[DO NOT MERGE] ACI: MSI update

azure-mgmt-containerinstance/src/main/java/com/microsoft/azure/management/containerinstance/ContainerGroup.java

@@ -1188,11 +1188,126 @@ interface WithCreate extends
         }
     }
 
+    /**
+     * Grouping of container group update stages.
+     */
+    interface UpdateStages {
+        /**
+         * The stage of the container group update allowing to enable System Assigned (Local) Managed Service Identity.
+         */
+        @Beta(Beta.SinceVersion.V1_23_0)
+        interface WithSystemAssignedManagedServiceIdentity {
+            /**
+             * Specifies that System Assigned (Local) Managed Service Identity needs to be enabled in the
+             * virtual machine.
+             *
+             * @return the next stage of the update
+             */
+            WithSystemAssignedIdentityBasedAccessOrUpdate withSystemAssignedManagedServiceIdentity();
+
+            /**
+             * Specifies that System Assigned (Local) Managed Service Identity needs to be disabled.
+             *
+             * @return the next stage of the update
+             */
+            Update withoutSystemAssignedManagedServiceIdentity();
+        }
+
+        /**
+         * The stage of the System Assigned (Local) Managed Service Identity enabled container group allowing to
+         * set access role for the identity.
+         */
+        @Beta(Beta.SinceVersion.V1_23_0)
+        interface WithSystemAssignedIdentityBasedAccessOrUpdate extends Update {
+            /**
+             * Specifies that container group's system assigned (local) identity should have the given
+             * access (described by the role) on an ARM resource identified by the resource ID.
+             * Applications running on the container group will have the same permission (role) on
+             * the ARM resource.
+             *
+             * @param resourceId the ARM identifier of the resource
+             * @param role access role to assigned to the container group's local identity
+             * @return the next stage of the update
+             */
+            @Beta(Beta.SinceVersion.V1_23_0)
+            WithSystemAssignedIdentityBasedAccessOrUpdate withSystemAssignedIdentityBasedAccessTo(String resourceId, BuiltInRole role);
+
+            /**
+             * Specifies that container group's system assigned (local) identity should have the given access
+             * (described by the role) on the resource group that virtual machine resides. Applications running
+             * on the container group will have the same permission (role) on the resource group.
+             *
+             * @param role access role to assigned to the container group's local identity
+             * @return the next stage of the update
+             */
+            @Beta(Beta.SinceVersion.V1_23_0)
+            WithSystemAssignedIdentityBasedAccessOrUpdate withSystemAssignedIdentityBasedAccessToCurrentResourceGroup(BuiltInRole role);
+
+            /**
+             * Specifies that container group's system assigned (local) identity should have the access
+             * (described by the role definition) on an ARM resource identified by the resource ID.
+             * Applications running on the container group will have the same permission (role) on
+             * the ARM resource.
+             *
+             * @param resourceId scope of the access represented in ARM resource ID format
+             * @param roleDefinitionId access role definition to assigned to the container group's local identity
+             * @return the next stage of the update
+             */
+            @Beta(Beta.SinceVersion.V1_23_0)
+            WithSystemAssignedIdentityBasedAccessOrUpdate withSystemAssignedIdentityBasedAccessTo(String resourceId, String roleDefinitionId);
+
+            /**
+             * Specifies that container group's system assigned (local) identity should have the access (described by the
+             * role definition) on the resource group that container group resides. Applications running
+             * on the virtual machine will have the same permission (role) on the resource group.
+             *
+             * @param roleDefinitionId access role definition to assigned to the container group's local identity
+             * @return the next stage of the update
+             */
+            @Beta(Beta.SinceVersion.V1_23_0)
+            WithSystemAssignedIdentityBasedAccessOrUpdate withSystemAssignedIdentityBasedAccessToCurrentResourceGroup(String roleDefinitionId);
+        }
+
+        /**
+         * The stage of the container group update allowing to add or remove User Assigned (External) Managed Service Identities.
+         */
+        @Beta(Beta.SinceVersion.V1_5_1)
+        interface WithUserAssignedManagedServiceIdentity {
+            /**
+             * Specifies the definition of a not-yet-created user assigned identity to be associated with the container group.
+             *
+             * @param creatableIdentity a creatable identity definition
+             * @return the next stage of the container group update
+             */
+            @Beta(Beta.SinceVersion.V1_5_1)
+            Update withNewUserAssignedManagedServiceIdentity(Creatable<Identity> creatableIdentity);
+
+            /**
+             * Specifies an existing user assigned identity to be associated with the container group.
+             * @param identity the identity
+             * @return the next stage of the container group update
+             */
+            @Beta(Beta.SinceVersion.V1_5_1)
+            Update withExistingUserAssignedManagedServiceIdentity(Identity identity);
+
+            /**
+             * Specifies that an user assigned identity associated with the container group should be removed.
+             *
+             * @param identityId ARM resource id of the identity
+             * @return the next stage of the container group update
+             */
+            @Beta(Beta.SinceVersion.V1_5_1)
+            Update withoutUserAssignedManagedServiceIdentity(String identityId);
+        }
+    }
+
     /**
      * The template for an update operation, containing all the settings that can be modified.
      */
     interface Update extends
             Resource.UpdateWithTags<Update>,
+            UpdateStages.WithSystemAssignedManagedServiceIdentity,
+            UpdateStages.WithUserAssignedManagedServiceIdentity,
             Appliable<ContainerGroup> {
     }
 

azure-mgmt-containerinstance/src/main/java/com/microsoft/azure/management/containerinstance/implementation/ContainerGroupImpl.java

@@ -74,6 +74,8 @@ public class ContainerGroupImpl
                 ContainerInstanceManager>
         implements ContainerGroup,
         ContainerGroup.Definition,
+        ContainerGroup.DefinitionStages.WithSystemAssignedIdentityBasedAccessOrCreate,
+        ContainerGroup.UpdateStages.WithSystemAssignedIdentityBasedAccessOrUpdate,
         ContainerGroup.Update {
 
     private final StorageManager storageManager;
@@ -117,7 +119,13 @@ public Observable<ContainerGroupInner> call(ContainerGroupInner containerGroupIn
                         }
                     });
         } else if (newFileShares == null || creatableStorageAccountKey == null) {
-            return self.manager().inner().containerGroups().createOrUpdateAsync(self.resourceGroupName(), self.name(), self.inner());
+            return self.manager().inner().containerGroups().createOrUpdateAsync(self.resourceGroupName(), self.name(), self.inner()).map(new Func1<ContainerGroupInner, ContainerGroupInner>() {
+                @Override
+                public ContainerGroupInner call(ContainerGroupInner containerGroupInner) {
+                    self.containerGroupMsiHandler.reset(containerGroupInner);
+                    return containerGroupInner;
+                }
+            });
         } else {
             final StorageAccount storageAccount = this.<StorageAccount>taskResult(this.creatableStorageAccountKey);
             return createFileShareAsync(storageAccount)
@@ -142,7 +150,13 @@ public Observable<? extends ContainerGroupInner> call(List<Triple<String, String
                                         .withStorageAccountKey(fileShareEntry.getRight())
                                         .attach();
                             }
-                            return self.manager().inner().containerGroups().createOrUpdateAsync(self.resourceGroupName(), self.name(), self.inner());
+                            return self.manager().inner().containerGroups().createOrUpdateAsync(self.resourceGroupName(), self.name(), self.inner()).map(new Func1<ContainerGroupInner, ContainerGroupInner>() {
+                                @Override
+                                public ContainerGroupInner call(ContainerGroupInner containerGroupInner) {
+                                    self.containerGroupMsiHandler.reset(containerGroupInner);
+                                    return containerGroupInner;
+                                }
+                            });
                         }
                     });
         }
@@ -288,6 +302,12 @@ public ContainerGroupImpl withSystemAssignedManagedServiceIdentity() {
         return this;
     }
 
+    @Override
+    public ContainerGroupImpl withoutSystemAssignedManagedServiceIdentity() {
+        this.containerGroupMsiHandler.withoutLocalManagedServiceIdentity();
+        return this;
+    }
+
     @Override
     public ContainerGroupImpl withSystemAssignedIdentityBasedAccessTo(String resourceId, BuiltInRole role) {
         this.containerGroupMsiHandler.withAccessTo(resourceId, role);
@@ -324,6 +344,12 @@ public ContainerGroupImpl withExistingUserAssignedManagedServiceIdentity(Identit
         return this;
     }
 
+    @Override
+    public ContainerGroupImpl withoutUserAssignedManagedServiceIdentity(String identityId) {
+        this.containerGroupMsiHandler.withoutExternalManagedServiceIdentity(identityId);
+        return this;
+    }
+
     @Override
     public ContainerGroupImpl withPublicImageRegistryOnly() {
         this.inner().withImageRegistryCredentials(null);

azure-mgmt-containerinstance/src/main/java/com/microsoft/azure/management/containerinstance/implementation/ContainerGroupMsiHandler.java

@@ -20,6 +20,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 
 @LangDefinition
 class ContainerGroupMsiHandler extends RoleAssignmentHelper {
@@ -45,8 +46,14 @@ void processCreatedExternalIdentities() {
     }
 
     void handleExternalIdentities() {
-        if (!this.userAssignedIdentities.isEmpty()) {
-            this.containerGroup.inner().identity().withUserAssignedIdentities(this.userAssignedIdentities);
+        this.containerGroup.inner().identity().withUserAssignedIdentities(this.userAssignedIdentities);
+        if (this.containerGroup.inner().identity().userAssignedIdentities() == null || this.containerGroup.inner().identity().userAssignedIdentities().size() == 0) {
+            if (this.containerGroup.inner().identity().type() == ResourceIdentityType.SYSTEM_ASSIGNED_USER_ASSIGNED) {
+                this.containerGroup.inner().identity().withType(ResourceIdentityType.SYSTEM_ASSIGNED);
+            }
+            if (this.containerGroup.inner().identity().type() == ResourceIdentityType.USER_ASSIGNED) {
+                this.containerGroup.inner().identity().withType(ResourceIdentityType.NONE);
+            }
         }
     }
 
@@ -62,6 +69,25 @@ ContainerGroupMsiHandler withLocalManagedServiceIdentity() {
         return this;
     }
 
+    /**
+     * Specifies that Local Managed Service Identity needs to be disabled in the container group.
+     *
+     * @return ContainerGroupMsiHandler
+     */
+    ContainerGroupMsiHandler withoutLocalManagedServiceIdentity() {
+        if (this.containerGroup.inner().identity() == null
+            || this.containerGroup.inner().identity().type() == null
+            || this.containerGroup.inner().identity().type().equals(ResourceIdentityType.NONE)
+            || this.containerGroup.inner().identity().type().equals(ResourceIdentityType.USER_ASSIGNED)) {
+            return this;
+        } else if (this.containerGroup.inner().identity().type().equals(ResourceIdentityType.SYSTEM_ASSIGNED)) {
+            this.containerGroup.inner().identity().withType(ResourceIdentityType.NONE);
+        } else if (this.containerGroup.inner().identity().type().equals(ResourceIdentityType.SYSTEM_ASSIGNED_USER_ASSIGNED)) {
+            this.containerGroup.inner().identity().withType(ResourceIdentityType.USER_ASSIGNED);
+        }
+        return this;
+    }
+
     /**
      * Specifies that given identity should be set as one of the External Managed Service Identity
      * of the container instance.
@@ -81,6 +107,13 @@ ContainerGroupMsiHandler withNewExternalManagedServiceIdentity(Creatable<Identit
         return this;
     }
 
+    void reset(ContainerGroupInner containerGroupInner) {
+        this.userAssignedIdentities.clear();
+        for (String key : containerGroupInner.identity().userAssignedIdentities().keySet()) {
+            this.userAssignedIdentities.put(key, containerGroupInner.identity().userAssignedIdentities().get(key));
+        }
+    }
+
     /**
      * Specifies that given identity should be set as one of the External Managed Service Identity
      * of the container instance.
@@ -94,6 +127,18 @@ ContainerGroupMsiHandler withExistingExternalManagedServiceIdentity(Identity ide
         return this;
     }
 
+    /**
+     * Specifies that given identity should be removed from the list of External Managed Service Identity
+     * associated with the container group.
+     *
+     * @param identityId resource id of the identity
+     * @return ContainerGroupMsiHandler
+     */
+    ContainerGroupMsiHandler withoutExternalManagedServiceIdentity(String identityId) {
+        this.userAssignedIdentities.remove(identityId);
+        return this;
+    }
+
     /**
      * Initialize Container Instance's identity property.
      *