Resolve principalId inside diagnostic module to avoid cross-scope reference error (#762)

tjementum · web-flow · commit a85f0ea59690 · 2025-07-04T23:18:06.000+02:00
### Summary & Motivation Resolve `principalId` inside the diagnostics module to eliminate the cross-scope `reference()` error during deployment. This fixes [this cloud infrastructure error](https://github.com/platformplatform/PlatformPlatform/actions/runs/16051114349/job/45293755354). - Remove the `principalId` parameter from the diagnostics module interface. - Retrieve the `principalId` internally within the module, ensuring all references stay within the same scope. - Update calling templates to reflect the revised module signature. ### Checklist - [x] I have added tests, or done manual regression tests - [x] I have updated the documentation, if necessary
diff --git a/cloud-infrastructure/cluster/main-cluster.bicep b/cloud-infrastructure/cluster/main-cluster.bicep
@@ -120,7 +120,6 @@ module microsoftSqlDerverDiagnosticConfiguration '../modules/microsoft-sql-serve
   params: {
     diagnosticStorageAccountName: diagnosticStorageAccountName
     microsoftSqlServerName: resourceGroupName
-    principalId: microsoftSqlServer.outputs.principalId
     dianosticStorageAccountBlobEndpoint: diagnosticStorageAccount.outputs.blobEndpoint
     dianosticStorageAccountSubscriptionId: subscription().subscriptionId
   }
diff --git a/cloud-infrastructure/modules/microsoft-sql-server-diagnostic.bicep b/cloud-infrastructure/modules/microsoft-sql-server-diagnostic.bicep
@@ -1,21 +1,22 @@
 param diagnosticStorageAccountName string
 param microsoftSqlServerName string
-param principalId string
 param dianosticStorageAccountSubscriptionId string
 param dianosticStorageAccountBlobEndpoint string
 
-module diagnosticStorageBlobDataContributorRoleAssignment 'role-assignments-storage-blob-data-contributor.bicep' = if (principalId != '') {
+resource existingMicrosoftSqlServer 'Microsoft.Sql/servers@2023-05-01-preview' existing = {
+  name: microsoftSqlServerName
+}
+
+var contributorPrincipalId = existingMicrosoftSqlServer.identity.principalId
+
+module diagnosticStorageBlobDataContributorRoleAssignment './role-assignments-storage-blob-data-contributor.bicep' = {
   name: '${microsoftSqlServerName}-microsoft-sql-server-blob-contributer'
   params: {
     storageAccountName: diagnosticStorageAccountName
-    principalId: principalId
+    principalId: contributorPrincipalId
   }
 }
 
-resource existingMicrosoftSqlServer 'Microsoft.Sql/servers@2023-05-01-preview' existing = {
-  name: microsoftSqlServerName
-}
-
 resource microsoftSqlServerOutboundFirewallRules 'Microsoft.Sql/servers/outboundFirewallRules@2023-05-01-preview' = {
   parent: existingMicrosoftSqlServer
   name: replace(replace(dianosticStorageAccountBlobEndpoint, 'https:', ''), '/', '')

Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,6 @@ module microsoftSqlDerverDiagnosticConfiguration '../modules/microsoft-sql-serve`
`120`	`120`	`params: {`
`121`	`121`	`diagnosticStorageAccountName: diagnosticStorageAccountName`
`122`	`122`	`microsoftSqlServerName: resourceGroupName`
`123`		`- principalId: microsoftSqlServer.outputs.principalId`
`124`	`123`	`dianosticStorageAccountBlobEndpoint: diagnosticStorageAccount.outputs.blobEndpoint`
`125`	`124`	`dianosticStorageAccountSubscriptionId: subscription().subscriptionId`
`126`	`125`	`}`