microsoft / PSRule

Validate infrastructure as code (IaC) and objects using PowerShell rules.

Home Page: https://microsoft.github.io/PSRule/v2/

Cast exception when expanding the union of an array and an AccessPolicyEntry[]

Werewolfkiss opened this issue

Description of the issue

Get a cast exception when trying to union a keyvault access policy.

To Reproduce

Have a Bicep template trying to add an access policy to a keyvault while preserving existing policies.
In the Bicep below, if you replace the accessPolicies param with either existingAccessPolicies or newAccessPolicies, the expansion works fine.

var newAccessPolicies = [
  {
    tenantId: azurefunction.outputs.identity.tenantId
    objectId: azurefunction.outputs.identity.principalId
    permissions: {
      keys: [
        'Get'
        'List'
      ]
      secrets: [
        'Get'
        'List'
      ]
      certificates: []
    }
  }
]

resource keyvault 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
  scope: resourcegroup
  name: vaultName
}

var existingAccessPolicies = keyvault.properties.accessPolicies
var accessPolicies = union(existingAccessPolicies, newAccessPolicies)

@description('Sets the access policies for the OnBoard keyvault')
module ap '../../../features/Security/Key Vault/v1.2/templates/keyvault.accesspolicies.bicep' = {
  scope: resourcegroup
  name: format(uniqueDeployName, 'keyvaultpolicies')
  params: {
    accessPolicies: accessPolicies
    keyVaultName: vaultName
  }
}

Expected behaviour

No issues expanding template

Error output

An error occurred evaluating expression '[parameters('accessPolicies')]' line 1167. Cannot cast Newtonsoft.Json.Linq.JObject to Newtonsoft.Json.Linq.JToken.

Module in use and version:

  • Module: PSRule
  • Version: 2.9.0
  • Module: PSRule.Rules.Azure
  • Version: 1.31.0

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      5.1.19041.3570
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.3570
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Thanks for raising your first issue, the team appreciates the time you have taken 😉

Thanks for reporting the issue @Werewolfkiss.

Are you able to provide a sample implementation of ../../../vdl-ets-backoffice/features/Security/Key Vault/v1.2/templates/keyvault.accesspolicies.bicep that we can use to reproduce the issue?

Doesn't need to be your full internal implementation, just enough of it that fails similarly to the issue you've reported. Thanks.

@BernieWhite
Yeah, no problem. It's just a module because of scope, nothing else, so:

param keyVaultName string

param accessPolicies array

resource ap 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
  name: '${keyVaultName}/add'
  properties: {
    accessPolicies: accessPolicies
  }
}

Hi @Werewolfkiss. This should be fixed in PSRule for Azure v1.32.1.