[BUG] - An error occurred evaluating expression
pczar1 opened this issue · comments
Description of the issue
I have the following Bicep template to assert (permissions.bicep):
// Role-assignment inputs. Each entry is expected to be an object carrying a
// `principal` plus a `namespaces` (Event Hubs) or `accounts` (Storage) list —
// see the map() lambdas below. The params are untyped `array`, so a missing
// `principal` is not caught at compile time; in this issue it surfaced only
// when PSRule expanded the module.
param eventHubSender array = []
param eventHubReceiver array = []
param storageOwner array = []
// The built-in role definition GUIDs live in roleids.json, so the set of roles
// this module is able to grant can be reviewed in one place.
var roleIds = loadJsonContent('../roleids.json')
var ehReceiverRoleDefinition = resourceId('Microsoft.Authorization/roleDefinitions', roleIds.EventHubReceiver)
var ehSenderRoleDefinition = resourceId('Microsoft.Authorization/roleDefinitions', roleIds.EventHubSender)
var storageOwnerRoleDefinition = resourceId('Microsoft.Authorization/roleDefinitions', roleIds.StorageOwner)
// Every namespace named by any receiver or sender entry, in input order.
var usedEventHubs = flatten(concat(map(eventHubReceiver, eh => eh.namespaces), map(eventHubSender, eh => eh.namespaces)))
// union() returns distinct values, so union(x, x) de-duplicates the list.
var uniqueEventHubs = union(usedEventHubs, usedEventHubs)
// `existing` only references each distinct namespace; nothing is created here.
// These references are the scope of the assignments below, so access is granted
// per namespace rather than at resource-group or subscription level.
resource eventHub 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = [for eh in uniqueEventHubs: {
  name: eh
}]
// Parallel lists: ehReadPrincipals[i] is the principal that should be able to
// receive on ehReadEventHubs[i]. Both are flattened from eventHubReceiver in the
// same order, which the index pairing in ehReceiverAssignment relies on.
// The inner `x => eh.principal` repeats the principal once per namespace.
var ehReadEventHubs = flatten(map(eventHubReceiver, eh => eh.namespaces))
var ehReadPrincipals = flatten(map(eventHubReceiver, eh => map(eh.namespaces, x => eh.principal)))
// One receiver-role assignment (roleIds.EventHubReceiver) per (principal, namespace) pair.
resource ehReceiverAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (p, i) in ehReadPrincipals: {
  // guid(scope id, role, principal) is deterministic, so re-deploys are idempotent
  // and the same grant cannot be created twice under different names.
  name: guid(eventHub[indexOf(uniqueEventHubs, ehReadEventHubs[i])].id, ehReceiverRoleDefinition, p)
  // indexOf maps the namespace name back to its position in the de-duplicated
  // `existing` array, which is the resource the assignment is scoped to.
  scope: eventHub[indexOf(uniqueEventHubs, ehReadEventHubs[i])]
  properties: {
    roleDefinitionId: ehReceiverRoleDefinition
    principalId: p
    // Fixed to ServicePrincipal for every entry. NOTE(review): confirm callers
    // never pass user or group object IDs here — those would need a different type.
    principalType: 'ServicePrincipal'
  }
}]
// Same parallel-list construction as the receiver side, built from eventHubSender:
// ehWritePrincipals[i] is the principal that should be able to send to ehWriteEventHubs[i].
var ehWriteEventHubs = flatten(map(eventHubSender, eh => eh.namespaces))
var ehWritePrincipals = flatten(map(eventHubSender, eh => map(eh.namespaces, x => eh.principal)))
// One sender-role assignment (roleIds.EventHubSender) per (principal, namespace) pair.
resource ehSenderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (p, i) in ehWritePrincipals: {
  // Deterministic name from (scope id, role, principal); see ehReceiverAssignment.
  name: guid(eventHub[indexOf(uniqueEventHubs, ehWriteEventHubs[i])].id, ehSenderRoleDefinition, p)
  // Scoped to the individual namespace, not the enclosing resource group.
  scope: eventHub[indexOf(uniqueEventHubs, ehWriteEventHubs[i])]
  properties: {
    roleDefinitionId: ehSenderRoleDefinition
    principalId: p
    // Fixed to ServicePrincipal for every entry. NOTE(review): confirm callers
    // never pass user or group object IDs here — those would need a different type.
    principalType: 'ServicePrincipal'
  }
}]
// usedAccounts and storageOwnerAccountNames are the same expression: the first
// feeds the de-duplicated `existing` list, the second the per-entry index pairing.
var usedAccounts = flatten(map(storageOwner, acc => acc.accounts))
// union() returns distinct values, so union(x, x) de-duplicates the list.
var uniqueAccounts = union(usedAccounts, usedAccounts)
// Parallel lists: storageOwnerPrincipals[i] owns storageOwnerAccountNames[i].
var storageOwnerAccountNames = flatten(map(storageOwner, acc => acc.accounts))
var storageOwnerPrincipals = flatten(map(storageOwner, acc => map(acc.accounts, x => acc.principal)))
// `existing` reference to each distinct storage account; used as the assignment
// scope so the owner role is granted on the account itself, not its resource group.
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = [for acc in uniqueAccounts: {
  name: acc
}]
// One storage-owner assignment (roleIds.StorageOwner) per (principal, account) pair.
resource storageOwnerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (p, i) in storageOwnerPrincipals: {
  // Deterministic name from (scope id, role, principal); see ehReceiverAssignment.
  name: guid(storageAccount[indexOf(uniqueAccounts, storageOwnerAccountNames[i])].id, storageOwnerRoleDefinition, p)
  // indexOf maps the account name back to its position in the de-duplicated `existing` array.
  scope: storageAccount[indexOf(uniqueAccounts, storageOwnerAccountNames[i])]
  properties: {
    roleDefinitionId: storageOwnerRoleDefinition
    principalId: p
    // Fixed to ServicePrincipal for every entry. NOTE(review): confirm callers
    // never pass user or group object IDs here — those would need a different type.
    principalType: 'ServicePrincipal'
  }
}]
And I have the following permissions.module.test.bicep for it (to resolve the required parameters):
// Test harness: invokes permissions.bicep with a full parameter set so PSRule can
// expand the module and evaluate rules against the resulting role assignments.
// NOTE(review): the `principal` values are readable names, not object IDs; they
// look like placeholders for rule evaluation only — confirm before reusing this
// file for a real deployment. Also note 'jpapp' (receiver) vs 'jpApp' (sender,
// storage) differ only in case — looks like a typo; confirm which is intended.
module test_permissions_module '../modules/permissions.bicep' = {
  name: 'test_permissions_module'
  params: {
    // Each entry: one principal and the namespaces it may receive from.
    eventHubReceiver: [
      {
        namespaces: [
          'pjeventhub'
        ]
        principal: 'jpapp'
      }
      {
        namespaces: [
          'rpjEventHub'
        ]
        principal: 'rjpApp'
      }
      {
        namespaces: [
          'ptEventHub'
        ]
        principal: 'consumerApp'
      }
      {
        namespaces: [
          'printJobEventHub'
          'rpjEventHub'
          'ptEventHub'
        ]
        principal: 'metricsContainerApp'
      }
      {
        namespaces: [
          'ptEventHub'
        ]
        principal: 'ptEventHub'
      }
      {
        namespaces: [
          'entityRenderEventHub'
        ]
        principal: 'entityRenderEventHub'
      }
      {
        namespaces: [
          'rpjEventHub'
        ]
        principal: 'rpjEventHub'
      }
    ]
    // Each entry: one principal and the namespaces it may send to.
    eventHubSender: [
      {
        namespaces: [
          'ptEventHub'
          'statusUpdateEventHubNamespace'
        ]
        principal: 'jpApp'
      }
      {
        namespaces: [
          'ptEventHub'
          'statusUpdateEventHubNamespace'
          'rpjEventHub'
          'entityRenderEventHub'
        ]
        principal: 'rjpApp'
      }
      {
        namespaces: [
          'statusUpdateEventHubNamespace'
          'ptEventHub'
        ]
        principal: 'consumerApp'
      }
      {
        namespaces: [
          'ptEventHub'
        ]
        principal: 'ptEventHub'
      }
      {
        namespaces: [
          'entityRenderEventHub'
        ]
        principal: 'entityRenderEventHub'
      }
      {
        namespaces: [
          'rpjEventHub'
        ]
        principal: 'rpjEventHub'
      }
    ]
    // Each entry: one principal and the storage accounts it owns.
    storageOwner: [
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'jpApp'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'metricsContainerApp'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'rjpApp'
      }
      {
        accounts: [
          'storageOffsetAccount'
          'outputStorageAccountName'
        ]
        principal: 'consumerApp'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'ptEventHub'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'entityRenderEventHub'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'rpjEventHub'
      }
    ]
  }
}
Additionally, there is a roleIds.json file referenced from permissions.bicep:
{
"StorageOwner": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"EventHubOwner": "f526a384-b230-433a-b45c-95f59c4a2dec",
"EventHubReceiver": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"EventHubSender": "2b629674-e913-4c01-ae53-ef4638d8f975",
"AdminOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
}
ps-rule.yaml:
# YAML: Enable expansion for Bicep source files.
# Expansion has PSRule build the Bicep under test before rules run; the reported
# exception ("GetBicepResources") is raised during that step, not by a rule.
configuration:
  AZURE_BICEP_FILE_EXPANSION: true
# Minimum module version required for this configuration.
requires:
  PSRule.Rules.Azure: '>=1.27.0'
include:
  module:
    - PSRule.Rules.Azure
To Reproduce
Steps to reproduce the issue:
# Evaluates the test module against the rules under ./.ps-rule/. -Outcome lists
# Pass, Fail and Error so error results are reported alongside passes and failures.
Assert-PSRule -Format File -Path './.ps-rule/' -InputPath './permissions.module.test.bicep' -Outcome Pass, Fail, Error;
Expected behaviour
I expect the evaluation to run without a thrown exception.
Error output
Exception calling "GetBicepResources" with "2" argument(s): "Unable to expand resources because the source file 'C:\Repositories\forms-render\infra\tests2\permissions.module.tests.bicep' was not valid. An error occurred evaluating expression '[length(variables('ehReadPrincipals'))]' line 214. An error occurred evaluating expression '[flatten(map(parameters('eventHubReceiver'), lambda('eh', map(lambdaVariables('eh').namespaces, lambda('x', lambdaVariables('eh').principal)))))]' line 202. The language expression property 'principal' doesn't exist.
Module in use and version:
- Module: PSRule
- Version: 2.9.0
And:
- Module: PSRule.Rules.Azure
- Version: 1.29.0
Captured output from $PSVersionTable:
Additional context
Thanks for raising your first issue; the team appreciates the time you have taken 😉
This should be fixed in PSRule for Azure v1.30.0.