Comments (5)
There is something strange with the way the Storage RP is handling `virtualNetworkRules`. Assume we have in Bicep `resource vnet 'Microsoft.Network/virtualNetworks@2022-01-01' existing`, then the following succeeds:

Bicep:
```bicep
virtualNetworkRules: map([vnet.properties.subnets[0].id], subnetId => {id: subnetId})
```
Corresponding ARM:
```json
"virtualNetworkRules": "[map(createArray(reference(resourceId('Microsoft.Network/virtualNetworks', 'vnet'), '2022-01-01').subnets[0].id), lambda('subnetId', createObject('id', lambdaVariables('subnetId'))))]"
```
And the following fails with `Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id`:

Bicep:
```bicep
virtualNetworkRules: [{id: vnet.properties.subnets[0].id}]
```
Corresponding ARM:
```json
"virtualNetworkRules": [{"id":"[reference(resourceId('Microsoft.Network/virtualNetworks', 'vnet'), '2022-01-01').subnets[0].id]"}]
```
These expressions resolve to the same array containing a single (first) subnet of `vnet`. The difference is only that the succeeding version is wrapped in a `map` function with `createObject`. It seems the Storage RP validation is broken.
from bicep-types-az.
Just wasted half a day on this issue before finding this GitHub issue. Any estimate on when this issue will be resolved?
@maskati thanks for sharing the workaround using the map function! I just needed to ensure I retrieved the existing vnet resource within the same bicep module. I couldn't get it to work when I used the map function with output from another bicep module.
from bicep-types-az.
It does look like something is wrong on the Storage Accounts Resource Provider side - especially with the InternalServerError. Are you able to open a support ticket for this so this can be routed to the storage team?
from bicep-types-az.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage. Please see https://aka.ms/biceptypesinfo for troubleshooting help.
Issue Details
Bicep version
Bicep CLI version 0.16.2 (de7fdd2b33)
Describe the bug
When creating resource `Microsoft.Storage/storageAccounts` the parameter `id` is rejecting a valid virtual network subnet identifier, same parameter and approach works for keyvault resources but fails for storageaccount resources.
To Reproduce
create a vnet with a single subnet in its own resource group, reference the existing subnet from another bicep template as follows, the names used here are not relevant to the issue and can be substituted:
```bicep
resource myVnetExample 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  scope: resourceGroup('rg-example')
  name: 'vnet-example'
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  // other parameters omitted for brevity, considered irrelevant
  name: 'saexample'
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
      virtualNetworkRules: [
        {
          action: 'Allow'
          id: myVnetExample.properties.subnets[0].id
        }
      ]
    }
  }
}
```
upon attempting deployment, observe error:
Inner Errors: {"code": "InvalidValuesForRequestParameters", "target": "saexample", "message": "Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id. For more information, see - https://aka.ms/storagenetworkruleset"}
Additional context
- this experience is counter to the documentation and observed bicep functionality of other resources, for example the same approach works for keyvault resources.
- leveraging `resourceId(...)` results in the same error.
- passing in a 'hardcoded' id using a parameter causes an `InternalServerError` status for the deployment when viewed in Portal, parameter was in the format: `'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{snetName}'`

The error logged for the deployment in this scenario was:
```json
{
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "target": "/subscriptions/123/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/saexample",
    "message": "The response for resource had empty or invalid content."
  }
}
```
it would seem `Microsoft.Storage/storageAccounts` creation improperly implements this parameter?
Please advise.
| Author: | wilson0x4d |
|---|---|
| Assignees: | - |
| Labels: | |
| Milestone: | - |
from bicep-types-az.
Just to add more context if someone reads this while patching the service provider, it's the `action: 'Allow'` in the ACL definition that causes a 500 error on deployment of a new resource. Removing it allows for an initial deploy, but if the deploy is rerun, this is when preflight validation fails with the message:
```json
{
  "code": "InvalidValuesForRequestParameters",
  "target": "mystorage",
  "message": "Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id. For more information, see - https://aka.ms/storagenetworkruleset"
}
```
from bicep-types-az.
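
A pre-deployment check for the rule shapes reported in this thread, as an added example that is not part of the original thread or of Bicep: it scans a compiled ARM template (top-level resources only) and flags `virtualNetworkRules` entries that carry `action` or an inline-expression `id`, plus rules declared under a `defaultAction` other than `Deny`. The sample template, account names, subnet path and finding labels are constructed for illustration, and the findings reflect what commenters reported, not documented Storage RP behaviour.

```python
# Constructed sample expressions, copied in shape from the ARM snippets in the thread.
REF = ("[reference(resourceId('Microsoft.Network/virtualNetworks', 'vnet'), "
       "'2022-01-01').subnets[0].id]")
MAPPED = ("[map(createArray(reference(resourceId('Microsoft.Network/virtualNetworks', 'vnet'), "
          "'2022-01-01').subnets[0].id), lambda('subnetId', "
          "createObject('id', lambdaVariables('subnetId'))))]")
LITERAL_ID = ("/subscriptions/123/resourceGroups/rg-example/providers/"
              "Microsoft.Network/virtualNetworks/vnet-example/subnets/snet-example")

def account(name, default_action, rules):
    """Build a constructed storage account resource for the sample template."""
    return {"type": "Microsoft.Storage/storageAccounts", "name": name,
            "properties": {"networkAcls": {"defaultAction": default_action,
                                           "virtualNetworkRules": rules}}}

SAMPLE = {"resources": [
    account("saliteral", "Deny", [{"action": "Allow", "id": REF}]),  # failing form
    account("samapped", "Deny", MAPPED),                             # map() workaround
    account("saopen", "Allow", [{"id": LITERAL_ID}]),                # rules not enforced
]}

def is_expression(value):
    """ARM expressions are strings wrapped in [ ]; a leading '[[' escapes a literal."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))

def lint_storage_network_rules(template):
    """Return (account name, finding) pairs for top-level storage accounts."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates use an object here
        resources = resources.values()
    findings = []
    for res in resources:
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        name = res.get("name", "<unnamed>")
        acls = res.get("properties", {}).get("networkAcls", {})
        rules = acls.get("virtualNetworkRules", [])
        if rules and acls.get("defaultAction") != "Deny":
            findings.append((name, "default-action-not-deny"))
        if is_expression(rules):
            continue  # whole array comes from one expression, as in the map() form
        for i, rule in enumerate(rules):
            if "action" in rule:
                findings.append((name, f"rule[{i}]-has-action"))
            if is_expression(rule.get("id")):
                findings.append((name, f"rule[{i}]-id-is-inline-expression"))
    return findings
```

Run it against the output of `bicep build` before deploying; a clean result only means none of these shapes are present, not that the deployment will pass Storage RP validation.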