Referencing resource created in one module in another module Azure Bicep?

Tim 156 Reputation points
2022-09-15T06:45:30.037+00:00

Suppose I have two files/modules in Azure Bicep, both are called in a 'main.bicep'. One is called 'storage.bicep' and contains, among others, the following code to create a storageAccount: 

   resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' = {  
     name: 'tmpst4dnbnlp'  
     location: location  
     sku: {  
       name: storageAccountSku  
     }  
     kind: 'StorageV2'  
     properties: {  
       allowBlobPublicAccess: false  
       accessTier: 'Hot'  
     }  
   }

Another file contains some LogicApp definitions and is called 'orchestration.bicep'. Now in this file, there is a part where I want to reference the 'storageAccountTemp' resource in module 'storage.bicep', as to provide the LogicApp system managed identity access the contributor role for the: 

   resource logicAppStorageAccountRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {  
     scope: 'xxx'  
     name: guid('ra-logicapp-${roleDefinitionId}')  
     properties: {  
       principalType: 'ServicePrincipal'  
       roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)  
       principalId: logicAppTest.identity.principalId  
     }  
   }

Where I need to specify the scope (that now says 'xxx'). I can't say resourceGroup() since the storage is in a different resource group. Instead, I want to reference the storageAccountTemp object. This seems impossible to do when the object is in a different module (I tried outputting the name and id and using these but this was not accepted by Bicep.

Is there any way I can actually reference the original storageAccountTemp object from 'storage.bicep' in the 'orchestration.bicep' file?

Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,840 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Stephane Lapointe 6 Reputation points MVP
    2023-01-28T14:32:24.16+00:00

    The short answer is no, not at this time. But there is a way to do what you're after.

    You can put your role assignment in a module and provide the scope property to get a resource outside the current deployment scope.

    Pass the information about the name of the target resource as a parameter of the module, you can then use the reference keyword to get a runtime reference to your desired resource.

    You could do something like this:

    //orchestration.bicep


module assignmentInAnotherScope 'roleAssignment.bicep' = {
  name: 'assignmentDeployment'
  scope: resourceGroup('storage-rg')
  params: {
    storageAccountName: storageAccountTemp.name
    logicAppName: 'testlogicapp'
    logicAppResourceGroup: 'logicapp-rg'
  }
}

    //roleAssignment.bicep

param storageAccountName string
param logicAppName string
param logicAppResourceGroup string

var roleDefinitionId = '00000000-0000-0000-0000-000000000000'

resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {  
  name: storageAccountName
}


resource logicAppTest 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {  
  name: logicAppName  
  scope: resourceGroup(logicAppResourceGroup)  
}


resource logicAppStorageAccountRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {  
  name: guid('ra-logicapp-${roleDefinitionId}')
  scope: storageAccountTemp
  properties: {  
    principalType: 'ServicePrincipal'  
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)  
    principalId: logicAppTest.identity.principalId  
  }  
}

    You can take a look at this Q&A video that will give you an idea on how to use the scope property with the existing keyword.

    https://www.youtube.com/watch?v=H1g_pj1uo5E