Existing resource reference cannot find scope

[AlexanderSehr]

Bicep version

> bicep --version
Bicep CLI version 0.4.1008 (223b8d227a)

Describe the bug
Using an existing resource and as such a reference() (+ externalReference()) is unable to correctly use its scope property if that scope is deployed in the same template:

PS C:\dev\ip\Azure-ResourceModules\ResourceModules> New-AzDeployment -Name 'vmWinDepTestAlsehrtest' -Location 'Westeurope' -TemplateFile 'C:\dev\ip\Azure-ResourceModules\ResourceModules\utilities\pipelines\moduleDependencies\Microsoft.Compute\virtualMachines\dummy.bicep' -Verbose -resourceGroupName 'test-alsehr'VERBOSE: Using Bicep v0.4.1008
VERBOSE: 
VERBOSE: 17:23:48 - Template is valid.
VERBOSE: 17:23:50 - Create template deployment 'vmWinDepTestAlsehrtest'
VERBOSE: 17:23:50 - Checking deployment status in 5 seconds
VERBOSE: 17:23:55 - Resource Microsoft.Resources/deployments '6zsywyhlpux56-rg' provisioning status is running
VERBOSE: 17:23:55 - Resource Microsoft.Resources/resourceGroups 'test-alsehr' provisioning status is succeeded
VERBOSE: 17:23:55 - Checking deployment status in 14 seconds
VERBOSE: 17:24:09 - Resource Microsoft.Resources/deployments '6zsywyhlpux56-mi' provisioning status is running
VERBOSE: 17:24:09 - Resource Microsoft.Resources/deployments '6zsywyhlpux56-rg' provisioning status is succeeded
VERBOSE: 17:24:09 - Checking deployment status in 16 seconds
VERBOSE: 17:24:26 - Resource Microsoft.Resources/deployments '6zsywyhlpux56-mi' provisioning status is succeeded
VERBOSE: 17:24:26 - Resource Microsoft.ManagedIdentity/userAssignedIdentities 'adp-sxx-msi-vmwinpar-01' provisioning status is succeeded
New-AzDeployment: 17:24:26 - The deployment 'vmWinDepTestAlsehrtest' failed with error(s). Showing 1 out of 1 error(s).
Status Message: Resource group 'test-alsehr' could not be found. (Code:ResourceGroupNotFound)
CorrelationId: 6a937a55-96e0-4171-8d87-797848def038

Id                      : /subscriptions/a.../providers/Microsoft.Resources/deployments/vmWinDepTestAlsehrtest
DeploymentName          : vmWinDepTestAlsehrtest
Location                : westeurope
ProvisioningState       : Failed
Timestamp               : 06.12.2021 16:24:26
Mode                    : Incremental
TemplateLink            : 
Parameters              : 
                          Name                 Type                       Value     
                          ===================  =========================  ==========
                          resourceGroupName    String                     test-alsehr
                          location             String                     Westeurope

Outputs                 : 
DeploymentDebugLogLevel : 


PS C:\dev\ip\Azure-ResourceModules\ResourceModules> 

To Reproduce
Note the following example template in which run's in a deployment scope to deploy a resource group and resources into it.

targetScope = 'subscription'

// ========== //
// Parameters //
// ========== //

// Resource Group
@description('Required. The name of the resource group to deploy for a testing purposes')
param resourceGroupName string

@description('Optional. The location to deploy to')
param location string = deployment().location

// ========= //
// Variables //
// ========= //

var managedIdentityParameters = {
  name: 'adp-sxx-msi-vmwinpar-01'
}

// =========== //
// Deployments //
// =========== //

module resourceGroup '../../../../../arm/Microsoft.Resources/resourceGroups/deploy.bicep' = {
  name: '${uniqueString(deployment().name, location)}-rg'
  params: {
    name: resourceGroupName
    location: location
  }
}

module managedIdentity '../../../../../arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep' = {
  scope: az.resourceGroup(resourceGroupName)
  name: '${uniqueString(deployment().name, location)}-mi'
  params: {
    name: managedIdentityParameters.name
  }
  dependsOn: [
    resourceGroup
  ]
}

resource miRef 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
  scope: az.resourceGroup(resourceGroupName)
  name: managedIdentityParameters.name
}

output principalRef string = miRef.properties.principalId

Additional context
When consulting the deployment in Azure I can clearly see that the MI was successfully deployed. However, the reference itself can apparently not resolve the already deployed resource group.

Note that the above example is a working version that can reproduce the bug. However, it is not the use case I have. That one wants to reference the deployed principal to fetch it's object ID and create role assignment for a storage account.

[StefanIvemo]

The existing keyword is ment to be used to reference existing resources not declared in the current template.

In your case you can fetch the principalId of the managed identity by doing the steps below.

1. Add an output to your module file that deploys the managed identity. This will output the princiaplId as a string and allows you to reference that property in your template consuming the module.

output principalId string = managedIdentity.properties.principalId

2. Change your output in the main template to:

output principalRef string = managedIdentity.outputs.principalId

Can you check if these changes fixes your issue?

[AlexanderSehr]

Hey @StefanIvemo,
thanks for your reponse. We actually do have that output in our module, but I was trying to avoid it to not be dependent on it (e.g. names could change, outputs removed, etc.). Fetching the already deployed resource and taking the principalID directly from it seemed to be the more reliable solution (if it would work, that is).
I'll fallback to the output then.

However, I do have to wonder if there is not a use case in using existing for any resources, as long as they are deployed first.

I guess it's not working because ARM searches resources in resource pool that existed before the deployment was triggered. However, if that's the case I'd hope that it's possible to consider also those resources that were added during runtime.

[alex-frankel]

This will also be improved with #2245/#2246 since you will be able to pass the entire resource as an output and not have to use existing at all. Going to close this and we can track the improvement there.