2

Suppose I have two files/modules in Azure Bicep, both are called in a 'main.bicep'. One is called 'storage.bicep' and contains, among others, the following code to create a storageAccount:

// Parameters used below; declared elsewhere in storage.bicep, repeated here so the excerpt compiles on its own
param location string = resourceGroup().location
param storageAccountSku string = 'Standard_LRS'

resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' = {
  name: 'tmpst4dnbnlp'
  location: location
  sku: {
    name: storageAccountSku
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false   // no anonymous blob access
    accessTier: 'Hot'
  }
}

Another file contains some Logic App definitions and is called 'orchestration.bicep'. Now in this file there is a part where I want to reference the 'storageAccountTemp' resource from module 'storage.bicep', so as to grant the Logic App's system-assigned managed identity the Contributor role on it:

resource logicAppStorageAccountRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  scope: 'xxx'
  name: guid('ra-logicapp-${roleDefinitionId}')
  properties: {
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: logicAppTest.identity.principalId
  }
}

Where I need to specify the scope (that now says 'xxx'). I can't say resourceGroup() since the storage is in a different resource group. Instead, I want to reference the storageAccountTemp object. This seems impossible to do when the object is in a different module (I tried outputting the name and id and using these, but this was not accepted by Bicep).

Is there any way I can actually reference the original storageAccountTemp object from 'storage.bicep' in the 'orchestration.bicep' file?

Tim

1 Answer

3

You need to use an `existing` resource declaration. So you'll have something like:

// Reference (do not deploy) the account that storage.bicep created in another resource group
resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
  scope: resourceGroup('blah')   // resource group that holds the storage account
  name: 'tmpst4dnbnlp'
}

And then you can use that for the scope property on the roleAssignment. How you get blah (the resourceGroup name) and the storageAccount name to the roleAssignment module depends... if the two modules are peers in the orchestrator, then usually those params are known and can be passed to both modules. Failing that you can use outputs from the storage module and pass those in as params to the roleAssignment.

That help?

bmoore-msft
    Yes, tremendous. Works like a charm! This existing method is great. I could also use it to pass a secret from one module to another without outputting it by using this. Never thought of this – Tim Sep 16 '22 at 14:19
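To show the whole pattern end to end, here is an added example (not code from the question or the answer above) wiring the three files together: main.bicep deploys the storage module into the other resource group and forwards that module's outputs to the orchestration module, which declares the account as `existing` with a cross-resource-group `scope` and uses it as the scope of the role assignment. The file layout, parameter names, the minimal Logic App definition and the resource group parameter are assumptions for illustration; the role IDs are the well-known built-in Contributor and Storage Blob Data Contributor definitions. The role assignment name is derived from the target resource ID, the principal and the role so that it is deterministic and cannot collide with an assignment on another scope.

```bicep
// ---- main.bicep (deployed into the Logic App's resource group) ----
param location string = resourceGroup().location
param storageResourceGroupName string            // assumed: RG that holds the storage account
param storageAccountName string = 'tmpst4dnbnlp'
param storageAccountSku string = 'Standard_LRS'

module storage 'storage.bicep' = {
  name: 'storage'
  scope: resourceGroup(storageResourceGroupName)  // deploy into the other RG
  params: {
    location: location
    storageAccountName: storageAccountName
    storageAccountSku: storageAccountSku
  }
}

module orchestration 'orchestration.bicep' = {
  name: 'orchestration'
  params: {
    location: location
    // Using the outputs (rather than the raw params) also makes this module
    // implicitly depend on the storage module, so the account exists first.
    storageResourceGroupName: storage.outputs.resourceGroupName
    storageAccountName: storage.outputs.name
  }
}

// ---- storage.bicep ----
param location string
param storageAccountName string
param storageAccountSku string

resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' = {
  name: storageAccountName
  location: location
  sku: { name: storageAccountSku }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    accessTier: 'Hot'
  }
}

output name string = storageAccountTemp.name
output resourceGroupName string = resourceGroup().name

// ---- orchestration.bicep ----
param location string
param storageResourceGroupName string
param storageAccountName string
// Contributor, as in the question. If the workflow only needs blob data access,
// Storage Blob Data Contributor (ba92f5b4-2d11-453d-a403-e96b0029c9fe) is the
// least-privilege choice and does not grant control-plane rights on the account.
param roleDefinitionId string = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

// Assumed minimal workflow: an empty definition with a system-assigned identity
resource logicAppTest 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'logic-app-test'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      triggers: {}
      actions: {}
      outputs: {}
    }
  }
}

// Reference, not deploy: the account lives in another resource group
resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
  name: storageAccountName
  scope: resourceGroup(storageResourceGroupName)
}

resource logicAppStorageAccountRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // scope + principal + role make the name unique and idempotent across redeployments
  name: guid(storageAccountTemp.id, logicAppTest.id, roleDefinitionId)
  scope: storageAccountTemp                        // the existing resource is the scope
  properties: {
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: logicAppTest.identity.principalId
  }
}
```

Deploy with `az deployment group create --resource-group <logic-app-rg> --template-file main.bicep --parameters storageResourceGroupName=<storage-rg>`; the identity running the deployment needs permission to create role assignments (for example Owner or User Access Administrator) on the storage account's resource group, since that is where the assignment is written.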