Updated Deployment Script module

Azure · Oct 23, 2023 · b74a86d · b74a86d
1 parent 69648d7
commit b74a86d
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 41 deletions.
diff --git a/modules/resources/deployment-script/.test/cli/main.test.bicep b/modules/resources/deployment-script/.test/cli/main.test.bicep
@@ -58,8 +58,10 @@ module testDeployment '../../main.bicep' = {
     scriptContent: 'echo \'echo echo echo\''
     storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
     timeout: 'PT30M'
-    userAssignedIdentities: {
-      '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+    managedIdentities: {
+      userAssignedResourcesIds: [
+        nestedDependencies.outputs.managedIdentityResourceId
+      ]
     }
     tags: {
       'hidden-title': 'This is visible in the resource name'

diff --git a/modules/resources/deployment-script/.test/ps/main.test.bicep b/modules/resources/deployment-script/.test/ps/main.test.bicep
@@ -62,8 +62,10 @@ module testDeployment '../../main.bicep' = {
     scriptContent: 'Write-Host \'The cake is a lie!\''
     storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId
     timeout: 'PT30M'
-    userAssignedIdentities: {
-      '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+    managedIdentities: {
+      userAssignedResourcesIds: [
+        nestedDependencies.outputs.managedIdentityResourceId
+      ]
     }
     tags: {
       'hidden-title': 'This is visible in the resource name'

diff --git a/modules/resources/deployment-script/README.md b/modules/resources/deployment-script/README.md
@@ -57,6 +57,11 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
       ]
     }
     kind: 'AzureCLI'
+    managedIdentities: {
+      userAssignedResourcesIds: [
+        '<managedIdentityResourceId>'
+      ]
+    }
     retentionInterval: 'P1D'
     runOnce: false
     scriptContent: 'echo \'echo echo echo\''
@@ -67,9 +72,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
       Role: 'DeploymentValidation'
     }
     timeout: 'PT30M'
-    userAssignedIdentities: {
-      '<managedIdentityResourceId>': {}
-    }
   }
 }
 ```
@@ -117,6 +119,13 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
     "kind": {
       "value": "AzureCLI"
     },
+    "managedIdentities": {
+      "value": {
+        "userAssignedResourcesIds": [
+          "<managedIdentityResourceId>"
+        ]
+      }
+    },
     "retentionInterval": {
       "value": "P1D"
     },
@@ -138,11 +147,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
     },
     "timeout": {
       "value": "PT30M"
-    },
-    "userAssignedIdentities": {
-      "value": {
-        "<managedIdentityResourceId>": {}
-      }
     }
   }
 }
@@ -172,6 +176,11 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
       kind: 'CanNotDelete'
       name: 'myCustomLockName'
     }
+    managedIdentities: {
+      userAssignedResourcesIds: [
+        '<managedIdentityResourceId>'
+      ]
+    }
     retentionInterval: 'P1D'
     runOnce: false
     scriptContent: 'Write-Host \'The cake is a lie!\''
@@ -182,9 +191,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
       Role: 'DeploymentValidation'
     }
     timeout: 'PT30M'
-    userAssignedIdentities: {
-      '<managedIdentityResourceId>': {}
-    }
   }
 }
 ```
@@ -224,6 +230,13 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
         "name": "myCustomLockName"
       }
     },
+    "managedIdentities": {
+      "value": {
+        "userAssignedResourcesIds": [
+          "<managedIdentityResourceId>"
+        ]
+      }
+    },
     "retentionInterval": {
       "value": "P1D"
     },
@@ -245,11 +258,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
     },
     "timeout": {
       "value": "PT30M"
-    },
-    "userAssignedIdentities": {
-      "value": {
-        "<managedIdentityResourceId>": {}
-      }
     }
   }
 }
@@ -281,6 +289,7 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
 | [`kind`](#parameter-kind) | string | Type of the script. AzurePowerShell, AzureCLI. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
+| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
 | [`primaryScriptUri`](#parameter-primaryscripturi) | string | Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. |
 | [`retentionInterval`](#parameter-retentioninterval) | string | Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). |
 | [`runOnce`](#parameter-runonce) | bool | When set to false, script will run every time the template is deployed. When set to true, the script will only run once. |
@@ -289,7 +298,6 @@ module deploymentScript 'br:bicep/modules/resources.deployment-script:1.0.0' = {
 | [`supportingScriptUris`](#parameter-supportingscripturis) | array | List of supporting files for the external script (defined in primaryScriptUri). Does not work with internal scripts (code defined in scriptContent). |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`timeout`](#parameter-timeout) | string | Maximum allowed script execution time specified in ISO 8601 format. Default value is PT1H - 1 hour; 'PT30M' - 30 minutes; 'P5D' - 5 days; 'P1Y' 1 year. |
-| [`userAssignedIdentities`](#parameter-userassignedidentities) | object | The ID(s) to assign to the resource. |
 
 **Generated parameters**
 
@@ -396,6 +404,24 @@ Optional. Specify the name of lock.
 - Required: No
 - Type: string
 
+### Parameter: `managedIdentities`
+
+The managed identity definition for this resource.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | Yes | array | Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
+
+### Parameter: `managedIdentities.userAssignedResourcesIds`
+
+Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.
+
+- Required: Yes
+- Type: array
+
 ### Parameter: `name`
 
 Display name of the script to be run.
@@ -458,13 +484,6 @@ Maximum allowed script execution time specified in ISO 8601 format. Default valu
 - Type: string
 - Default: `'PT1H'`
 
-### Parameter: `userAssignedIdentities`
-
-The ID(s) to assign to the resource.
-- Required: No
-- Type: object
-- Default: `{object}`
-
 
 ## Outputs
 

diff --git a/modules/resources/deployment-script/main.bicep b/modules/resources/deployment-script/main.bicep
@@ -5,8 +5,8 @@ metadata owner = 'Azure/module-maintainers'
 @description('Required. Display name of the script to be run.')
 param name string
 
-@description('Optional. The ID(s) to assign to the resource.')
-param userAssignedIdentities object = {}
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentitiesType
 
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
@@ -79,11 +79,11 @@ var containerSettings = {
   containerGroupName: containerGroupName
 }
 
-var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
+var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = identityType != 'None' ? {
-  type: identityType
-  userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+var identity = !empty(managedIdentities) ? {
+  type: !empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null
+  userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
 } : null
 
 var storageAccountSettings = !empty(storageAccountResourceId) ? {
@@ -154,6 +154,11 @@ output outputs object = contains(deploymentScript.properties, 'outputs') ? deplo
 //   Definitions   //
 // =============== //
 
+type managedIdentitiesType = {
+  @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
+  userAssignedResourcesIds: string[]
+}?
+
 type lockType = {
   @description('Optional. Specify the name of lock.')
   name: string?

diff --git a/modules/resources/deployment-script/main.json b/modules/resources/deployment-script/main.json
@@ -6,13 +6,28 @@
     "_generator": {
       "name": "bicep",
       "version": "0.22.6.54827",
-      "templateHash": "2858511394966028740"
+      "templateHash": "16512891187654531738"
     },
     "name": "Deployment Scripts",
     "description": "This module deploys a Deployment Script.",
     "owner": "Azure/module-maintainers"
   },
   "definitions": {
+    "managedIdentitiesType": {
+      "type": "object",
+      "properties": {
+        "userAssignedResourcesIds": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "metadata": {
+            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
+          }
+        }
+      },
+      "nullable": true
+    },
     "lockType": {
       "type": "object",
       "properties": {
@@ -46,11 +61,10 @@
         "description": "Required. Display name of the script to be run."
       }
     },
-    "userAssignedIdentities": {
-      "type": "object",
-      "defaultValue": {},
+    "managedIdentities": {
+      "$ref": "#/definitions/managedIdentitiesType",
       "metadata": {
-        "description": "Optional. The ID(s) to assign to the resource."
+        "description": "Optional. The managed identity definition for this resource."
       }
     },
     "location": {
@@ -199,8 +213,8 @@
     "containerSettings": {
       "containerGroupName": "[parameters('containerGroupName')]"
     },
-    "identityType": "[if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None')]",
-    "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]"
+    "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
+    "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null()), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]"
   },
   "resources": {
     "defaultTelemetry": {