[BUG] Throws "Bicep compilation hasn't completed within the timeout window" if Bicep can't fetch external modules from private ACR, error BCP192

[o-l-a-v]

Existing rule

No response

Description of the issue

Running PSRule with PSRule.Rules.Azure throws an error Bicep compilation hasn't completed within the timeout window. This can be caused by errors or warnings. Check the Bicep output by running bicep build and addressing any issues. when the actual cause is that the context it runs from isn't authorized to get the external Bicep modules from a private ACR. I noticed it because I added bicep restore <file>.bicep to my workflow before running PSRule, and it threw following error:

Error BCP192: Unable to restore the artifact with reference "br:<redacted>.azurecr.io/bicep/modules/<redacted>:0.X": Service request failed.
Status: 401 (Unauthorized)

Content:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required, visit https://aka.ms/acr/authorization for more information."}]}

Request: Expose the error thrown by Azure CLI (if using az bicep) or Bicep (if using bicep directly).

Error messages

No response

Reproduction

Run PSRule on Bicep that references Bicep modules in a private ACR, without being authenticated and authorized to get those modules.

Version of PSRule

2.9.0

Version of PSRule for Azure

1.36.0

Additional context

No response

[BernieWhite]

Thanks for reporting the issue @o-l-a-v. Seems like you're hitting the timeout window which by default is 5 seconds, but this can be changed to a different value.

https://azure.github.io/PSRule.Rules.Azure/setup/configuring-expansion/#bicep-compilation-timeout

To clarify, do you feel you are getting the Bicep compilation hasn't completed within the timeout window. This can be caused by errors or warnings. Check the Bicep output by running bicep build and addressing any issues. message incorrectly i.e. the timeout is already set to a high value.

Or is it more that the message is not helpful to diagnose the root cause?

How long did the separate bicep restore task take?

---

The timeout is currently set to prevent cases when running in a CI pipeline are hard to troubleshoot and massively blow out runtime, which could easily occur if you have a large repository of files.

When a timeout occurs, PSRule moves on and doesn't wait for Bicep to complete.

Although possibly we can make this experience better.

[o-l-a-v]

Should've included the command I used for this to happen:

## Get all available rules and find the ones to exclude
$PSRuleRulesAvailable = [array](Get-PSRule -Module 'PSRule.Rules.Azure')
$PSRuleRulesExclude   = [string[]](
    $PSRuleRulesAvailable.Where{
        $_.'Tags'.'Release' -ne 'GA' -or
        $_.'Tags'.'Azure.WAF/pillar' -eq 'Reliability' -or
        $_.'Info'.'Annotations'.'severity' -eq 'Awareness'
    }.'Name' | Sort-Object
)

## Run PSRule
$PSRuleScan = [PSCustomObject[]](
    Invoke-PSRule -InputPath $FilePath -Module 'PSRule.Rules.Azure' -Outcome 'Fail','Error' -OutputFormat 'None' -Option @{
        'AZURE_BICEP_CHECK_TOOL'             = [bool] $true
        'AZURE_BICEP_FILE_EXPANSION'         = [bool] $true
        'AZURE_BICEP_FILE_EXPANSION_TIMEOUT' = [uint16] 30
        'AZURE_BICEP_PARAMS_FILE_EXPANSION'  = [bool] $true
        'Execution.UnprocessedObject'        = [string] 'Ignore'
        'RULE.EXCLUDE'                       = [string[]]($PSRuleRulesExclude)
    } | Sort-Object -Property 'RuleName'
)

So I had the timeout set to 30.

To clarify, do you feel you are getting the Bicep compilation hasn't completed within the timeout window. This can be caused by errors or warnings. Check the Bicep output by running bicep build and addressing any issues. message incorrectly i.e. the timeout is already set to a high value.

Exactly. Would be good to also include whatever error message Bicep might throw, not just a hardcoded error message.