Behavior of exported variables in file published to ACR is different to a local file.

[lumunro]

Bicep version
Bicep CLI version 0.33.93 (7a77c7f)
Bicep VSCode version 0.33.93

Describe the bug
The behavior of a working bicep file with exported variables functions differently depending on if it sourced as a local file or in an ACR

To Reproduce
Steps to reproduce the behavior:

// roles.bicep
@export()
var acrPull = {
  id: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
  name: 'AcrPull'
}

This works:

// main.bicep
import { acrPull } from 'roles.bicep'

This does not work:

// main.bicep
import { acrPull } from 'br/vars:roles:<published-version>'

// The following error is shown:
// 'The 'acrPull' symbol was not found in (or was not exported by) the imported template. bicepBCP360'

Additional context
I would expect this to work as the contents of the file published to the ACR is the same as local 'roles.bicep' file which works.

[jeskew]

The issue is the subscriptionResourceId function -- that can't be evaluated outside of the context of a deployment. I think it's a bug that we're not blocking it from being exported in roles.bicep.

[lumunro]

@jeskew

When I do a simple test with taking the id and outputting it using the local file it works fine.

// main.bicep
import { acrPull } from 'roles.bicep'

// If you add an output and deploy this it shows the full resourceId
output id string = acrPull.id

// Shows: id = '/subscriptions/<my-sub-id-removed>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'

I have been using the local roles.bicep file in actual deployments of resources too, issue has come up when I want to version the roles.bicep in an ACR and use it.

[jeskew]

I get the use case, but I think it's a bug that you can do this with a local file since acrPull is not a compile-time constant.

Can you use a function instead?

// roles.bicep
@export()
func acrPull() object => {
  id: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
  name: 'AcrPull'
}

[lumunro]

Thanks for the detail as to why it was not working and the example code.

Using the information you provided I added a new function to my roles.bicep file, which still allows the use of the variable properties using intelisense (it didnt work the same for the func)

Posting below as others may find it useful:

// roles.bicep
@export()
func roleDefinitionId(roleId string) string => subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)

// Added more than a single role
@export()
var acrPull = {
  id: '7f951dda-4ed3-4680-a7ca-43fe172d538d'
  name: 'AcrPull'
}

@export()
var acrPush = {
  id: '8311e382-0749-4cb8-b61a-304f252e45ec'
  name: 'AcrPush'
}

// main.bicep
import { roleDefinitionId, acrPull, acrPush } from 'br/vars:roles:<published-version>'

output acrPullRoleDefinitionId string = roleDefinitionId(acrPull.id)
// Outputs value as '/subscriptions/<my-sub-id-removed>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'

output acrPushRoleDefinitionId string = roleDefinitionId(acrPush.id)
// Outputs value as '/subscriptions/<my-sub-id-removed>/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'