Merge pull request #5 from ronaldbosma/add-user-assigned-identities

Add user-assigned managed identities

Author: ronaldbosma

README.md

@@ -186,7 +186,7 @@ As mentioned in the [Overview](#overview) section, this template deploys a set o
 
 When the `includeApiManagement` parameter or the corresponding `INCLUDE_API_MANAGEMENT` environment variable is set to `true`, a Consumption tier API Management service is deployed via the [api-management.bicep](./infra/modules/services/api-management.bicep) module:
 
-- The system-assigned managed identity is enabled to provide access to other services. See the [Role Assignments](#role-assignments) section for more information.
+- Both a user-assigned managed identity and system-assigned managed identity are deployed to provide access to other services. See the [Role Assignments](#role-assignments) section for more information.
 - The primary key of the default `master` subscription is stored in a Key Vault secret called `apim-master-subscription-key`. This key can be used, for example, by the Function App to access APIs hosted on API Management.
 - The deployment also includes backends for the Service Bus (\*), various Storage Account endpoints and the Event Hubs namespace (\*).  
   _Note: The `*` indicates that the backend is only deployed if the corresponding service is included._
@@ -198,7 +198,7 @@ When the `includeFunctionApp` parameter or the corresponding `INCLUDE_FUNCTION_A
 
 - The `Y1` (Consumption) pricing tier is used. 
 - The worker runtime is configured to .NET 9 isolated. 
-- The system-assigned managed identity is enabled to provide access to other services. See the [Role Assignments](#role-assignments) section for more information.
+- Both a user-assigned managed identity and system-assigned managed identity are deployed to provide access to other services. See the [Role Assignments](#role-assignments) section for more information.
 
 The following app settings (environment variables) are configured to facilitate connections to other services.
 
@@ -223,7 +223,7 @@ When the `includeLogicApp` parameter or the corresponding `INCLUDE_LOGIC_APP` en
 
 - The `WS1` (Workflow Standard) pricing tier is used. 
 - The worker runtime is configured to .NET 9 to enable the use of [custom .NET code](https://learn.microsoft.com/en-us/azure/logic-apps/create-run-custom-code-functions). 
-- The system-assigned managed identity is enabled and provides access to other services. See the [Role Assignments](#role-assignments) section for more information.
+- Both a user-assigned managed identity and system-assigned managed identity are deployed to provide access to other services. See the [Role Assignments](#role-assignments) section for more information.
 
 The following app settings (environment variables) are configured to facilitate connections to other services. These are used in the [connections.json](./src/logicApp/connections.json) file of the sample application.
 
@@ -250,7 +250,7 @@ When the `includeEventHubsNamespace` parameter or the corresponding `INCLUDE_EVE
 
 #### Role Assignments
 
-The [assign-roles-to-principal.bicep](./infra/modules/shared/assign-roles-to-principal.bicep) module is used to assign roles to the principal of the deployer and to the system-assigned managed identity of API Management, the Function App and Logic App. These role assignments are:
+The [assign-roles-to-principal.bicep](./infra/modules/shared/assign-roles-to-principal.bicep) module is used to assign roles to the principal of the deployer and to the user-assigned & system-assigned managed identities of API Management, the Function App and Logic App. These role assignments are:
 
 - Event Hubs namespace roles:
   - Azure Event Hubs Data Receiver

azure.yaml

@@ -2,7 +2,7 @@
 
 name: azure-integration-services-quickstart
 metadata:
-  template: tdd-azure-integration-services-quickstart@1.1.0
+  template: tdd-azure-integration-services-quickstart@1.2.0
 services:
   functionApp:
     project: ./src/functionApp

images/deployed-resources.png

@@ -59,6 +59,7 @@ var resourceGroupName = getResourceName('resourceGroup', environmentName, locati
 
 var apiManagementSettings = !includeApiManagement ? null : {
   serviceName: getResourceName('apiManagement', environmentName, location, instanceId)
+  identityName: getResourceName('managedIdentity', environmentName, location, 'apim-${instanceId}')
   publisherName: '[email protected]'
   publisherEmail: '[email protected]'
 }
@@ -75,12 +76,14 @@ var eventHubSettings = !includeEventHubsNamespace ? null : {
 
 var functionAppSettings = !includeFunctionApp ? null : {
   functionAppName: getResourceName('functionApp', environmentName, location, instanceId)
+  identityName: getResourceName('managedIdentity', environmentName, location, 'functionapp-${instanceId}')
   appServicePlanName: getResourceName('appServicePlan', environmentName, location, 'functionapp-${instanceId}')
   netFrameworkVersion: 'v9.0'
 }
 
 var logicAppSettings = !includeLogicApp ? null : {
   logicAppName: getResourceName('logicApp', environmentName, location, instanceId)
+  identityName: getResourceName('managedIdentity', environmentName, location, 'logicapp-${instanceId}')
   appServicePlanName: getResourceName('appServicePlan', environmentName, location, 'logicapp-${instanceId}')
   netFrameworkVersion: 'v9.0'
 }

infra/main.bicep

@@ -66,6 +66,26 @@ resource masterSubscription 'Microsoft.ApiManagement/service/subscriptions@2023-
 // Resources
 //=============================================================================
 
+// Create API Management user-assigned identity and assign roles to it
+
+resource apimIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = {
+  name: apiManagementSettings.identityName
+  location: location
+  tags: tags
+}
+
+module assignRolesToApimUserAssignedIdentity '../shared/assign-roles-to-principal.bicep' = {
+  name: 'assignRolesToApimUserAssignedIdentity'
+  params: {
+    principalId: apimIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+    eventHubSettings: eventHubSettings
+    keyVaultName: keyVaultName
+    serviceBusSettings: serviceBusSettings
+    storageAccountName: storageAccountName
+  }
+}
+
 // API Management - Consumption tier (see also: https://learn.microsoft.com/en-us/azure/api-management/quickstart-bicep?tabs=CLI)
 
 resource apiManagementService 'Microsoft.ApiManagement/service@2023-09-01-preview' = {
@@ -81,7 +101,10 @@ resource apiManagementService 'Microsoft.ApiManagement/service@2023-09-01-previe
     publisherEmail: apiManagementSettings.publisherEmail
   }
   identity: {
-    type: 'SystemAssigned'
+    type: 'SystemAssigned, UserAssigned'
+    userAssignedIdentities: {
+      '${apimIdentity.id}': {}
+    }
   }
 }
 

infra/modules/services/api-management.bicep

@@ -107,6 +107,26 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing
 // Resources
 //=============================================================================
 
+// Create Function App user-assigned identity and assign roles to it
+
+resource functionAppIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = {
+  name: functionAppSettings.identityName
+  location: location
+  tags: tags
+}
+
+module assignRolesToFunctionAppUserAssignedIdentity '../shared/assign-roles-to-principal.bicep' = {
+  name: 'assignRolesToFunctionAppUserAssignedIdentity'
+  params: {
+    principalId: functionAppIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+    eventHubSettings: eventHubSettings
+    keyVaultName: keyVaultName
+    serviceBusSettings: serviceBusSettings
+    storageAccountName: storageAccountName
+  }
+}
+
 // Create the App Service Plan for the Function App
 
 resource hostingPlan 'Microsoft.Web/serverfarms@2024-04-01' = {
@@ -130,7 +150,10 @@ resource functionApp 'Microsoft.Web/sites@2024-04-01' = {
   tags: serviceTags
   kind: 'functionapp'
   identity: {
-    type: 'SystemAssigned'
+    type: 'SystemAssigned, UserAssigned'
+    userAssignedIdentities: {
+      '${functionAppIdentity.id}': {}
+    }
   }
   properties: {
     serverFarmId: hostingPlan.id

infra/modules/services/function-app.bicep

@@ -110,6 +110,26 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing
 // Resources
 //=============================================================================
 
+// Create Logic App user-assigned identity and assign roles to it
+
+resource logicAppIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = {
+  name: logicAppSettings.identityName
+  location: location
+  tags: tags
+}
+
+module assignRolesToLogicAppUserAssignedIdentity '../shared/assign-roles-to-principal.bicep' = {
+  name: 'assignRolesToLogicAppUserAssignedIdentity'
+  params: {
+    principalId: logicAppIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+    eventHubSettings: eventHubSettings
+    keyVaultName: keyVaultName
+    serviceBusSettings: serviceBusSettings
+    storageAccountName: storageAccountName
+  }
+}
+
 // Create the App Service Plan for the Logic App
 
 resource hostingPlan 'Microsoft.Web/serverfarms@2024-04-01' = {
@@ -135,7 +155,10 @@ resource logicApp 'Microsoft.Web/sites@2024-04-01' = {
   tags: serviceTags
   kind: 'functionapp,workflowapp'
   identity: {
-    type: 'SystemAssigned'
+    type: 'SystemAssigned, UserAssigned'
+    userAssignedIdentities: {
+      '${logicAppIdentity.id}': {}
+    }
   }
   properties: {
     serverFarmId: hostingPlan.id

infra/modules/services/logic-app.bicep

@@ -16,6 +16,9 @@ import { eventHubSettingsType, serviceBusSettingsType } from '../../types/settin
 @description('The id of the principal that will be assigned the roles')
 param principalId string
 
+@description('The type of the principal that will be assigned the roles')
+param principalType string?
+
 @description('The flag to determine if the principal is an admin or not')
 param isAdmin bool = false
 
@@ -85,44 +88,48 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing
 
 // Assign role on Event Hubs namespace to the principal (if Event Hubs namespace is included)
 
-resource assignRolesOnEventHubNamespaceToManagedIdentity 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in eventHubRoles: if (eventHubSettings != null) {
+resource assignRolesOnEventHubNamespaceToPrincipal 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in eventHubRoles: if (eventHubSettings != null) {
   name: guid(principalId, eventHubsNamespace.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role))
   scope: eventHubsNamespace
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
     principalId: principalId
+    principalType: principalType
   }
 }]
 
 // Assign role on Key Vault to the principal
 
-resource assignRolesOnKeyVaultToManagedIdentity 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+resource assignRolesOnKeyVaultToPrincipal 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(principalId, keyVault.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultRole))
   scope: keyVault
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultRole)
     principalId: principalId
+    principalType: principalType
   }
 }
 
 // Assign roles on Service Bus to the principal (if Service Bus is included)
 
-resource assignRolesOnServiceBusToManagedIdentity 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in serviceBusRoles: if (serviceBusSettings != null) {
+resource assignRolesOnServiceBusToPrincipal 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in serviceBusRoles: if (serviceBusSettings != null) {
   name: guid(principalId, serviceBusNamespace.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role))
   scope: serviceBusNamespace
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
     principalId: principalId
+    principalType: principalType
   }
 }]
 
 // Assign roles on Storage Account to the principal
 
-resource assignRolesOnStorageAccountToManagedIdentity 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in storageAccountRoles: {
+resource assignRolesOnStorageAccountToPrincipal 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in storageAccountRoles: {
   name: guid(principalId, storageAccount.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role))
   scope: storageAccount
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role)
     principalId: principalId
+    principalType: principalType
   }
 }]

infra/modules/shared/assign-roles-to-principal.bicep

@@ -6,6 +6,9 @@ type apiManagementSettingsType = {
   @description('The name of the API Management service')
   serviceName: string
 
+  @description('The name of the user-assigned managed identity for the API Management service')
+  identityName: string
+
   @description('The name of the owner of the API Management service')
   publisherName: string
 
@@ -48,6 +51,9 @@ type functionAppSettingsType = {
   @description('The name of the Function App')
   functionAppName: string
 
+  @description('The name of the user-assigned managed identity for the Function App')
+  identityName: string
+
   @description('The name of the App Service for the Function App')
   appServicePlanName: string
 
@@ -64,6 +70,9 @@ type logicAppSettingsType = {
   @description('The name of the Logic App')
   logicAppName: string
 
+  @description('The name of the user-assigned managed identity for the Logic App')
+  identityName: string
+
   @description('The name of the App Service for the Logic App')
   appServicePlanName: string