Cannot easily reference policyDefinition from policySetDefinition #1228

Closed
elygre opened this issue Dec 25, 2020 · 8 comments · Fixed by #4874
Labels
intermediate language Related to the intermediate language investigate

Comments

@elygre

elygre commented Dec 25, 2020

Bicep version
Bicep CLI version 0.2.212 (a19d66c)

Describe the bug
I cannot find a way to easily reference a policyDefinition from a policySetDefinition. In the policySet, I need to reference a policyDefinition. Here, I have not succeeded using an automated reference, but must compose a string myself. The Bicep source now also contains a hardcoded reference to the management group where I will deploy it.

I have to do this:

policyDefinitionId: '/providers/Microsoft.Management/managementGroups/MYMANAGEMENTGROUP/providers/${policy01.id}'

I expected to do this:

policyDefinitionId: policy01.id

To Reproduce
Create main.bicep as shown below, and compile. Deploy using New-AzManagementGroupDeployment -ManagementGroup MYMANAGEMENTGROUP -TemplateFile main.json -Location westeurope

Additional context
This might easily be me expecting too much. I did look through the documentation, and did

targetScope = 'managementGroup'

resource policy01 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
  name: 'Allowed locations'
  properties: {
    policyType: 'Custom'
    mode: 'All'
    policyRule: {
      if: {
        field: 'location'
        notIn: [
          'westeurope'
        ]
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

resource initiative 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
  name: 'Default initiative'
  properties: {
    policyDefinitions: [
      {
        policyDefinitionId: policy01.id
        // policyDefinitionId: '/providers/Microsoft.Management/managementGroups/MYMANAGEMENTGROUP/providers/${policy01.id}'
      }
    ]
  }
}
@ghost ghost added the Needs: Triage 🔍 label Dec 25, 2020
@alex-frankel
Collaborator

alex-frankel commented Dec 26, 2020

I think this is only an issue when the policy definition is created at scope = 'managementGroup' because we don't have a managementGroupResourceId() function for ARM Templates like we do for the other scopes, but will need @anthony-c-martin to confirm

@anthony-c-martin
Member

@bmoore-msft, @filizt, can either of you think of any way in ARM JSON today to get the current scope of a managementGroup-scoped deployment (e.g. /providers/Microsoft.Management/managementGroups/<name>) without having to specify the name?

I've not been able to think of anything we could codegen that doesn't require a code change to the deployment service.

Note - this is documented in the Bicep codebase here

@bmoore-msft
Contributor

You're right you cannot today (this came up a lot with LZs). There is a PR on hold #4451578 that will unblock this scenario - it's creating a managementGroup() function to match the other scopes (sub, rg), until then you have to pass in the MG group name to create the resourceId.

You can still codegen the resourceId (using tenantResourceId()) - tenant and mg resourceIds are the same thing which is why there's no managementGroupResourceId() function.

@anthony-c-martin
Member

anthony-c-martin commented Apr 14, 2021

You can still codegen the resourceId (using tenantResourceId()) - tenant and mg resourceIds are the same thing which is why there's no managementGroupResourceId() function.

Mind clarifying on this a little bit? In the example given, we have:

targetScope = 'managementGroup'

resource policy01 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
  name: 'Allowed locations'
  ...
}

I would expect the resulting resourceId of the policy01 resource here to be:

/providers/Microsoft.Management/managementGroups/{mg_name}/providers/Microsoft.Authorization/policyDefinitions/Allowed locations

What would codegen for the resourceId look like just using the tenantResourceId() function, given that we don't have a value for {mg_name}?

@bmoore-msft
Contributor

the managementGroup() function would give you the name... but it's a fair conversation to say whether we should also have a managementGroupResourceId() function as well (even though it's redundant, it simplifies a bit).

@anthony-c-martin
Member

the managementGroup() function would give you the name... but it's a fair conversation to say whether we should also have a managementGroupResourceId() function as well (even though it's redundant, it simplifies a bit).

Either works just fine for Bicep - was just curious if there was a way to do this today - sounds like not until we have managementGroup().

@johndowns
Contributor

It's nice to be able to use the managementGroup().name property instead of a param, but I'm definitely in favour of adding a managementGroupResourceId() function as the next step.
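As an added example (not code from the issue or from the Bicep project), here is the reporter's policy/initiative pair rewritten so the initiative derives the definition id from the deployment's own management group instead of a hardcoded MYMANAGEMENTGROUP. It assumes a Bicep release that ships the managementGroup() scope function and extensionResourceId(), which the 0.2.212 CLI in the report did not have; the parameter name and resource names are my own.

```bicep
// Added example, not part of the original issue. Assumes managementGroup()
// and extensionResourceId() are available (later Bicep releases than 0.2.212).
targetScope = 'managementGroup'

// Regions a subscription under this management group may deploy into.
// Parameterised so the same template can be deployed to several groups
// without editing the source (the hardcoded MG name was the drift risk
// in the original report).
param allowedLocations array = [
  'westeurope'
]

resource policy01 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
  name: 'allowed-locations'
  properties: {
    displayName: 'Allowed locations'
    policyType: 'Custom'
    mode: 'All'
    policyRule: {
      if: {
        field: 'location'
        notIn: allowedLocations
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

// managementGroup().id resolves to
// '/providers/Microsoft.Management/managementGroups/<name>' for the group the
// deployment targets, so the full extension-resource id can be composed
// without knowing the group name at authoring time.
var policy01Id = extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', policy01.name)

resource initiative 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
  name: 'default-initiative'
  properties: {
    displayName: 'Default initiative'
    policyDefinitions: [
      {
        policyDefinitionReferenceId: 'allowedLocations'
        policyDefinitionId: policy01Id
      }
    ]
  }
  // Explicit ordering: the definition must exist before the set references it.
  dependsOn: [
    policy01
  ]
}

output policyDefinitionId string = policy01Id
```

Compiling with bicep build and inspecting the generated main.json shows the id expression in place of the literal management group path, which is the quickest check that no group name leaked into the template.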

@johndowns
Contributor

Thank you, @anthony-c-martin - that change is awesome!

@ghost ghost locked as resolved and limited conversation to collaborators May 28, 2023