RBAC Bicep module InvalidDeployment: The 'location' property must be specified for #4330

elmerguevara · 2021-09-07T21:36:54Z

elmerguevara
Sep 7, 2021

Hi, we are currently trying to move our RBAC assignments into source control and running into the following issue when deploying with Azure Devops using the built in ARM deployment task. InvalidDeployment: The 'location' property must be specified for 'rbacMgTest'

There is 3 files: a mgTest.bicep which has role assignments scoped at the MG level. This is a snippet, there a many assignments in this file.

resource Elevated_AzureMG_Test_Admin_null_Security_Admin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid('Elevated_AzureMG_Test_Admin (null) : Security Admin')
  properties: {
    roleDefinitionId: '${roleDefPrefix}${string('fb1c8493-542b-48eb-b624-b4c8fea62acd')}'
    principalId: 'xxxx-xxxx-xxxx'
  }
}

subTest.bicep which has role assignments scoped at the sub level. This is a snippet, there a many assignments in this file.

resource Azure_Test__Admin_Contributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid('Azure_Test__Admin : Contributor')
  properties: {
    roleDefinitionId: '${roleDefPrefix}${string('b24988ac-6180-42a0-ab88-20f7382dd24c')}'
    principalId: 'xx-xxxxx-xxxxx'
  }
}

and mainTest.bicep

module mgTest 'mgTest.bicep' = {
  name: 'rbacMgTest'
}

module subTest 'subTest.bicep' = {
  name: 'rbacSubTest'
}

I was hoping to use a main bicep file and deploy that with the below task in order to avoid having to create a task for each bicep module we will have for rbac assignments (mg, sub and resource group level). The templates work fine when deploying locally and when deploying individually. The problem arises when I try to call them and deploy them to a single main bicep file.

steps:
- script: az bicep build -f ./mgTest/mainTest.bicep
  displayName: 'Building the Azure Bicep File'


- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Management Group'
    azureResourceManagerConnection: 'ADO-Pipeline'
    subscriptionId: ''
    location: ''
    templateLocation: 'Linked artifact'
    csmFile: './mgTest/mainTest.json'
    deploymentMode: 'Validation'

The ADO error

2021-09-07T20:50:36.1748954Z There were errors in your deployment. Error code: MultipleErrorsOccurred.
2021-09-07T20:50:36.1794340Z ##[error]Multiple error occurred: BadRequest,BadRequest. Please see details.
2021-09-07T20:50:36.1806838Z ##[error]Details:
2021-09-07T20:50:36.1808666Z ##[error]InvalidDeployment: The 'location' property must be specified for 'mgTest'. Please see https://aka.ms/deploy-to-subscription for usage details.
2021-09-07T20:50:36.1810236Z ##[error]InvalidDeployment: The 'location' property must be specified for 'subTest'. Please see https://aka.ms/deploy-to-subscription for usage details.
2021-09-07T20:50:36.1811940Z ##[error]Check out the troubleshooting guide to see if your issue is addressed: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
2021-09-07T20:50:36.1813898Z ##[error]Task failed while creating or updating the template deployment.
2021-09-07T20:50:36.1923421Z ##[section]Finishing: AzureResourceManagerTemplateDeployment

Thank you for the help and please let me know if you need any clarification on what we are trying to achieve.

Answered by anthony-c-martin

Sep 7, 2021

Without the targetScope being specified, Bicep is assuming you're trying to deploy to the resourceGroup scope, so doesn't do any validation for location. The deployments engine allows your file to be deployed at a higher scope, regardless of the missing location. The solution is to use targetScope - e.g.:

mgTest.bicep

targetScope = 'managementGroup'

resource Elevated_AzureMG_Test_Admin_null_Security_Admin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid('Elevated_AzureMG_Test_Admin (null) : Security Admin')
  properties: {
    roleDefinitionId: '${roleDefPrefix}${string('fb1c8493-542b-48eb-b624-b4c8fea62acd')}'
    principalId: 'xxxx-xxxx-xxxx'
  }
}

sub…

View full answer

anthony-c-martin · 2021-09-07T21:43:55Z

anthony-c-martin
Sep 7, 2021
Maintainer

Without the targetScope being specified, Bicep is assuming you're trying to deploy to the resourceGroup scope, so doesn't do any validation for location. The deployments engine allows your file to be deployed at a higher scope, regardless of the missing location. The solution is to use targetScope - e.g.:

mgTest.bicep

targetScope = 'managementGroup'

resource Elevated_AzureMG_Test_Admin_null_Security_Admin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid('Elevated_AzureMG_Test_Admin (null) : Security Admin')
  properties: {
    roleDefinitionId: '${roleDefPrefix}${string('fb1c8493-542b-48eb-b624-b4c8fea62acd')}'
    principalId: 'xxxx-xxxx-xxxx'
  }
}

subTest.bicep

targetScope = 'managementGroup'

resource Azure_Test__Admin_Contributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid('Azure_Test__Admin : Contributor')
  properties: {
    roleDefinitionId: '${roleDefPrefix}${string('b24988ac-6180-42a0-ab88-20f7382dd24c')}'
    principalId: 'xx-xxxxx-xxxxx'
  }
}

mainTest.bicep

targetScope = 'managementGroup'

module mgTest 'mgTest.bicep' = {
  name: 'rbacMgTest'
  location: deployment().location
}

module subTest 'subTest.bicep' = {
  name: 'rbacSubTest'
  location: deployment().location
}

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RBAC Bicep module InvalidDeployment: The 'location' property must be specified for #4330

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

RBAC Bicep module InvalidDeployment: The 'location' property must be specified for #4330

elmerguevara Sep 7, 2021

Replies: 1 comment

anthony-c-martin Sep 7, 2021 Maintainer

elmerguevara
Sep 7, 2021

anthony-c-martin
Sep 7, 2021
Maintainer