BCP134 when trying to have a management group scoped module called from a resource group scoped bicep

[sopelt]

Bicep version
0.25.53

Describe the bug
Validation (BCP134) prevents having a module with a different deployment scope type (management group) than its parent deployment (resource group, subscription).

The use-case is deploying a function app to a resource group that needs a certain role assignment on a management group to properly operate. We only found #6597 that explains that the targetScope (type) is not inherited but in this case we would actively want to have it different.

Is this inherently impossible in ARM or "just" prevented by validation in bicep?

Thanks!

[jeskew]

Bicep is reflecting an ARM limitation on what kinds of scopes can be targeted from other scopes.

There is a way to work around it, but it requires two modules so that you can move from resource group scope to tenant scope, then from tenant scope to management group scope. Note that you need the Microsoft.Resources/deployments/write permission on the RG, the tenant, and the MG for this to work.

main.bicep (resource group scoped)

param mgName string

module tenantScoped 'tenant_scoped.bicep' = {
  name: 'tenantScoped'
  scope: tenant()
  params: {
    mgName: mgName
  }
}

output mg object = tenantScoped.outputs.mg

tenant_scoped.bicep

targetScope = 'tenant'

param mgName string

module mgScoped 'mg_scoped.bicep' = {
  name: 'mgScoped'
  scope: managementGroup(mgName)
}

output mg object = mgScoped.outputs.mg

mg_scoped.bicep

targetScope = 'managementGroup'

output mg object = managementGroup()

[sopelt]

Thank you for the answer/workaround/update. Do you happen to know of ARM documentation that we missed that documents which scope changes/combinations are valid?
We will probably stick with an isolated, second deployment as the three biceps + permissions don't seem to make things tangibly better in terms of maintenance etc.

[jeskew]

Do you happen to know of ARM documentation that we missed that documents which scope changes/combinations are valid?

I couldn't find anything that spells this out explicitly and opened #13617 to see if we can get that addressed.

[sopelt]

Thanks for the swift reply and the ticket. I'll keep an eye out on it. Love the work the bicep team & community are doing!

[olahallengren]

Bicep is reflecting an ARM limitation on what kinds of scopes can be targeted from other scopes.

I was wondering about the possibilities of having the underlying ARM limitation addressed (without requiring the workaround).