CLI version 2.47.0 Bicep build fails with invalid error about required secure parameter on getSecret call

[petergerritsen]

When using the following module:

@description('Properties of the API Management instance')
param apiManagement object

@description('Secret stored in the Key Vault instance, dedicated for API Management secrets and certificates.')
@secure()
param clientId string

@description('Secret stored in the Key Vault instance, dedicated for API Management secrets and certificates.')
@secure()
param clientIdProxy string

@description('Secret stored in the Key Vault instance, dedicated for API Management secrets and certificates.')
@secure()
param clientSecret string

Called from a bicep file as such:

module authorizationServerDeveloperConsole 'br/pitwall:api-management-apis/api-authorization-server-shared:v1' = {
   name: '${apiManagement.api.name}-authorization-server-dev-console'
   params: {
     apiManagement: apiManagement
     clientId: kv.getSecret('sp-pitwall-developer-console')
     clientIdProxy: kv.getSecret('sp-pitwall-public-apis-apim-api')
     clientSecret: kv.getSecret('sp-pitwall-developer-console-secret')
   }
   dependsOn: [
     apiVersionSet
   ]
 }

We get the following error since using CLI version 2.47.0: Error BCP180: Function "getSecret" is not valid at this location. It can only be used when directly assigning to a module parameter with a secure decorator.

With CLI version 2.46.0 this error would not come up.

[yonzhan]

Thank you for opening this issue, we will look into it.

Thank you for your feedback. This has been routed to the support team for assistance.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @josephkwchan, @jennyhunter-msft.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/deployments-owners.