
Secure outputs API is used for all outputs if any output matches heuristic

Open jeskew opened this issue 8 months ago • 1 comments

Bicep version 0.34.44

Describe the bug

If any output in a module has or contains a secureObject or secureString type, the listOutputsWithSecureValues API will be used for all outputs.

To Reproduce

@secure()
output sensitive string = 'foo'

output notSensitive string = 'bar'

If the above template is used as a module, listOutputsWithSecureValues will be used to dereference the notSensitive output.

Additional context

Ran into this while working on #16987. The generated source for output dereferencing is pretty complex because listOutputsWithSecureValues('mod') and reference('mod').outputs have different formats, and the logic is tricky to reproduce because it's not related to the output being dereferenced but instead to the sum type of the outputs of the whole module.

Ideally, I think we should only use listOutputsWithSecureValues since it covers all cases, though we can't avoid references('<module copy loop symbolic name>') for expressions like map(mods, m => m.outputs.foo) since there is no collection equivalent of listOutputsWithSecureValues.

jeskew, Apr 24 '25 13:04

Hi @jeskew, I think we're going to see a bigger impact on this as AVM starts to release some cases that use secure outputs.

As you have mentioned, if any output uses a secure type and that is consumed by a parent module then they are all marked as secret.

As a result, there are some potential practical limitations with the approach:

  • The resource ID is commonly exported and used by parent modules and returned as a deployment output.
  • Treating non-sensitive values as sensitive values might cause problems with the rest of the tool chain.

Ideally, I'd like to:

  • Treat sensitive values as sensitive, wrapped with listOutputsWithSecureValues.
  • Avoid treating non-sensitive values as sensitive values and expose with reference / references.

BernieWhite, Jun 12 '25 03:06
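An added example, not part of the issue thread or the Bicep project's code: a small audit script that lists the non-secure outputs of a module file that would be read through listOutputsWithSecureValues under the behaviour reported above. The function names are hypothetical, the sample is the module from the reproduction, and only outputs decorated directly with @secure() are detected (an output whose type merely contains a secure property is not).

```python
import re

# Constructed sample: the module from the issue's reproduction steps.
SAMPLE_MODULE = """\
@secure()
output sensitive string = 'foo'

output notSensitive string = 'bar'
"""

DECORATOR_RE = re.compile(r"^\s*@([\w.]+)")
DECL_RE = re.compile(r"^\s*(output|param|var|resource|module|type|func)\s+(\w+)")
SECURE_NAMES = {"secure", "sys.secure"}


def classify_outputs(bicep_source):
    """Return (secure, plain) lists of output names for one module file."""
    secure, plain = [], []
    pending = set()  # decorators seen since the previous declaration
    for line in bicep_source.splitlines():
        dec = DECORATOR_RE.match(line)
        if dec:
            pending.add(dec.group(1))
            continue
        decl = DECL_RE.match(line)
        if decl:
            if decl.group(1) == "output":
                target = secure if pending & SECURE_NAMES else plain
                target.append(decl.group(2))
            pending.clear()  # decorators apply only to the next declaration
    return secure, plain


def over_classified(bicep_source):
    """Non-secure outputs that share a module with at least one secure output."""
    secure, plain = classify_outputs(bicep_source)
    return plain if secure else []


if __name__ == "__main__":
    for name in over_classified(SAMPLE_MODULE):
        print(f"{name}: not @secure(), but module also has secure outputs")
```
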