Help: Conditionally deployment of array members

[WhitWaldo]

I have an array of endpoints I want to register in Application Gateway as follows:

var AppGwEndpoints = [
  {
    name: 'Alpha'
    port: 123
    domain: 'alpha.com'
  }
  {
    name: 'Bravo'
    port: 456
    domain: ''
  }
]

I need to register SSL certificates for each domain provided in the array based on the $_.domain value, so I do so:

module SslCerts './certificate-generation.bicep' = [for (endpoint, index) in AppGwEndpoints: if (length(endpoint.targetDomain) > 0) {
  //...
}]

First attempt

All well and good. As a final step, I need to bind each of these SSL certificates to my App Gateway instance:

resource AppGw 'Microsoft.Network/applicationGateways@2021-05-01' = {
  //...
  properties {
    sslCertificates: [for (endpoint, index) in Endpoints: if length(endpoint.targetDomain) > 0 {
      //...
    }]
  }
}

But wait, this doesn't actually work. I have an error on my if operator that suggests I use a ternary conditional instead. Ok.

Second attempt

resource AppGw 'Microsoft.Network/applicationGateways@2021-05-01' = {
  //...
  properties {
    sslCertificates: [for (endpoint, index) in Endpoints: length(endpoint.targetDomain) > 0 ? {
      //...
    } : (null)]
  }
}

Nope, now it's a warning that reads:

What I want is that if there's an SSL certificate that's been provisioned (based on the index offset through the original endpoint array), I can apply it here, otherwise, skip, but I can't figure out how I'd do this.

To compound issues, Application Gateway is much like Virtual Network - there are no child resources I can create and bind into after the fact, it's an all-or-nothing operation to create everything at once.

Third Attempt

Ok, since the conditional operators don't like to work with the properties of a resource, what if I pull all this out of that module and put it in the parent module?

module AppGwSslCertificates 'certificate-generation.bicep' = [for (endpoint, index) in Endpoints: if (length(endpoint.targetDomain) > 0) {
  name: 'dp-certissue-${toLower(endpoint.targetDomain)}'  
  params: {
    Domain: endpoint.targetDomain
    Location: Location
  }
}]

Excellent. Now, that should produce an array that is only populated with SSL certs. I don't need to necessarily match them to any endpoints just yet, just to create them, so we're set. Pass that into the App Gateway module:

module AppGw 'applicationGateway.bicep' = {
  name: 'abc123'
  params: {
    EndpointsSslCertificates: AppGwSslCertificates
  }
}

Nope, another error:

Unfortunately, I'm at a loss. Any suggestions about how to move forward? Thank you!

[brwilkinson]

@WhitWaldo

Wait do you have a typo ?

  {
    name: 'Bravo'
    port: 456
    domain: ''
  }

did you try if (endpoint.targetDomain != '')

or should I say ... did you try if (endpoint.domain != '') domain not targetDomain ?

[brwilkinson]

I usually process that loop in a variable, then just use that variable in the resource.

sslCertificates: alreadyprocessedArraywithfiltervariable

[brwilkinson]

Looking at this again today...

I think we have some issues on this... although I haven't found it as yet.

we have condition ? TrueValue : FalseValue

we don't have condition ? TrueValue

I'll see about coming up with a workaround, plus also update when I find the issue.

[brwilkinson]

Here is the issue for this.

#387

[brwilkinson]

I had a play around with some different options.

• In the end I decided I would create a filter via powershell, since that would be the most flexible and reliable.
• Until Set or skip an object property based on a condition #387 is complete, this may have to do.
• I did make some attempts with just calling Bicep Modules, however there was no way that I could get the flexibility of PowerShell filterScript for code re-use.

Sample input:

var HA = {
  D: false
  T: false
  U: false
  P: true
}

var isHA = HA[Environment]

var IFrameParts = [
  {
    position: {
      x: 16
      y: 1
      rowSpan: 2
      colSpan: 4
    }
  }
  {
    ha: 1
    position: {
      x: 16
      y: 4
      rowSpan: 2
      colSpan: 4
    }
  }
]

module filterPartsLogsDashboardParts 'x.arrayFilter.ps1.bicep' = {
  name: 'filterParts-portalDashboard-filterPartsLogsDashboardParts'
  params: {
    myArray: LogsDashboardParts
    filterScript: isHA ? '$_.ha -ne 0' : '$_.ha -ne 1'
    description: 'LogsDashboardParts'
  }
}

module dashboard 'x.portalDashboard.bicep' = {
  name: 'portalDashboard'
  params: {
    Global: Global
    DeploymentURI: DeploymentURI
    Environment: Environment
    DeploymentID: DeploymentID
    LogsDashboardParts: json(filterPartsLogsDashboardParts.outputs.Result)
    MonitorChartPart: json(filterPartsMonitorChartPart.outputs.Result)
    IFrameParts: json(filterPartsIFrameParts.outputs.Result)
    MarkdownParts: json(filterPartsMarkdownParts.outputs.Result)
  }
}

Module code: x.arrayFilter.ps1.bicep

param myArray array
param filterScript string
param now string = utcNow('F')
param description string

resource filterArray 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'filterArray-${description}'
  location: resourceGroup().location
  kind: 'AzurePowerShell'
  properties: {
    azPowerShellVersion: '7.5.0'
    scriptContent: loadTextContent('../bicep/loadTextContext/arrayFilter.ps1')
    forceUpdateTag: now
    cleanupPreference: 'OnSuccess'
    retentionInterval: 'P1D'
    timeout: 'PT5M'
    environmentVariables: [
      {
        name: 'myArray'
        value: string(myArray)
      }
      {
        name: 'filterScript'
        value: filterScript
      }
    ]
  }
}

output Array string = filterArray.properties.outputs.Array
output Result string = filterArray.properties.outputs.Result
output ArrayLength int = filterArray.properties.outputs.ArrayLength
output ResultLength int = filterArray.properties.outputs.ResultLength

PowerShell Code: arrayFilter.ps1

try
{
    Write-Warning -Message "`nUTC is: $(Get-Date)"

    $Array = $env:myArray | ConvertFrom-Json -Depth 15
    Write-Warning ($Array | Out-String)

    $filter = [Scriptblock]::Create($env:filterScript)
    $Result = $Array | Where-Object -FilterScript $filter
    $Result
    $DeploymentScriptOutputs = @{}
    $DeploymentScriptOutputs['Array'] = $Array | ConvertTo-Json -Depth 10
    $DeploymentScriptOutputs['Result'] = ConvertTo-Json -Depth 10 -InputObject @($Result)
    $DeploymentScriptOutputs['ArrayLength'] = $Array.length
    $DeploymentScriptOutputs['ResultLength'] = $Result.length
}
catch
{
    Write-Warning $_
    Write-Warning $_.exception
}

• I wanted to generate dashboards where if isHA I would include the 2 regions + traffic manager Etc. in the dashboard.
• Otherwise just the single region and no traffic manager Etc.

[WhitWaldo]

Sorry about the slow reply - been out sick for a few days.

Not a typo - if a domain isn't provided to an Application Gateway rule, it matches to all of them (according to support), so it's intended to be more of a catch-all fallback rule.

Implementation of my idea or any of the linked issues there would be really useful in accomplishing this without resorting to PowerShell scripts (especially since I've since found a bug in how ARM handles lists in those recently).

I ultimately solved this in a different way and was pleasantly surprised that it worked. From my resource group template:

//root.bicep

var certificateSubjects = [
  {
    subjectName: '*.abc.com'
    targetNodeTypes: [
      'web'
      'processing'
    ]
  }
  {
    subjectName: '*.def.com'
    targetNodeTypes: [
      'web'
    ]
  }
  {
  }
]

module Deployment 'resourceGroup.bicep' = [for dp in deployments: {
  //...
  params: {
    CertificateSubjects: certificateSubjects
  }
}]

// resourceGroup.bicep

//Deploy each of the wildcard certificates
@batchSize(1)
module SslCertificates './resources/certificate/certificate-generation.bicep' = [for (certificate, index) in CertificateSubjects: {
  name: take('${resourceMapping['deployment']}-${DeploymentPrefix}-${resourceMapping['certificateIssue']}-${replace(certificate.subjectName, '*', 'wild')}', 64)
  params: {
    Domain: certificate.subjectName
    Location: Location
  }
}]

module AppGw './appGw.bicep' {
  //...
  params: {
    CertificateSubjects: certificateSubjects
  }
}

//appGw.bicep

resource Certificate 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = [for cert in CertificateSubjects: {
  name: replace(replace(cert.subjectName, '*', 'wild'), '.', '-')
}]

resource AppGw 'Microsoft.Network/applicationGateways@2021-05-01' = {
  name: 'abcdef'
  properties: {
    //...
    sslCertificates: [for (cert, index) in CertificateSubjects: {
      name: '${replace(replace(cert.subjectName, '.', '-'}, '*', 'wild')}-${UtcNow}'
      properties: {
        keyVaultSecretId: Certificate[index].properties.secretUri
      }
    }]
  }
}

This whole thing works simply because of the existing resource lookup there at the very end, but at least it works with a bit of a variable redesign.

Thanks for the ideas though!

[brwilkinson]

I was thinking over the scenario some more.

The reason we have 'bicep' if() on resources, is because they map to ARM template Condition.

Conditions are available on Resource or Outputs.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/syntax#resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/syntax#outputs

Ternary operator maps to the json if if(condition, trueValue, falseValue) <-- which always has a falseValue (not what we want).

Returns a value based on whether a condition is true or false.

I don't think we have implemented the Condition for Bicep Outputs?! The same the ARM functions are yet to be implemented.

I feel like the condition should be extended within the ARM Engine to support variables, then so they can also be used on Property Copies i.e. for loops on properties.

[brwilkinson]

I did some review on this.

It appears the json output condition does not support reference to the index or iteratator, so it's not equal to resource condition, which does provide a filter mechanism.

Since you have a workaround, I'll mark as answered there are several other threads to track requests for array filters.