
From my "main" bicep module, I would like to reference an existing function that is created by a module called from the same "main" bicep. So I used the following code:

resource functionApp 'Microsoft.Web/sites@2021-02-01' existing = {
  name: functionAppName
  scope: resourceGroup(subscriptionId, 'rg-365response-${env}-001')
}

I am then able to use properties from the "functionApp" resource variable to obtain the function key and store as a key vault secret as follows:

resource funcSecret 'Microsoft.KeyVault/vaults/secrets@2021-04-01-preview' = {
  name: '${kvName}/funcAppKey'
  properties: {
    value: listKeys('${functionApp.id}/host/default', functionApp.apiVersion).functionKeys.default
  }
}

However, when I run a resource group deployment, I see the following error:

The Resource ‘Microsoft.Web/sites/func-365response-int-001’ under
resource group ‘rg-365response-int-001’ was not found

This is some kind of timing issue; I guess it’s checking for the function app before the call to the module that creates it has had a chance to complete.

If I run the "main" bicep module a second time, everything works okay.

It seems it’s not possible to use the "dependsOn" syntax for a resource that is "existing".

Is there an alternative?

2 Answers


  1. I think you are correct in that the listKeys() is called too early, you can’t fix it with dependsOn unfortunately. There is a bit more explanation here: https://bmoore-msft.blog/2020/07/26/resource-not-found-dependson-is-not-working/

    The only fix for this is to put the listKeys and the function into different modules and make sure you have dependsOn if the second module doesn’t consume an input from the first.

    The part that’s not adding up for me is that you have an existing keyword on the resource in the sample above but you say you’re creating it. The symptoms you describe also suggest you’re creating it in the same deployment. If you are, then you don’t need the `existing` keyword.

    If all else fails – post all the code.

  2. dependsOn can only be used for resources defined in the same bicep file (ARM template).
    When you use the existing keyword, it will be compiled to a resourceId() or reference() by Bicep.

    You could create a module to create secret:

    // key-vault-secret.bicep
    
    param kvName string
    param secretName string
    @secure()
    param secretValue string
    
    resource kvSecret 'Microsoft.KeyVault/vaults/secrets@2021-04-01-preview' = {
      name: '${kvName}/${secretName}'
      properties: {
        value: secretValue
      }
    }
    

    Then from where you are creating your function, you could invoke it like that:

    resource functionApp 'Microsoft.Web/sites@2021-03-01' = {
      name: functionAppName
      location: location
      kind: 'functionapp'
      ...
    }
    
    // Add secret to KV
    module functionKey 'key-vault-secret.bicep' = {
      name: 'function-default-host-key'
      scope: resourceGroup()
      params:{
        kvName: kvName
        secretName: 'funcAppKey'
        secretValue: listKeys('${functionApp.id}/host/default', functionApp.apiVersion).functionKeys.default
      }
    }
    
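The first answer's suggestion, moving the listKeys call into its own module, shown as an added example that is not part of either answer. The file names, the `function-app.bicep` module and its `functionAppName` output are assumptions, and the function app and key vault are assumed to live in the deployment's resource group.

```bicep
// ---- func-key-to-kv.bicep (hypothetical file name) ----
// Runs as its own nested deployment, so listKeys() below is evaluated only
// when this module starts, not when the parent template is first processed.
param functionAppName string
param kvName string
param secretName string = 'funcAppKey'

// 'existing' is safe here: the caller guarantees the app is already deployed.
resource functionApp 'Microsoft.Web/sites@2021-02-01' existing = {
  name: functionAppName
}

resource funcSecret 'Microsoft.KeyVault/vaults/secrets@2021-04-01-preview' = {
  name: '${kvName}/${secretName}'
  properties: {
    // The key is read and written inside this module; it is never an output,
    // so it does not appear in the deployment's recorded outputs.
    value: listKeys('${functionApp.id}/host/default', functionApp.apiVersion).functionKeys.default
  }
}

// ---- main.bicep ----
param functionAppName string
param kvName string

// Hypothetical module that creates the function app and outputs its name.
module funcApp 'function-app.bicep' = {
  name: 'function-app'
  params: {
    functionAppName: functionAppName
  }
}

module storeKey 'func-key-to-kv.bicep' = {
  name: 'store-function-key'
  params: {
    // Consuming an output of funcApp creates the implicit dependency;
    // without such an input, add dependsOn: [ funcApp ] instead.
    functionAppName: funcApp.outputs.functionAppName
    kvName: kvName
  }
}
```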