microsoft / PSRule

Validate infrastructure as code (IaC) and objects using PowerShell rules.

Home Page:https://microsoft.github.io/PSRule/v2/


[BUG] - An error occurred evaluating expression

pczar1 opened this issue · comments

Description of the issue

I have the following Bicep template to assert (permissions.bicep):

param eventHubSender array = []
param eventHubReceiver array = []
param storageOwner array = []

var roleIds = loadJsonContent('../roleids.json')
var ehReceiverRoleDefinition = resourceId('Microsoft.Authorization/roleDefinitions', roleIds.EventHubReceiver)
var ehSenderRoleDefinition = resourceId('Microsoft.Authorization/roleDefinitions', roleIds.EventHubSender)
var storageOwnerRoleDefinition = resourceId('Microsoft.Authorization/roleDefinitions', roleIds.StorageOwner)

var usedEventHubs = flatten(concat(map(eventHubReceiver, eh => eh.namespaces), map(eventHubSender, eh => eh.namespaces)))
var uniqueEventHubs = union(usedEventHubs, usedEventHubs)

resource eventHub 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = [for eh in uniqueEventHubs: {
  name: eh
}]

var ehReadEventHubs = flatten(map(eventHubReceiver, eh => eh.namespaces))
var ehReadPrincipals = flatten(map(eventHubReceiver, eh => map(eh.namespaces, x => eh.principal)))

resource ehReceiverAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (p, i) in ehReadPrincipals: {
  name: guid(eventHub[indexOf(uniqueEventHubs, ehReadEventHubs[i])].id, ehReceiverRoleDefinition, p)
  scope: eventHub[indexOf(uniqueEventHubs, ehReadEventHubs[i])]
  properties: {
    roleDefinitionId: ehReceiverRoleDefinition
    principalId: p
    principalType: 'ServicePrincipal'
  }
}]

var ehWriteEventHubs = flatten(map(eventHubSender, eh => eh.namespaces))
var ehWritePrincipals = flatten(map(eventHubSender, eh => map(eh.namespaces, x => eh.principal)))

resource ehSenderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (p, i) in ehWritePrincipals: {
  name: guid(eventHub[indexOf(uniqueEventHubs, ehWriteEventHubs[i])].id, ehSenderRoleDefinition, p)
  scope: eventHub[indexOf(uniqueEventHubs, ehWriteEventHubs[i])]
  properties: {
    roleDefinitionId: ehSenderRoleDefinition
    principalId: p
    principalType: 'ServicePrincipal'
  }
}]

var usedAccounts = flatten(map(storageOwner, acc => acc.accounts))
var uniqueAccounts = union(usedAccounts, usedAccounts)

var storageOwnerAccountNames = flatten(map(storageOwner, acc => acc.accounts))
var storageOwnerPrincipals = flatten(map(storageOwner, acc => map(acc.accounts, x => acc.principal)))

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = [for acc in uniqueAccounts: {
  name: acc
}]

resource storageOwnerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (p, i) in storageOwnerPrincipals: {
  name: guid(storageAccount[indexOf(uniqueAccounts, storageOwnerAccountNames[i])].id, storageOwnerRoleDefinition, p)
  scope: storageAccount[indexOf(uniqueAccounts, storageOwnerAccountNames[i])]
  properties: {
    roleDefinitionId: storageOwnerRoleDefinition
    principalId: p
    principalType: 'ServicePrincipal'
  }
}]

And I have the following permissions.module.test.bicep for it (to resolve the required parameters):

module test_permissions_module '../modules/permissions.bicep' = {
  name: 'test_permissions_module'
  params: {
    eventHubReceiver: [
      {
        namespaces: [
          'pjeventhub'
        ]
        principal: 'jpapp'
      }
      {
        namespaces: [
          'rpjEventHub'
        ]
        principal: 'rjpApp'
      }
      {
        namespaces: [
          'ptEventHub'
        ]
        principal: 'consumerApp'
      }
      {
        namespaces: [
          'printJobEventHub'
          'rpjEventHub'
          'ptEventHub'
        ]
        principal: 'metricsContainerApp'
      }
      {
        namespaces: [
          'ptEventHub'
        ]
        principal: 'ptEventHub'
      }
      {
        namespaces: [
          'entityRenderEventHub'
        ]
        principal: 'entityRenderEventHub'
      }
      {
        namespaces: [
          'rpjEventHub'
        ]
        principal: 'rpjEventHub'
      }
    ]
    eventHubSender: [
      {
        namespaces: [
          'ptEventHub'
          'statusUpdateEventHubNamespace'
        ]
        principal: 'jpApp'
      }
      {
        namespaces: [
          'ptEventHub'
          'statusUpdateEventHubNamespace'
          'rpjEventHub'
          'entityRenderEventHub'
        ]
        principal: 'rjpApp'
      }
      {
        namespaces: [
          'statusUpdateEventHubNamespace'
          'ptEventHub'
        ]
        principal: 'consumerApp'
      }
      {
        namespaces: [
          'ptEventHub'
        ]
        principal: 'ptEventHub'
      }
      {
        namespaces: [
          'entityRenderEventHub'
        ]
        principal: 'entityRenderEventHub'
      }
      {
        namespaces: [
          'rpjEventHub'
        ]
        principal: 'rpjEventHub'
      }
    ]
    storageOwner: [
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'jpApp'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'metricsContainerApp'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'rjpApp'
      }
      {
        accounts: [
          'storageOffsetAccount'
          'outputStorageAccountName'
        ]
        principal: 'consumerApp'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'ptEventHub'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'entityRenderEventHub'
      }
      {
        accounts: [
          'storageOffsetAccount'
        ]
        principal: 'rpjEventHub'
      }
    ]
  }
}

Additionally, there is a roleIds.json file referenced in permissions.bicep:

{
    "StorageOwner": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
    "EventHubOwner": "f526a384-b230-433a-b45c-95f59c4a2dec",
    "EventHubReceiver": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
    "EventHubSender": "2b629674-e913-4c01-ae53-ef4638d8f975",
    "AdminOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
}

ps-rule.yaml:

# YAML: Enable expansion for Bicep source files.
configuration:
  AZURE_BICEP_FILE_EXPANSION: true
  
requires:
  PSRule.Rules.Azure: '>=1.27.0'
  
include:
  module:
  - PSRule.Rules.Azure

To Reproduce

Steps to reproduce the issue:

Assert-PSRule -Format File -Path './.ps-rule/' -InputPath './permissions.module.test.bicep' -Outcome Pass, Fail, Error; 

Expected behaviour

I expect the evaluation to run without a thrown exception.

Error output

Exception calling "GetBicepResources" with "2" argument(s): "Unable to expand resources because the source file 'C:\Repositories\forms-render\infra\tests2\permissions.module.tests.bicep' was not valid. An error occurred evaluating expression '[length(variables('ehReadPrincipals'))]' line 214. An error occurred evaluating expression '[flatten(map(parameters('eventHubReceiver'), lambda('eh', map(lambdaVariables('eh').namespaces, lambda('x', lambdaVariables('eh').principal)))))]' line 202. The language expression property 'principal' doesn't exist.

Module in use and version:

  • Module: PSRule
  • Version: 2.9.0

And:

  • Module: PSRule.Rules.Azure
  • Version: 1.29.0

Captured output from $PSVersionTable:


Additional context
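The expression that PSRule's expansion failed on is the nested lambda `map(eh.namespaces, x => eh.principal)`, whose inner lambda ignores `x` and captures the outer lambda variable `eh`. The template relies on this to build two parallel arrays (one of target names, one of principals) and then indexes `uniqueEventHubs` to find the scope for each role assignment. The following is an added example, not part of the issue report and not PSRule's expansion engine: a Python model of the template's `flatten`/`map`/`union`/`indexOf` logic, run over the parameters from permissions.module.test.bicep and the ids from roleIds.json, that reconstructs the role-assignment matrix the template is meant to deploy and checks it for duplicate (scope, role, principal) tuples, which would collide on the `guid()`-derived resource name. The helper names (`expand`, `role_matrix`, `duplicate_assignments`, `access_by_principal`) are this example's own.

```python
from collections import Counter, defaultdict

# Role definition ids copied from the issue's roleIds.json.
ROLE_IDS = {
    "StorageOwner": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
    "EventHubReceiver": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
    "EventHubSender": "2b629674-e913-4c01-ae53-ef4638d8f975",
}
ROLE_NAMES = {v: k for k, v in ROLE_IDS.items()}

# Parameters transcribed from permissions.module.test.bicep in the issue.
EVENT_HUB_RECEIVER = [
    {"namespaces": ["pjeventhub"], "principal": "jpapp"},
    {"namespaces": ["rpjEventHub"], "principal": "rjpApp"},
    {"namespaces": ["ptEventHub"], "principal": "consumerApp"},
    {"namespaces": ["printJobEventHub", "rpjEventHub", "ptEventHub"], "principal": "metricsContainerApp"},
    {"namespaces": ["ptEventHub"], "principal": "ptEventHub"},
    {"namespaces": ["entityRenderEventHub"], "principal": "entityRenderEventHub"},
    {"namespaces": ["rpjEventHub"], "principal": "rpjEventHub"},
]
EVENT_HUB_SENDER = [
    {"namespaces": ["ptEventHub", "statusUpdateEventHubNamespace"], "principal": "jpApp"},
    {"namespaces": ["ptEventHub", "statusUpdateEventHubNamespace", "rpjEventHub", "entityRenderEventHub"], "principal": "rjpApp"},
    {"namespaces": ["statusUpdateEventHubNamespace", "ptEventHub"], "principal": "consumerApp"},
    {"namespaces": ["ptEventHub"], "principal": "ptEventHub"},
    {"namespaces": ["entityRenderEventHub"], "principal": "entityRenderEventHub"},
    {"namespaces": ["rpjEventHub"], "principal": "rpjEventHub"},
]
STORAGE_OWNER = [
    {"accounts": ["storageOffsetAccount"], "principal": "jpApp"},
    {"accounts": ["storageOffsetAccount"], "principal": "metricsContainerApp"},
    {"accounts": ["storageOffsetAccount"], "principal": "rjpApp"},
    {"accounts": ["storageOffsetAccount", "outputStorageAccountName"], "principal": "consumerApp"},
    {"accounts": ["storageOffsetAccount"], "principal": "ptEventHub"},
    {"accounts": ["storageOffsetAccount"], "principal": "entityRenderEventHub"},
    {"accounts": ["storageOffsetAccount"], "principal": "rpjEventHub"},
]


def flatten(lists):
    """Bicep flatten(): one level of array flattening."""
    return [x for sub in lists for x in sub]


def union(*arrays):
    """Bicep union() on arrays: de-duplicate, keeping first-occurrence order."""
    seen, out = set(), []
    for a in arrays:
        for x in a:
            if x not in seen:
                seen.add(x)
                out.append(x)
    return out


def unique_event_hubs():
    """var uniqueEventHubs = union(usedEventHubs, usedEventHubs)."""
    used = flatten([e["namespaces"] for e in EVENT_HUB_RECEIVER]
                   + [e["namespaces"] for e in EVENT_HUB_SENDER])
    return union(used, used)


def expand(entries, key):
    """The two parallel arrays the template builds for one parameter:
    targets    = flatten(map(entries, e => e[key]))
    principals = flatten(map(entries, e => map(e[key], x => e.principal)))
    The inner lambda repeats the outer e.principal once per target, so index i
    of both arrays describes the same assignment (the 'i' used with indexOf)."""
    targets = flatten([e[key] for e in entries])
    principals = flatten([[e["principal"] for _ in e[key]] for e in entries])
    assert len(targets) == len(principals)
    return list(zip(targets, principals))


def role_matrix():
    """Every (scope, roleDefinitionId, principalId) the template would deploy.
    Each scope is resolved through indexOf() against the unique list, like the
    template's eventHub[indexOf(uniqueEventHubs, ...)] / storageAccount[...]."""
    hubs = unique_event_hubs()
    accounts = union(flatten([e["accounts"] for e in STORAGE_OWNER]))
    rows = []
    for entries, key, role, scopes in (
        (EVENT_HUB_RECEIVER, "namespaces", ROLE_IDS["EventHubReceiver"], hubs),
        (EVENT_HUB_SENDER, "namespaces", ROLE_IDS["EventHubSender"], hubs),
        (STORAGE_OWNER, "accounts", ROLE_IDS["StorageOwner"], accounts),
    ):
        for target, principal in expand(entries, key):
            rows.append((scopes[scopes.index(target)], role, principal))
    return rows


def duplicate_assignments(matrix):
    """Tuples that occur twice: the template names each roleAssignment with
    guid(scope.id, role, principal), so a repeat yields two resources with the
    same name and the deployment fails. Returns the offending tuples."""
    return [row for row, n in Counter(matrix).items() if n > 1]


def access_by_principal(matrix):
    """Least-privilege review view: principal -> sorted (scope, role name)."""
    view = defaultdict(list)
    for scope, role, principal in matrix:
        view[principal].append((scope, ROLE_NAMES[role]))
    return {p: sorted(v) for p, v in view.items()}


if __name__ == "__main__":
    m = role_matrix()
    print(len(m), "assignments;", "duplicates:", duplicate_assignments(m))
    for principal, grants in access_by_principal(m).items():
        print(principal, grants)
```

Running the script prints the 28 assignments the test parameters produce (9 receiver, 11 sender, 8 storage owner) and an empty duplicate list; feeding `duplicate_assignments` a parameter set that names the same principal twice for the same namespace shows the collision the `guid()` naming would otherwise hide until deployment.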

Thanks for raising your first issue, the team appreciates the time you have taken 😉

This should be fixed in PSRule for Azure v1.30.0.