
I've got two bicep files, main.bicep and webAppRoleAssignment.bicep

main.bicep

....
module webAppRoleAssignment 'webAppRoleAssignment.bicep' = {
  name: 'webAppRoleAssignment'
  scope: az.resourceGroup('123', 'rg-name')
  params: {
    containerRegistryName: containerRegistryName
    webAppIdentityId: webAppIdentity.id
    webAppIdentityPrincipalId: webAppIdentity.properties.principalId
  }
}

webAppRoleAssignment.bicep

// Parameters passed in from main.bicep
param containerRegistryName string
param webAppIdentityId string
param webAppIdentityPrincipalId string

@description('Role definition ID for the role ACRPull that is assigned to the UserAssignedIdentity')
resource acrPullRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
  scope: subscription()
  name: 'role_name'
}

@description('Existing Container Registry in the same Resource Group')
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
  scope: az.resourceGroup('123', 'rg-name')
  name: containerRegistryName
}

@description('ACRPull role assignment to the Container App User Assigned Identity. Needed to pull images from the Container Registry')
resource webAppRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: containerRegistry
  name: guid(containerRegistry.id, webAppIdentityId)
  properties: {
    principalId: webAppIdentityPrincipalId
    roleDefinitionId: acrPullRoleDefinition.id
    principalType: 'ServicePrincipal'
  }
}

When I try to run this command az bicep build --file .\main.bicep with the code above I get this error:

A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope.

The error points to the scope (containerRegistry) of the "webAppRoleAssignment" resource (webAppRoleAssignment.bicep).
BUT if I change the container registry resource (webAppRoleAssignment.bicep) like this:

@description('Existing Container Registry in the same Resource Group')
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
   scope: az.resourceGroup() //removed resource group id and sub name
   name: containerRegistryName
}

everything works!! And I do not understand why, because the scope pointed to by az.resourceGroup() or az.resourceGroup('123', 'rg-name') should be the same.

Any suggestions?

  • Although both az.resourceGroup() and az.resourceGroup('123', 'rg-name') might represent the same resource group, their usage context within Bicep files differs. Using az.resourceGroup() within module files ensures that the resources correctly inherit the scope from the parent module, preventing scoping conflicts and deployment errors. Refer: learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/… @S-Wing Commented Jun 24, 2024 at 11:51

1 Answer

The wrong Bicep scope in the module is due to scope differences.

When we use scope: az.resourceGroup(subID, RG name) in main.bicep for the webAppRoleAssignment module, all the resources inside the module are scoped to the same RG.

If scope: az.resourceGroup(subID, RG name) is defined inside webAppRoleAssignment.bicep, where you define the container registry, then the scope is explicitly within that same resource group. Whereas if you use scope: az.resourceGroup() inside webAppRoleAssignment.bicep, Bicep implicitly understands it to be the same resource group defined in the module scope. This unique scope works because it defaults the scope to the module level.

Based on the requirement if the scope matches for both the resources as we declared based

main.bicep:

param containerRegistryName string
param webAppIdentity object

module webAppRoleAssignment 'webAppRoleAssignment.bicep' = {
  name: 'webAppRoleAssignment'
  scope: resourceGroup('158b8345-xxxx-xxxx-xxxx-f21815dd048f', 'vkk-resources')
  params: {
    containerRegistryName: containerRegistryName
    webAppIdentityId: webAppIdentity.id
    webAppIdentityPrincipalId: webAppIdentity.properties.principalId
  }
}

webAppRoleAssignment.bicep:

param containerRegistryName string
param webAppIdentityId string
param webAppIdentityPrincipalId string


resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
  scope: resourceGroup()
  name: containerRegistryName
}


resource webAppRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: containerRegistry
  name: guid(containerRegistry.id, webAppIdentityId)
  properties: {
    principalId: webAppIdentityPrincipalId
    roleDefinitionId: '/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
    principalType: 'ServicePrincipal'
  }
}

Deployment succeeded:


Reference:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-scope
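
A cross-resource-group variant of the layout in the answer, as an added example that is not code from the original posts: the explicit subscription and resource group appear only on the module's scope, and the module file references the registry with no scope of its own. The file name acrPullAssignment.bicep and the parameter names registrySubscriptionId, registryResourceGroupName, webAppIdentityName and principalId are assumptions; the block holds two files, separated by comment banners.

```bicep
// ===== main.bicep (added example; names are assumptions) =====

@description('Subscription that holds the registry; defaults to the current one')
param registrySubscriptionId string = subscription().subscriptionId
@description('Resource group that holds the registry; defaults to the current one')
param registryResourceGroupName string = resourceGroup().name
param containerRegistryName string
param webAppIdentityName string

resource webAppIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: webAppIdentityName
}

// The module boundary is the only place the registry's subscription and resource group are named.
module acrPull 'acrPullAssignment.bicep' = {
  name: 'acrPullAssignment'
  scope: resourceGroup(registrySubscriptionId, registryResourceGroupName)
  params: {
    containerRegistryName: containerRegistryName
    principalId: webAppIdentity.properties.principalId
  }
}

// ===== acrPullAssignment.bicep (added example; names are assumptions) =====
param containerRegistryName string
param principalId string

// Built-in AcrPull role (GUID as used in the answer), resolved in the deployment's subscription.
var acrPullRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')

// No scope property: the registry is looked up in the resource group the module is deployed to.
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
  name: containerRegistryName
}

// Assigned on the single registry rather than the resource group, so the identity can pull from this registry only.
resource acrPullAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: containerRegistry
  name: guid(containerRegistry.id, principalId, acrPullRoleId)
  properties: {
    principalId: principalId
    roleDefinitionId: acrPullRoleId
    principalType: 'ServicePrincipal'
  }
}
```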
