From f265ed15669218d2222a58c5a7e9771917394399 Mon Sep 17 00:00:00 2001 From: Kris Baranek Date: Tue, 14 Nov 2023 14:07:45 +0100 Subject: [PATCH] [Modules] Updated identities to UDT as per AVM specs - Batch 2 (#4240) * Wiki update - systemAssignedMIPrincipalId output * Dev Test Lab - removed redundant output * Web Site - aligned slotSystemAssignedMIPrincipalIds output name * Upated ditital twins module * Digital twins - updated readme and arm of child modules * Digital twins - fixed identities of the endpoints * Digital twins - ARM Update * Restored original settingy.yml * Upated Synapse Workspace module * Digital Twins: added systemAssignedMIPrincipalId output and corresponding test --- docs/wiki/The library - Module design.md | 2 +- modules/dev-test-lab/lab/README.md | 1 - modules/dev-test-lab/lab/main.bicep | 3 - modules/dev-test-lab/lab/main.json | 35 ++-- .../digital-twins-instance/README.md | 118 +++++++---- .../endpoint--event-grid/main.json | 4 +- .../endpoint--event-hub/README.md | 35 ++-- .../endpoint--event-hub/main.bicep | 27 ++- .../endpoint--event-hub/main.json | 63 ++++-- .../endpoint--service-bus/README.md | 43 ++-- .../endpoint--service-bus/main.bicep | 27 ++- .../endpoint--service-bus/main.json | 63 ++++-- .../digital-twins-instance/main.bicep | 32 +-- .../digital-twins-instance/main.json | 196 ++++++++++++------ .../tests/e2e/max/main.test.bicep | 15 +- .../tests/e2e/waf-aligned/main.test.bicep | 14 +- modules/synapse/workspace/README.md | 69 +++--- modules/synapse/workspace/main.bicep | 24 ++- modules/synapse/workspace/main.json | 57 +++-- .../workspace/tests/e2e/max/main.test.bicep | 6 +- .../tests/e2e/waf-aligned/main.test.bicep | 6 +- modules/web/site/README.md | 2 +- modules/web/site/main.bicep | 2 +- modules/web/site/main.json | 4 +- 24 files changed, 543 insertions(+), 305 deletions(-) diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md index 573c6549dc..a9a4e9fcd2 100644 
--- a/docs/wiki/The library - Module design.md
+++ b/docs/wiki/The library - Module design.md
@@ -563,7 +563,7 @@ While exceptions might be needed, the following guidance should be followed as m
 - `name`
 - `resourceId`
 - `resourceGroupName` for modules that are deployed at resource group scope
- - `systemAssignedPrincipalId` for all modules that support managed identities
+ - `systemAssignedMIPrincipalId` for all modules that support system-assigned managed identities
 - `location` for all modules where the primary resource has a location property
 - Add a `@description('...')` annotation with meaningful description to each output.
diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md
index f4444676bb..58c5cc1fd6 100644
--- a/modules/dev-test-lab/lab/README.md
+++ b/modules/dev-test-lab/lab/README.md
@@ -1561,7 +1561,6 @@ Resource Group allocation for virtual machines. If left empty, virtual machines
 | `resourceGroupName` | string | The resource group the lab was deployed into. |
 | `resourceId` | string | The resource ID of the lab. |
 | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
-| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
 | `uniqueIdentifier` | string | The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates. |
 ## Cross-referenced modules
diff --git a/modules/dev-test-lab/lab/main.bicep b/modules/dev-test-lab/lab/main.bicep
index c50c60e192..f3d45514be 100644
--- a/modules/dev-test-lab/lab/main.bicep
+++ b/modules/dev-test-lab/lab/main.bicep
@@ -303,9 +303,6 @@ resource lab_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01
 scope: lab
 }]
-@description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = lab.identity.principalId
-
 @description('The unique identifier for the lab. Used to track tags that the lab applies to each resource that it creates.')
 output uniqueIdentifier string = lab.properties.uniqueIdentifier
diff --git a/modules/dev-test-lab/lab/main.json b/modules/dev-test-lab/lab/main.json
index f7339163ff..efdce8eafa 100644
--- a/modules/dev-test-lab/lab/main.json
+++ b/modules/dev-test-lab/lab/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "14947280208542929227"
+ "version": "0.23.1.45101",
+ "templateHash": "16810111400681874654"
 },
 "name": "DevTest Labs",
 "description": "This module deploys a DevTest Lab.",
@@ -483,8 +483,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "8382075673072622254"
+ "version": "0.23.1.45101",
+ "templateHash": "15407797032940609921"
 },
 "name": "DevTest Lab Virtual Networks",
 "description": "This module deploys a DevTest Lab Virtual Network.\r\n\r\nLab virtual machines must be deployed into a virtual network. This resource type allows configuring the virtual network and subnet settings used for the lab virtual machines.",
@@ -656,8 +656,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.22.6.54827",
- "templateHash": "7402281637422771358"
+ "version": "0.23.1.45101",
+ "templateHash": "9914622679648067397"
 },
 "name": "DevTest Lab Policy Sets Policies",
 "description": "This module deploys a DevTest Lab Policy Sets Policy.\r\n\r\nDevTest lab policies are used to modify the lab settings such as only allowing certain VM Size SKUs, marketplace image types, number of VMs allowed per user and other settings.",
@@ -861,8 +861,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "10592511541548002212" + "version": "0.23.1.45101", + "templateHash": "12981849767656574818" }, "name": "DevTest Lab Schedules", "description": "This module deploys a DevTest Lab Schedule.\r\n\r\nLab schedules are used to modify the settings for auto-shutdown, auto-start for lab virtual machines.", @@ -1085,8 +1085,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5225332129791836269" + "version": "0.23.1.45101", + "templateHash": "18307130406875558192" }, "name": "DevTest Lab Notification Channels", "description": "This module deploys a DevTest Lab Notification Channel.\r\n\r\nNotification channels are used by the schedule resource type in order to send notifications or events to email addresses and/or webhooks.", @@ -1269,8 +1269,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12165020180713564819" + "version": "0.23.1.45101", + "templateHash": "2347337632859394324" }, "name": "DevTest Lab Artifact Sources", "description": "This module deploys a DevTest Lab Artifact Source.\r\n\r\nAn artifact source allows you to create custom artifacts for the VMs in the lab, or use Azure Resource Manager templates to create a custom test environment. You must add a private Git repository for the artifacts or Resource Manager templates that your team creates. The repository can be hosted on GitHub or on Azure DevOps Services.", 
@@ -1485,8 +1485,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12104430168487418019" + "version": "0.23.1.45101", + "templateHash": "12516166788941938286" }, "name": "DevTest Lab Costs", "description": "This module deploys a DevTest Lab Cost.\r\n\r\nManage lab costs by setting a spending target that can be viewed in the Monthly Estimated Cost Trend chart. DevTest Labs can send a notification when spending reaches the specified target threshold.", @@ -1789,13 +1789,6 @@ } }, "outputs": { - "systemAssignedPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[reference('lab', '2018-10-15-preview', 'full').identity.principalId]" - }, "uniqueIdentifier": { "type": "string", "metadata": { diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index 574c196c63..0f43ecff33 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -121,12 +121,20 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan authenticationType: 'IdentityBased' endpointUri: '' entityPath: '' - userAssignedIdentity: '' + managedIdentities: { + userAssignedResourceId: '' + } } lock: { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -146,16 +154,15 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan authenticationType: 'IdentityBased' endpointUri: '' entityPath: '' - userAssignedIdentity: '' + managedIdentities: { + userAssignedResourceId: '' + } } tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -207,7 +214,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "authenticationType": "IdentityBased", "endpointUri": "", "entityPath": "", - "userAssignedIdentity": "" + "managedIdentities": { + "userAssignedResourceId": "" + } } }, "lock": { @@ -216,6 +225,14 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -240,7 +257,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "authenticationType": "IdentityBased", "endpointUri": "", "entityPath": "", - "userAssignedIdentity": "" + "managedIdentities": { + "userAssignedResourceId": "" + } } }, "tags": { @@ -249,11 +268,6 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -301,12 +315,19 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan authenticationType: 'IdentityBased' endpointUri: '' entityPath: '' - userAssignedIdentity: '' + managedIdentities: { + userAssignedResourceId: '' + } } lock: { kind: 'CanNotDelete' name: 'myCustomLockName' } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ @@ -326,16 +347,15 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan authenticationType: 'IdentityBased' endpointUri: '' entityPath: '' - userAssignedIdentity: '' + managedIdentities: { + userAssignedResourceId: '' + } } tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -387,7 +407,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "authenticationType": "IdentityBased", "endpointUri": "", "entityPath": "", - "userAssignedIdentity": "" + "managedIdentities": { + "userAssignedResourceId": "" + } } }, "lock": { @@ -396,6 +418,13 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "name": "myCustomLockName" } }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "privateEndpoints": { "value": [ { @@ -420,7 +449,9 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "authenticationType": "IdentityBased", "endpointUri": "", "entityPath": "", - "userAssignedIdentity": "" + "managedIdentities": { + "userAssignedResourceId": "" + } } }, "tags": { @@ -429,11 +460,6 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan "hidden-title": "This is visible in the resource name", "Role": "DeploymentValidation" } - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } 
@@ -461,13 +487,12 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan | [`eventHubEndpoint`](#parameter-eventhubendpoint) | object | Event Hub Endpoint. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`serviceBusEndpoint`](#parameter-servicebusendpoint) | object | Service Bus Endpoint. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | | [`tags`](#parameter-tags) | object | Resource tags. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | ### Parameter: `diagnosticSettings` 
@@ -639,6 +664,32 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | No | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: No +- Type: array + ### Parameter: `name` The name of the Digital Twin Instance. @@ -933,26 +984,12 @@ Service Bus Endpoint. - Type: object - Default: `{}` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - ### Parameter: `tags` Resource tags. - Required: No - Type: object -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{}` - ## Outputs @@ -963,6 +1000,7 @@ The ID(s) to assign to the resource. | `name` | string | The name of the Digital Twins Instance. | | `resourceGroupName` | string | The name of the resource group the resource was created in. | | `resourceId` | string | The resource ID of the Digital Twins Instance. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules 
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json index 27b52f1b55..8490ff9e8a 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-grid/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15429197908359098698" + "version": "0.23.1.45101", + "templateHash": "17503518990299492663" }, "name": "Digital Twins Instance Event Grid Endpoints", "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md index 0dd7790d4e..1101a6dfdb 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/README.md 
@@ -35,9 +35,8 @@ This module deploys a Digital Twins Instance EventHub Endpoint. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`endpointUri`](#parameter-endpointuri) | string | The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). | | [`entityPath`](#parameter-entitypath) | string | The EventHub name in the EventHub namespace for identity-based authentication. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedIdentity`](#parameter-userassignedidentity) | string | The ID to assign to the resource. | ### Parameter: `authenticationType` 
@@ -108,26 +107,38 @@ The EventHub name in the EventHub namespace for identity-based authentication. - Type: string - Default: `''` -### Parameter: `name` +### Parameter: `managedIdentities` -The name of the Digital Twin Endpoint. +The managed identity definition for this resource. - Required: No -- Type: string -- Default: `'EventHubEndpoint'` +- Type: object -### Parameter: `systemAssignedIdentity` -Enables system assigned managed identity on the resource. +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | No | string | Optional. The resource ID to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + - Required: No - Type: bool -- Default: `False` -### Parameter: `userAssignedIdentity` +### Parameter: `managedIdentities.userAssignedResourceId` + +Optional. The resource ID to assign to the resource. -The ID to assign to the resource. - Required: No - Type: string -- Default: `''` + +### Parameter: `name` + +The name of the Digital Twin Endpoint. +- Required: No +- Type: string +- Default: `'EventHubEndpoint'` ## Outputs diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep index bde961d9e6..44a269cc2b 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep 
@@ -39,17 +39,12 @@ param endpointUri string = ''
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
-@description('Optional. The ID to assign to the resource.')
-param userAssignedIdentity string = ''
-
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentity) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentity) ? 'UserAssigned' : 'None')
-
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentity: !empty(userAssignedIdentity) ? userAssignedIdentity : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)
+ userAssignedIdentity: !empty(managedIdentities.?userAssignedResourceId) ? managedIdentities.?userAssignedResourceId : null
 } : null
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
@@ -92,3 +87,15 @@ output resourceGroupName string = resourceGroup().name
 @description('The name of the Endpoint.')
 output name string = endpoint.name
+
+// =============== //
+// Definitions //
+// =============== //
+
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID to assign to the resource.')
+ userAssignedResourceId: string?
+}?
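Review bot: In the new `identity` variable (hunk `@@ -39,17 +39,12 @@`) the `type` expression can resolve to `null` while the surrounding object is still emitted, because the outer guard only tests `!empty(managedIdentities)`; an input such as `{ systemAssigned: false }` therefore sends `{ type: null, userAssignedIdentity: null }` to the endpoint, where the old `'None'` guard produced `null`. The service-bus endpoint hunk further down carries the identical expression and both compiled `main.json` files inherit it, so the fix belongs in both `.bicep` sources followed by a recompile. The combined value also changed from `'SystemAssigned, UserAssigned'` to `'SystemAssigned,UserAssigned'`; as far as I can tell the endpoint's `identity` is a reference selecting which identity to authenticate with rather than an assignment, so whether a combined value is accepted by the API at all is worth confirming before it becomes the documented contract. For the `userAssignedResourceId` description in the new type I would write `Optional. The resource ID of a user-assigned identity that is already assigned to the parent Digital Twins instance; the endpoint authenticates with it.` so callers do not expect the identity to be created or assigned here. Resolving the type first and gating the object on it restores the previous behaviour:
```bicep
// Resolve the identity type first so an input that selects no identity
// (e.g. { systemAssigned: false }) yields no identity block at all.
var identityType = (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)

var identity = identityType != null ? {
  type: identityType
  userAssignedIdentity: !empty(managedIdentities.?userAssignedResourceId ?? '') ? managedIdentities.?userAssignedResourceId : null
} : null

// … unchanged: defaultTelemetry, endpoint resource, outputs, managedIdentitiesType …
```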
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json index 3ef4af7bb3..d0299e46f1 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--event-hub/main.json @@ -1,16 +1,39 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1200386987193874100" + "version": "0.23.1.45101", + "templateHash": "3646158227862088931" }, "name": "Digital Twins Instance EventHub Endpoint", "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -85,27 +108,18 @@ "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentity": { - "type": "string", - "defaultValue": "", + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentity'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentity'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentity', if(not(empty(parameters('userAssignedIdentity'))), parameters('userAssignedIdentity'), null())), null())]" + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -119,7 +133,13 @@ } } }, - { + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", @@ -133,9 +153,12 @@ "endpointUri": "[parameters('endpointUri')]", "entityPath": "[parameters('entityPath')]", "identity": "[variables('identity')]" - } + }, + "dependsOn": [ + "digitalTwinsInstance" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md index fd96f9cd28..c9e29b7746 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/README.md 
@@ -34,10 +34,9 @@ This module deploys a Digital Twins Instance ServiceBus Endpoint. | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via the Customer Usage Attribution ID (GUID). | | [`endpointUri`](#parameter-endpointuri) | string | The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). | | [`entityPath`](#parameter-entitypath) | string | The ServiceBus Topic name for identity-based authentication. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | | [`secondaryConnectionString`](#parameter-secondaryconnectionstring) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". | -| [`systemAssignedIdentity`](#parameter-systemassignedidentity) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedIdentity`](#parameter-userassignedidentity) | string | The ID to assign to the resource. | ### Parameter: `authenticationType` 
@@ -94,6 +93,32 @@ The ServiceBus Topic name for identity-based authentication. - Type: string - Default: `''` +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | No | bool | Optional. Enables system assigned managed identity on the resource. | +| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | No | string | Optional. The resource ID to assign to the resource. | + +### Parameter: `managedIdentities.systemAssigned` + +Optional. Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourceId` + +Optional. The resource ID to assign to the resource. + +- Required: No +- Type: string + ### Parameter: `name` The name of the Digital Twin Endpoint. @@ -115,20 +140,6 @@ SecondaryConnectionString of the endpoint for key-based authentication. Will be - Type: securestring - Default: `''` -### Parameter: `systemAssignedIdentity` - -Enables system assigned managed identity on the resource. -- Required: No -- Type: bool -- Default: `False` - -### Parameter: `userAssignedIdentity` - -The ID to assign to the resource. -- Required: No -- Type: string -- Default: `''` - ## Outputs diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep index 25e6eb0ae7..633cc7ec3d 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep 
@@ -39,17 +39,12 @@ param secondaryConnectionString string = ''
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. Enables system assigned managed identity on the resource.')
-param systemAssignedIdentity bool = false
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
-@description('Optional. The ID to assign to the resource.')
-param userAssignedIdentity string = ''
-
-var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentity) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentity) ? 'UserAssigned' : 'None')
-
-var identity = identityType != 'None' ? {
- type: identityType
- userAssignedIdentity: !empty(userAssignedIdentity) ? userAssignedIdentity : null
+var identity = !empty(managedIdentities) ? {
+ type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)
+ userAssignedIdentity: !empty(managedIdentities.?userAssignedResourceId) ? managedIdentities.?userAssignedResourceId : null
 } : null
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
@@ -92,3 +87,15 @@ output resourceGroupName string = resourceGroup().name
 @description('The name of the Endpoint.')
 output name string = endpoint.name
+
+// =============== //
+// Definitions //
+// =============== //
+
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID to assign to the resource.')
+ userAssignedResourceId: string?
+}?
diff --git a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json index 31056e282d..6cd452bec3 100644 --- a/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json +++ b/modules/digital-twins/digital-twins-instance/endpoint--service-bus/main.json @@ -1,16 +1,39 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2168121049050485718" + "version": "0.23.1.45101", + "templateHash": "13121115050219114278" }, "name": "Digital Twins Instance ServiceBus Endpoint", "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -85,27 +108,18 @@ "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentity": { - "type": "string", - "defaultValue": "", + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentity'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentity'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentity', if(not(empty(parameters('userAssignedIdentity'))), parameters('userAssignedIdentity'), null())), null())]" + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -119,7 +133,13 @@ } } }, - { + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", @@ -133,9 +153,12 @@ "primaryConnectionString": "[parameters('primaryConnectionString')]", "secondaryConnectionString": "[parameters('secondaryConnectionString')]", "identity": "[variables('identity')]" - } + }, + "dependsOn": [ + "digitalTwinsInstance" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", diff --git a/modules/digital-twins/digital-twins-instance/main.bicep b/modules/digital-twins/digital-twins-instance/main.bicep index 39749fa29a..a05501f0ff 100644 --- a/modules/digital-twins/digital-twins-instance/main.bicep +++ b/modules/digital-twins/digital-twins-instance/main.bicep @@ -16,11 +16,8 @@ param tags object? @description('Optional. The lock settings of the service.') param lock lockType -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. Event Hub Endpoint.') param eventHubEndpoint object = {} 
@@ -53,11 +50,11 @@ param roleAssignments roleAssignmentType var enableReferencedModulesTelemetry = false -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +var identity = !empty(managedIdentities) ? { + type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null) + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } : null var builtInRoleNames = { @@ -105,8 +102,7 @@ module digitalTwinsInstance_eventHubEndpoint 'endpoint--event-hub/main.bicep' = endpointUri: contains(eventHubEndpoint, 'endpointUri') ? eventHubEndpoint.endpointUri : '' entityPath: contains(eventHubEndpoint, 'entityPath') ? eventHubEndpoint.entityPath : '' enableDefaultTelemetry: enableReferencedModulesTelemetry - systemAssignedIdentity: contains(eventHubEndpoint, 'systemAssignedIdentity') ? eventHubEndpoint.systemAssignedIdentity : false - userAssignedIdentity: contains(eventHubEndpoint, 'userAssignedIdentity') ? eventHubEndpoint.userAssignedIdentity : {} + managedIdentities: contains(eventHubEndpoint, 'managedIdentities') ? eventHubEndpoint.managedIdentities : {} } } 
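Review bot: Both `!empty(managedIdentities.?userAssignedResourcesIds ?? {})` checks in the `type` line fall back to `{}` for a property typed `string[]?`, while the `formattedUserAssignedIdentities` line right above uses `?? []`; it only works because `empty()` accepts either, so use `?? []` in both places to keep the fallback type honest. In the `@@ -105,8 +102,7` hunk the child's `managedIdentities` is read out of `eventHubEndpoint`, which is a plain `object`, so a mis-typed key (say `userAssignedResourceIds` for `userAssignedResourceId`) is not caught by the child's `managedIdentitiesType` at compile time and first surfaces at deployment of an `IdentityBased` endpoint. Until `eventHubEndpoint` gets a typed definition, a comment on that line would save the next reader a debugging round: `// eventHubEndpoint is untyped: managedIdentities is only validated by the child module at deployment time`.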
@@ -136,8 +132,7 @@ module digitalTwinsInstance_serviceBusEndpoint 'endpoint--service-bus/main.bicep primaryConnectionString: contains(serviceBusEndpoint, 'primaryConnectionString') ? serviceBusEndpoint.primaryConnectionString : '' secondaryConnectionString: contains(serviceBusEndpoint, 'secondaryConnectionString') ? serviceBusEndpoint.secondaryConnectionString : '' enableDefaultTelemetry: enableReferencedModulesTelemetry - systemAssignedIdentity: contains(eventHubEndpoint, 'systemAssignedIdentity') ? eventHubEndpoint.systemAssignedIdentity : false - userAssignedIdentity: contains(eventHubEndpoint, 'userAssignedIdentity') ? eventHubEndpoint.userAssignedIdentity : {} + managedIdentities: contains(serviceBusEndpoint, 'managedIdentities') ? serviceBusEndpoint.managedIdentities : {} } } @@ -229,10 +224,21 @@ output hostname string = digitalTwinsInstance.properties.hostName @description('The location the resource was deployed into.') output location string = digitalTwinsInstance.location +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(digitalTwinsInstance.identity, 'principalId') ? digitalTwinsInstance.identity.principalId : '' + // =============== // // Definitions // // =============== // +type managedIdentitiesType = { + @description('Optional. Enables system assigned managed identity on the resource.') + systemAssigned: bool? + + @description('Optional. The resource ID(s) to assign to the resource.') + userAssignedResourcesIds: string[]? +}? + type lockType = { @description('Optional. Specify the name of lock.') name: string? diff --git a/modules/digital-twins/digital-twins-instance/main.json b/modules/digital-twins/digital-twins-instance/main.json index 166bf7d6ff..5653591407 100644 --- a/modules/digital-twins/digital-twins-instance/main.json +++ b/modules/digital-twins/digital-twins-instance/main.json 
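Review bot: The new `systemAssignedMIPrincipalId` output in the `@@ -229,10 +224,21` hunk dereferences `digitalTwinsInstance.identity` inside `contains(...)`, which compiles to `reference(...).identity` (see the `main.json` hunk `@@ -1772,6 +1831,13`); when no identity is configured that property is absent on the resource, and unless ARM's `and()` short-circuits on the `systemAssigned` guard the output evaluation fails at deployment. The safe-dereference operators this same hunk already uses on `managedIdentities` side-step the question: `output systemAssignedMIPrincipalId string = digitalTwinsInstance.?identity.?principalId ?? ''`. The `systemAssigned` guard then becomes unnecessary, since `principalId` is only populated when a system-assigned identity exists — please confirm against the resource provider before dropping it.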
@@ -5,14 +5,37 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "4900944127202083879" + "version": "0.23.1.45101", + "templateHash": "7414042721706079453" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", "owner": "Azure/module-maintainers" }, "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourcesIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource." + } + } + }, + "nullable": true + }, "lockType": { "type": "object", "properties": { @@ -415,18 +438,10 @@ "description": "Optional. The lock settings of the service." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "eventHubEndpoint": { 
@@ -490,8 +505,8 @@ }, "variables": { "enableReferencedModulesTelemetry": false, - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Azure Digital Twins Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", "Azure Digital Twins Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", 
@@ -612,22 +627,44 @@ "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, - "systemAssignedIdentity": "[if(contains(parameters('eventHubEndpoint'), 'systemAssignedIdentity'), createObject('value', parameters('eventHubEndpoint').systemAssignedIdentity), createObject('value', false()))]", - "userAssignedIdentity": "[if(contains(parameters('eventHubEndpoint'), 'userAssignedIdentity'), createObject('value', parameters('eventHubEndpoint').userAssignedIdentity), createObject('value', createObject()))]" + "managedIdentities": "[if(contains(parameters('eventHubEndpoint'), 'managedIdentities'), createObject('value', parameters('eventHubEndpoint').managedIdentities), createObject('value', createObject()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "1200386987193874100" + "version": "0.23.1.45101", + "templateHash": "3646158227862088931" }, "name": "Digital Twins Instance EventHub Endpoint", "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -702,27 +739,18 @@ "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentity": { - "type": "string", - "defaultValue": "", + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentity'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentity'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentity', if(not(empty(parameters('userAssignedIdentity'))), parameters('userAssignedIdentity'), null())), null())]" + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -736,7 +764,13 @@ } } }, - { + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", @@ -750,9 +784,12 @@ "endpointUri": "[parameters('endpointUri')]", "entityPath": "[parameters('entityPath')]", "identity": "[variables('identity')]" - } + }, + "dependsOn": [ + "digitalTwinsInstance" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -811,8 +848,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "15429197908359098698" + "version": "0.23.1.45101", + "templateHash": "17503518990299492663" }, "name": "Digital Twins Instance Event Grid Endpoints", "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", 
@@ -950,22 +987,44 @@ "enableDefaultTelemetry": { "value": "[variables('enableReferencedModulesTelemetry')]" }, - "systemAssignedIdentity": "[if(contains(parameters('eventHubEndpoint'), 'systemAssignedIdentity'), createObject('value', parameters('eventHubEndpoint').systemAssignedIdentity), createObject('value', false()))]", - "userAssignedIdentity": "[if(contains(parameters('eventHubEndpoint'), 'userAssignedIdentity'), createObject('value', parameters('eventHubEndpoint').userAssignedIdentity), createObject('value', createObject()))]" + "managedIdentities": "[if(contains(parameters('serviceBusEndpoint'), 'managedIdentities'), createObject('value', parameters('serviceBusEndpoint').managedIdentities), createObject('value', createObject()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "2168121049050485718" + "version": "0.23.1.45101", + "templateHash": "13121115050219114278" }, "name": "Digital Twins Instance ServiceBus Endpoint", "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", "owner": "Azure/module-maintainers" }, + "definitions": { + "managedIdentitiesType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID to assign to the resource." + } + } + }, + "nullable": true + } + }, "parameters": { "name": { "type": "string", 
@@ -1040,27 +1099,18 @@ "description": "Optional. Enable telemetry via the Customer Usage Attribution ID (GUID)." } }, - "systemAssignedIdentity": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedIdentity": { - "type": "string", - "defaultValue": "", + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } } }, "variables": { - "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentity'))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentity'))), 'UserAssigned', 'None'))]", - "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentity', if(not(empty(parameters('userAssignedIdentity'))), parameters('userAssignedIdentity'), null())), null())]" + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', if(not(empty(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'))), tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), null())), null())]" }, - "resources": [ - { + "resources": { + "defaultTelemetry": { "condition": "[parameters('enableDefaultTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
@@ -1074,7 +1124,13 @@ } } }, - { + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", @@ -1088,9 +1144,12 @@ "primaryConnectionString": "[parameters('primaryConnectionString')]", "secondaryConnectionString": "[parameters('secondaryConnectionString')]", "identity": "[variables('identity')]" - } + }, + "dependsOn": [ + "digitalTwinsInstance" + ] } - ], + }, "outputs": { "resourceId": { "type": "string", @@ -1192,8 +1251,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1595,8 +1654,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", 
@@ -1772,6 +1831,13 @@ "description": "The location the resource was deployed into." }, "value": "[reference('digitalTwinsInstance', '2023-01-31', 'full').location]" + }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('digitalTwinsInstance', '2023-01-31', 'full').identity, 'principalId')), reference('digitalTwinsInstance', '2023-01-31', 'full').identity.principalId, '')]" } } } \ No newline at end of file diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep index 6b1f42d08a..2a577e3e87 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep @@ -73,13 +73,17 @@ module testDeployment '../../../main.bicep' = { authenticationType: 'IdentityBased' endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' entityPath: nestedDependencies.outputs.eventhubName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } serviceBusEndpoint: { authenticationType: 'IdentityBased' endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' entityPath: nestedDependencies.outputs.serviceBusTopicName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } eventGridEndpoint: { eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId 
@@ -87,8 +91,11 @@ module testDeployment '../../../main.bicep' = { } enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } diagnosticSettings: [ { diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep index 2c2f2e28ca..2043807414 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep @@ -73,13 +73,17 @@ module testDeployment '../../../main.bicep' = { authenticationType: 'IdentityBased' endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' entityPath: nestedDependencies.outputs.eventhubName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } serviceBusEndpoint: { authenticationType: 'IdentityBased' endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' entityPath: nestedDependencies.outputs.serviceBusTopicName - userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } } eventGridEndpoint: { eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId 
@@ -87,8 +91,10 @@ module testDeployment '../../../main.bicep' = { } enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' - userAssignedIdentities: { - '${nestedDependencies.outputs.managedIdentityResourceId}': {} + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] } diagnosticSettings: [ { diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index 879cf28301..4b5f6948f4 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -380,6 +380,11 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { type: 'SelfHosted' } ] + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } managedVirtualNetwork: true privateEndpoints: [ { @@ -402,9 +407,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - userAssignedIdentities: { - '': {} - } } } ``` @@ -468,6 +470,13 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } ] }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "managedVirtualNetwork": { "value": true }, @@ -495,11 +504,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "roleDefinitionIdOrName": "Reader" } ] - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -552,6 +556,11 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { type: 'SelfHosted' } ] + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } managedVirtualNetwork: true privateEndpoints: [ { @@ -574,9 +583,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { roleDefinitionIdOrName: 'Reader' } ] - userAssignedIdentities: { - '': {} - } } } ``` 
@@ -640,6 +646,13 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { } ] }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, "managedVirtualNetwork": { "value": true }, @@ -667,11 +680,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { "roleDefinitionIdOrName": "Reader" } ] - }, - "userAssignedIdentities": { - "value": { - "": {} - } } } } @@ -708,6 +716,7 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`linkedAccessCheckOnTargetResource`](#parameter-linkedaccesscheckontargetresource) | bool | Linked Access Check On Target Resource. | | [`location`](#parameter-location) | string | The geo-location where the resource lives. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. | | [`managedVirtualNetwork`](#parameter-managedvirtualnetwork) | bool | Enable this to ensure that connection from your workspace to your data sources use Azure Private Links. You can create managed private endpoints to your data sources. | | [`preventDataExfiltration`](#parameter-preventdataexfiltration) | bool | Prevent Data Exfiltration. | 
@@ -717,7 +726,6 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | [`sqlAdministratorLoginPassword`](#parameter-sqladministratorloginpassword) | string | Password for administrator access to the workspace's SQL pools. If you don't provide a password, one will be automatically generated. You can change the password later. | | [`tags`](#parameter-tags) | object | Tags of the resource. | -| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. | | [`workspaceRepositoryConfiguration`](#parameter-workspacerepositoryconfiguration) | object | Git integration settings. | ### Parameter: `allowedAadTenantIdsForLinking` 
@@ -959,6 +967,24 @@ Optional. Specify the name of lock. - Required: No - Type: string +### Parameter: `managedIdentities` + +The managed identity definition for this resource. +- Required: No +- Type: object + + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. | + +### Parameter: `managedIdentities.userAssignedResourcesIds` + +Optional. The resource ID(s) to assign to the resource. + +- Required: Yes +- Type: array + ### Parameter: `managedResourceGroupName` Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'. @@ -1292,13 +1318,6 @@ Tags of the resource. - Required: No - Type: object -### Parameter: `userAssignedIdentities` - -The ID(s) to assign to the resource. -- Required: No -- Type: object -- Default: `{}` - ### Parameter: `workspaceRepositoryConfiguration` Git integration settings. @@ -1316,7 +1335,7 @@ Git integration settings. | `name` | string | The name of the deployed Synapse Workspace. | | `resourceGroupName` | string | The resource group of the deployed Synapse Workspace. | | `resourceID` | string | The resource ID of the deployed Synapse Workspace. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/synapse/workspace/main.bicep b/modules/synapse/workspace/main.bicep index a73a3c42f8..360fe2834f 100644 --- a/modules/synapse/workspace/main.bicep +++ b/modules/synapse/workspace/main.bicep 
@@ -76,8 +76,8 @@ param sqlAdministratorLoginPassword string = '' @description('Optional. Git integration settings.') param workspaceRepositoryConfiguration object = {} -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentitiesType @description('Optional. The lock settings of the service.') param lock lockType @@ -92,15 +92,16 @@ param privateEndpoints privateEndpointType param diagnosticSettings diagnosticSettingType // Variables -var userAssignedIdentitiesUnion = union(userAssignedIdentities, !empty(customerManagedKey.?userAssignedIdentityResourceId ?? []) ? { - '${customerManagedKey!.userAssignedIdentityResourceId}': {} - } : {}) -var identityType = !empty(userAssignedIdentitiesUnion) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' +var cmkUserAssignedIdentityAsArray = !empty(customerManagedKey.?userAssignedIdentityResourceId ?? []) ? [ customerManagedKey.?userAssignedIdentityResourceId ] : [] + +var userAssignedIdentitiesUnion = !empty(managedIdentities) ? union(managedIdentities.?userAssignedResourcesIds ?? [], cmkUserAssignedIdentityAsArray) : cmkUserAssignedIdentityAsArray + +var formattedUserAssignedIdentities = reduce(map((userAssignedIdentitiesUnion ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} } var identity = { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentitiesUnion) ? userAssignedIdentitiesUnion : null + type: !empty(userAssignedIdentitiesUnion) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned' + userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null } var enableReferencedModulesTelemetry = false 
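Review bot: `cmkUserAssignedIdentityAsArray` tests `customerManagedKey.?userAssignedIdentityResourceId ?? []`, an array fallback for a string-typed property; `?? ''` states the intent and still satisfies `empty()`. The `!empty(managedIdentities) ? union(...) : cmkUserAssignedIdentityAsArray` ternary and the `userAssignedIdentitiesUnion ?? []` inside `reduce` are redundant as well, because `managedIdentities.?userAssignedResourcesIds ?? []` already handles a null parameter and `union()` does not return null; `var userAssignedIdentitiesUnion = union(managedIdentities.?userAssignedResourcesIds ?? [], cmkUserAssignedIdentityAsArray)` covers both cases. Since this is the place where the customer-managed-key identity is merged into the workspace's identity list without the caller listing it, a why-comment on `userAssignedIdentitiesUnion` would help, e.g. `// The CMK user-assigned identity is always merged into the workspace identities (presumably so the workspace can read the key — confirm)`.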
@@ -312,7 +313,7 @@ output resourceGroupName string = resourceGroup().name
 output connectivityEndpoints object = workspace.properties.connectivityEndpoints
 @description('The principal ID of the system assigned identity.')
-output systemAssignedPrincipalId string = contains(workspace.identity, 'principalId') ? workspace.identity.principalId : ''
+output systemAssignedMIPrincipalId string = contains(workspace.identity, 'principalId') ? workspace.identity.principalId : ''
 @description('The location the resource was deployed into.')
 output location string = workspace.location
@@ -321,6 +322,11 @@ output location string = workspace.location
 // Definitions //
 // =============== //
+type managedIdentitiesType = {
+  @description('Optional. The resource ID(s) to assign to the resource.')
+  userAssignedResourcesIds: string[]
+}?
+
 type lockType = {
   @description('Optional. Specify the name of lock.')
   name: string?
diff --git a/modules/synapse/workspace/main.json b/modules/synapse/workspace/main.json
index e96aed1c93..c2c4f5d7d7 100644
--- a/modules/synapse/workspace/main.json
+++ b/modules/synapse/workspace/main.json
@@ -5,14 +5,29 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.22.6.54827",
-      "templateHash": "2450269560530411916"
+      "version": "0.23.1.45101",
+      "templateHash": "17402441205082083392"
     },
     "name": "Synapse Workspaces",
     "description": "This module deploys a Synapse Workspace.",
     "owner": "Azure/module-maintainers"
   },
   "definitions": {
+    "managedIdentitiesType": {
+      "type": "object",
+      "properties": {
+        "userAssignedResourcesIds": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "metadata": {
+            "description": "Optional. The resource ID(s) to assign to the resource."
+          }
+        }
+      },
+      "nullable": true
+    },
     "lockType": {
       "type": "object",
       "properties": {
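Review bot: `userAssignedResourcesIds: string[]` in the new `managedIdentitiesType` is declared as a required property, which contradicts its own `@description('Optional. ...')` and is why the generated README in this patch lists it as `Required: Yes` beside an "Optional." description. The variables block in main.bicep already reads it defensively as `managedIdentities.?userAssignedResourcesIds ?? []`, so the intent appears to be an optional array; declaring it as `userAssignedResourcesIds: string[]?` would make the type, the docs and the consumer agree and should add `"nullable": true` to the property in the regenerated `main.json`. The trailing `}?` only makes the parameter object itself optional, not the property inside it.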
@@ -555,11 +570,10 @@ "description": "Optional. Git integration settings." } }, - "userAssignedIdentities": { - "type": "object", - "defaultValue": {}, + "managedIdentities": { + "$ref": "#/definitions/managedIdentitiesType", "metadata": { - "description": "Optional. The ID(s) to assign to the resource." + "description": "Optional. The managed identity definition for this resource." } }, "lock": { 
@@ -588,11 +602,12 @@ } }, "variables": { - "userAssignedIdentitiesUnion": "[union(parameters('userAssignedIdentities'), if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), createArray()))), createObject(format('{0}', parameters('customerManagedKey').userAssignedIdentityResourceId), createObject()), createObject()))]", - "identityType": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", + "cmkUserAssignedIdentityAsArray": "[if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), createArray()))), createArray(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')), createArray())]", + "userAssignedIdentitiesUnion": "[if(not(empty(parameters('managedIdentities'))), union(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), variables('cmkUserAssignedIdentityAsArray')), variables('cmkUserAssignedIdentityAsArray'))]", + "formattedUserAssignedIdentities": "[reduce(map(coalesce(variables('userAssignedIdentitiesUnion'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", "identity": { - "type": "[variables('identityType')]", - "userAssignedIdentities": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), variables('userAssignedIdentitiesUnion'), null())]" + "type": "[if(not(empty(variables('userAssignedIdentitiesUnion'))), 'SystemAssigned,UserAssigned', 'SystemAssigned')]", + "userAssignedIdentities": "[if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())]" }, "enableReferencedModulesTelemetry": false, "builtInRoleNames": { 
@@ -772,8 +787,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "3121962670071772951" + "version": "0.23.1.45101", + "templateHash": "15433128731134325120" }, "name": "Synapse Workspace Integration Runtimes", "description": "This module deploys a Synapse Workspace Integration Runtime.", @@ -891,8 +906,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "7188161900918132964" + "version": "0.23.1.45101", + "templateHash": "1182711601328740781" } }, "parameters": { @@ -979,8 +994,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "5952844918734432483" + "version": "0.23.1.45101", + "templateHash": "17878422697036938783" }, "name": "Synapse Workspaces Keys", "description": "This module deploys a Synapse Workspaces Key.", @@ -1154,8 +1169,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "12078057657290521609" + "version": "0.23.1.45101", + "templateHash": "6873008238043407177" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1557,8 +1572,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.22.6.54827", - "templateHash": "16391702514342252839" + "version": "0.23.1.45101", + "templateHash": "17578977753131828304" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1728,7 +1743,7 @@ }, "value": "[reference('workspace').connectivityEndpoints]" }, - "systemAssignedPrincipalId": { + "systemAssignedMIPrincipalId": { "type": "string", "metadata": { "description": "The principal ID of the system assigned identity." diff --git a/modules/synapse/workspace/tests/e2e/max/main.test.bicep b/modules/synapse/workspace/tests/e2e/max/main.test.bicep index 70526bbe29..a3fcfac98d 100644 --- a/modules/synapse/workspace/tests/e2e/max/main.test.bicep 
+++ b/modules/synapse/workspace/tests/e2e/max/main.test.bicep
@@ -71,8 +71,10 @@ module testDeployment '../../../main.bicep' = {
     defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName
     sqlAdministratorLogin: 'synwsadmin'
     initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId
-    userAssignedIdentities: {
-      '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+    managedIdentities: {
+      userAssignedResourcesIds: [
+        nestedDependencies.outputs.managedIdentityResourceId
+      ]
     }
     roleAssignments: [
       {
diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
index cd02520ced..4a2f8236fc 100644
--- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -71,8 +71,10 @@ module testDeployment '../../../main.bicep' = {
     defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName
     sqlAdministratorLogin: 'synwsadmin'
     initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId
-    userAssignedIdentities: {
-      '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+    managedIdentities: {
+      userAssignedResourcesIds: [
+        nestedDependencies.outputs.managedIdentityResourceId
+      ]
     }
     roleAssignments: [
       {
diff --git a/modules/web/site/README.md b/modules/web/site/README.md
index 491ed806e0..bebdd69f18 100644
--- a/modules/web/site/README.md
+++ b/modules/web/site/README.md
@@ -1674,7 +1674,7 @@ Virtual Network Route All enabled. This causes all outbound traffic to have Virt | `resourceId` | string | The resource ID of the site. | | `slotResourceIds` | array | The list of the slot resource ids. | | `slots` | array | The list of the slots. | -| `slotSystemAssignedPrincipalIds` | array | The principal ID of the system assigned identity of slots. | +| `slotSystemAssignedMIPrincipalIds` | array | The principal ID of the system assigned identity of slots. | | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules diff --git a/modules/web/site/main.bicep b/modules/web/site/main.bicep index 6803c41fc8..f2c02e7356 100644 --- a/modules/web/site/main.bicep +++ b/modules/web/site/main.bicep @@ -403,7 +403,7 @@ output resourceGroupName string = resourceGroup().name output systemAssignedMIPrincipalId string = (managedIdentities.?systemAssigned ?? false) && contains(app.identity, 'principalId') ? app.identity.principalId : '' @description('The principal ID of the system assigned identity of slots.') -output slotSystemAssignedPrincipalIds array = [for (slot, index) in slots: app_slots[index].outputs.systemAssignedMIPrincipalId] +output slotSystemAssignedMIPrincipalIds array = [for (slot, index) in slots: app_slots[index].outputs.systemAssignedMIPrincipalId] @description('The location the resource was deployed into.') output location string = app.location diff --git a/modules/web/site/main.json b/modules/web/site/main.json index 45a572bcb1..40e10f96f9 100644 --- a/modules/web/site/main.json +++ b/modules/web/site/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "8496123525886789404" + "templateHash": "5943221871747072299" }, "name": "Web/Function Apps", "description": "This module deploys a Web or Function App.", 
@@ -4231,7 +4231,7 @@ }, "value": "[if(and(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), contains(reference('app', '2022-09-01', 'full').identity, 'principalId')), reference('app', '2022-09-01', 'full').identity.principalId, '')]" }, - "slotSystemAssignedPrincipalIds": { + "slotSystemAssignedMIPrincipalIds": { "type": "array", "metadata": { "description": "The principal ID of the system assigned identity of slots."