Can not perform requested operation on nested resource. Parent resource 'tst-edp-fn-001' bicep

Question

Hi,

I encountered this error in the bicep file while creating function app with VNET integration. My Vnet is in another resource group named 'tst-vnet' separate from my function app. Here is the code snippet:

    resource functionApp 'Microsoft.Web/sites@2022-03-01' = {  
      name: functionAppName  
      location: location  
      tags: tags  
      kind: 'functionapp'  
      identity: {  
        type: 'SystemAssigned'  
      }  
      properties: {  
        httpsOnly: true  
        serverFarmId: functionAppHostingPlan.id  
        clientAffinityEnabled: true  
        publicNetworkAccess: 'Disabled'  
        siteConfig: {  
          appSettings: [  
            {  
              name: 'AzureWebJobsStorage'  
              value: 'DefaultEndpointsProtocol=https;AccountName=${functionAppStorageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${listKeys(functionAppStorageAccount.id, functionAppStorageAccount.apiVersion).keys[0].value}'  
            }  
            {  
              name: 'FUNCTIONS_EXTENSION_VERSION'  
              value: runtimeStackVersion  
            }  
            {  
              name: 'FUNCTIONS_WORKER_RUNTIME'  
              value: runtimeStack  
            }  
            {  
              name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'  
              value: 'DefaultEndpointsProtocol=https;AccountName=${functionAppStorageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${listKeys(functionAppStorageAccount.id, functionAppStorageAccount.apiVersion).keys[0].value}'  
            }  
            {  
              name: 'WEBSITE_CONTENTSHARE'  
              value: 'functionapp'  
            }  
            {  
              name: 'WEBSITE_VNET_ROUTE_ALL'  
              value: '1'  
            }  
            {  
              name: 'WEBSITE_DNS_SERVER'  
              value: '168.63.129.16'  
            }  
            {  
              name: 'WEBSITE_CONTENTOVERVNET'  
              value: '1'  
            }  
          ]  
          minTlsVersion: '1.2'  
          linuxFxVersion: linuxFxVersion  
          ftpsState: 'FtpsOnly'  
        }  
      }  
    }  
  
module networkConfig 'modules/network-config.bicep' = {  
  name: '${deploymentPrefix}-fn-networkcfg'   
  dependsOn: [  
    functionApp  
  ]  
  scope: resourceGroup(pvtResourceGroupName)  
  params: {  
    functionAppName: functionAppName  
    privateBackendSubnet: privateBackendSubnet  
    privateEndpointVNet: privateEndpointVNet  
    privateBackendSubnetCIDR: privateBackendSubnetCIDR  
  }  
}  

This is the content of network-config.bicep

resource networkConfig 'Microsoft.Web/sites/networkConfig@2022-03-01' = {  
  name: '${functionAppName}/virtualNetwork'  
  properties: {  
    subnetResourceId: resourceId('Microsoft.Network/virtualNetworks/subnets', privateEndpointVNet, privateBackendSubnet)  
    swiftSupported: true  
  }  
}  

Answer 1

The networkConfig resource needs to be created in the same resourceGroup as the functionApp itself, no module is needed. Then the subnetResourceId property of the networkConfig resource needs to have a fully qualified reference to the subnet in the other resourceGroup, e.g.

resourceId(pvtResourceGroupName, 'Microsoft.Network/virtualNetworks/subnets', privateEndpointVNet, privateBackendSubnet)