Block the existing keyword for extension resources that have no readable scopes (#18260)

## Description

Since some extension resources do not have a concept of existing
resources, it is a requirement to block the existing keyword when
authoring these extension resources.

## Example Usage

### Write-Only Resource

**Scenario**: A resource type with no readable scopes but has writable
scopes cannot be used with the `existing` keyword.

```bicep
// This will produce error BCP441
resource writeOnlyResource 'Microsoft.Example/writeOnlyType@2024-01-01' existing = {
  name: 'myResource'
}
```
**Error Message** - Resource type
"Microsoft.Example/writeOnlyType@2024-01-01" cannot be used with the
'existing' keyword.

## Checklist

- [x] I have read and adhere to the [contribution
guide](https://github.com/Azure/bicep/blob/main/CONTRIBUTING.md).

###### Microsoft Reviewers: [Open in
CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/18260)

Author: harshpatel17

src/Bicep.Core.IntegrationTests/ExtensibilityTests.cs

@@ -271,6 +271,60 @@ extension kubernetes with {
             });
         }
 
+        [TestMethod]
+        public async Task Extension_import_existing_blocked_for_writeonly_resource()
+        {
+            // Create a mock extension with a write only resource (no readable scopes, has writable scopes)
+            var services = CreateServiceBuilder();
+            await ExtensionTestHelper.AddMockExtensions(services, TestContext, CreateMockExtWithWriteOnlyResource());
+
+            var mainUri = new Uri("file:///main.bicep");
+            var files = new Dictionary<Uri, string>
+            {
+                [mainUri] = """
+                extension 'br:mcr.microsoft.com/bicep/extensions/writeonly/v1:1.2.3'
+
+                resource myResource 'writeOnlyType@v1' existing = {
+                  identifier: 'test-resource'
+                }
+                """
+            };
+
+            var compilation = await services.BuildCompilationWithRestore(files, mainUri);
+
+            compilation.Should().HaveDiagnostics(new[] {
+                ("no-unused-existing-resources", DiagnosticLevel.Warning, "Existing resource \"myResource\" is declared but never used."),
+                ("BCP441", DiagnosticLevel.Error, "Resource type \"writeOnlyType@v1\" cannot be used with the 'existing' keyword."),
+            });
+        }
+
+        [TestMethod]
+        public async Task Extension_writeonly_resource_can_be_deployed_normally()
+        {
+            // Create a mock extension with a write only resource
+            var services = CreateServiceBuilder();
+            await ExtensionTestHelper.AddMockExtensions(services, TestContext, CreateMockExtWithWriteOnlyResource());
+
+            var mainUri = new Uri("file:///main.bicep");
+            var files = new Dictionary<Uri, string>
+            {
+                [mainUri] = """
+                extension 'br:mcr.microsoft.com/bicep/extensions/writeonly/v1:1.2.3'
+
+                // Write-only resources should work fine for normal (non-existing) deployment
+                resource myResource 'writeOnlyType@v1' = {
+                  identifier: 'test-resource'
+                }
+
+                output resourceId string = myResource.identifier
+                """
+            };
+
+            var compilation = await services.BuildCompilationWithRestore(files, mainUri);
+
+            compilation.Should().NotHaveAnyDiagnostics();
+        }
+
         [TestMethod]
         public void Kubernetes_competing_imports_are_blocked()
         {
@@ -1121,6 +1175,32 @@ private static MockExtensionData CreateMockExtWithDiscriminatedConfigType(string
                         }))
                 });
 
+        private static MockExtensionData CreateMockExtWithWriteOnlyResource(string extName = "writeonly") =>
+            ExtensionTestHelper.CreateMockExtensionMockData(
+                extName, "1.2.3", "v1", new CustomExtensionTypeFactoryDelegates
+                {
+                    CreateResourceTypes = (ctx, tf) =>
+                    {
+                        var bodyType = tf.Create(() => new ObjectType(
+                            "writeOnlyBody",
+                            new Dictionary<string, ObjectTypeProperty>
+                            {
+                                ["identifier"] = new(ctx.CoreStringTypeRef, ObjectTypePropertyFlags.Required | ObjectTypePropertyFlags.Identifier, "The resource identifier")
+                            },
+                            null));
+
+                        // Create a write only resource: no readable scopes, but has writable scopes
+                        var writeOnlyType = tf.Create(() => new ResourceType(
+                            "writeOnlyType@v1",
+                            tf.GetReference(bodyType),
+                            null,
+                            writableScopes_in: ScopeType.All,
+                            readableScopes_in: (ScopeType)0)); // No readable scopes makes it write only
+
+                        return [writeOnlyType];
+                    }
+                });
+
         #endregion
 
     }

src/Bicep.Core/Diagnostics/DiagnosticBuilder.cs

@@ -1245,6 +1245,10 @@ public Diagnostic LambdaVariablesInInlineFunctionUnsupported(string functionName
                 $"Using lambda variables inside the \"{functionName}\" function is not currently supported."
                     + $" Found the following lambda variable(s) being accessed: {ToQuotedString(variableNames)}.");
 
+            public Diagnostic CannotUseExistingWithWriteOnlyResource(ResourceTypeReference resourceTypeReference) => CoreError(
+                "BCP441",
+                $"Resource type \"{resourceTypeReference.FormatName()}\" cannot be used with the 'existing' keyword.");
+
             public Diagnostic ExpectedLoopVariableBlockWith2Elements(int actualCount) => CoreError(
                 "BCP249",
                 $"Expected loop variable block to consist of exactly 2 elements (item variable and index variable), but found {actualCount}.");

src/Bicep.Core/TypeSystem/Providers/Extensibility/ExtensionResourceTypeFactory.cs

@@ -239,12 +239,19 @@ private static ResourceFlags ToResourceFlags(Azure.Bicep.Types.Concrete.Resource
             var output = ResourceFlags.None;
             var (readableScopes, writableScopes) = GetScopeInfo(input);
 
-            // Resource is ReadOnly if there are no writable scopes (matches legacy behavior)
-            if (writableScopes == ResourceScope.None)
+            // Resource is ReadOnly if there are no writable scopes but has readable scopes
+            if (writableScopes == ResourceScope.None && readableScopes != ResourceScope.None)
             {
                 output |= ResourceFlags.ReadOnly;
             }
 
+            // Resource is WriteOnly if there are no readable scopes but has writable scopes
+            // This is specifically for extensions which cannot be referenced as existing
+            if (readableScopes == ResourceScope.None && writableScopes != ResourceScope.None)
+            {
+                output |= ResourceFlags.WriteOnly;
+            }
+
             return output;
         }
 

src/Bicep.Core/TypeSystem/ResourceFlags.cs

@@ -14,5 +14,10 @@ public enum ResourceFlags
         /// The resource must be used with the 'existing' keyword.
         /// </summary>
         ReadOnly = 1 << 0,
+
+        /// <summary>
+        /// The resource cannot be used with the 'existing' keyword.
+        /// </summary>
+        WriteOnly = 1 << 1,
     }
 }

src/Bicep.Core/TypeSystem/TypeAssignmentVisitor.cs

@@ -326,6 +326,11 @@ public override void VisitResourceDeclarationSyntax(ResourceDeclarationSyntax sy
                     {
                         diagnostics.Write(syntax.Type, x => x.ResourceTypeIsReadonly(resourceType.TypeReference));
                     }
+
+                    if (syntax.IsExistingResource() && resourceType.Flags.HasFlag(ResourceFlags.WriteOnly))
+                    {
+                        diagnostics.Write(syntax.Type, x => x.CannotUseExistingWithWriteOnlyResource(resourceType.TypeReference));
+                    }
                 }
 
                 return TypeValidator.NarrowTypeAndCollectDiagnostics(typeManager, binder, this.parsingErrorLookup, diagnostics, syntax.Value, declaredType, true);