why an explicit dependsOn is not supported on a resource Group?

[ranadeb-pramanick]

Scenario

I am trying to load an external json file that contains some inputs regarding storage accounts and resource group. The resource group section of my input contains an input called lookup that determines whether the RG is an existing one or needs to be created as a part of the bicep code dynamically. After creating/ looking up a RG, i have to deploy the storage accounts into that RG.

input.json

{
    "resourcegroup": {
        "lookup": false,
        "name": "bicepRG",
        "location": "eastus"
    },
    "storage": {
        "deployStorage": true,
        "storageInfo": [
            {
                "name": "testrana123",
                "sku": "Standard_LRS"
            },
            {
                "name": "testrana123456",
                "sku": "Standard_LRS"
            }
        ]
    }
}

main.bicep

targetScope= 'subscription'
param inputData object = json(loadTextContent('./input.json'))

var rgData= inputData.resourcegroup
var storageInfo= inputData.storage.storageInfo
var deployStorage= inputData.storage.deployStorage


resource rg 'Microsoft.Resources/resourceGroups@2021-04-01'= if (!rgData.lookup) {
  name: rgData.name
  location: rgData.location
}

resource rgexisting 'Microsoft.Resources/resourceGroups@2021-04-01' existing = {
  name: rgData.name  // do not wanna put rg.name and create a implicit dependency because if lookup is true , then won't rg be null or something?
  //dependsOn: [rg] // THIS DOES NOT WORK
 
}

module stg 'storage-account.bicep' = [for (item, index) in storageInfo: if (deployStorage) {
  name: 'deployment-${item.name}'
  params: {
    name: item.name
    sku: item.sku
  }
  scope: rgexisting

}]

Why am i not able to put a depensdsOn on a RG ? . I am coming from terraform background , and i am able to do the exact same thing in terraform where i can create an RG dynamically , and lookup an RG by using a data block in terraform, but i make it wait until the RG creation block of code executes by putting an explicit dependsOn in the data block that looks up an RG , and then all subsequent reference to the RG is used by using the data block.

[brwilkinson]

You will want to declare your template so that it's idempotent. You expect it to run the same the second time (and subsequent times) that it runs.

You don't need the condition for each scenario of it exists or not Existing. If you want it simply define what you want. If it already exists, it will simply validate it and then move on, if it doesn't exist, it will create it, then move on, Optionally have the if() condition if you want to maintain that list and it's helpful.

That way storage will always just depend on the scope of rg implicitly.

Redeploying over the top of a resource group can have some impact, in that it can remove tags, so you will want to have all necessary properties of the RG in your definition.

I would recommend to layer your deployments. Create a module that creates the resource groups and sets up RBAC and tags that you deploy into the subscription scope.

Then use a different combination of module/s to deploy storage and other resources in the specific resource group scope. That way you don't even need to specify any scope, it will deploy (and create resources) directly in the resource group that you deployed it into.

This format should scale better for code re-use.

Also based on least privilege you may use a different service principal (SP) with different RBAC for the Subscription deployment, with permissions to create the RG/RBAC, than the SP that deploys within a specific resource group.

[ranadeb-pramanick]

Hi @brwilkinson

I understand what you are saying . However i have made it to work by using the following code. Setup is that i already have a RG in azure with tags, and i just want to use it . Value of lookup is true in the below code. What i cant understand is that even though i am not deploying the resource group because of the lookup condition, i was expectiing rg.name to be null or something, but strangely this works and because of this i am able to establish an implicit dependency using rg.name and i am not requiring a depends on . Can you please explain me this behavior. Please have a look at the main.bicep

targetScope= 'subscription'
param inputData object = json(loadTextContent('./input.json'))

var rgData= inputData.resourcegroup
var storageInfo= inputData.storage.storageInfo
var deployStorage= inputData.storage.deployStorage


resource rg 'Microsoft.Resources/resourceGroups@2021-04-01'= if (!rgData.lookup) {
  name: rgData.name
  location: rgData.location  
}

resource rgexisting 'Microsoft.Resources/resourceGroups@2021-04-01' existing = {
  name: rg.name  // how come rg is not null even though i am not deploying the RG
}

module stg 'storage-account.bicep' = [for (item, index) in storageInfo: if (deployStorage) {
  name: 'deployment-${item.name}'
  params: {
    name: item.name
    sku: item.sku
  }
  scope: rgexisting

}]

input.json

{
    "resourcegroup": {
        "lookup": true,
        "name": "bicepRG",
        "location": "eastus"
    },
    "storage": {
        "deployStorage": true,
        "storageInfo": [
            {
                "name": "testrana123",
                "sku": "Standard_LRS"
            },
            {
                "name": "testrana123456",
                "sku": "Standard_LRS"
            }
        ]
    }
}

[brwilkinson]

You can see how this works under the covers via the following:

Bicep is an intermediate language, which 'builds' down to ARM templates.

So if you want to dig a little deeper and understand how things work:

I would become familiar with the Bicep Build command: bicep build mytemplate.bicep

• This will allow you to see the compiled intermediate language, which may assist in your understanding. It's not necessary to understand everything in here (unless you want to), however it may answer some question that come up in the future. This temporary file is created each time you deploy, that is send to the Azure Resource Manager.

So the compiled JSON has the following from your Bicep to JSON conversion.
i.e. explicitly depends on are built into the JSON from references in your Bicep.

      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgData').name)]"
      ]

Also test removing the "existing resource" all together: when you review/compare the compiled bicep with and without the "existing resource", the compiled file should be identical. when you do remove it just update the scope e.g. scope: rg instead of scope: rgexisting

Also, just to add all templates go through a process of pre-flight validation in the Azure Resource Manager

Just prior to being deployed, this is after the Build once they are in the JSON format, as part of the deploy.

• If you enable the verbose output on the deployment, you will see when this stage completes.

VERBOSE: 10:21:35 AM - Template is valid.

During this stage, a graph is created of the following to ensure things are unique and that everything can be validated (in the region that it is being deployed):

• deployment names
• conditions
• resource names
• dependencies names
• other checks

So, for this reason, (the check for unique resource names) the rg.name 'must' be known to complete those checks, since it's part of the graph. If the resource group exists in one region (for example), then you attempt to reference it as a dependency in an different region, that will FAIL the pre-flight checks. The same if your storage account exists in an alternate RG.

--
a few other things..

• If you have a single template to create things, you will ensure you have consistent naming. E.g. public ip addresses, resource groups Etc..

• I recommend these Learn modules: https://aka.ms/learnbicep

  • These are amazing and easy to consume modules on Bicep, which will assist in your transition from TF/HCL to Bicep much faster.
  • If you are not familiar with the Microsoft Learn platform, it's small easy to consume module with explanations and examples and even spins up sandbox lab environments to work in, directly in Azure, in a temporary subscription.

• I would recommend passing your values in via a parameter file instead of loadTextContent(). (loadTextContext is a brand-new feature, however I would assume/guess at this point that it's best to) save the loadcontext for static variables. Or at least know/understand that when you do use loadTextContent on the parameter it is just setting defaults (may not be problematic), looking at the output from the bicep build will allow you to see that. However these can be overwritten at deployment time with any param file, So having the param file there in the first place may assist with others to consume your templates easier and scale them out via multiple parameter files.

Example of using the param file:
e.g. depending if you are using az cli or az powershell ?

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-cli#deployment-scope
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell#deployment-scope

e.g. PowerShell [edited]

New-AzSubscriptionDeployment -Location eastus2 -TemplateFile mytemplate.bicep -TemplateParameterFile mySub1.json

Hopefully that information is useful.

[brwilkinson]

https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-6.3.0#example-1--use-a-custom-template-and-parameter-file-to-create-a-deployment

https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-6.3.0#example-1--use-a-custom-template-and-parameter-file-to-create-a-deployment

just realized the samples above didn't have the parameter file examples, so adding the above link,... it's the same as with the ARM json that however with a template.bicep file.

[brwilkinson]

@ranadeb-pramanick how did you go with the Bicep Build? did you get all the answers that you were looking for?