[Bug Report]: Use networkAcls with key vault #2159

Closed
gsuttie opened this issue Oct 1, 2022 · 2 comments
Labels
bug Something isn't working documentation Improvements or additions to documentation wait for author


gsuttie commented Oct 1, 2022

Describe the bug

I am trying to add vnet integration to my Keyvault and all the docs say to do this:

networkAcls: {
  bypass: 'AzureServices'
  defaultAction: 'Deny'
  ipRules: []
  virtualNetworkRules: [
    {
      id: '/subscriptions/${subscriptionid}/resourceGroups/${resourceGroup}/providers/Microsoft.Network/virtualNetworks/${myVnet}/subnets/${mysubnet}'
    }
  ]
}

But I am getting this error - InvalidTemplate - Deployment template validation failed: 'The template variable 'virtualNetworkRules' is not valid: The language expression property 'subnet' doesn't exist, available properties are 'id'.. Please see https://aka.ms/arm-template-expressions for usage details.'.

If I comment out the id it's fine, so something related to that isn't right.

The API I am using is from the Keyvault Bicep in this repo, so version Microsoft.KeyVault/vaults@2019-09-01

To reproduce

Create a Keyvault and attempt to add a reference to an existing vnet with a subnet (this is for API management in the end).

Code snippet

module createKeyVault 'modules/keyVault.bicep' = {
  scope: resourceGroup(networkHubRg)
  name: KeyVaultName
  params: {
    name: KeyVaultName
    location: primaryLocation
    vaultSku: vaultSku
    tags: tags
    enableVaultForDeployment: true
    enableVaultForTemplateDeployment: true
    enableRbacAuthorization: true
    
    vNetId: '${virtualnetworks_vnet_connectivity_dev_weu_externalid}/subnets/${apimSubnetName}'
    
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
      ipRules: []
      virtualNetworkRules: [
        {
          id: '/subscriptions/${subscriptionId}/resourceGroups/${networkHubRg}/providers/microsoft.network/virtualnetworks/${hubVNetName}/subnets/${mysubnet}'
        }
      ]
    }
  }
  dependsOn: [
    NewPrimaryRG
  ]
}

Relevant log output

InvalidTemplate - Deployment template validation failed: 'The template variable 'virtualNetworkRules' is not valid: The language expression property 'subnet' doesn't exist, available properties are 'id'.. Please see https://aka.ms/arm-template-expressions for usage details.'.
@gsuttie gsuttie added the bug Something isn't working label Oct 1, 2022
@eriqua eriqua changed the title [Bug Report]: [Bug Report]: Use networkAcls with key vault Oct 2, 2022
@rahalan rahalan added the documentation Improvements or additions to documentation label Oct 4, 2022
@eriqua eriqua self-assigned this Oct 4, 2022
@eriqua eriqua linked a pull request Oct 4, 2022 that will close this issue
@eriqua eriqua removed a link to a pull request Oct 5, 2022
Contributor

eriqua commented Oct 10, 2022

Hey @gsuttie, first of all thanks for raising this issue. After your heads-up, we noticed a couple of parameter usage snippets from the module readme file were incorrect, and we fixed them. You can find the updated readme here.

Concerning the matter at hand, the snippet you provided for networkAcls above looks correct, and it's what we're using in our common deployment validation test for keyvault, which you can reference here.

However, the vnetId parameter you shared in the above code snippet is not part of the module input parameters. Could you please remove that line, redeploy the snippet and share the result?

@rahalan rahalan moved this to Low priority in Bug board Dec 11, 2022
Contributor

rahalan commented Feb 23, 2023

Issue should not happen with correct parameter settings according to updated documentation. Thanks for bringing it to our attention. If issue still persists, please open a new issue.

@rahalan rahalan closed this as completed Feb 23, 2023
@github-project-automation github-project-automation bot moved this from Low priority to Closed in Bug board Feb 23, 2023
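
A pre-deployment check for the networkAcls object discussed in this issue, as an added example (not code from this repository or from anyone in the thread). The function name, the findings wording and the sample values are assumptions made for illustration; it checks that the vault stays deny-by-default and that every virtualNetworkRules entry carries an `id` shaped like a subnet resource ID.

```python
import re

# Shape of a subnet resource ID, as used in the issue's virtualNetworkRules entry.
SUBNET_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$",
    re.IGNORECASE,
)

def check_network_acls(acls):
    """Return a list of findings for a Key Vault networkAcls object (empty = OK)."""
    findings = []
    if acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not 'Deny': the vault firewall allows all networks")
    if acls.get("bypass") not in ("AzureServices", "None"):
        findings.append(f"bypass has unexpected value {acls.get('bypass')!r}")
    rules = acls.get("virtualNetworkRules", [])
    for i, rule in enumerate(rules):
        rule_id = rule.get("id") if isinstance(rule, dict) else None
        if not isinstance(rule_id, str):
            findings.append(f"virtualNetworkRules[{i}]: missing string 'id'")
        elif "${" in rule_id:
            findings.append(f"virtualNetworkRules[{i}]: unresolved placeholder in id")
        elif not SUBNET_ID.match(rule_id):
            findings.append(f"virtualNetworkRules[{i}]: id is not a subnet resource ID")
    if acls.get("defaultAction") == "Deny" and not rules and not acls.get("ipRules"):
        findings.append("Deny with no ipRules or virtualNetworkRules: only bypass traffic gets in")
    return findings

# Constructed sample values (placeholder subscription and resource names).
_VNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub"
         "/providers/microsoft.network/virtualnetworks/vnet-hub")
GOOD = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [{"id": _VNET + "/subnets/snet-apim"}],
}
BAD = {
    "bypass": "AzureServices",
    "defaultAction": "Allow",
    "virtualNetworkRules": [{"id": _VNET}, {"subnet": {"id": _VNET + "/subnets/snet-apim"}}],
}

if __name__ == "__main__":
    for name, acls in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_network_acls(acls))
```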