Bicep : Reference resources from different resource groups

Vikas Tiwari 771 Reputation points
2022-12-20T06:29:02.373+00:00

Hi,

I am trying to deploy an Azure function which needs RBAC to resources (i.e. event hub, cosmos etc.) present in a different resource group. I have followed the sample example here; however, while deploying the Bicep file it's throwing errors:

"A resource's computed scope must match that of the Bicep file for it to be deployable. This resource's scope is computed from the "scope" property value assigned to ancestor resource "eventHubNamespace". You must use modules to deploy resources to a different scope."

"A resource's scope must match the scope of the Bicep file for it to be deployable. You must use module to deploy resources to a different scope."

It looks like we cannot define the resource group in the resource as mentioned in the reference doc. I wanted to know how I can deploy an Azure function to resource group "rg1" which can reference other existing resources in "rg2"?

Thanks


Accepted answer
  1. Alistair Ross 7,466 Reputation points Microsoft Employee
    2022-12-20T15:10:32.633+00:00

    Hi @VikaTiwari-2263

    Looking at your ARM template, I can see you have declared a resource called "eventHubNamespaceName_eventHubName_Listen" which is a child of "eventHubNamespaceName_eventHubName", which in turn is a child of "eventHubNamespace". All of these must be in the same resource group as the children are dependent on the root parent, therefore you cannot declare different scopes for these resources. They all must be declared as a resource (not an existing resource), but all you need for resources deployed outside of the template is the resource name.
    https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/child-resource-name-type#outside-parent-resource

    Also when declaring a scope, you need to use a scope function e.g. resourceGroup("ResourceGroupName")
    https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-scope

    Below are the first few resources, which hopefully make sense:

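    // Existing storage account in another resource group, referenced through a scope function
    resource rawStorageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
      name: 'mystorageaccount'
      scope: resourceGroup('rg3')
    }

    // Root parent: declared as a resource (not "existing"), with the name only
    resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' = {
      name: 'myeventhub'
    }

    // Child of the namespace, so it shares the namespace's resource group
    resource eventHubNamespaceName_eventHubName 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' = {
      parent: eventHubNamespace
      name: 'ehname'
    }

    // Grandchild: authorization rule on the event hub, granting Listen only
    resource eventHubNamespaceName_eventHubName_Listen 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2021-11-01' = {
      parent: eventHubNamespaceName_eventHubName
      name: 'ConsumerListens'
      properties: {
        rights: [
          'Listen'
        ]
      }
    }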
    
    1 person found this answer helpful.

1 additional answer

  1. Vikas Tiwari 771 Reputation points
    2022-12-27T19:52:32.117+00:00

    @Alistair Ross I have used modules for resources belonging to different resource groups and passed the respective resource group names from the main file. That fixed the issue and deployed my function with RBAC access to other resources. Here is the flow:

    Main.bicep -> 1) az function deployment code
    2) Call to "Module1.bicep" for existing storage account RBAC assignment (passed function managed identity and storage account's resource group name as param)
    3) Call to "Module2.bicep" for existing eventhub RBAC assignment (passed function managed identity and eventhub's resource group name as param)

    Module1.bicep -> add code to assign RBAC permission on storage account to az function
    Module2.bicep -> add code to assign RBAC permission on event hub to az function

    Adding details here hope it will help someone. Thanks
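
The module flow described in the answer above, for the storage account case, as an added example that is not the poster's own code. The two files are shown in one block and split at the marker comments; the file name `storageRbac.bicep`, the function app name, the parameter names and the choice of the built-in Storage Blob Data Reader role are assumptions.

```bicep
// ---- main.bicep (deployed to rg1, the function app's resource group) ----
param storageAccountName string            // name of the existing account (assumed param)
param storageResourceGroup string = 'rg2'  // resource group that owns the account

// Function app in this file's own scope. Referenced as "existing" here to keep
// the example short; 'my-function-app' is a constructed name.
resource functionApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: 'my-function-app'
}

// The module is deployed at the other resource group's scope, so every resource
// inside it matches the module file's scope and the scope error does not occur.
module storageRbac 'storageRbac.bicep' = {
  name: 'storageRbac'
  scope: resourceGroup(storageResourceGroup)
  params: {
    storageAccountName: storageAccountName
    principalId: functionApp.identity.principalId
  }
}

// ---- storageRbac.bicep (hypothetical module file, runs in rg2) ----
param storageAccountName string
param principalId string

// Built-in "Storage Blob Data Reader" role (assumed); use the narrowest role that works.
var roleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
  name: storageAccountName
}

// Assignment is scoped to the single storage account, not the whole resource group.
resource blobReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storageAccount.id, principalId, roleDefinitionId) // stable across redeployments
  scope: storageAccount
  properties: {
    roleDefinitionId: roleDefinitionId
    principalId: principalId
    principalType: 'ServicePrincipal' // managed identities are service principals
  }
}
```

The identity running the deployment needs `Microsoft.Authorization/roleAssignments/write` on the target storage account for the module to succeed.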

