Dynamic loop to create a kv-access policy

[matthiasguentert]

Consider the following template where I create two web apps with a system managed identity.

var location = resourceGroup().location
var tenantId = subscription().tenantId

resource kv 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: 'kv-bicep-dev'
  location: location
  properties: {
    tenantId: tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
    accessPolicies: [for (app, i) in apps: {
          tenantId: tenantId
          objectId: apps[i].identity.principalId
          permissions: {
            secrets: [
              'all'
            ]
          }
    }]
  }
}

resource plan 'Microsoft.Web/serverfarms@2020-12-01' = {
  name: 'plan-bicep-dev'
  location: location
  kind: 'linux'
  sku: {
    name: 'B1'
    capacity: 1
  }
}

param names array = [
  'app-bicep-dev0'
  'app-bicep-dev1'
]

resource apps 'Microsoft.Web/sites@2020-12-01' = [for name in names: {
  name: name
  location: location
  kind: 'app,linux,container'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: plan.id
  }
}]

Now I would like to reference the principalId inside my key vault access policy. Doing it like this doesn't work. And IntelliSense is pretty clear about the reason: Directly referencing a resource or module collection is not currently supported. Apply an array indexer to the expression. bicep(BCP144)

accessPolicies: [for app in apps: {
      tenantId: tenantId
      objectId: app.identity.principalId
      permissions: {
        secrets: [
          'all'
        ]
      }
}]

So I can rewrite it to the following, which works, but is static.

  accessPolicies: [for i in range(0, 1): {
        tenantId: tenantId
        objectId: apps[i].identity.principalId
        permissions: {
          secrets: [
            'all'
          ]
        }
  }]

Is there a more dynamic way to create the access policy?

Edit:
Better, but still unsure if there is a better approach..

  accessPolicies: [for i in range(0, length(names)): {
        tenantId: tenantId
        objectId: apps[i].identity.principalId
        permissions: {
          secrets: [
            'all'
          ]
        }
  }]

[brwilkinson]

It appears that you cannot iterate over the object itself, however you can still iterate of the array of names that you used to create apps.

Then reference the other array app object via the index.

resource kv 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: 'kv-bicep-dev'
  location: location
  properties: {
    tenantId: tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
    accessPolicies: [for (app, i) in names : {
          tenantId: tenantId
          objectId: apps[i].identity.principalId
          permissions: {
            secrets: [
              'all'
            ]
          }
    }]
  }
}

or adding more info to the array to make it an object... just for demonstration.

notice

• names.name in the apps
• app.secrets in the kv access policies

param names array = [
  {
    name: 'app-bicep-dev0'
    secrets: [
      'all'
    ]
  }
  {
    name: 'app-bicep-dev1'
    secrets: [
      'all'
    ]
  }
]

resource apps 'Microsoft.Web/sites@2020-12-01' = [for name in names: {
  name: name.name
  location: location
  kind: 'app,linux,container'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: plan.id
  }
}]

resource kv 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: 'kv-bicep-dev'
  location: location
  properties: {
    tenantId: tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
    accessPolicies: [for (app, i) in names: {
      tenantId: tenantId
      objectId: apps[i].identity.principalId
      permissions: {
        secrets: app.secrets
      }
    }]
  }
}