
I'm trying to create a resource group and add a key vault to it.

However, I'm not able to set the new resource group as a target resource group for the key vault.

How can I have the key vault assigned to the newly created resource group without creating a second Bicep module for it?

var loc = 'westus'

// outputs the newly created resource group
module rgCreate 'test.rg.bicep' = {
  scope: subscription()
  name: 'rgCreate'
  params: {
    rgLocation: loc
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: 'Test'
  location: loc
  properties: {
    enabledForTemplateDeployment: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
  }
}

This is the workflow I'm aiming at:

Adding Resources to newly created ResourceGroup

Thomas
AxD
  • You have different scopes here: to create a resource group you need subscription scope, and to create the key vault you need resource group scope, so you will have to create a new module – Thomas Aug 03 '22 at 20:23
  • Then the first time your resource group is not created, so you can't have your main.bicep file with scope resourceGroup unless you're starting the deployment from another RG – Thomas Aug 05 '22 at 00:14
  • Hi @Thomas, I received an [answer from the Bicep team](https://github.com/Azure/bicep/issues/7819#issuecomment-1205242644). They suggest starting off with a `Subscription` Bicep file which then launches a `ResourceGroup` file. Unfortunately, the [New-AzSubscriptionDeployment](https://learn.microsoft.com/de-de/powershell/module/az.resources/new-azdeployment) cmdlet is [lacking a `Mode` parameter](https://github.com/Azure/azure-powershell/issues/19147) at this time. – AxD Aug 05 '22 at 07:32
  • I don't see how the `Mode` parameter would help in this case? – Thomas Aug 05 '22 at 08:46
  • Bicep/ARM template files are supposed to be idempotent. So, they can be run on an empty system as well as on a pre-populated system. Using the `Mode` parameter you can decide whether to retain obsolete resources or not. – AxD Aug 05 '22 at 12:30

1 Answer


First, if the resource group does not exist, you can't have targetScope = 'resourceGroup' in the main.bicep file. The command az deployment group create will fail:

{"code": "ResourceGroupNotFound", "message": "Resource group '' could not be found."}

You could always trigger the deployment from another resource group that already exists (not sure if it's a good idea tho).

An approach could be to have your main.bicep invoking two modules: one for resource group creation, one for resource creation:

// =========== rg.bicep ===========

// Setting target scope
targetScope = 'subscription'

param name string
param location string

// Creating resource group
resource rg 'Microsoft.Resources/resourceGroups@2021-01-01' = {
  name: name
  location: location
}

// =========== resources.bicep ===========

param location string = resourceGroup().location
param keyVaultName string
...

//Deploying key vault
resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: keyVaultName
  location: location
  properties: {
    enabledForTemplateDeployment: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
  }
}

// Deploying other resources
...

// =========== main.bicep ===========

// Setting target scope
targetScope = 'subscription'

// Parameters
param rgName string = 'test-rg'
param rgLocation string = 'westus'
param keyVaultName string
...

// Creating resource group
module rgModule 'rg.bicep' = {
  scope: subscription()
  name: '${rgName}-create'
  params: {
    name: rgName
    location: rgLocation
  }
}

// Deploying resources in the newly created resource group
module resources 'resources.bicep' = {
  name: '${rgName}-resources-deployment'
  scope: resourceGroup(rgName)
  dependsOn: [ rgModule ]
  params: {
    location: rgLocation
    keyVaultName: keyVaultName
    ...
  }
}

To be honest, you could just run the az group create command before deploying your template; it will make things simpler.

Thomas
  • Actually, I'm aiming at creating resources during CI/CD for end-to-end testing. That's why I want to put it all into a single, atomic Bicep call. – AxD Aug 05 '22 at 07:33
  • Using CI/CD it could be 2 steps: create RG then deploy. The solution I posted sounds complicated for nothing – Thomas Aug 05 '22 at 08:45
  • I don't see it as being complicated at all. – AxD Aug 05 '22 at 12:29
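The subscription-scoped main.bicep from the answer still has to be launched at subscription scope (az deployment sub create, not the az deployment group create that fails with ResourceGroupNotFound). As an added example that is not part of the answer, here is a bash wrapper for the single CI job the question asks for: it validates, previews with what-if, deploys, and then checks that the vault really sits in the new resource group. The parameter names rgName, rgLocation and keyVaultName follow the answer's main.bicep; the "-e2e" deployment name suffix and the script name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the answer): launch the answer's subscription-scoped
# main.bicep from a CI job as one deployment, validating and previewing first.
set -eu

# Run one "az deployment sub" sub-command (validate, what-if or create) against
# main.bicep. The parameters rgName, rgLocation and keyVaultName match the
# answer's main.bicep; the "-e2e" deployment name suffix is an assumption.
az_sub() {
  local cmd="$1" rg_name="$2" location="$3" kv_name="$4"
  az deployment sub "$cmd" \
    --name "${rg_name}-e2e" \
    --location "$location" \
    --template-file main.bicep \
    --parameters "rgName=$rg_name" "rgLocation=$location" "keyVaultName=$kv_name"
}

# Full pipeline step: fail fast on a template error, show the preview in the job
# log, create the resource group plus vault, then confirm the vault is in the new
# resource group (its resource id is the last line written to stdout).
deploy_e2e() {
  local rg_name="$1" location="$2" kv_name="$3"
  az_sub validate "$rg_name" "$location" "$kv_name" >/dev/null
  az_sub what-if  "$rg_name" "$location" "$kv_name"
  az_sub create   "$rg_name" "$location" "$kv_name" >/dev/null
  az keyvault show --name "$kv_name" --resource-group "$rg_name" --query id -o tsv
}

# Usage: ./deploy_e2e.sh deploy <rgName> <location> <keyVaultName>
if [ "${1:-}" = "deploy" ]; then
  deploy_e2e "$2" "$3" "$4"
fi
```

Because every step is a separate az call under set -e, a failed validate or what-if stops the job before anything is created, and the final az keyvault show fails the job if the vault ended up anywhere other than the new resource group.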