Add stacks extensibility linting rule. Restrict syntax on config assignments. (#17654)

## Description

- Adds `stacks-extensibility-compat` linter rule. Defaults to `Info`
level. Flags non-key vault references for secure extension config
properties as well as key vault references for non-secure properties.
- Add syntax restriction diagnostics for unsupported scenarios (object
spreads, ternaries, invalid references)
- Migrate main baselines and params baselines to use the newer
`TestExternalArtifactManager`, as well as supply some mock extensions by
default to test different config schemas.
- Update tests and baselines with additional scenarios.
- Update the `moduleExtensionConfigs` experimental flag doc. It should
be ready for use now.

## Example Usage

## Checklist

- [x] I have read and adhere to the [contribution
guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md).

###### Microsoft Reviewers: [Open in
CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/17654)

Author: kalbert312

src/Bicep.Cli.IntegrationTests/BuildCommandTests.cs

@@ -1,26 +1,21 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-using System.IO.Abstractions;
 using System.IO.Abstractions.TestingHelpers;
-using System.Text.RegularExpressions;
-using Bicep.Cli.UnitTests;
 using Bicep.Core;
 using Bicep.Core.Configuration;
 using Bicep.Core.FileSystem;
-using Bicep.Core.Modules;
 using Bicep.Core.Registry;
 using Bicep.Core.Samples;
 using Bicep.Core.UnitTests;
 using Bicep.Core.UnitTests.Assertions;
-using Bicep.Core.UnitTests.Baselines;
+using Bicep.Core.UnitTests.Features;
 using Bicep.Core.UnitTests.Mock;
 using Bicep.Core.UnitTests.Registry;
 using Bicep.Core.UnitTests.Utils;
-using Bicep.IO.FileSystem;
+using Bicep.TextFixtures.Utils;
 using FluentAssertions;
 using FluentAssertions.Execution;
-using Microsoft.Extensions.DependencyInjection;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 using Moq;
 using Newtonsoft.Json.Linq;
@@ -65,12 +60,15 @@ public async Task Build_NonBicepFiles_ShouldFail_WithExpectedErrorMessage()
         public async Task Build_Valid_SingleFile_WithTemplateSpecReference_ShouldSucceed(DataSet dataSet)
         {
             var outputDirectory = dataSet.SaveFilesToTestDirectory(TestContext);
-            var clientFactory = dataSet.CreateMockRegistryClients();
-            var templateSpecRepositoryFactory = dataSet.CreateMockTemplateSpecRepositoryFactory(TestContext);
-            await dataSet.PublishModulesToRegistryAsync(clientFactory);
-            var bicepFilePath = Path.Combine(outputDirectory, DataSet.TestFileMain);
+            var features = new FeatureProviderOverrides(TestContext);
+            FileHelper.GetCacheRootDirectory(TestContext).EnsureExists();
+
+            var artifactManager = new TestExternalArtifactManager(TestCompiler.ForMockFileSystemCompilation().WithFeatureOverrides<FeatureProviderOverrides, OverriddenFeatureProviderFactory>(features));
+            await dataSet.PublishAllDataSetArtifacts(artifactManager, publishSource: true);
 
-            var settings = new InvocationSettings(new(TestContext, RegistryEnabled: dataSet.HasExternalModules), clientFactory, templateSpecRepositoryFactory);
+            var settings = new InvocationSettings(features).WithArtifactManager(artifactManager, TestContext);
+
+            var bicepFilePath = Path.Combine(outputDirectory, DataSet.TestFileMain);
             var (output, error, result) = await Bicep(settings, "build", bicepFilePath);
 
             using (new AssertionScope())
@@ -108,12 +106,15 @@ public async Task Build_Valid_SingleFile_WithTemplateSpecReference_ShouldSucceed
         public async Task Build_Valid_SingleFile_WithTemplateSpecReference_ToStdOut_ShouldSucceed(DataSet dataSet)
         {
             var outputDirectory = dataSet.SaveFilesToTestDirectory(TestContext);
-            var clientFactory = dataSet.CreateMockRegistryClients();
-            var templateSpecRepositoryFactory = dataSet.CreateMockTemplateSpecRepositoryFactory(TestContext);
-            await dataSet.PublishModulesToRegistryAsync(clientFactory);
-            var bicepFilePath = Path.Combine(outputDirectory, DataSet.TestFileMain);
+            var features = new FeatureProviderOverrides(TestContext);
+            FileHelper.GetCacheRootDirectory(TestContext).EnsureExists();
+
+            var artifactManager = new TestExternalArtifactManager(TestCompiler.ForMockFileSystemCompilation().WithFeatureOverrides<FeatureProviderOverrides, OverriddenFeatureProviderFactory>(features));
+            await dataSet.PublishAllDataSetArtifacts(artifactManager, publishSource: true);
 
-            var settings = new InvocationSettings(new(TestContext, RegistryEnabled: dataSet.HasExternalModules), clientFactory, templateSpecRepositoryFactory);
+            var settings = new InvocationSettings(features).WithArtifactManager(artifactManager, TestContext);
+
+            var bicepFilePath = Path.Combine(outputDirectory, DataSet.TestFileMain);
 
             var (output, error, result) = await Bicep(settings, "build", "--stdout", bicepFilePath);
 
@@ -148,12 +149,16 @@ public async Task Build_Valid_SingleFile_WithTemplateSpecReference_ToStdOut_Shou
         public async Task Build_Valid_SingleFile_After_Restore_Should_Succeed(DataSet dataSet)
         {
             var outputDirectory = dataSet.SaveFilesToTestDirectory(TestContext);
-            var clientFactory = dataSet.CreateMockRegistryClients();
-            var templateSpecRepositoryFactory = dataSet.CreateMockTemplateSpecRepositoryFactory(TestContext);
-            await dataSet.PublishModulesToRegistryAsync(clientFactory);
-            var bicepFilePath = Path.Combine(outputDirectory, DataSet.TestFileMain);
 
-            var settings = new InvocationSettings(new(TestContext, RegistryEnabled: dataSet.HasExternalModules), clientFactory, templateSpecRepositoryFactory);
+            var features = new FeatureProviderOverrides(TestContext);
+            FileHelper.GetCacheRootDirectory(TestContext).EnsureExists();
+
+            var artifactManager = new TestExternalArtifactManager(TestCompiler.ForMockFileSystemCompilation().WithFeatureOverrides<FeatureProviderOverrides, OverriddenFeatureProviderFactory>(features));
+            await dataSet.PublishAllDataSetArtifacts(artifactManager, publishSource: true);
+
+            var settings = new InvocationSettings(features).WithArtifactManager(artifactManager, TestContext);
+
+            var bicepFilePath = Path.Combine(outputDirectory, DataSet.TestFileMain);
 
             var (restoreOutput, restoreError, restoreResult) = await Bicep(settings, "restore", bicepFilePath);
             using (new AssertionScope())

src/Bicep.Cli.IntegrationTests/BuildParamsCommandTests.cs

@@ -12,7 +12,6 @@
 using Bicep.Core.UnitTests;
 using Bicep.Core.UnitTests.Assertions;
 using Bicep.Core.UnitTests.Baselines;
-using Bicep.Core.UnitTests.Mock;
 using Bicep.Core.UnitTests.Utils;
 using FluentAssertions;
 using FluentAssertions.Execution;
@@ -22,27 +21,19 @@
 using Moq;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
+using StrictMock = Bicep.Core.UnitTests.Mock.StrictMock;
+using TestEnvironment = Bicep.Core.UnitTests.Utils.TestEnvironment;
 
 namespace Bicep.Cli.IntegrationTests
 {
 
     [TestClass]
     public class BuildParamsCommandTests : TestBase
     {
-        private InvocationSettings Settings
-            => new()
-            {
-                Environment = TestEnvironment.Default.WithVariables(
-                    ("stringEnvVariableName", "test"),
-                    ("intEnvVariableName", "100"),
-                    ("boolEnvironmentVariable", "true")
-                )
-            };
-
         [TestMethod]
         public async Task Build_Params_With_NonExisting_File_ShouldFail_WithExpectedErrorMessage()
         {
-            var (output, error, result) = await Bicep(Settings, "build-params", "/nonexisting/nonexisting.bicepparam");
+            var (output, error, result) = await Bicep(CreateDefaultSettings(), "build-params", "/nonexisting/nonexisting.bicepparam");
 
             result.Should().Be(1);
             output.Should().BeEmpty();
@@ -58,7 +49,7 @@ public async Task Build_Params_With_Incorrect_Bicep_File_Extension_ShouldFail_Wi
             var outputFilePath = FileHelper.GetResultFilePath(TestContext, "output.json");
 
             File.Exists(outputFilePath).Should().BeFalse();
-            var (output, error, result) = await Bicep(Settings, "build-params", bicepparamsPath, "--bicep-file", bicepPath, "--outfile", outputFilePath);
+            var (output, error, result) = await Bicep(CreateDefaultSettings(), "build-params", bicepparamsPath, "--bicep-file", bicepPath, "--outfile", outputFilePath);
 
             result.Should().Be(1);
             output.Should().BeEmpty();
@@ -76,7 +67,7 @@ public async Task Build_Params_With_CLI_Input_And_Using_Declaration_Bicep_File_R
             var outputFilePath = FileHelper.GetResultFilePath(TestContext, "output.json");
 
             File.Exists(outputFilePath).Should().BeFalse();
-            var result = await Bicep(Settings, "build-params", bicepparamsPath, "--bicep-file", otherBicepPath, "--outfile", outputFilePath);
+            var result = await Bicep(CreateDefaultSettings(), "build-params", bicepparamsPath, "--bicep-file", otherBicepPath, "--outfile", outputFilePath);
 
             result.Should().Fail().And.HaveStderrMatch($"Bicep file {otherBicepPath} provided with --bicep-file option doesn't match the Bicep file {bicepPath} referenced by the \"using\" declaration in the parameters file.*");
         }
@@ -96,7 +87,7 @@ public async Task Build_Params_Bicep_File_Reference_Mismatch_And_Other_Diagnosti
 
             var outputFilePath = FileHelper.GetResultFilePath(TestContext, "output.json");
 
-            var result = await Bicep(Settings, "build-params", bicepparamsPath, "--bicep-file", otherBicepPath, "--outfile", outputFilePath);
+            var result = await Bicep(CreateDefaultSettings(), "build-params", bicepparamsPath, "--bicep-file", otherBicepPath, "--outfile", outputFilePath);
 
             result.Should().Fail().And.HaveStderrMatch($"Bicep file {otherBicepPath} provided with --bicep-file option doesn't match the Bicep file {bicepPath} referenced by the \"using\" declaration in the parameters file.*");
             File.Exists(outputFilePath).Should().BeFalse();
@@ -144,11 +135,11 @@ param objParam object
                 }
                 """;
 
-            var settings = Settings with
+            var settings = CreateDefaultSettings() with
             {
                 Environment = TestEnvironment.Default.WithVariables(
-                ("BICEP_PARAMETERS_OVERRIDES", paramsOverrides)
-            )
+                    ("BICEP_PARAMETERS_OVERRIDES", paramsOverrides)
+                )
             };
 
             var outputFilePath = FileHelper.GetResultFilePath(TestContext, "output.json");
@@ -196,7 +187,7 @@ public async Task Build_params_with_default_value_override_succeeds()
                 foo = "bar"
             }.ToJson()));
 
-            var settings = Settings with { Environment = environment };
+            var settings = CreateDefaultSettings() with { Environment = environment };
             var result = await Bicep(settings, "build-params", bicepparamsPath, "--stdout");
 
             result.Should().NotHaveStderr();
@@ -240,7 +231,7 @@ public async Task Build_params_with_incorrect_default_value_override_fails()
                 wrongName = "bar"
             }.ToJson()));
 
-            var settings = Settings with { Environment = environment };
+            var settings = CreateDefaultSettings() with { Environment = environment };
             var result = await Bicep(settings, "build-params", bicepparamsPath, "--stdout");
 
             result.Should().Fail().And.HaveStderrMatch($"*Error BCP259: The parameter \"wrongName\" is assigned in the params file without being declared in the Bicep file.*");
@@ -271,11 +262,11 @@ param intParam int
                 }
                 """;
 
-            var settings = Settings with
+            var settings = CreateDefaultSettings() with
             {
                 Environment = TestEnvironment.Default.WithVariables(
-                ("BICEP_PARAMETERS_OVERRIDES", paramsOverrides)
-            )
+                    ("BICEP_PARAMETERS_OVERRIDES", paramsOverrides)
+                )
             };
 
             var outputFilePath = FileHelper.GetResultFilePath(TestContext, "output.json");
@@ -292,7 +283,8 @@ param intParam int
         public async Task Build_Valid_Params_File_Should_Succeed(BaselineData_Bicepparam baselineData)
         {
             var data = baselineData.GetData(TestContext);
-            var (output, error, result) = await Bicep(Settings, "build-params", data.Parameters.OutputFilePath, "--bicep-file", data.Bicep.OutputFilePath);
+
+            var (output, error, result) = await Bicep(await CreateDefaultSettingsWithDefaultMockRegistry(), "build-params", data.Parameters.OutputFilePath, "--bicep-file", data.Bicep.OutputFilePath);
 
             using (new AssertionScope())
             {
@@ -311,7 +303,8 @@ public async Task Build_Valid_Params_File_Should_Succeed(BaselineData_Bicepparam
         public async Task Build_Valid_Params_File_To_Outdir_Should_Succeed(BaselineData_Bicepparam baselineData)
         {
             var data = baselineData.GetData(TestContext);
-            var (output, error, result) = await Bicep(Settings, "build-params", data.Parameters.OutputFilePath, "--bicep-file", data.Bicep.OutputFilePath, "--outdir", Path.GetDirectoryName(data.Compiled!.OutputFilePath));
+
+            var (output, error, result) = await Bicep(await CreateDefaultSettingsWithDefaultMockRegistry(), "build-params", data.Parameters.OutputFilePath, "--bicep-file", data.Bicep.OutputFilePath, "--outdir", Path.GetDirectoryName(data.Compiled!.OutputFilePath));
 
             using (new AssertionScope())
             {
@@ -332,7 +325,7 @@ public async Task Build_Valid_Params_File_ToStdOut_Should_Succeed(BaselineData_B
         {
             var data = baselineData.GetData(TestContext);
 
-            var (output, error, result) = await Bicep(Settings, "build-params", data.Parameters.OutputFilePath, "--bicep-file", data.Bicep.OutputFilePath, "--stdout");
+            var (output, error, result) = await Bicep(await CreateDefaultSettingsWithDefaultMockRegistry(), "build-params", data.Parameters.OutputFilePath, "--bicep-file", data.Bicep.OutputFilePath, "--stdout");
 
             using (new AssertionScope())
             {
@@ -356,9 +349,17 @@ public async Task Build_Invalid_Single_Params_File_ShouldFail_WithExpectedErrorM
         {
             var data = baselineData.GetData(TestContext);
 
-            var diagnostics = await GetAllParamDiagnostics(data.Parameters.OutputFilePath);
+            var artifactManager = await CreateDefaultExternalArtifactManager();
+
+            var serviceBuilder = new ServiceBuilder()
+                .WithFeatureOverrides(CreateDefaultFeatureProviderOverrides())
+                .WithTestArtifactManager(artifactManager);
+
+            var diagnostics = await GetAllParamDiagnostics(serviceBuilder, data.Parameters.OutputFilePath);
+
+            var settings = CreateDefaultSettings().WithArtifactManager(artifactManager, TestContext);
 
-            var (output, error, result) = await Bicep(Settings, "build-params", data.Parameters.OutputFilePath, "--bicep-file", data.Bicep.OutputFilePath);
+            var (output, error, result) = await Bicep(settings, "build-params", data.Parameters.OutputFilePath, "--bicep-file", data.Bicep.OutputFilePath);
 
             using (new AssertionScope())
             {
@@ -376,10 +377,7 @@ public async Task Build_params_to_stdout_with_non_bicep_references_should_succee
             var baselineFolder = BaselineFolder.BuildOutputFolder(TestContext, paramFile);
             var outputFile = baselineFolder.GetFileOrEnsureCheckedIn("output.json");
 
-            var clients = await MockRegistry.Build();
-            var settings = new InvocationSettings(new(TestContext, RegistryEnabled: true), clients.ContainerRegistry, clients.TemplateSpec);
-
-            var result = await Bicep(settings, "build-params", baselineFolder.EntryFile.OutputFilePath, "--stdout");
+            var result = await Bicep(await CreateDefaultSettingsWithDefaultMockRegistry(), "build-params", baselineFolder.EntryFile.OutputFilePath, "--stdout");
             result.Should().Succeed();
 
             var parametersStdout = result.Stdout.FromJson<BuildParamsStdout>();
@@ -393,9 +391,6 @@ public async Task Build_params_to_stdout_with_non_bicep_references_should_succee
         [TestCategory(BaselineHelper.BaselineTestCategory)]
         public async Task Build_params_to_stdout_with_experimentalfeaturenotenabled_should_fail()
         {
-            var clients = await MockRegistry.Build();
-            var settings = new InvocationSettings(new(TestContext, RegistryEnabled: true), clients.ContainerRegistry, clients.TemplateSpec);
-
             var mainBicepParamPath = FileHelper.SaveResultFile(
                 TestContext,
                 "main.bicepparam",
@@ -421,7 +416,7 @@ public async Task Build_params_to_stdout_with_experimentalfeaturenotenabled_shou
                 "bicepconfig.json", "{}",
                 Path.GetDirectoryName(mainBicepParamPath));
 
-            var result = await Bicep(settings, "build-params", mainBicepParamPath, "--stdout");
+            var result = await Bicep(await CreateDefaultSettingsWithDefaultMockRegistry(), "build-params", mainBicepParamPath, "--stdout");
 
             result.Should().Fail().And.HaveStderrMatch($"*Error BCP406: Using \"extends\" keyword requires enabling EXPERIMENTAL feature \"ExtendableParamFiles\".*");
         }
@@ -435,10 +430,7 @@ public async Task Build_params_returns_intuitive_error_if_invoked_with_bicep_fil
             var bicepFile = Path.Combine(baselineFolder.OutputFolderPath, "main.bicep");
             File.WriteAllText(bicepFile, "");
 
-            var clients = await MockRegistry.Build();
-            var settings = new InvocationSettings(new(TestContext, RegistryEnabled: true), clients.ContainerRegistry, clients.TemplateSpec);
-
-            var result = await Bicep(settings, "build-params", baselineFolder.EntryFile.OutputFilePath, "--bicep-file", bicepFile, "--stdout");
+            var result = await Bicep(await CreateDefaultSettingsWithDefaultMockRegistry(), "build-params", baselineFolder.EntryFile.OutputFilePath, "--bicep-file", bicepFile, "--stdout");
             result.Should().Fail().And.HaveStderrMatch($"Bicep file * provided with --bicep-file can only be used if the Bicep parameters \"using\" declaration refers to a Bicep file on disk.*");
         }
 
@@ -476,8 +468,7 @@ public async Task Build_params_to_stdout_with_registry_should_succeed_after_rest
             var baselineFolder = BaselineFolder.BuildOutputFolder(TestContext, paramFile);
             var outputFile = baselineFolder.GetFileOrEnsureCheckedIn("output.json");
 
-            var clients = await MockRegistry.Build();
-            var settings = new InvocationSettings(new(TestContext, RegistryEnabled: true), clients.ContainerRegistry, clients.TemplateSpec);
+            var settings = await CreateDefaultSettingsWithDefaultMockRegistry();
 
             var result = await Bicep(settings, "restore", baselineFolder.EntryFile.OutputFilePath);
             result.Should().Succeed().And.NotHaveStdout().And.NotHaveStderr();

src/Bicep.Cli.IntegrationTests/Files/BuildParamsCommandTests/TemplateSpec/output.json

@@ -1,5 +1,5 @@
 {
   "parametersJson": "{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"stringParam\": {\n      \"value\": \"foo\"\n    },\n    \"intParam\": {\n      \"value\": 123\n    },\n    \"boolParam\": {\n      \"value\": false\n    },\n    \"objectParam\": {\n      \"value\": {\n        \"abc\": \"def\"\n      }\n    },\n    \"arrayParam\": {\n      \"value\": [\n        \"abc\",\n        \"def\"\n      ]\n    }\n  }\n}",
   "templateJson": null,
-  "templateSpecId": "/subscriptions/<todo_fill_in>/resourceGroups/<todo_fill_in>/providers/Microsoft.Resources/templateSpecs/<todo_fill_in>/versions/<todo_fill_in>"
+  "templateSpecId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod-rg/providers/Microsoft.Resources/templateSpecs/parameters-basic/versions/v1"
 }