fix: add missing managed identities

Azure-Samples · Mar 21, 2024 · 09cbe21 · 09cbe21
1 parent d9f4f11
commit 09cbe21
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/infra/core/security/managed-identity.bicep b/infra/core/security/managed-identity.bicep
@@ -0,0 +1,7 @@
+param name string
+param location string = resourceGroup().location
+
+resource apiIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: name
+  location: location
+}
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -83,6 +83,9 @@ var resourceToken = toLower(uniqueString(subscription().id, environmentName, loc
 var tags = union({ 'azd-env-name': environmentName }, empty(aliasTag) ? {} : { alias: aliasTag })
 var allowedOrigins = empty(allowedOrigin) ? [webApp.outputs.uri] : [webApp.outputs.uri, allowedOrigin]
 
+var indexerApiIdentityName = '${abbrs.managedIdentityUserAssignedIdentities}indexer-api-${resourceToken}'
+var searchApiIdentityName = '${abbrs.managedIdentityUserAssignedIdentities}search-api-${resourceToken}'
+
 // Organize resources in a resource group
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: !empty(resourceGroupName) ? resourceGroupName : '${abbrs.resourcesResourceGroups}${environmentName}'
@@ -142,6 +145,16 @@ module webApp './core/host/staticwebapp.bicep' = {
   }
 }
 
+// search API identity
+module searchApiIdentity 'core/security/managed-identity.bicep' = {
+  name: 'search-api-identity'
+  scope: resourceGroup
+  params: {
+    name: searchApiIdentityName
+    location: location
+  }
+}
+
 // The search API
 module searchApi './core/host/container-app.bicep' = {
   name: 'search-api'
@@ -152,7 +165,7 @@ module searchApi './core/host/container-app.bicep' = {
     tags: union(tags, { 'azd-service-name': searchApiName })
     containerAppsEnvironmentName: containerApps.outputs.environmentName
     containerRegistryName: containerApps.outputs.registryName
-    identityName: '${abbrs.managedIdentityUserAssignedIdentities}search-api-${resourceToken}'
+    identityName: searchApiIdentityName
     allowedOrigins: allowedOrigins
     containerCpuCoreCount: '1.0'
     containerMemory: '2.0Gi'
@@ -207,6 +220,19 @@ module searchApi './core/host/container-app.bicep' = {
     imageName: !empty(searchApiImageName) ? searchApiImageName : 'nginx:latest'
     targetPort: 3000
   }
+  dependsOn: [
+    searchApiIdentity
+  ]
+}
+
+// Indexer API identity
+module indexerApiIdentity 'core/security/managed-identity.bicep' = {
+  name: 'indexer-api-identity'
+  scope: resourceGroup
+  params: {
+    name: indexerApiIdentityName
+    location: location
+  }
 }
 
 // The indexer API
@@ -219,7 +245,7 @@ module indexerApi './core/host/container-app.bicep' = {
     tags: union(tags, { 'azd-service-name': indexerApiName })
     containerAppsEnvironmentName: containerApps.outputs.environmentName
     containerRegistryName: containerApps.outputs.registryName
-    identityName: '${abbrs.managedIdentityUserAssignedIdentities}indexer-api-${resourceToken}'
+    identityName: indexerApiIdentityName
     containerCpuCoreCount: '1.0'
     containerMemory: '2.0Gi'
     secrets: [
@@ -273,6 +299,9 @@ module indexerApi './core/host/container-app.bicep' = {
     imageName: !empty(indexerApiImageName) ? indexerApiImageName : 'nginx:latest'
     targetPort: 3001
   }
+  dependsOn: [
+    indexerApiIdentity
+  ]
 }
 
 module openAi 'core/ai/cognitiveservices.bicep' = {
@@ -505,3 +534,6 @@ output INDEXER_API_URI string = indexerApi.outputs.uri
 
 output ALLOWED_ORIGINS string = join(allowedOrigins, ',')
 output BACKEND_URI string = !empty(backendUri) ? backendUri : searchApi.outputs.uri
+
+output INDEXER_PRINCIPAL_ID string = indexerApi.outputs.identityPrincipalId
+output SEARCH_API_PRINCIPAL_ID string = searchApi.outputs.identityPrincipalId