
  name: 'b'
  properties: {
    foo: [for i in range(0, 10): a[i].properties.bar]
  }
}

resource c 'type@version' = [for i in range(0, 10): {
  name: 'c${i}'
}]
```

Then in the compiled output, `b` will have an explicit dependency on
`[resourceId('type', format('c[{0}]', copyIndex()))]`. Because `b` is
not looped, the deployment will fail. Related issues will occur if `b`
indexes into `a` with a more complex expression or if there is an
intervening variable.

This PR updates explicit dependency generation to take all steps between
a depending resource and its dependency into account when generating
index expressions. For example, in the following template:

```bicep
resource vnets 'Microsoft.Network/virtualNetworks@2024-03-01' = [for i in range(0, 2): {
  name: 'vnet${i}'
}]

resource subnets 'Microsoft.Network/virtualNetworks/subnets@2024-03-01' existing = [for j in range(0, 10): {
  parent: vnets[j % 2]
  name: 'subnet'
}]

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = [for k in range(11, 10): {
  name: 'vault${k}'
  location: resourceGroup().location
  properties: {
    sku: {
      name: 'standard'
      family: 'A'
    }
    tenantId: subscription().tenantId
    networkAcls: {
      virtualNetworkRules: [{
        id: subnetIds[k - 11]
      }]
    }
  }
}]

var subnetIds = [for l in range(20, 10): subnets[l - 20].id]
```

`vault` will depend on `vnets[(range(20, 10)[k - 11] - 20) % 2]`. Prior
to this PR, `vault` will instead depend on `vnets[k % 2]`, which is the
wrong vnet.

This PR does **not** reapply the change from #15447 but only addresses
the issue described above. #15447 is reapplied in #15693
@github-project-automation github-project-automation bot moved this from Todo to Done in Bicep Dec 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jeskew jeskew

Labels
bug Something isn't working
Projects
Bicep
Archived in project
Milestone
v0.32
Development

Successfully merging a pull request may close this issue.

Move all indexing expressions when calculating dependsOn expressions Azure/bicep
5 participants
@jeskew @slavizh @anthony-c-martin @stephaniezyen @scrocquesel-ml150