How to access/cast the module output to specific object in bicep? - McMap

About

How to access/cast the module output to specific object in bicep?

Asked 15/10, 2021 at 12:18 Answered 17/10, 2021 at 22:23

azure azure-devops azure-resource-manager infrastructure-as-code azure-bicep

M

1

6

I am having below bicep which is returning keyvault. I like to access the properties/functions in keyvault in parent bicep. But not sure how to achieve when using it as a module.

I have keyvault.bicep

    resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
         name: kvName
         scope: resourceGroup(subscriptionId, kvResourceGroup )
       }
       output kv1 object=kv

I have parent.bicep (where keyvault.bicep is included as module)

   module kv './keyvault.bicep' = {
     name: 'get Secrets'
     params: {
       subscriptionId: subscriptionId
       kvResourceGroup: resourceGroupName
       kvName: keyVaultName
     }
   }
   var pwd= kv.outputs.kv1.getSecret('key')

but getSecret method is unknown in parent bicep

Kindly suggest how to proceed?

Manometer answered 15/10, 2021 at 12:18 Comment(5)

do you really need the key vault bicep file ? you could just reference key vault directly in the parent bicep file ? – Affettuoso 15/10, 2021 at 20:40

How are you going to use this pwd variable in the rest of the template? The thing is that getSecret function has some special requirements on how it can be used. – Guinevere 15/10, 2021 at 23:50

@Affettuoso Here Keyvault is just an example.. It can be storage account or resource group.. – Manometer 17/10, 2021 at 20:28

@Guinevere I agree with you, that it cannot be assigned to the variable. It can only be assigned to a secure parameter to the module. As I was saying, the key vault is an example. I understood from the below answer that this feature is currently unsupported in the bicep. – Manometer 19/10, 2021 at 21:11

I am not sure why it is downvoted. Please comment why it is downvoted? – Manometer 19/10, 2021 at 21:13

A

4

The short answer is that is not supported.

In your parent.bicep file, kv is a module reference, not a resource. In order to correctly understand the parent-child resource hierarchy, Bicep requires a resource reference of the correct parent type in the parent property value.

Tho there is a proposal to simplify resource referencing:

https://github.com/Azure/bicep/issues/2246

Let say you have keyvault.bicep module that creates a key vault

resource kv 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: kvName
  ...
}

output name string = kv.name

In the parent.bicep, you could get a reference to key vault like that:

module kvModule './keyvault.bicep' = {
  name: 'key-vault-${keyVaultName}'
  params: {
    kvName: keyVaultName
    ...
  }
}

resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: kvModule.outputs.name
}

In you example, there are few things:

The key vault module just gets a reference to key vault so you don't really need a module, you could just reference the key vault directly in the parent.bicep file.
The getSecret function is a really specific function, you can only use it to pass secure parameter to another module:

Returns a secret from an Azure Key Vault. The getSecret function can only be called on a Microsoft.KeyVault/vaults resource. Use this function to pass a secret to a secure string parameter of a Bicep module. The function can be used only with a parameter that has the @secure() decorator.

Affettuoso answered 17/10, 2021 at 22:23 Comment(4)

Thank you... So means getSecret function cannot be used if the resource is present in parent bicep... it can only be passed as a secure param to the module. Please correct me if my understanding is wrong. – Manometer 18/10, 2021 at 10:22

This will not work: resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = { name: kvModule..outputs.name } This expression is being used in an assignment to the "name" property of the "Microsoft.KeyVault/vaults" type, which requires a value that can be calculated at the start of the deployment. Properties of keyVaultModule which can be calculated at the start include "name".bicep(BCP120) – Acie 5/1, 2022 at 7:56

@MarkusMeyer could you please elaborate ? not sure if it is related – Affettuoso 19/4, 2022 at 8:56

@sub, the secret must exist before the deployment starts. You could wrap it in it s own module to make it work – Affettuoso 19/4, 2022 at 8:57

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.