
Microsoft.EventGrid/eventSubscriptions resource requires more permissions for deployment in bicep v0.31.92 #15686

Closed
AleksandrKomarov opened this issue Nov 25, 2024 · 1 comment · Fixed by #15693
@AleksandrKomarov

Bicep version
v0.31.92

Describe the bug
Newly compiled ARM templates now require additional permissions for deployment.

To Reproduce
Steps to reproduce the behavior:

We have a Bicep module, which is deployed by a principal with the EventGrid EventSubscription Contributor RBAC role:

param eventSubscriptionName string
param eventTypes string[]   // user-defined/typed array parameter
param eventGridTopicName string
param backendAppId string
param functionAppName string
param functionName string

// Existing resources that the subscription references; they are resolved, not deployed
resource functionApp 'Microsoft.Web/sites@2023-01-01' existing = {
  name: functionAppName
}

resource eventGridTopic 'Microsoft.EventGrid/topics@2022-06-15' existing = {
  name: eventGridTopicName
}

// The only resource this module actually creates: a webhook subscription scoped to the topic
resource eventSubscription 'Microsoft.EventGrid/eventSubscriptions@2022-06-15' = {
  name: eventSubscriptionName
  scope: eventGridTopic
  properties: {
    eventDeliverySchema: 'EventGridSchema'
    filter: {
      enableAdvancedFilteringOnArrays: true
      includedEventTypes: eventTypes
    }
    destination: {
      endpointType: 'WebHook'
      properties: {
        maxEventsPerBatch: 1
        // Event Grid authenticates to the webhook with an AAD token for this app/tenant
        azureActiveDirectoryApplicationIdOrUri: backendAppId
        azureActiveDirectoryTenantId: subscription().tenantId
        // Function host URL plus the Event Grid extension system key, read at deployment time
        endpointUrl: 'https://${functionApp.properties.defaultHostName}/runtime/webhooks/EventGrid?functionName=${functionName}&code=${listkeys('${functionApp.id}/host/default', '2016-08-01').systemkeys.eventgrid_extension}'
      }
    }
    retryPolicy: {
      eventTimeToLiveInMinutes: 65
    }
  }
}

Bicep v0.30.23 generated the following ARM template:

"resources": [
  {
    "type": "Microsoft.EventGrid/eventSubscriptions",
    "apiVersion": "2022-06-15",
    "scope": "[format('Microsoft.EventGrid/topics/{0}', parameters('eventGridTopicName'))]",
    "name": "[parameters('eventSubscriptionName')]",
    "properties": {
      "eventDeliverySchema": "EventGridSchema",
      "filter": {
        "enableAdvancedFilteringOnArrays": true,
        "includedEventTypes": "[parameters('eventTypes')]",
        "advancedFilters": "[parameters('advancedFilters')]"
      },
      "destination": {
        "endpointType": "WebHook",
        "properties": {
          "maxEventsPerBatch": 1,
          "azureActiveDirectoryApplicationIdOrUri": "[parameters('backendAppId')]",
          "azureActiveDirectoryTenantId": "[subscription().tenantId]",
          "endpointUrl": "[format('https://{0}/runtime/webhooks/EventGrid?functionName={1}&code={2}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('functionAppSubscriptionId'), parameters('functionAppResourceGroupName')), 'Microsoft.Web/sites', parameters('functionAppName')), '2023-01-01').defaultHostName, parameters('functionName'), listkeys(format('{0}/host/default', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('functionAppSubscriptionId'), parameters('functionAppResourceGroupName')), 'Microsoft.Web/sites', parameters('functionAppName'))), '2016-08-01').systemkeys.eventgrid_extension)]"
        }
      },
      "retryPolicy": {
        "eventTimeToLiveInMinutes": 65
      }
    }
  }
]

and Bicep v0.31.92 generates:

"resources": {
  "functionApp": {
    "existing": true,
    "type": "Microsoft.Web/sites",
    "apiVersion": "2023-01-01",
    "subscriptionId": "[parameters('functionAppSubscriptionId')]",
    "resourceGroup": "[parameters('functionAppResourceGroupName')]",
    "name": "[parameters('functionAppName')]"
  },
  // this is a new reference
  "eventGridTopic": {
    "existing": true,
    "type": "Microsoft.EventGrid/topics",
    "apiVersion": "2022-06-15",
    "name": "[parameters('eventGridTopicName')]"
  },
  "eventSubscription": {
    "type": "Microsoft.EventGrid/eventSubscriptions",
    "apiVersion": "2022-06-15",
    "scope": "[format('Microsoft.EventGrid/topics/{0}', parameters('eventGridTopicName'))]",
    "name": "[parameters('eventSubscriptionName')]",
    "properties": {
      "eventDeliverySchema": "EventGridSchema",
      "filter": {
        "enableAdvancedFilteringOnArrays": true,
        "includedEventTypes": "[parameters('eventTypes')]",
        "advancedFilters": "[parameters('advancedFilters')]"
      },
      "destination": {
        "endpointType": "WebHook",
        "properties": {
          "maxEventsPerBatch": 1,
          "azureActiveDirectoryApplicationIdOrUri": "[parameters('backendAppId')]",
          "azureActiveDirectoryTenantId": "[subscription().tenantId]",
          "endpointUrl": "[format('https://{0}/runtime/webhooks/EventGrid?functionName={1}&code={2}', reference('functionApp').defaultHostName, parameters('functionName'), listkeys(format('{0}/host/default', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('functionAppSubscriptionId'), parameters('functionAppResourceGroupName')), 'Microsoft.Web/sites', parameters('functionAppName'))), '2016-08-01').systemkeys.eventgrid_extension)]"
        }
      },
      "retryPolicy": {
        "eventTimeToLiveInMinutes": 65
      }
    },
    // this is a new reference
    "dependsOn": [
      "eventGridTopic",
      "functionApp"
    ]
  }
}

The Microsoft.EventGrid/topics existing resource requires the Microsoft.EventGrid/topics/read permission during deployment, but

@jeskew
Member

jeskew commented Nov 25, 2024

This should be addressed by an enhancement we're aiming to ship with 0.32. Bicep infers a deployment's dependency graph and emits this as dependsOn properties in the compiled JSON template, and this logic was never updated to account for a backend change made some time ago to reduce the behavioral differences between "classic" ARM JSON templates and language version 2.0 that would be observable to Bicep users.

FYSA, the line param eventTypes string[] is what's causing your template to compile with existing resources in the JSON template -- user-defined types require language version 2.0, which also makes existing resources first-class citizens in the JSON template.
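As an added pre-deployment check (not code from this issue, from Bicep or from Azure), the script below reads a compiled template in either the classic array layout or the language version 2.0 object layout shown in the issue body and explained in the comment above, lists every existing resource that a deployed resource depends on together with the <type>/read action needed to resolve it, and compares those against the actions the deploying principal holds. Both the template and the principal's action list are constructed samples; the real actions a role grants must be taken from its role definition.

```python
import fnmatch
import json

# Constructed sample in the language version 2.0 shape Bicep v0.31.92 emits (trimmed to the relevant keys).
SAMPLE_TEMPLATE = json.dumps({
    "languageVersion": "2.0",
    "resources": {
        "functionApp": {"existing": True, "type": "Microsoft.Web/sites",
                        "name": "[parameters('functionAppName')]"},
        "eventGridTopic": {"existing": True, "type": "Microsoft.EventGrid/topics",
                           "name": "[parameters('eventGridTopicName')]"},
        "eventSubscription": {"type": "Microsoft.EventGrid/eventSubscriptions",
                              "name": "[parameters('eventSubscriptionName')]",
                              "dependsOn": ["eventGridTopic", "functionApp"]},
    },
})
# Constructed (hypothetical) action list for the deploying principal: it can manage
# event subscriptions and read the function app, but holds no action on topics.
SAMPLE_ALLOWED_ACTIONS = ["Microsoft.EventGrid/eventSubscriptions/*", "Microsoft.Web/sites/read",
                          "Microsoft.Web/sites/host/listkeys/action"]

def iter_resources(template):
    """Yield (symbolic name, resource) for both the classic array and the 2.0 object layout."""
    res = template.get("resources", [])
    if isinstance(res, dict):
        yield from res.items()
    else:  # classic templates have no symbolic names; use the array position instead
        for i, r in enumerate(res):
            yield f"resources[{i}]", r

def existing_read_dependencies(template_json):
    """Map each 'existing' resource a deployed resource depends on to the '<type>/read' action needed."""
    resources = dict(iter_resources(json.loads(template_json)))
    existing = {n for n, r in resources.items() if r.get("existing") is True}
    needed = {}
    for name, r in resources.items():
        if name in existing:
            continue
        for dep in r.get("dependsOn", []):
            if dep in existing:  # classic dependsOn holds resource IDs, so it never matches here
                needed[dep] = resources[dep]["type"] + "/read"
    return needed

def missing_actions(needed, allowed_actions):
    """Return required actions not covered by any allowed action (RBAC wildcards, case-insensitive)."""
    patterns = [p.lower() for p in allowed_actions]
    return sorted(a for a in set(needed.values())
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
```

For the sample, missing_actions reports Microsoft.EventGrid/topics/read, the permission the issue body says the principal lacks; running it over the v0.30.23 array-layout output reports nothing, because there the dependencies were never emitted.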
