From eb0a20f742d778fdf31c50eb68711537437bbfac Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Tue, 16 Jan 2024 14:25:26 +0200
Subject: [PATCH] Remove version.json and update managed identity module
---
 .../.bicep/nested_roleAssignments.bicep | 70 ------
 .../userAssignedIdentity/README.md | 233 ------------------
 .../userAssignedIdentity/deploy.bicep | 84 -------
 .../userAssignedIdentity/version.json | 7 -
 src/self/subResourceWrapper/deploy.bicep | 6 +-
 5 files changed, 3 insertions(+), 397 deletions(-)
 delete mode 100644 src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/.bicep/nested_roleAssignments.bicep
 delete mode 100644 src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/README.md
 delete mode 100644 src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/deploy.bicep
 delete mode 100644 src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/version.json
diff --git a/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/.bicep/nested_roleAssignments.bicep b/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/.bicep/nested_roleAssignments.bicep
deleted file mode 100644
index 19a13565..00000000
--- a/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/.bicep/nested_roleAssignments.bicep
+++ /dev/null
@@ -1,70 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-param condition string = ''
-
-@sys.description('Optional. Version of the condition.')
-@allowed([
- '2.0'
-])
-param conditionVersion string = '2.0'
-
-@sys.description('Optional. 
Id of the delegated managed identity resource.')
-param delegatedManagedIdentityResourceId string = ''
-
-var builtInRoleNames = {
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')
- 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
-
-resource userMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
- name: last(split(resourceId, '/'))!
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(userMsi.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- condition: !empty(condition) ? condition : null
- conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
- delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
- }
- scope: userMsi
-}]
diff --git a/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/README.md b/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/README.md
deleted file mode 100644
index 3febcca6..00000000
--- a/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/README.md
+++ /dev/null
@@ -1,233 +0,0 @@ -# User Assigned Identities `[Microsoft.ManagedIdentity/userAssignedIdentities]` - -This module deploys a User Assigned Identity. - -## Navigation - -- [User Assigned Identities `[Microsoft.ManagedIdentity/userAssignedIdentities]`](#user-assigned-identities-microsoftmanagedidentityuserassignedidentities) - - [Navigation](#navigation) - - [Resource types](#resource-types) - - [Parameters](#parameters) - - [Optional parameters](#optional-parameters) - - [Parameter Usage: `roleAssignments`](#parameter-usage-roleassignments) - - [Parameter Usage: `tags`](#parameter-usage-tags) - - [Outputs](#outputs) - - [Cross-referenced modules](#cross-referenced-modules) - - [Deployment examples](#deployment-examples) - -## Resource types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/azure/templates/Microsoft.Authorization/2020-05-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.ManagedIdentity/userAssignedIdentities` | [2018-11-30](https://learn.microsoft.com/azure/templates/Microsoft.ManagedIdentity/2018-11-30/userAssignedIdentities) | - -## Parameters - -### Optional parameters - -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `name` | string | `[guid(resourceGroup().id)]` | | Name of the User Assigned Identity. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `tags` | object | `{object}` | | Tags of the resource. | - -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `clientId` | string | The client ID (application ID) of the user assigned identity. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the user assigned identity. | -| `principalId` | string | The principal ID (object ID) of the user assigned identity. | -| `resourceGroupName` | string | The resource group the user assigned identity was deployed into. | -| `resourceId` | string | The resource ID of the user assigned identity. | - -## Cross-referenced modules - -_None_ - -## Deployment examples - -The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. - -

Example 1: Common

- -
- -via Bicep module - -```bicep -module userAssignedIdentity './managed-identity/user-assigned-identity/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-miuaicom' - params: { - enableDefaultTelemetry: '' - lock: 'CanNotDelete' - name: 'miuaicom001' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - tags: { - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "name": { - "value": "miuaicom001" - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "Role": "DeploymentValidation" - } - } - } -} -``` - -
-

diff --git a/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/deploy.bicep b/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/deploy.bicep deleted file mode 100644 index a4156a95..00000000 --- a/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/deploy.bicep +++ /dev/null 
@@ -1,84 +0,0 @@
-metadata name = 'User Assigned Identities'
-metadata description = 'This module deploys a User Assigned Identity.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. Name of the User Assigned Identity.')
-param name string = guid(resourceGroup().id)
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-param roleAssignments array = []
-
-@description('Optional. Tags of the resource.')
-param tags object = {}
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
- name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
- contentVersion: '1.0.0.0'
- resources: []
- }
- }
-}
-
-resource userMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: name
- location: location
- tags: tags
-}
-
-resource userMsi_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${userMsi.name}-${lock}-lock'
- properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' 
: 'Cannot modify the resource or child resources.'
- }
- scope: userMsi
-}
-
-module userMsi_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${uniqueString(deployment().name, location)}-UserMSI-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
- delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
- resourceId: userMsi.id
- }
-}]
-
-@description('The name of the user assigned identity.')
-output name string = userMsi.name
-
-@description('The resource ID of the user assigned identity.')
-output resourceId string = userMsi.id
-
-@description('The principal ID (object ID) of the user assigned identity.')
-output principalId string = userMsi.properties.principalId
-
-@description('The client ID (application ID) of the user assigned identity.')
-output clientId string = userMsi.properties.clientId
-
-@description('The resource group the user assigned identity was deployed into.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The location the resource was deployed into.')
-output location string = userMsi.location
diff --git a/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/version.json b/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/version.json
deleted file mode 100644
index 96236a61..00000000
--- a/src/carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/version.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
- "pathFilters": [
- "./main.json"
- ]
-}
diff --git a/src/self/subResourceWrapper/deploy.bicep b/src/self/subResourceWrapper/deploy.bicep
index fbf3c8ab..db0e5372 100644
--- a/src/self/subResourceWrapper/deploy.bicep
+++ b/src/self/subResourceWrapper/deploy.bicep
@@ -463,16 +463,16 @@ module createResourceGroupForDeploymentScript 'br/public:avm/res/resources/resou
 }
 }
-module createManagedIdentityForDeploymentScript '../../carml/v0.6.0/Microsoft.ManagedIdentity/userAssignedIdentity/deploy.bicep' = if (!empty(resourceProviders)) {
+module createManagedIdentityForDeploymentScript 'br/public:avm/res/managed-identity/user-assigned-identity:0.1.0' = if (!empty(resourceProviders)) {
 scope: resourceGroup(subscriptionId,deploymentScriptResourceGroupName)
 name: deploymentNames.createDeploymentScriptManagedIdentity
 dependsOn: [
 createResourceGroupForDeploymentScript
 ]
- params:{
+ params: {
 location: deploymentScriptLocation
 name: deploymentScriptManagedIdentityName
- enableDefaultTelemetry: enableTelemetryForCarml
+ enableTelemetry: disableTelemetry
 }
 }
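Review bot: The new line `enableTelemetry: disableTelemetry` in the params block of `createManagedIdentityForDeploymentScript` reads as an inverted boolean: the registry module's parameter is named as true-to-enable, while the value passed is named as the opposite condition, and the line it replaces passed `enableTelemetryForCarml`. If `disableTelemetry` is a bool with the meaning its name implies, telemetry is now enabled exactly when the caller asked for it to be off (and vice versa); both names are defined outside this hunk, so confirm their declarations before merging. The fix is a single negation, `enableTelemetry: !disableTelemetry`, or keep passing `enableTelemetryForCarml` if that variable still exists in the wrapper. The same hunk also pins the public module to `0.1.0`, which is the right way to reference a registry module; keep that pin explicit when the version is next bumped.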