Scope function in resource declaration with loop #6598
-
|
Background: We are preparing some modules for an elite project. We would like to know an approach to deploy multiple resources within its corresponding resource group while looping in the resource module. We want to declare the resource group along with the other resource parameters in a Json file. How the module works: ASG Bicep file has a loop that iterates 2 times for creating 2 ASGs. This gets called in the main.bicep and with the given input parameter of 2 ASGs, its deploying 2 ASGs. But the issue is, its getting deployed to the same RG1 from the Resource deployment command that we executed. Command: New-AzResourceGroupDeployment -ResourceGroupName "RG1" -TemplateFile "main.bicep" -TemplateParameterFile "mainparam.json" Requirement: ASG1 and ASG2 must be deployed to 2 different RGs - RG11 and RG22. How can we achieve this WITHOUT MODIFYING MY ASG.BICEP file? Would really appreciate your support on this as we have many modules and modifying them would be tedious task. Modules: sharing below a ASG bicep, main bicep and a parameter file. ASG Bicep file resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2021-05-01' = [for asgName in asgNames: { Main Bicep file module asgloop 'az-asg/ASG.bicep' = { Param json file |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 8 replies
-
|
You can create your base Modules for any Resource kind. Most of the time this will be a Resource Group scoped deployment. Then you can layer another module on top of that which can start as a Subscription Scoped deployment. However when you call the first module, you scope it to the specific resource group that you want to target. Here is an example of a Subscription scoped deployment. https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/sub-RBAC.bicep#L54 module UAI 'sub-RBAC-ALL.bicep' = [for (uai, index) in uaiinfo: if (bool(Stage.UAI) && contains(uai,'RBAC')) {
name: 'dp-rbac-uai-${Prefix}-${uai.name}'
params: {
Deployment: deployment
Prefix: Prefix
rgName: rg
Enviro: enviro
Global: Global
roleInfo: uai
providerPath: 'Microsoft.ManagedIdentity/userAssignedIdentities'
namePrefix: '-uai'
providerAPI: '2018-11-30'
principalType: 'ServicePrincipal'
}
}]This loops through the above and calls the following Module, which then redirects to a specific Resource Group https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/sub-RBAC-ALL.bicep#L83 module RBACRARG 'sub-RBAC-ALL-RA-RG.bicep' = [for (rbac, index) in roleAssignment: if (Enviro != 'G0' && Enviro != 'M0') {
name: replace('dp-rbac-all-ra-${roleInfo.name}-${index}','@','_')
scope: resourceGroup(rbac.DestSubscriptionID,'${rbac.DestPrefix}-${Global.OrgName}-${rbac.DestApp}-RG-${rbac.DestRG}')
params:{
description: roleInfo.name
name: rbac.GUID
roledescription: rbac.RoleName
roleDefinitionId: '${rbac.DestSubscription}/providers/Microsoft.Authorization/roleDefinitions/${rbac.RoleID}'
principalType: rbac.principalType
principalId: providerPath == 'guid' ? roleInfo.name : length(providerPath) == 0 ? objectIdLookup[roleInfo.name] : /*
*/ reference('${rbac.DestSubscription}/resourceGroups/${rbac.SourceRG}/providers/${providerPath}/${Deployment}${namePrefix}${roleInfo.Name}',providerAPI).principalId
}
}]Here is another similar example. https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/sub-RG.bicep#L62 module UAI 'sub-RG-UAI.bicep' = [for (uai, index) in identity: if (uai.match && bool(Stage.UAI)) {
name: 'dp-uai-${uai.name}'
scope: RG
params: {
uai: uai
deployment: deployment
}
}]You you can switch from sub scope to rg scope. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @brwilkinson . Thanks for the quick updates. I wanted to know if we can have scope function in the child resource like the below one we have for existing resource. resource ASG 'Microsoft.Network/applicationSecurityGroups@2021-08-01' existing = { Right now this is only available for Module and Existing resource but not for Resource creation. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, you should use the module to select the correct scope to create your resources. Then create resources in the module itself.
You can just deploy directly into the correct scope, that is my personal preference. Create 1 pipeline per resource group. Deploy into that RG and create resources. A different pipeline is for a different environment aka a different resource group. You can then run each pipeline on its own, as required. Obviously some things are better suited to a management group or subscription deployment, however you have control via Modules to change scope. Or iterate over a range of scope to perform the same tasks over multiple scopes. E.g. In multiple rg's or multiple subscriptions. |
Beta Was this translation helpful? Give feedback.
-
|
Example of a VNET and VNET Peering Module below. https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/VNET.bicep#L170 resource VNETHub 'Microsoft.Network/virtualNetworks@2020-11-01' existing = {
name: hubVNetName
scope: resourceGroup(hubVNetSubscriptionID, hubVNetResourceGroupName)
}
resource VNETPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2017-10-01' = if (bool(Stage.VNetPeering)) {
parent: VNET
name: '${Deployment}-vn--${hubVNetName}'
properties: {
allowVirtualNetworkAccess: true
allowForwardedTraffic: true
allowGatewayTransit: false
useRemoteGateways: false
remoteVirtualNetwork: {
id: VNETHub.id
}
}
}
module VNETPeeringHUB 'VNET-Peering.bicep' = if (bool(Stage.VNetPeering)) {
name: 'dpVNET-${hubVNetName}--${Deployment}-vn'
scope: resourceGroup(hubVNetResourceGroupName)
params: {
subscriptionID: subscriptionId
resourceGroupName: resourceGroupName
vNetName: VNET.name
vNetNameHub: hubVNetName
peeringName: '${hubVNetName}--${Deployment}-vn'
}
}The VNET Peering Module https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/VNET-Peering.bicep By doing this I can setup the VNET Peering in 2 directions between the 2 VNETS. Hub to Spoke and from Spoke to Hub. Looking at this code again today, I really should have used the Module in both places, rather than even having the first resource there, I could just have achieved code re-use by calling the Module twice. I will likely update this, now that I have spotted it. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @brwilkinson. Any idea if this feature will be added anytime soon with resource block? By the way, I have gone ahead and changed all my child modules to have scope over this past month. So now i call scope in the main module. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @sandeepkumarv232 which feature were you referring to with the resource block, can you provide some more context? |
Beta Was this translation helpful? Give feedback.
You can create your base Modules for any Resource kind. Most of the time this will be a Resource Group scoped deployment.
Then you can layer another module on top of that which can start as a Subscription Scoped deployment.
However when you call the first module, you scope it to the specific resource group that you want to target.
Here is an example of a Subscription scoped deployment.
https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/sub-RBAC.bicep#L54