Resource is getting deployed even though the if condition makes it false thereby giving error resource defined multiple times

[vinsten99]

Bicep version
v0.8.9

Describe the bug

Resource is getting deployed even though the if condition makes it false.
Trying to do policy assignments with parameters & one without parameters, have the name & ids in an array but inspite of having bool false value the resource is getting deployed which is throwing an error .

{"error":{"code":"InvalidTemplate","message":"Deployment template validation failed: 'The resource 'Microsoft.Authorization/policyAssignments/Azure Security Benchmark' at line '1' and column '785' is defined multiple times in a template. Please see https://aka.ms/arm-template/#resources for usage details.'.","additionalInfo":[{"type":"TemplateViolation","info":{"lineNumber":1,"linePosition":785,"path":"properties.template.resources[0]"}}]}}

To Reproduce
Steps to reproduce the behavior:

param location string = resourceGroup().location
param initiativeDefinition array = [
  {
    isParameterized : false
    name : 'Azure Security Benchmark'
    id : '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
  }
  {
    name : 'Enable Azure Monitor'
    id : '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
    para : {
      logAnalytics_1 : {
        value : 'test-123'
    }}
    isParameterized : true

  }
]
resource initiativeDefinitionPolicyAssignmentWithPara 'Microsoft.Authorization/policyAssignments@2019-09-01' = [for policy in initiativeDefinition: if(policy.isParameterized) {
  name: policy.name
  identity: {
    type: 'SystemAssigned'
  }
  location: location
  properties: {
    scope: resourceGroup().id
    enforcementMode: 'Default'
    policyDefinitionId: policy.id
    parameters: policy.para
    }
  
}]

resource initiativeDefinitionPolicyAssignmentNotPara 'Microsoft.Authorization/policyAssignments@2019-09-01' = [for policy in initiativeDefinition: if (!policy.isParameterized) {
  name: policy.name
  identity: {
    type: 'SystemAssigned'
  }
  location: location
  properties: {
    scope: resourceGroup().id
    enforcementMode: 'Default'
    policyDefinitionId: policy.id
    

  }
}]

Additional context
Not sure if this is a bug or my code issue i am just staring out with Bicep, any help would be appreciated. Thank you :)

[jeskew]

I believe the template validation engine will run prior to any conditions being evaluated, so this behavior is expected. For example, I get the same error when trying to deploy a template with boolean constant conditions:

For the specific scenario you describe, it looks like the difference between initiativeDefinitionPolicyAssignmentWithPara and initiativeDefinitionPolicyAssignmentNotPara is whether the parameters property is present. You could also achieve this by conditionally adding the property to a single resource type:

resource initiativeDefinitionPolicyAssignment 'Microsoft.Authorization/policyAssignments@2019-09-01' = [for policy in initiativeDefinition: {
  name: policy.name
  identity: {
    type: 'SystemAssigned'
  }
  location: location
  properties: union(
    {
      scope: resourceGroup().id
      enforcementMode: 'Default'
      policyDefinitionId: policy.id
    },
    policy.isParameterized ? {parameters: policy.para} : {}
  )
}]

[vinsten99]

@jeskew Oh okay makes sense, Thank you so much that helps :)

[miqm]

@jeskew can we close this or we have something to do here?

[jeskew]

@miqm There's some overlap between this issue and #2371 (if we were to solve the issue in the ARM runtime), but we may be able to improve the user experience here by not emitting resources whose condition is known to be false at compile time. The latter would probably require #444 to be completed first, but it's worth discussing at triage.

[alex-frankel]

I'm going to close this as a dup of #2371