From ec9a93c8da2728085e2e3ee48ecd903a65fa9b3c Mon Sep 17 00:00:00 2001
From: Preston Alvarado <700740+coolhome@users.noreply.github.com>
Date: Thu, 7 Dec 2023 13:31:55 -0600
Subject: [PATCH] Potential workaround for #3386

---
 modules/resources/resource-group/README.md | 1 -
 modules/resources/resource-group/main.bicep | 25 ++++++++++------
 modules/resources/resource-group/main.json | 32 ++++++++++++++-------
 3 files changed, 37 insertions(+), 21 deletions(-)

diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md
index 3bd54c57d1..c362d4ea7d 100644
--- a/modules/resources/resource-group/README.md
+++ b/modules/resources/resource-group/README.md
@@ -339,7 +339,6 @@ The ID of the resource that manages this resource group.
 
 - Required: No
 - Type: string
-- Default: `''`
 
 ### Parameter: `roleAssignments`
 
diff --git a/modules/resources/resource-group/main.bicep b/modules/resources/resource-group/main.bicep
index 7bb4f4cc20..8ad5190e2f 100644
--- a/modules/resources/resource-group/main.bicep
+++ b/modules/resources/resource-group/main.bicep
@@ -20,7 +20,7 @@ param roleAssignments roleAssignmentType
 param tags object?
 
 @description('Optional. The ID of the resource that manages this resource group.')
-param managedBy string = ''
+param managedBy string?
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -51,11 +51,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = if (managedBy == null) {
 location: location
 name: name
 tags: tags
- managedBy: managedBy
+ properties: {}
+}
+
+resource managedResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = if (managedBy != null) {
+ location: location
+ name: name
+ tags: tags
+ managedBy: length(managedBy ?? '') > 0 ? managedBy : ''
 properties: {}
 }
 
@@ -63,13 +70,13 @@ module resourceGroup_lock 'modules/nested_lock.bicep' = if (!empty(lock ?? {}) &
 name: '${uniqueString(deployment().name, location)}-RG-Lock'
 params: {
 lock: lock
- name: resourceGroup.name
+ name: managedBy == null ? resourceGroup.name : managedResourceGroup.name
 }
- scope: resourceGroup
+ scope: managedBy == null ? resourceGroup : managedResourceGroup
 }
 
 resource resourceGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
- name: guid(resourceGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+ name: guid(managedBy == null ? resourceGroup.id : managedResourceGroup.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
 properties: {
 roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
 principalId: roleAssignment.principalId
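Review bot: An explicit empty string now selects the managed branch in the `managedResourceGroup` declaration: `managedBy != null` is true for `''`, so a caller that still passes the old default deploys the resource group with `managedBy: ''`, the same payload as before this change. If the workaround is meant to leave the property out whenever no manager is given, the two conditions should be `if (empty(managedBy))` and `if (!empty(managedBy))`, with the other `managedBy == null` ternaries in this file following the same test. Inside the managed branch the expression `length(managedBy ?? '') > 0 ? managedBy : ''` always evaluates to the value of `managedBy`, so unless it is only there to satisfy the type checker it can be `managedBy: managedBy!`. A short comment above the two declarations saying that they describe the same resource group under mutually exclusive conditions would help the next reader.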
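Review bot: The ternary `scope: managedBy == null ? resourceGroup : managedResourceGroup` on `resourceGroup_lock` appears to lose the resource-group scope when compiled: in the regenerated main.json of this same commit the nested lock deployment drops `"resourceGroup": "[parameters('name')]"` and gains `"location": "[deployment().location]"`, which is how a subscription-level deployment is emitted. A lock intended for one resource group would then target the subscription, or the deployment would likely fail, so this should be checked before merging. Both symbols carry the same name, so the scope can be written without a ternary as `scope: az.resourceGroup(name)` with `dependsOn: [ resourceGroup, managedResourceGroup ]`, and the `name:` parameter can be plain `name`. The `guid(...)` seed in `resourceGroup_roleAssignments` compiles to the same resource ID in both branches, so existing role-assignment names stay stable; that resource's body continues outside the hunk.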
@@ -82,13 +89,13 @@ resource resourceGroup_roleAssignments 'Microsoft.Authorization/roleAssignments@
 }]
 
 @description('The name of the resource group.')
-output name string = resourceGroup.name
+output name string = managedBy == null ? resourceGroup.name : managedResourceGroup.name
 
 @description('The resource ID of the resource group.')
-output resourceId string = resourceGroup.id
+output resourceId string = managedBy == null ? resourceGroup.id : managedResourceGroup.id
 
 @description('The location the resource was deployed into.')
-output location string = resourceGroup.location
+output location string = managedBy == null ? resourceGroup.location : managedResourceGroup.location
 
 // =============== //
 // Definitions //
diff --git a/modules/resources/resource-group/main.json b/modules/resources/resource-group/main.json
index eccb25088a..cb2b36630e 100644
--- a/modules/resources/resource-group/main.json
+++ b/modules/resources/resource-group/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "4157027857802113569" + "templateHash": "14745510264593051323" }, "name": "Resource Groups", "description": "This module deploys a Resource Group.",
@@ -140,7 +140,7 @@ }, "managedBy": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The ID of the resource that manages this resource group." }
@@ -184,12 +184,22 @@ } }, "resourceGroup": { + "condition": "[equals(parameters('managedBy'), null())]", "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2021-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", - "managedBy": "[parameters('managedBy')]", + "properties": {} + }, + "managedResourceGroup": { + "condition": "[not(equals(parameters('managedBy'), null()))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2021-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "managedBy": "[if(greater(length(coalesce(parameters('managedBy'), '')), 0), parameters('managedBy'), '')]", "properties": {} }, "resourceGroup_roleAssignments": { 
@@ -199,7 +209,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "name": "[guid(subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "name": "[guid(if(equals(parameters('managedBy'), null()), subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')), subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", "properties": { "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", @@ -210,6 +220,7 @@ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ + "managedResourceGroup", "resourceGroup" ] }, 
@@ -218,7 +229,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-RG-Lock', uniqueString(deployment().name, parameters('location')))]", - "resourceGroup": "[parameters('name')]", + "location": "[deployment().location]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -228,9 +239,7 @@ "lock": { "value": "[parameters('lock')]" }, - "name": { - "value": "[parameters('name')]" - } + "name": "[if(equals(parameters('managedBy'), null()), createObject('value', parameters('name')), createObject('value', parameters('name')))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -299,6 +308,7 @@ } }, "dependsOn": [ + "managedResourceGroup", "resourceGroup" ] } @@ -309,21 +319,21 @@ "metadata": { "description": "The name of the resource group." }, - "value": "[parameters('name')]" + "value": "[if(equals(parameters('managedBy'), null()), parameters('name'), parameters('name'))]" }, "resourceId": { "type": "string", "metadata": { "description": "The resource ID of the resource group." }, - "value": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name'))]" + "value": "[if(equals(parameters('managedBy'), null()), subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')), subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('name')))]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('resourceGroup', '2021-04-01', 'full').location]" + "value": "[if(equals(parameters('managedBy'), null()), reference('resourceGroup', '2021-04-01', 'full').location, reference('managedResourceGroup', '2021-04-01', 'full').location)]" } } } \ No newline at end of file