From c88e63174d6dfd77fdaed70eeef57aa5bb4e4ba8 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Mon, 30 Oct 2023 15:00:26 +0100
Subject: [PATCH 1/6] first draft
---
 .../federated-identity-credential/main.bicep | 15 ----
 .../user-assigned-identity/main.bicep | 26 ++++--
 .../e2e/defaults}/main.test.bicep | 13 ++-
 .../e2e/max}/dependencies.bicep | 0
 .../common => tests/e2e/max}/main.test.bicep | 14 ++--
 .../tests/e2e/waf-aligned/dependencies.bicep | 13 +++
 .../tests/e2e/waf-aligned/main.test.bicep | 80 +++++++++++++++++++
 7 files changed, 125 insertions(+), 36 deletions(-)
 rename modules/managed-identity/user-assigned-identity/{.test/min => tests/e2e/defaults}/main.test.bicep (81%)
 rename modules/managed-identity/user-assigned-identity/{.test/common => tests/e2e/max}/dependencies.bicep (100%)
 rename modules/managed-identity/user-assigned-identity/{.test/common => tests/e2e/max}/main.test.bicep (87%)
 create mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep
 create mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep
diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep
index b1b0165c47..c229e10643 100644
--- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep
+++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep
@@ -17,21 +17,6 @@ param issuer string @description('Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD.') param subject string -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { name: userAssignedIdentityName } diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep index 1b1a737132..21d75cc9af 100644 --- a/modules/managed-identity/user-assigned-identity/main.bicep +++ b/modules/managed-identity/user-assigned-identity/main.bicep @@ -2,6 +2,9 @@ metadata name = 'User Assigned Identities' metadata description = 'This module deploys a User Assigned Identity.' metadata owner = 'Azure/module-maintainers' +// ================ // +// Parameters // +// ================ // @description('Optional. Name of the User Assigned Identity.') param name string = guid(resourceGroup().id) 
@@ -20,10 +23,12 @@ param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object = {} -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true +@description('Optional. Enable/Disable usage telemetry for module.') +param enableTelemetry bool = true -var enableReferencedModulesTelemetry = false +// =========== // +// Variables // +// =========== // var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') @@ -35,14 +40,24 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' +// ============ // +// Dependencies // +// ============ // + +resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) { + name: '46d3xbcp.res.managedidentity-userassignedidentity.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' properties: { mode: 'Incremental' template: { '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' contentVersion: '1.0.0.0' resources: [] + outputs: { + telemetry: { + type: 'String' + value: 'For more information, see https://aka.ms/avm/TelemetryInfo' + } + } } } } @@ -70,7 +85,6 @@ module userMsi_federatedIdentityCredentials 'federated-identity-credential/main. audiences: federatedIdentityCredential.audiences issuer: federatedIdentityCredential.issuer subject: federatedIdentityCredential.subject - enableDefaultTelemetry: enableReferencedModulesTelemetry } }] 
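Review bot: The telemetry deployment name in the `@@ -35,14 +40,24 @@` hunk embeds `replace('-..--..-', '.', '-')`, which at deploy time evaluates to the literal `-------` unless a publish step substitutes that token first, and nothing in the file says that such a step exists, so a reader will take it for a typo. I would add a comment above the `avmTelemetry` resource such as `// '-..--..-' is a version token substituted at publish time; replace() turns its dots into dashes so the deployment name stays valid` (the token's purpose is inferred from the surrounding naming, so confirm it against the release pipeline). Because `enableTelemetry` defaults to `true` and is the only opt-out, the description in the `@@ -20,10 +23,12 @@` hunk should say what is being opted out of, e.g. `@description('Optional. Enable/Disable usage telemetry for module. See https://aka.ms/avm/TelemetryInfo.')`, the same link the template output already points to.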
diff --git a/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep similarity index 81% rename from modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep rename to modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep index d7da3a5c01..1410c5c204 100644 --- a/modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep @@ -17,11 +17,8 @@ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'miuaimin' -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - @description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' +param namePrefix string = '#_namePrefix_#' // ============ // // Dependencies // @@ -38,10 +35,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { - enableDefaultTelemetry: enableDefaultTelemetry + } } +] 
diff --git a/modules/managed-identity/user-assigned-identity/.test/common/dependencies.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/dependencies.bicep similarity index 100% rename from modules/managed-identity/user-assigned-identity/.test/common/dependencies.bicep rename to modules/managed-identity/user-assigned-identity/tests/e2e/max/dependencies.bicep diff --git a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep similarity index 87% rename from modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep rename to modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep index a382b213a5..e946242dd8 100644 --- a/modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep @@ -15,13 +15,10 @@ param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassigned param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'miuaicom' - -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true +param serviceShort string = 'miuaimax' @description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '[[namePrefix]]' +param namePrefix string = '#_namePrefix_#' // ============ // // Dependencies // 
@@ -46,11 +43,11 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { - enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' lock: { kind: 'CanNotDelete' @@ -80,3 +77,4 @@ module testDeployment '../../main.bicep' = { } } } +] diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..e946242dd8 --- /dev/null +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep 
@@ -0,0 +1,80 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassignedidentities-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'miuaimax' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' + params: { + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + federatedIdentityCredentials: [ + { + name: 'test-fed-cred-${serviceShort}-001' + audiences: [ + 'api://AzureADTokenExchange' + ] + issuer: 'https://contoso.com/${subscription().tenantId}/${guid(deployment().name)}/' + subject: 
'system:serviceaccount:default:workload-identity-sa' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} +] From 039800814f3cd018545c08a9ec9a8a89e32e0800 Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Mon, 6 Nov 2023 19:30:31 +0100 Subject: [PATCH 2/6] updated avm draft --- .../user-assigned-identity/README.md | 142 +++++++++++++++--- .../federated-identity-credential/README.md | 11 +- .../federated-identity-credential/main.bicep | 24 +++ .../federated-identity-credential/main.json | 25 +-- .../version.json | 2 +- .../user-assigned-identity/main.json | 53 +++---- .../tests/e2e/defaults/main.test.bicep | 9 +- .../tests/e2e/max/main.test.bicep | 8 +- .../tests/e2e/waf-aligned/main.test.bicep | 11 +- .../user-assigned-identity/version.json | 2 +- 10 files changed, 179 insertions(+), 108 deletions(-) diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index d76e767ebe..fab918d8af 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ 
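Review bot: This WAF-aligned test is byte-for-byte the max test (its blob id `e946242dd8` is the same one the renamed max test was indexed to), so it demonstrates nothing beyond the large-parameter case, yet its federated-credential fixture is what readers will copy as the recommended shape. The `issuer`/`subject` pair is the entire trust boundary of the identity — any token from that issuer carrying that `sub` can be exchanged for tokens as this identity — and the sample subject `system:serviceaccount:default:workload-identity-sa` reads as a Kubernetes service account in the `default` namespace; a best-practice fixture would name a dedicated namespace, e.g. `subject: 'system:serviceaccount:workload-identity-ns:workload-identity-sa'`. The child module's own parameter description says the issuer must match the token's `iss` claim, so the trailing slash on the synthetic issuer here is significant and worth a line such as `// issuer must match the IdP's iss claim exactly, including the trailing slash`. The `metadata name` and `description` at the top of the file still describe the max test rather than a WAF-aligned one.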
@@ -41,10 +42,9 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-miuaimin' - params: { - enableDefaultTelemetry: '' - } + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' + params: {} } ``` @@ -59,11 +59,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", - "parameters": { - "enableDefaultTelemetry": { - "value": "" - } - } + "parameters": {} } ``` @@ -81,34 +77,34 @@ This instance deploys the module with most of its features enabled. ```bicep module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { - name: '${uniqueString(deployment().name, location)}-test-miuaimax' +name: '${uniqueString(deployment().name, location)}-test-miauimax' params: { - enableDefaultTelemetry: '' + name: 'miuaimax001' + enableTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } federatedIdentityCredentials: [ { + name: 'test-fed-cred-miuaimax-001' audiences: [ 'api://AzureADTokenExchange' ] issuer: '' - name: 'test-fed-cred-miuaimax-001' subject: 'system:serviceaccount:default:workload-identity-sa' } ] - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } - name: 'miuaimax001' roleAssignments: [ { + roleDefinitionIdOrName: 'Reader' principalId: '' principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' } ] tags: { - Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' Role: 'DeploymentValidation' } } 
@@ -127,7 +123,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "enableDefaultTelemetry": { + "enableTelemetry": { "value": "" }, "federatedIdentityCredentials": { @@ -174,6 +170,106 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-pratices of the Well-Architectured-Framework. + + +

+ +via Bicep module + +```bicep +module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { +name: '${uniqueString(deployment().name, location)}-test-miauiwaf' + params: { + name: 'miuaiwaf001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + federatedIdentityCredentials: [ + { + name: 'test-fed-cred-miuaiwaf-001' + audiences: [ + 'api://AzureADTokenExchange' + ] + issuer: '' + subject: 'system:serviceaccount:default:workload-identity-sa' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: '' + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "federatedIdentityCredentials": { + "value": [ + { + "audiences": [ + "api://AzureADTokenExchange" + ], + "issuer": "", + "name": "test-fed-cred-miuaiwaf-001", + "subject": "system:serviceaccount:default:workload-identity-sa" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "name": { + "value": "miuaiwaf001" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters @@ -181,7 +277,7 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide | Parameter | Type | Description | | :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | | [`federatedIdentityCredentials`](#parameter-federatedidentitycredentials) | array | The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | @@ -189,9 +285,9 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -### Parameter: `enableDefaultTelemetry` +### Parameter: `enableTelemetry` -Enable telemetry via a Globally Unique Identifier (GUID). +Enable/Disable usage telemetry for module. - Required: No - Type: bool - Default: `True` diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md index ab9e7a346f..fee9a25b03 100644 
--- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md @@ -22,6 +22,7 @@ This module deploys a User Assigned Identity Federated Identity Credential. | Parameter | Type | Description | | :-- | :-- | :-- | | [`audiences`](#parameter-audiences) | array | The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | | [`issuer`](#parameter-issuer) | string | The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged. | | [`name`](#parameter-name) | string | The name of the secret. | | [`subject`](#parameter-subject) | string | The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. | 
@@ -32,21 +33,15 @@ This module deploys a User Assigned Identity Federated Identity Credential. | :-- | :-- | :-- | | [`userAssignedIdentityName`](#parameter-userassignedidentityname) | string | The name of the parent user assigned identity. Required if the template is used in a standalone deployment. | -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | - ### Parameter: `audiences` The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. - Required: Yes - Type: array -### Parameter: `enableDefaultTelemetry` +### Parameter: `enableTelemetry` -Enable telemetry via a Globally Unique Identifier (GUID). +Enable/Disable usage telemetry for module. - Required: No - Type: bool - Default: `True` diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep index c229e10643..caf448addc 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep 
@@ -8,6 +8,9 @@ param userAssignedIdentityName string @description('Required. The name of the secret.') param name string +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + @description('Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token.') param audiences array @@ -17,6 +20,27 @@ param issuer string @description('Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD.') param subject string +@description('Optional. Enable/Disable usage telemetry for module.') +param enableTelemetry bool = true + +resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) { + name: '46d3xbcp.res.managedidentity-userassignedidentity.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + outputs: { + telemetry: { + type: 'String' + value: 'For more information, see https://aka.ms/avm/TelemetryInfo' + } + } + } + } +} + resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { name: userAssignedIdentityName } 
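Review bot: Adding `enableTelemetry bool = true` here re-enables per-credential telemetry that the parent can no longer switch off: the first patch removed `enableReferencedModulesTelemetry` and the `enableDefaultTelemetry:` line from the parent's `userMsi_federatedIdentityCredentials` call, and neither this patch nor the compiled parent template (`@@ -252,9 +257,6 @@` in main.json) forwards a value, so a consumer setting `enableTelemetry: false` on the parent still gets one telemetry deployment per federated credential. Either forward the flag from the parent with `enableTelemetry: enableTelemetry` inside that module call, or drop the telemetry block from this child altogether. The name also reuses the parent's identifier `46d3xbcp.res.managedidentity-userassignedidentity`, so child deployments would be counted as parent deployments, and the new `location` parameter appears to exist only to seed `uniqueString` (the previous name used `uniqueString(deployment().name)` alone) — it widens the child's interface for no resource that is visible here. The child's main.json in this same commit removes `enableDefaultTelemetry` without adding `enableTelemetry`, so it looks stale relative to this file and to the README that documents the new parameter.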
diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json index d7d037aaa3..daba95ce53 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15026838206978058830" + "version": "0.23.1.45101", + "templateHash": "4906524580099045986" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.", @@ -41,30 +41,9 @@ "metadata": { "description": "Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD." } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } } }, "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, { "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", "apiVersion": "2023-01-31", 
diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json index 96236a61ba..7fa401bdf7 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", + "version": "0.1", "pathFilters": [ "./main.json" ] diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json index 4e8baa2ed8..b1fbbaec32 100644 --- a/modules/managed-identity/user-assigned-identity/main.json +++ b/modules/managed-identity/user-assigned-identity/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1438876956443234621" + "version": "0.23.1.45101", + "templateHash": "17564684040391369711" }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity.", @@ -146,16 +146,15 @@ "description": "Optional. Tags of the resource." } }, - "enableDefaultTelemetry": { + "enableTelemetry": { "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "variables": { - "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", 
@@ -167,17 +166,23 @@ } }, "resources": { - "defaultTelemetry": { - "condition": "[parameters('enableDefaultTelemetry')]", + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "apiVersion": "2023-07-01", + "name": "[format('46d3xbcp.res.managedidentity-userassignedidentity.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "resources": [] + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } } } }, @@ -252,9 +257,6 @@ }, "subject": { "value": "[parameters('federatedIdentityCredentials')[copyIndex()].subject]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -263,8 +265,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15026838206978058830" + "version": "0.23.1.45101", + "templateHash": "4906524580099045986" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.", 
@@ -300,30 +302,9 @@ "metadata": { "description": "Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD." } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." - } } }, "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, { "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", "apiVersion": "2023-01-31", diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep index c0127ae37a..48084597af 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep @@ -18,7 +18,7 @@ param location string = deployment().location param serviceShort string = 'miuaimin' @description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '#_namePrefix_#' +param namePrefix string = '[[namePrefix]]' // ============ // // Dependencies // 
@@ -35,11 +35,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' =[for iteration in [ 'init', 'idem' ]: { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { - - } + params: {} } ] diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep index 1a2d8f27cf..01870333cb 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep @@ -17,11 +17,8 @@ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'miuaimax' -@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') -param enableDefaultTelemetry bool = true - @description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '#_namePrefix_#' +param namePrefix string = '[[namePrefix]]' // ============ // // Dependencies // @@ -46,7 +43,8 @@ module nestedDependencies 'dependencies.bicep' = { // Test Execution // // ============== // -module testDeployment '../../../main.bicep' = { +@batchSize(1) +module testDeployment '../../../main.bicep' =[for iteration in [ 'init', 'idem' ]: { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep index e946242dd8..77c431083f 100644 
--- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-pratices of the Well-Architectured-Framework.' // ========== // // Parameters // @@ -15,10 +15,10 @@ param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassigned param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'miuaimax' +param serviceShort string = 'miuaiwaf' @description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '#_namePrefix_#' +param namePrefix string = '[[namePrefix]]' // ============ // // Dependencies // @@ -42,9 +42,8 @@ module nestedDependencies 'dependencies.bicep' = { // ============== // // Test Execution // // ============== // - @batchSize(1) -module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { +module testDeployment '../../../main.bicep' =[for iteration in [ 'init', 'idem' ]: { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { diff --git a/modules/managed-identity/user-assigned-identity/version.json b/modules/managed-identity/user-assigned-identity/version.json index 96236a61ba..7fa401bdf7 100644 --- a/modules/managed-identity/user-assigned-identity/version.json +++ b/modules/managed-identity/user-assigned-identity/version.json 
@@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", + "version": "0.1", "pathFilters": [ "./main.json" ] From 115ff5112932271b6eaef9a36d86265035498d48 Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Mon, 6 Nov 2023 19:39:16 +0100 Subject: [PATCH 3/6] moved to avm --- modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md diff --git a/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md b/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md new file mode 100644 index 0000000000..cec0941d12 --- /dev/null +++ b/modules/managed-identity/user-assigned-identity/MOVED-TO-AVM.md @@ -0,0 +1 @@ +This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). From 007169b017f5e83fb122dc914f926839d2cd181c Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Wed, 22 Nov 2023 12:51:50 +0100 Subject: [PATCH 4/6] conflicts --- .../tests/e2e/defaults/main.test.bicep | 9 ------ .../tests/e2e/max/main.test.bicep | 9 ------ .../tests/e2e/waf-aligned/main.test.bicep | 30 ------------------- 3 files changed, 48 deletions(-) diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep index b599213227..8ca5bbd739 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep 
@@ -36,14 +36,6 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { // ============== // @batchSize(1) -<<<<<<< HEAD -module testDeployment '../../../main.bicep' =[for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: {} -} -] -======= module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' @@ -51,4 +43,3 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' enableDefaultTelemetry: enableDefaultTelemetry } }] ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep index dfb1e9893e..c3ded2430e 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep @@ -44,11 +44,7 @@ module nestedDependencies 'dependencies.bicep' = { // ============== // @batchSize(1) -<<<<<<< HEAD -module testDeployment '../../../main.bicep' =[for iteration in [ 'init', 'idem' ]: { -======= module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { @@ -90,9 +86,4 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' Role: 'DeploymentValidation' } } -<<<<<<< HEAD -} -] -======= }] ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 
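Review bot: The resolved `params` block of the defaults test still passes `enableDefaultTelemetry: enableDefaultTelemetry` to the module, yet nothing in this commit declares that parameter in the file — the `param enableDefaultTelemetry bool = true` declaration only lands in the later "final userid" patch of this series — so at this commit the test presumably fails to compile on an undefined symbol and the series does not bisect cleanly. The declaration belongs in the same commit as the reference that uses it; the `@batchSize(1)` `init`/`idem` idempotency loop itself looks correct. The `testDeployment` module declaration begins outside the hunk.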
diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep index a7ceafb7dd..17904d21b4 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep @@ -1,11 +1,7 @@ targetScope = 'subscription' metadata name = 'WAF-aligned' -<<<<<<< HEAD -metadata description = 'This instance deploys the module in alignment with the best-pratices of the Well-Architectured-Framework.' -======= metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 // ========== // // Parameters // @@ -21,12 +17,9 @@ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'miuaiwaf' -<<<<<<< HEAD -======= @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '[[namePrefix]]' @@ -52,13 +45,6 @@ module nestedDependencies 'dependencies.bicep' = { // ============== // // Test Execution // // ============== // -<<<<<<< HEAD -@batchSize(1) -module testDeployment '../../../main.bicep' =[for iteration in [ 'init', 'idem' ]: { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: { -======= @batchSize(1) module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' ]: { 
@@ -66,7 +52,6 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { enableDefaultTelemetry: enableDefaultTelemetry ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 name: '${namePrefix}${serviceShort}001' lock: { kind: 'CanNotDelete' @@ -82,25 +67,10 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' subject: 'system:serviceaccount:default:workload-identity-sa' } ] -<<<<<<< HEAD - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] -======= ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 tags: { 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' Role: 'DeploymentValidation' } } -<<<<<<< HEAD -} -] -======= }] ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 From f8350f6d0b71073bd9a9fa97a979bbea670ec9c8 Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Mon, 4 Dec 2023 17:44:15 +0100 Subject: [PATCH 5/6] final userid --- .../user-assigned-identity/README.md | 34 +++++++----- .../federated-identity-credential/README.md | 7 ++- .../federated-identity-credential/main.bicep | 17 ++---- .../federated-identity-credential/main.json | 25 ++++++++- .../version.json | 2 +- .../user-assigned-identity/main.bicep | 26 +++------ .../user-assigned-identity/main.json | 53 +++++++++++-------- .../tests/e2e/defaults/main.test.bicep | 3 ++ .../tests/e2e/max/main.test.bicep | 4 ++ .../user-assigned-identity/version.json | 2 +- 10 files changed, 100 insertions(+), 73 deletions(-) diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index 5e56e45f09..cb4ec31501 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md 
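Review bot: The conflict resolution keeps the side without the `roleAssignments` entry, so the WAF-aligned scenario no longer exercises role assignment on the identity, and the `nestedDependencies` module still declared above (per the hunk header context) may now deploy an identity whose `managedIdentityPrincipalId` output nothing consumes; if dropping the assignment is intentional because the `max` scenario covers it, this scenario's `dependencies.bicep` is likely dead and worth removing. If that is the intent, say so in the test so the next merge does not reintroduce it, e.g. `// Role assignments are out of scope for the WAF-aligned scenario; covered by the max test.`. The `testDeployment` module declaration starts outside the hunk.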
@@ -42,9 +42,10 @@ This instance deploys the module with the minimum set of required parameters. ```bicep module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' - params: {} + name: '${uniqueString(deployment().name, location)}-test-miuaimin' + params: { + enableDefaultTelemetry: '' + } } ``` @@ -59,7 +60,11 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", - "parameters": {} + "parameters": { + "enableDefaultTelemetry": { + "value": "" + } + } } ``` @@ -77,24 +82,24 @@ This instance deploys the module with most of its features enabled. ```bicep module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { -name: '${uniqueString(deployment().name, location)}-test-miauimax' + name: '${uniqueString(deployment().name, location)}-test-miuaimax' params: { - name: 'miuaimax001' - enableTelemetry: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' - } + enableDefaultTelemetry: '' federatedIdentityCredentials: [ { - name: 'test-fed-cred-miuaimax-001' audiences: [ 'api://AzureADTokenExchange' ] issuer: '' + name: 'test-fed-cred-miuaimax-001' subject: 'system:serviceaccount:default:workload-identity-sa' } ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + name: 'miuaimax001' roleAssignments: [ { principalId: '' @@ -113,8 +118,8 @@ name: '${uniqueString(deployment().name, location)}-test-miauimax' } ] tags: { - 'hidden-title': 'This is visible in the resource name' Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } } 
@@ -133,7 +138,7 @@ name: '${uniqueString(deployment().name, location)}-test-miauimax' "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "enableTelemetry": { + "enableDefaultTelemetry": { "value": "" }, "federatedIdentityCredentials": { @@ -194,6 +199,7 @@ name: '${uniqueString(deployment().name, location)}-test-miauimax' This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. +

via Bicep module diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md index 0a49a9fc8c..a9483eb2d7 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md @@ -22,7 +22,6 @@ This module deploys a User Assigned Identity Federated Identity Credential. | Parameter | Type | Description | | :-- | :-- | :-- | | [`audiences`](#parameter-audiences) | array | The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. | -| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | | [`issuer`](#parameter-issuer) | string | The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged. | | [`name`](#parameter-name) | string | The name of the secret. | | [`subject`](#parameter-subject) | string | The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. | 
@@ -33,6 +32,12 @@ This module deploys a User Assigned Identity Federated Identity Credential. | :-- | :-- | :-- | | [`userAssignedIdentityName`](#parameter-userassignedidentityname) | string | The name of the parent user assigned identity. Required if the template is used in a standalone deployment. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). | + ### Parameter: `audiences` The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep index caf448addc..b1b0165c47 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep 
@@ -8,9 +8,6 @@ param userAssignedIdentityName string @description('Required. The name of the secret.') param name string -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - @description('Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token.') param audiences array 
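Review bot: The `@description('Required. The name of the secret.')` kept as context on `param name` is wrong for this resource: a federated identity credential holds no secret material, it is a trust rule (issuer, subject, audiences) that lets an external token act as the identity, and labelling it a secret misleads anyone triaging what is sensitive in this module. Change it to `@description('Required. The name of the federated identity credential.')`; the same wording is repeated in the sub-module README parameter table. Dropping the unused `location` parameter is consistent with the telemetry resource name on the new side using only `deployment().name`.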
@@ -20,23 +17,17 @@ param issuer string @description('Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD.') param subject string -@description('Optional. Enable/Disable usage telemetry for module.') -param enableTelemetry bool = true +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true -resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) { - name: '46d3xbcp.res.managedidentity-userassignedidentity.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' +resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { + name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { mode: 'Incremental' template: { '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' contentVersion: '1.0.0.0' resources: [] - outputs: { - telemetry: { - type: 'String' - value: 'For more information, see https://aka.ms/avm/TelemetryInfo' - } - } } } } diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json index daba95ce53..d7d037aaa3 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json 
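Review bot: `subject` (and `issuer`, the hunk-header context line) are accepted as unconstrained strings, and because a credential whose `iss`/`sub`/`aud` match hands the identity's permissions to the external token, an accidentally empty or placeholder value from a parameter file is worth rejecting before the resource is touched; a `@minLength(1)` decorator on each, e.g. `@minLength(1)` directly above `param subject string`, does that at validation time. Separately, the reverted `defaultTelemetry` resource defaults to on when this sub-module is deployed standalone, while the parent module in this series passes a hard-coded `false` for it; a short comment on the parameter saying that the parent suppresses it would explain why the flag never fires in the normal path. The `defaultTelemetry` resource and the hunk end together; the credential resource that consumes these parameters is outside the hunk.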
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4906524580099045986" + "version": "0.22.6.54827", + "templateHash": "15026838206978058830" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.", @@ -41,9 +41,30 @@ "metadata": { "description": "Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD." } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } } }, "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, { "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", "apiVersion": "2023-01-31", diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json index 7fa401bdf7..96236a61ba 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json 
@@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", + "version": "0.4", "pathFilters": [ "./main.json" ] diff --git a/modules/managed-identity/user-assigned-identity/main.bicep b/modules/managed-identity/user-assigned-identity/main.bicep index 19bc60eafc..19afb3549c 100644 --- a/modules/managed-identity/user-assigned-identity/main.bicep +++ b/modules/managed-identity/user-assigned-identity/main.bicep @@ -2,9 +2,6 @@ metadata name = 'User Assigned Identities' metadata description = 'This module deploys a User Assigned Identity.' metadata owner = 'Azure/module-maintainers' -// ================ // -// Parameters // -// ================ // @description('Optional. Name of the User Assigned Identity.') param name string = guid(resourceGroup().id) @@ -23,12 +20,10 @@ param roleAssignments roleAssignmentType @description('Optional. Tags of the resource.') param tags object? -@description('Optional. Enable/Disable usage telemetry for module.') -param enableTelemetry bool = true +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true -// =========== // -// Variables // -// =========== // +var enableReferencedModulesTelemetry = false var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 
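Review bot: `var enableReferencedModulesTelemetry = false` is introduced without a comment, and since it overrides the child module's `enableDefaultTelemetry` default of `true`, a reader of the sub-module alone cannot see why telemetry never fires there. Add a why-comment limited to what the code shows: `// Forced off for child modules: the parent's own pid deployment is presumably enough to attribute this deployment.`. The `name` default `guid(resourceGroup().id)` also deserves a note, because `guid()` is deterministic and so redeploying without a name re-targets the same identity rather than creating a new one — which the `init`/`idem` defaults test presumably relies on — e.g. `// Deterministic per resource group: omitting the name reuses the same identity on redeploy.`.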
@@ -40,24 +35,14 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -// ============ // -// Dependencies // -// ============ // - -resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) { - name: '46d3xbcp.res.managedidentity-userassignedidentity.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' +resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { + name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { mode: 'Incremental' template: { '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' contentVersion: '1.0.0.0' resources: [] - outputs: { - telemetry: { - type: 'String' - value: 'For more information, see https://aka.ms/avm/TelemetryInfo' - } - } } } } @@ -85,6 +70,7 @@ module userMsi_federatedIdentityCredentials 'federated-identity-credential/main. audiences: federatedIdentityCredential.audiences issuer: federatedIdentityCredential.issuer subject: federatedIdentityCredential.subject + enableDefaultTelemetry: enableReferencedModulesTelemetry } }] diff --git a/modules/managed-identity/user-assigned-identity/main.json b/modules/managed-identity/user-assigned-identity/main.json index d052aa4c86..b143e7a16b 100644 --- a/modules/managed-identity/user-assigned-identity/main.json +++ b/modules/managed-identity/user-assigned-identity/main.json @@ -6,11 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", -<<<<<<< HEAD - "templateHash": "17564684040391369711" -======= "templateHash": "13454855788862691467" ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity.", 
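Review bot: The `defaultTelemetry` resource is an empty nested `Microsoft.Resources/deployments` (`resources: []`) whose only payload is its `pid-47ed15a6-…` name, so it deploys nothing but still creates a deployment record in the target resource group on every run where `enableDefaultTelemetry` is true, which is the default and is exactly what a compliance reviewer will ask about. A header comment would save that question: `// Usage-attribution marker: an empty nested deployment whose pid-prefixed name is the only payload; set enableDefaultTelemetry = false to opt out.`. The pass-through `enableDefaultTelemetry: enableReferencedModulesTelemetry` to the credential child module is consistent with the parent suppressing duplicate markers. The `userMsi_federatedIdentityCredentials` module declaration starts outside the hunk.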
@@ -150,15 +146,16 @@ "description": "Optional. Tags of the resource." } }, - "enableTelemetry": { + "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } } }, "variables": { + "enableReferencedModulesTelemetry": false, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", @@ -170,23 +167,17 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", + "defaultTelemetry": { + "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.managedidentity-userassignedidentity.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } + "resources": [] } } }, @@ -261,6 +252,9 @@ }, "subject": { "value": "[parameters('federatedIdentityCredentials')[copyIndex()].subject]" + }, + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { 
@@ -270,11 +264,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", -<<<<<<< HEAD - "templateHash": "4906524580099045986" -======= "templateHash": "16507829721467583096" ->>>>>>> 3d827c3621e7d83ad5b9d9266e593f0afc6b7683 }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.", @@ -310,9 +300,30 @@ "metadata": { "description": "Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD." } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } } }, "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, { "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", "apiVersion": "2023-01-31", diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep index 8ca5bbd739..fba55f1303 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/defaults/main.test.bicep 
@@ -17,6 +17,9 @@ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'miuaimin' +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '[[namePrefix]]' diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep index c3ded2430e..f633bc4d28 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/max/main.test.bicep @@ -17,6 +17,9 @@ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'miuaimax' +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '[[namePrefix]]' @@ -48,6 +51,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' scope: resourceGroup name: '${uniqueString(deployment().name, location)}-test-${serviceShort}-${iteration}' params: { + enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' lock: { kind: 'CanNotDelete' diff --git a/modules/managed-identity/user-assigned-identity/version.json b/modules/managed-identity/user-assigned-identity/version.json index 7fa401bdf7..96236a61ba 100644 --- a/modules/managed-identity/user-assigned-identity/version.json 
+++ b/modules/managed-identity/user-assigned-identity/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", + "version": "0.4", "pathFilters": [ "./main.json" ] From c3e8e7b166fb96d298dc5e4ba364cdd6ad2ff4dc Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Mon, 11 Dec 2023 12:29:25 +0100 Subject: [PATCH 6/6] readme update --- modules/managed-identity/user-assigned-identity/README.md | 2 ++ .../federated-identity-credential/main.json | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index cb4ec31501..0e9abdef58 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -1,5 +1,7 @@ # User Assigned Identities `[Microsoft.ManagedIdentity/userAssignedIdentities]` +> This module has already been migrated to [AVM](https://github.com/Azure/bicep-registry-modules/tree/main/avm/res). Only the AVM version is expected to receive updates / new features. Please do not work on improving this module in [CARML](https://aka.ms/carml). + This module deploys a User Assigned Identity. ## Navigation diff --git a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json index d7d037aaa3..ac48d00ac2 100644 --- a/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json +++ b/modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15026838206978058830" + "version": "0.23.1.45101", + "templateHash": "16507829721467583096" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential.",