[Modules] Updated identities to UDT as per AVM specs - Batch 1 (#4124)
* Updated API Management module

* Updated Container App module

* Updating Configuration Store module (ongoing)

* Updated Configuration Store module

* Updated Automation Account module

* Comment headers formatted

* Readme/ARM for first four modules

* Updated Batch Account module

* Fixed parameter descriptions

* Updated Readme and ARM

* Updated Redis Cache module

* Container App - Fixed parameter descriptions

* Updated Cognitive Services module

* Updated VMSS module

* Updated Container Group module

* Updated Container Registry module

* Updated Data Factory module

* Updated Event Grid / System Topic module

* Updated EventHub Namespace module

* [Modules] Resolved conflicts (#4129)

* [Modules] Migrated batch [1/4] to AVM RBAC (#4125)

* Updated first badge of templates (readmes pending)

* Update to latest

* Compiled templates

* Compiled templates

* Compiled first few readmes

* Updated test files

* Updated readmes

* Reduced roles

* Updated templates

* Rollback different branches' changes

* Updated nic & pip

* Fixed test file

* Refreshed vm

* Push updated Readme file(s)

* Updated templates

* Updated templates

---------

Co-authored-by: CARMLPipelinePrincipal <CARML@noreply.github.com>

* Clean-up, some fixes

* Removed Azure Firewall changes from branch

* Update API common test file

* Update API common test file2

* Updated Recovery Services Vault module

* Updated ServiceBus Namespace module

* Updated SQL Managed Instance module

* Updated SQL Server module

* Updated Static Website module

* Updated Web Site module

* Updated website slot readme/arm

* Redis Cache - Testing with two identities

* Configuration Store module - Testing with two identities

* Updated Signal-R WebPub Sub module

* Updated Batch module to support only one type of identity

* Updated AKS module

* Updated Databricks Access Connector module

* Updated Disk Encryption Set module

* Updated Search Service module

* Updated Backup Vault module

* Updated Firewall Policy module

* Updated MySQL Flexible server module

* MySQL Flexible server module - namePrefix reset

* Updated Health Bot module

* Updated NetApp Account module

* Updated App Gateway module

* Updated Deployment Script module

* Updated PostgreSQL Flexible Server module

* Fixed description of userAssignedResourcesIds

* Updated Storage Account module

* Updated Web Hosting Environment module

* Updated Log Analytics Workspace module

* Updated Logic Workflow module

* Updated ML Workspace module

* Updated ML Workspace Compute module

* Updated Cosmos DB module

* Updated VM module

* Updated Digital Twins module

* Updated Healthcare APIs module

* Updated DevTest Lab module

* Updated PurView Account module

* Fixed Digital Twins missing references

* Fixed DevTest Lab formattedManagementIdentities ref

* Purview fix

* Purview fix 2

* Purview updated ARM

* SQL MI fix

* SQL MI updated ARM

* SQL MI removed new output

* Small fixes

* Fixed SQL Server module

* DigitalTwins - fixed params

* Digital Twins - reset to main

* mySQL - updated param description

* postgreSQL - updated param description

* mySQL - updated conditional param description

* postgreSQL - updated conditional param description

* Updated param description for "one identity only" modules

* Disk Encryption Set - updated keyVaultPermissions implementation

* Removed identity from Gremlin DB

* Web Hosting Env - changed the way the warning is suppressed

---------

Co-authored-by: Alexander Sehr <ASehr@hotmail.de>
Co-authored-by: CARMLPipelinePrincipal <CARML@noreply.github.com>
3 people authored Oct 31, 2023
1 parent b61e3b4 commit d57068f
Showing 217 changed files with 4,835 additions and 2,897 deletions.
3 changes: 3 additions & 0 deletions modules/api-management/service/.test/common/main.test.bicep
Expand Up @@ -82,6 +82,9 @@ module testDeployment '../../main.bicep' = {
}
}
]
managedIdentities: {
systemAssigned: true
}
roleAssignments: [
{
roleDefinitionIdOrName: 'Reader'
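Review bot: the `common` test configured no identity before this hunk, so adding `managedIdentities: { systemAssigned: true }` enables a system-assigned identity in a deployment that previously ran without one; that widens the test's footprint rather than migrating an existing setting. Confirm it is intended (the `max` test is where both identity kinds are exercised), or add a comment in the test file stating that `common` now covers the system-assigned-only path.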
8 changes: 5 additions & 3 deletions modules/api-management/service/.test/max/main.test.bicep
Expand Up @@ -201,9 +201,11 @@ module testDeployment '../../main.bicep' = {
scope: '/apis'
}
]
systemAssignedIdentity: true
userAssignedIdentities: {
'${nestedDependencies.outputs.managedIdentityResourceId}': {}
managedIdentities: {
systemAssigned: true
userAssignedResourcesIds: [
nestedDependencies.outputs.managedIdentityResourceId
]
}
tags: {
'hidden-title': 'This is visible in the resource name'
79 changes: 50 additions & 29 deletions modules/api-management/service/README.md
Expand Up @@ -69,6 +69,9 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
kind: 'CanNotDelete'
name: 'myCustomLockName'
}
managedIdentities: {
systemAssigned: true
}
policies: [
{
format: 'xml'
Expand Down Expand Up @@ -141,6 +144,11 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
"name": "myCustomLockName"
}
},
"managedIdentities": {
"value": {
"systemAssigned": true
}
},
"policies": {
"value": [
{
Expand Down Expand Up @@ -279,6 +287,12 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
kind: 'CanNotDelete'
name: 'myCustomLockName'
}
managedIdentities: {
systemAssigned: true
userAssignedResourcesIds: [
'<managedIdentityResourceId>'
]
}
namedValues: [
{
displayName: 'apimkey'
Expand Down Expand Up @@ -339,15 +353,11 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
name: 'testArmSubscriptionAllApis'
}
]
systemAssignedIdentity: true
tags: {
Environment: 'Non-Prod'
'hidden-title': 'This is visible in the resource name'
Role: 'DeploymentValidation'
}
userAssignedIdentities: {
'<managedIdentityResourceId>': {}
}
}
}
```
Expand Down Expand Up @@ -463,6 +473,14 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
"name": "myCustomLockName"
}
},
"managedIdentities": {
"value": {
"systemAssigned": true,
"userAssignedResourcesIds": [
"<managedIdentityResourceId>"
]
}
},
"namedValues": {
"value": [
{
Expand Down Expand Up @@ -535,20 +553,12 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
}
]
},
"systemAssignedIdentity": {
"value": true
},
"tags": {
"value": {
"Environment": "Non-Prod",
"hidden-title": "This is visible in the resource name",
"Role": "DeploymentValidation"
}
},
"userAssignedIdentities": {
"value": {
"<managedIdentityResourceId>": {}
}
}
}
}
Expand Down Expand Up @@ -644,6 +654,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
| [`identityProviders`](#parameter-identityproviders) | array | Identity providers. |
| [`location`](#parameter-location) | string | Location for all Resources. |
| [`lock`](#parameter-lock) | object | The lock settings of the service. |
| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
| [`minApiVersion`](#parameter-minapiversion) | string | Limit control plane API calls to API Management service with version equal to or newer than this value. |
| [`namedValues`](#parameter-namedvalues) | array | Named values. |
| [`newGuidValue`](#parameter-newguidvalue) | string | Necessary to create a new GUID. |
Expand All @@ -657,9 +668,7 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {
| [`skuCount`](#parameter-skucount) | int | The instance size of this API Management service. |
| [`subnetResourceId`](#parameter-subnetresourceid) | string | The full resource ID of a subnet in a virtual network to deploy the API Management service in. |
| [`subscriptions`](#parameter-subscriptions) | array | Subscriptions. |
| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. |
| [`tags`](#parameter-tags) | object | Tags of the resource. |
| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
| [`virtualNetworkType`](#parameter-virtualnetworktype) | string | The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. |
| [`zones`](#parameter-zones) | array | A list of availability zones denoting where the resource needs to come from. |

Expand Down Expand Up @@ -903,6 +912,32 @@ Optional. Specify the name of lock.
- Required: No
- Type: string

### Parameter: `managedIdentities`

The managed identity definition for this resource.
- Required: No
- Type: object


| Name | Required | Type | Description |
| :-- | :-- | :--| :-- |
| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. |
| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. |

### Parameter: `managedIdentities.systemAssigned`

Optional. Enables system assigned managed identity on the resource.

- Required: No
- Type: bool

### Parameter: `managedIdentities.userAssignedResourcesIds`

Optional. The resource ID(s) to assign to the resource.

- Required: No
- Type: array

### Parameter: `minApiVersion`

Limit control plane API calls to API Management service with version equal to or newer than this value.
Expand Down Expand Up @@ -1075,27 +1110,13 @@ Subscriptions.
- Type: array
- Default: `[]`

### Parameter: `systemAssignedIdentity`

Enables system assigned managed identity on the resource.
- Required: No
- Type: bool
- Default: `False`

### Parameter: `tags`

Tags of the resource.
- Required: No
- Type: object
- Default: `{object}`

### Parameter: `userAssignedIdentities`

The ID(s) to assign to the resource.
- Required: No
- Type: object
- Default: `{object}`

### Parameter: `virtualNetworkType`

The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.
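Review bot: dropping `systemAssignedIdentity` and `userAssignedIdentities` from the documented parameters is a breaking change for every consumer of `br:bicep/modules/api-management.service`, and nothing in this README says how to migrate. A short mapping would help: `systemAssignedIdentity: true` becomes `managedIdentities: { systemAssigned: true }`, and the old object keyed by identity resource ID (`'<managedIdentityResourceId>': {}`) becomes the array `managedIdentities: { userAssignedResourcesIds: [ '<managedIdentityResourceId>' ] }`. The usage examples still reference `:1.0.0`; an interface-breaking change should not ship under the version tag shown for the old interface.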
Expand All @@ -1120,7 +1141,7 @@ A list of availability zones denoting where the resource needs to come from.
| `name` | string | The name of the API management service. |
| `resourceGroupName` | string | The resource group the API management service was deployed into. |
| `resourceId` | string | The resource ID of the API management service. |
| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
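Review bot: renaming the output `systemAssignedPrincipalId` to `systemAssignedMIPrincipalId` breaks any template that reads `outputs.systemAssignedPrincipalId`, typically to feed the principal ID into a role assignment or an access policy; call it out next to the parameter changes so consumers update parameters and outputs in one step.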

## Cross-referenced modules

25 changes: 15 additions & 10 deletions modules/api-management/service/main.bicep
Expand Up @@ -27,11 +27,8 @@ param enableClientCertificate bool = false
@description('Optional. Custom hostname configuration of the API Management service.')
param hostnameConfigurations array = []

@description('Optional. Enables system assigned managed identity on the resource.')
param systemAssignedIdentity bool = false

@description('Optional. The ID(s) to assign to the resource.')
param userAssignedIdentities object = {}
@description('Optional. The managed identity definition for this resource.')
param managedIdentities managedIdentitiesType

@description('Optional. Location for all Resources.')
param location string = resourceGroup().location
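Review bot: `param managedIdentities managedIdentitiesType` carries no default value, and it compiles only because the type is declared nullable (`}?`) in the definitions section, which makes the parameter optional. A one-line comment at the declaration would help, since a reader of this hunk alone sees what looks like a newly required parameter while the README keeps documenting it as optional.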
Expand Down Expand Up @@ -135,11 +132,11 @@ var enableReferencedModulesTelemetry = false

var authorizationServerList = !empty(authorizationServers) ? authorizationServers.secureList : []

var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }

var identity = identityType != 'None' ? {
type: identityType
userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
var identity = !empty(managedIdentities) ? {
type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null

var builtInRoleNames = {
Expand Down Expand Up @@ -454,7 +451,7 @@ output resourceId string = service.id
output resourceGroupName string = resourceGroup().name

@description('The principal ID of the system assigned identity.')
output systemAssignedPrincipalId string = systemAssignedIdentity && contains(service.identity, 'principalId') ? service.identity.principalId : ''
output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(service.identity, 'principalId') ? service.identity.principalId : ''

@description('The location the resource was deployed into.')
output location string = service.location
Expand All @@ -463,6 +460,14 @@ output location string = service.location
// Definitions //
// =============== //

type managedIdentitiesType = {
@description('Optional. Enables system assigned managed identity on the resource.')
systemAssigned: bool?

@description('Optional. The resource ID(s) to assign to the resource.')
userAssignedResourcesIds: string[]?
}?

type lockType = {
@description('Optional. Specify the name of lock.')
name: string?
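Review bot: `userAssignedResourcesIds` is typed `string[]?`, but its description, "The resource ID(s) to assign to the resource.", does not say which resource IDs are expected; since the values are rewritten into the `userAssignedIdentities` map, state that they are the full resource IDs of user-assigned managed identities. The `managedIdentities` description should also say that omitting the parameter leaves the service without any identity, because the nullable type means no default is shown to the reader.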
47 changes: 31 additions & 16 deletions modules/api-management/service/main.json
Expand Up @@ -6,13 +6,36 @@
"_generator": {
"name": "bicep",
"version": "0.22.6.54827",
"templateHash": "5480824753048175780"
"templateHash": "3274387832095626640"
},
"name": "API Management Services",
"description": "This module deploys an API Management Service.",
"owner": "Azure/module-maintainers"
},
"definitions": {
"managedIdentitiesType": {
"type": "object",
"properties": {
"systemAssigned": {
"type": "bool",
"nullable": true,
"metadata": {
"description": "Optional. Enables system assigned managed identity on the resource."
}
},
"userAssignedResourcesIds": {
"type": "array",
"items": {
"type": "string"
},
"nullable": true,
"metadata": {
"description": "Optional. The resource ID(s) to assign to the resource."
}
}
},
"nullable": true
},
"lockType": {
"type": "object",
"properties": {
Expand Down Expand Up @@ -268,18 +291,10 @@
"description": "Optional. Custom hostname configuration of the API Management service."
}
},
"systemAssignedIdentity": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Optional. Enables system assigned managed identity on the resource."
}
},
"userAssignedIdentities": {
"type": "object",
"defaultValue": {},
"managedIdentities": {
"$ref": "#/definitions/managedIdentitiesType",
"metadata": {
"description": "Optional. The ID(s) to assign to the resource."
"description": "Optional. The managed identity definition for this resource."
}
},
"location": {
Expand Down Expand Up @@ -486,8 +501,8 @@
"variables": {
"enableReferencedModulesTelemetry": false,
"authorizationServerList": "[if(not(empty(parameters('authorizationServers'))), parameters('authorizationServers').secureList, createArray())]",
"identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]",
"identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]",
"formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
"identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
"builtInRoleNames": {
"API Management Developer Portal Content Editor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c031e6a8-4391-4de0-8d69-4706a7ed3729')]",
"API Management Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
Expand Down Expand Up @@ -3053,12 +3068,12 @@
},
"value": "[resourceGroup().name]"
},
"systemAssignedPrincipalId": {
"systemAssignedMIPrincipalId": {
"type": "string",
"metadata": {
"description": "The principal ID of the system assigned identity."
},
"value": "[if(and(parameters('systemAssignedIdentity'), contains(reference('service', '2021-08-01', 'full').identity, 'principalId')), reference('service', '2021-08-01', 'full').identity.principalId, '')]"
"value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('service', '2021-08-01', 'full').identity, 'principalId')), reference('service', '2021-08-01', 'full').identity.principalId, '')]"
},
"location": {
"type": "string",
Expand Up @@ -109,9 +109,11 @@ module testDeployment '../../main.bicep' = {
}
]
softDeleteRetentionInDays: 1
systemAssignedIdentity: false
userAssignedIdentities: {
'${nestedDependencies.outputs.managedIdentityResourceId}': {}
managedIdentities: {
systemAssigned: true
userAssignedResourcesIds: [
nestedDependencies.outputs.managedIdentityResourceId
]
}
tags: {
'hidden-title': 'This is visible in the resource name'
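Review bot: this hunk changes behaviour rather than only the parameter shape: the test previously set `systemAssignedIdentity: false` alongside the user-assigned identity, and it now sets `systemAssigned: true`, so the deployment ends up with `SystemAssigned,UserAssigned` instead of `UserAssigned` only. If the intent is to exercise both identity kinds, as the "Testing with two identities" commit messages suggest, say so in the test; otherwise keep `systemAssigned: false` to preserve the original coverage.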
Expand Up @@ -80,8 +80,10 @@ module testDeployment '../../main.bicep' = {
}
]
softDeleteRetentionInDays: 1
userAssignedIdentities: {
'${nestedDependencies.outputs.managedIdentityResourceId}': {}
managedIdentities: {
userAssignedResourcesIds: [
nestedDependencies.outputs.managedIdentityResourceId
]
}
tags: {
'hidden-title': 'This is visible in the resource name'

0 comments on commit d57068f