How to avoid what-if-short-circuting with system assigned managed identity?

[o-l-a-v]

The linter rule what-if-short-circuting complains about waiting for the output of a resource to get the ID of the system assigned managed identity which I then use for RBAC.

• Linter rule: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/linter-rule-what-if-short-circuiting

I prefer using system assigned managed identity where possible. What options to we have to avoid What-If short circuting in this scenario? 🤔

Warning

Runtime value 'aa.outputs.msiId' will reduce the precision of what-if analysis for module 'subrbac'

Code snippet on the relevant resources:

module rg 'modules/rg.bicep' = {
  scope: subscription(subcore)
  name: rgname
  params: {
    location: location
    rgname: rgname
    tags: tags
  }
}
module aa 'modules/automationAccount.bicep' = {
  name: '${deployment().name}-automation-account'
  params: {
    name: aaName
    location: location
    tags: tags
    workspaceId: workspaceId
  }
  scope: resourceGroup(subcore, rgname)
  dependsOn: [
    rg
  ]
}
module subrbac 'modules/rbac.bicep' = [
  for (item, i) in subs: {
    name: '${deployment().name}-rbac-${i}'
    scope: subscription(item)
    params: {
      automation_accountspid: aa.outputs.msiId
      roleid: 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor
      sub: item
    }
  }
]

[anthony-c-martin]

@o-l-a-v is it possible to show an example of your modules/rbac.bicep file?

Often where I've seen this come up is a pattern like the following:

1. Create a managed identity
2. Access a runtime value from the managed identity (for example the principalId)
3. Use the runtime value to generate the name of another resource (a role assignment is very common)

The problem this creates is that because Bicep isn't able to predict the "principalId" at the start of the deployment, it isn't able to predict the name of the role assignment resource, which means it's not able to give you any accurate predictions about the role assignment.

To explain what I mean by "runtime", we often use the following terminology:

• Deploy-time constant: A value which is known or can be calculated before deploying or accessing any resources.
• Runtime value: The opposite - a value which can only be calculated after executing one or more resource operations. Note that "runtime" is infectious - if a value is being calculated from a variable that has a runtime value, then it also must be a runtime value.

The linter rule is flagging any places where the use of a runtime value makes it impossible to predict the resourceId of a resource that is going to be deployed. The reason this is problematic is that WhatIf relies on being able to fetch the current state of the resource to diff against. If we can't accurately obtain the resourceId without starting the deployment, then we can't do this, and the whole resource is skipped in WhatIf.

[o-l-a-v]

Thanks for the insight. Seems we're hit by principalId being used for generating the name of the Microsoft.Authorization/roleAssignments.

Here's the RBAC module:

// Parameters
param principalId string
param roleId string

// Resource - Existing
@description('Find existing role based on input role ID.')
resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: resourceGroup()
  name: roleId
}

// Resource - New
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, principalId, roleDefinition.id)
  properties: {
    roleDefinitionId: roleDefinition.id
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

The name of the role assignments probably does not matter, as long as it's unique and reproducable?

Edit: Must be a globally unique GUID.

• https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments#roleassignments

Edit: AVM uses principalId in the name too: https://github.com/Azure/bicep-registry-modules/blob/main/avm/ptn/authorization/role-assignment/modules/resource-group.bicep