Support regex in parameter validation

Open alex-frankel opened this issue 2 years ago • 2 comments

I think this is tricky to implement in the ARM runtime as there are concerns over non-performant regex, but don't know the details well enough. Also seems like it may be related to #4158. cc @jeskew as FYI

Some context below from #2922:


Coming from the perspective of a longtime AWS CloudFormation and Terraform author now starting to use bicep - this type of password complexity validation can be achieved with a regular expression, as I've seen it done in these other tools.

So, what I think is really missing - like a SERIOUS design omission - is to have a regular expression based validation for parameters. This should have full support for all regex features, including backwards and forward references. It should support the PCRE2 standard as can be validated here: https://regex101.com

I noticed another open issue to validate IP addresses and CIDRs, while looking to see if regex validation was an existing open issue. This is also something that can be done easily using regular expressions.

Given that this feature has been in CloudFormation templates, first JSON, then YAML, for at least 5 years that I'm personally aware of, it's sort of incredible - a glaring omission which surprised me - that this basic feature is not yet in bicep and arm. Please consider adding it, as it's incredibly useful in both preventing use of incorrect values, but also in precisely describing what values are allowed in a way beyond what's often possible to easily describe in words.

For example, I want to have a startDate parameter with the value entered as 'YYYY-MM-DD' - the fact I can't validate this simple pattern with a message to the user if they don't enter it correctly, is really surprising for a mature IaC template tool.

Originally posted by @michael-crawford in https://github.com/Azure/bicep/issues/2922#issuecomment-1245765330

alex-frankel avatar Sep 14 '22 23:09 alex-frankel

There are some safety mechanisms we could use when executing user-supplied regular expressions, such as setting a strict timeout. We may also be able to use a non-backtracking engine, though I believe that would not support the full PCRE2 standard.

jeskew avatar Sep 15 '22 15:09 jeskew
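
The two safeguards mentioned in the comment above (a strict match timeout and a non-backtracking engine), sketched in C# as an added example; this is not code from the Bicep or ARM projects or from any commenter. `ParameterPatternValidator`, `Validate`, the 250 ms budget and the sample patterns are assumptions made for illustration, and `RegexOptions.NonBacktracking` requires .NET 7 or later.

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration: ParameterPatternValidator is a hypothetical name,
// not a Bicep or ARM API.
public static class ParameterPatternValidator
{
    public enum Outcome { Valid, Invalid, TimedOut, PatternRejected }

    // Assumed budget for one match attempt; chosen here for illustration.
    private static readonly TimeSpan MatchBudget = TimeSpan.FromMilliseconds(250);

    public static Outcome Validate(string pattern, string value, bool nonBacktracking)
    {
        var options = RegexOptions.CultureInvariant;
        if (nonBacktracking) options |= RegexOptions.NonBacktracking; // .NET 7+

        Regex regex;
        try
        {
            regex = new Regex(pattern, options, MatchBudget);
        }
        catch (ArgumentException) { return Outcome.PatternRejected; }     // malformed pattern
        catch (NotSupportedException) { return Outcome.PatternRejected; } // e.g. backreference with NonBacktracking

        try
        {
            return regex.IsMatch(value) ? Outcome.Valid : Outcome.Invalid;
        }
        catch (RegexMatchTimeoutException) { return Outcome.TimedOut; }   // budget exceeded: fail closed
    }

    public static void Main()
    {
        // Constructed sample patterns and inputs.
        const string date = @"\A[0-9]{4}-[0-9]{2}-[0-9]{2}\z"; // the YYYY-MM-DD shape from the issue
        const string nested = @"\A(a+)+\z";                     // nested quantifier, prone to heavy backtracking
        const string backref = @"\A(\w+)-\1\z";                 // backreference, needs a backtracking engine
        string longInput = new string('a', 40) + "!";

        var cases = new[] { (date, "2022-09-14"), (date, "14-09-2022"), (nested, longInput), (backref, "ab-ab") };
        foreach (bool nb in new[] { false, true })
            foreach (var (pattern, value) in cases)
                Console.WriteLine($"nonBacktracking={nb}  {pattern}  ->  {Validate(pattern, value, nb)}");
    }
}
```

The date pattern uses `[0-9]` and `\z` rather than `\d` and `$` because in .NET `\d` also matches non-ASCII digits and `$` also matches before a trailing newline.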

+1 for adding regex, as it would make parameter/validation so much better. As for language though, wouldn't it make more sense to have .NET regex instead of PCRE2? The rest of bicep is .NET, and I believe it is also the flavour used in e.g. PowerShell, so it would be consistent in usage.

bjompen avatar Sep 25 '22 20:09 bjompen

This would be extremely useful in a lot of our templates in the following scenarios, with the 'fail early shift left' mentality:

  • AKV naming
  • ACR naming
  • Network address spacing

csaba-almasi avatar May 12 '23 13:05 csaba-almasi

+1 to this. I can use this for Microsoft.DocumentDB/mongoClusters which has a password policy for the cluster resource of 8-256 characters and 3 of the following: lower case, upper case, numeric and symbol.

It would be fantastic to have a parameter object where I could apply rules like these (aside from min/max length which we already have) and have it validate the user input before it gets sent to the RP.

markjbrown avatar May 12 '23 15:05 markjbrown