
"[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines" for a UAMI in another subscription #1297

Open
joaosa-microsoft opened this issue Mar 14, 2024 · 0 comments


@joaosa-microsoft

ISSUE TITLE:

"[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines" currently expects the UAMI's resource group name and name as parameters, with the UAMI in the same subscription, and could receive a UAMI from another subscription.

ISSUE DESCRIPTION (this template):

The "[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines" (https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Managed%20Identity/VM_UAI_DINE.json) built-in policy definition, which creates and assigns a built-in user-assigned managed identity or assigns a pre-created user-assigned managed identity at scale to virtual machines, currently takes the user-assigned managed identity name and resource group name as parameters, expecting that it is in the same subscription as the virtual machine resource. However, in a scenario where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource, it does not apply.

Therefore, the referred built-in policy definition could be modified to have the user-assigned managed identity resource URI (which contains the subscription ID) as a parameter, for instance; please find the code snippet below:

```json
{
  "mode": "Indexed",
  "parameters": {
    "userAssignedIdentityResourceId": {
      "type": "String",
      "metadata": {
        "displayName": "User-Assigned Managed Identity resource ID",
        "description": "The resource ID of the pre-created user-assigned managed identity."
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Policy Effect",
        "description": "The effect determines what happens when the policy rule is evaluated to match."
      },
      "allowedValues": [ "AuditIfNotExists", "DeployIfNotExists", "Disabled" ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Compute/virtualMachines" }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[field('name')]",
        "evaluationDelay": "AfterProvisioning",
        "deploymentScope": "subscription",
        "existenceCondition": {
          "anyOf": [
            {
              "allOf": [
                { "field": "identity.type", "contains": "UserAssigned" },
                { "field": "identity.userAssignedIdentities", "containsKey": "[parameters('userAssignedIdentityResourceId')]" }
              ]
            },
            {
              "allOf": [
                { "field": "identity.type", "equals": "UserAssigned" },
                { "value": "[string(length(field('identity.userAssignedIdentities')))]", "equals": "1" }
              ]
            }
          ]
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
          "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
        ],
        "deployment": {
          "location": "eastus",
          "properties": {
            "mode": "incremental",
            "parameters": {
              "location": { "value": "[field('location')]" },
              "userAssignedIdentityResourceId": { "value": "[parameters('userAssignedIdentityResourceId')]" },
              "vmName": { "value": "[field('name')]" },
              "vmResourceGroup": { "value": "[resourceGroup().name]" },
              "resourceId": { "value": "[field('id')]" }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
              "contentVersion": "1.0.0.1",
              "parameters": {
                "location": { "type": "string" },
                "userAssignedIdentityResourceId": { "type": "string" },
                "vmName": { "type": "string" },
                "vmResourceGroup": { "type": "string" },
                "resourceId": { "type": "string" }
              },
              "variables": {
                "userAssignedIdentityResourceId": "[parameters('userAssignedIdentityResourceId')]",
                "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]",
                "deployUserAssignedIdentity": "[concat('deployUserAssignedIdentity-', uniqueString(deployment().name))]"
              },
              "resources": [
                {
                  "type": "Microsoft.Resources/deployments",
                  "apiVersion": "2020-06-01",
                  "name": "[variables('deployGetResourceProperties')]",
                  "location": "eastus",
                  "properties": {
                    "mode": "Incremental",
                    "template": {
                      "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "resources": [],
                      "outputs": {
                        "resource": {
                          "type": "object",
                          "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]"
                        }
                      }
                    }
                  }
                },
                {
                  "type": "Microsoft.Resources/deployments",
                  "apiVersion": "2020-06-01",
                  "name": "[concat(variables('deployUserAssignedIdentity'))]",
                  "resourceGroup": "[parameters('vmResourceGroup')]",
                  "properties": {
                    "mode": "Incremental",
                    "expressionEvaluationOptions": { "scope": "inner" },
                    "parameters": {
                      "userAssignedIdentityResourceId": { "value": "[parameters('userAssignedIdentityResourceId')]" },
                      "vmName": { "value": "[parameters('vmName')]" },
                      "location": { "value": "[parameters('location')]" },
                      "identityType": { "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" },
                      "userAssignedIdentities": { "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" }
                    },
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "userAssignedIdentityResourceId": { "type": "string" },
                        "vmName": { "type": "string" },
                        "location": { "type": "string" },
                        "identityType": { "type": "string" },
                        "userAssignedIdentities": { "type": "object" }
                      },
                      "variables": {
                        "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]",
                        "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('userAssignedIdentityResourceId'), createObject()))]",
                        "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]"
                      },
                      "resources": [
                        {
                          "condition": "[not(variables('resourceWithSingleUAI'))]",
                          "apiVersion": "2019-07-01",
                          "type": "Microsoft.Compute/virtualMachines",
                          "name": "[parameters('vmName')]",
                          "location": "[parameters('location')]",
                          "identity": {
                            "type": "[variables('identityTypeValue')]",
                            "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]"
                          }
                        }
                      ]
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}
```
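The existence check the proposed definition relies on, re-implemented locally so it can be exercised against sample VM identity blocks and so a resource-ID parameter can be validated and flagged as cross-subscription before assignment. This is an added example, not code from the issue or from the azure-policy repository; the helpers parse_resource_id, validate_uami_id, is_cross_subscription and vm_is_compliant are hypothetical, and the case-insensitive key comparison is an assumption about how containsKey behaves.

```python
import re
from typing import Optional

# Constructed helpers (not part of the policy definition) that mirror the proposed
# existenceCondition and flag the issue's scenario: a UAMI in another subscription.
_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

def parse_resource_id(resource_id: str) -> dict:
    """Split a top-level ARM resource ID into its parts; reject anything else."""
    m = _ID_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a top-level ARM resource ID: {resource_id}")
    return m.groupdict()

def validate_uami_id(uami_id: str) -> dict:
    """Accept only Microsoft.ManagedIdentity/userAssignedIdentities resource IDs."""
    parts = parse_resource_id(uami_id)
    kind = (parts["ns"].lower(), parts["type"].lower())
    if kind != ("microsoft.managedidentity", "userassignedidentities"):
        raise ValueError("parameter must reference a user-assigned managed identity")
    return parts

def is_cross_subscription(vm_id: str, uami_id: str) -> bool:
    """True when the UAMI lives in a different subscription than the VM."""
    vm_sub = parse_resource_id(vm_id)["sub"].lower()
    return vm_sub != validate_uami_id(uami_id)["sub"].lower()

def vm_is_compliant(identity: Optional[dict], uami_id: str) -> bool:
    """Local re-implementation of the proposed existenceCondition (anyOf two allOf branches)."""
    if not identity:
        return False
    itype = identity.get("type", "")
    uais = identity.get("userAssignedIdentities") or {}
    # Assumption: containsKey compares resource IDs case-insensitively, like other
    # policy string conditions; ARM is not consistent about the casing of IDs.
    has_key = any(k.lower() == uami_id.lower() for k in uais)
    branch_a = "UserAssigned" in itype and has_key
    # Second branch: a VM already carrying exactly one UAMI is treated as compliant
    # even when that UAMI is not the one named in the parameter.
    branch_b = itype == "UserAssigned" and len(uais) == 1
    return branch_a or branch_b
```

Note that the second branch means a VM with a single unrelated UAMI is never remediated; that is the proposal's behaviour, mirrored here so it shows up in the local check.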
