updating logic for managedidentity

tony-box · Jul 22, 2024 · 9462f75 · 9462f75
1 parent 07b3aaa
commit 9462f75
Show file tree

Hide file tree

Showing 24 changed files with 122 additions and 137 deletions.
diff --git a/avm/res/api-management/service/README.md b/avm/res/api-management/service/README.md
@@ -49,7 +49,7 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-2-using-only-defaults)
 - [Deploying a Developer SKU](#example-3-deploying-a-developer-sku)
 - [Using large parameter set](#example-4-using-large-parameter-set)
-- [Deploying an APIM v2 sku.](#example-5-deploying-an-apim-v2-sku)
+- [Deploying an APIM v2 sku](#example-5-deploying-an-apim-v2-sku)
 - [WAF-aligned](#example-6-waf-aligned)
 
 ### Example 1: _Deploying a Consumption SKU_
@@ -71,9 +71,6 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     publisherName: 'az-amorg-x-001'
     // Non-required parameters
     location: '<location>'
-    managedIdentities: {
-      systemAssigned: true
-    }
     sku: 'Consumption'
   }
 }
@@ -105,11 +102,6 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     "location": {
       "value": "<location>"
     },
-    "managedIdentities": {
-      "value": {
-        "systemAssigned": true
-      }
-    },
     "sku": {
       "value": "Consumption"
     }
@@ -139,9 +131,6 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     publisherName: 'az-amorg-x-001'
     // Non-required parameters
     location: '<location>'
-    managedIdentities: {
-      systemAssigned: true
-    }
     tags: {
       Environment: 'Non-Prod'
       'hidden-title': 'This is visible in the resource name'
@@ -177,11 +166,6 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     "location": {
       "value": "<location>"
     },
-    "managedIdentities": {
-      "value": {
-        "systemAssigned": true
-      }
-    },
     "tags": {
       "value": {
         "Environment": "Non-Prod",
@@ -215,9 +199,6 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     publisherName: 'az-amorg-x-001'
     // Non-required parameters
     location: '<location>'
-    managedIdentities: {
-      systemAssigned: true
-    }
     sku: 'Developer'
   }
 }
@@ -249,11 +230,6 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     "location": {
       "value": "<location>"
     },
-    "managedIdentities": {
-      "value": {
-        "systemAssigned": true
-      }
-    },
     "sku": {
       "value": "Developer"
     }
@@ -756,7 +732,7 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
 </details>
 <p>
 
-### Example 5: _Deploying an APIM v2 sku._
+### Example 5: _Deploying an APIM v2 sku_
 
 This instance deploys the module using a v2 SKU.
 
@@ -775,9 +751,6 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     publisherName: 'az-amorg-x-001'
     // Non-required parameters
     location: '<location>'
-    managedIdentities: {
-      systemAssigned: true
-    }
     sku: 'BasicV2'
   }
 }
@@ -809,11 +782,6 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     "location": {
       "value": "<location>"
     },
-    "managedIdentities": {
-      "value": {
-        "systemAssigned": true
-      }
-    },
     "sku": {
       "value": "BasicV2"
     }
@@ -952,7 +920,7 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
       }
     ]
     managedIdentities: {
-      systemAssigned: true
+      systemAssigned: false
       userAssignedResourceIds: [
         '<managedIdentityResourceId>'
       ]
@@ -1178,7 +1146,7 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
     },
     "managedIdentities": {
       "value": {
-        "systemAssigned": true,
+        "systemAssigned": false,
         "userAssignedResourceIds": [
           "<managedIdentityResourceId>"
         ]
@@ -1307,7 +1275,7 @@ module service 'br/public:avm/res/api-management/service:<version>' = {
 | [`location`](#parameter-location) | string | Location for all Resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`loggers`](#parameter-loggers) | array | Loggers. |
-| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
+| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Will default to "SystemAssigned" if not set. |
 | [`minApiVersion`](#parameter-minapiversion) | string | Limit control plane API calls to API Management service with version equal to or newer than this value. |
 | [`namedValues`](#parameter-namedvalues) | array | Named values. |
 | [`newGuidValue`](#parameter-newguidvalue) | string | Necessary to create a new GUID. |
@@ -1678,7 +1646,7 @@ Loggers.
 
 ### Parameter: `managedIdentities`
 
-The managed identity definition for this resource.
+The managed identity definition for this resource. Will default to "SystemAssigned" if not set.
 
 - Required: No
 - Type: object
@@ -1687,9 +1655,17 @@ The managed identity definition for this resource.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`disabled`](#parameter-managedidentitiesdisabled) | bool | Fully disables mmanaged identities. This will override any other managed identity settings. |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
 | [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
 
+### Parameter: `managedIdentities.disabled`
+
+Fully disables mmanaged identities. This will override any other managed identity settings.
+
+- Required: No
+- Type: bool
+
 ### Parameter: `managedIdentities.systemAssigned`
 
 Enables system assigned managed identity on the resource.

diff --git a/avm/res/api-management/service/api-version-set/main.json b/avm/res/api-management/service/api-version-set/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "2869637630248924190"
+      "version": "0.29.45.22436",
+      "templateHash": "3139718499935798111"
     },
     "name": "API Management Service API Version Sets",
     "description": "This module deploys an API Management Service API Version Set.",

diff --git a/avm/res/api-management/service/api/diagnostics/main.json b/avm/res/api-management/service/api/diagnostics/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "15990218139655805007"
+      "version": "0.29.45.22436",
+      "templateHash": "9019833562516407010"
     },
     "name": "API Management Service APIs Diagnostics.",
     "description": "This module deploys an API Management Service API Diagnostics.",

diff --git a/avm/res/api-management/service/api/main.json b/avm/res/api-management/service/api/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "4127687153063244658"
+      "version": "0.29.45.22436",
+      "templateHash": "176309181102004003"
     },
     "name": "API Management Service APIs",
     "description": "This module deploys an API Management Service API.",
@@ -281,8 +281,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.28.1.47646",
-              "templateHash": "5034167782203178970"
+              "version": "0.29.45.22436",
+              "templateHash": "4248825957413244278"
             },
             "name": "API Management Service APIs Policies",
             "description": "This module deploys an API Management Service API Policy.",
@@ -428,8 +428,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.28.1.47646",
-              "templateHash": "15990218139655805007"
+              "version": "0.29.45.22436",
+              "templateHash": "9019833562516407010"
             },
             "name": "API Management Service APIs Diagnostics.",
             "description": "This module deploys an API Management Service API Diagnostics.",

diff --git a/avm/res/api-management/service/api/policy/main.json b/avm/res/api-management/service/api/policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "5034167782203178970"
+      "version": "0.29.45.22436",
+      "templateHash": "4248825957413244278"
     },
     "name": "API Management Service APIs Policies",
     "description": "This module deploys an API Management Service API Policy.",

diff --git a/avm/res/api-management/service/authorization-server/main.json b/avm/res/api-management/service/authorization-server/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "17095671534556603009"
+      "version": "0.29.45.22436",
+      "templateHash": "10419284544257412745"
     },
     "name": "API Management Service Authorization Servers",
     "description": "This module deploys an API Management Service Authorization Server.",

diff --git a/avm/res/api-management/service/backend/main.json b/avm/res/api-management/service/backend/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "1411324864869146839"
+      "version": "0.29.45.22436",
+      "templateHash": "17752229720870672683"
     },
     "name": "API Management Service Backends",
     "description": "This module deploys an API Management Service Backend.",

diff --git a/avm/res/api-management/service/cache/main.json b/avm/res/api-management/service/cache/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "8223409608484938303"
+      "version": "0.29.45.22436",
+      "templateHash": "7911321501814037020"
     },
     "name": "API Management Service Caches",
     "description": "This module deploys an API Management Service Cache.",

diff --git a/avm/res/api-management/service/identity-provider/main.json b/avm/res/api-management/service/identity-provider/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "834622836195899034"
+      "version": "0.29.45.22436",
+      "templateHash": "15535011628237551858"
     },
     "name": "API Management Service Identity Providers",
     "description": "This module deploys an API Management Service Identity Provider.",

diff --git a/avm/res/api-management/service/loggers/main.json b/avm/res/api-management/service/loggers/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "11123719171758533120"
+      "version": "0.29.45.22436",
+      "templateHash": "11491591556941544130"
     },
     "name": "API Management Service Loggers",
     "description": "This module deploys an API Management Service Logger.",

diff --git a/avm/res/api-management/service/main.bicep b/avm/res/api-management/service/main.bicep
@@ -36,7 +36,7 @@ param enableClientCertificate bool = false
 @description('Optional. Custom hostname configuration of the API Management service.')
 param hostnameConfigurations array = []
 
-@description('Optional. The managed identity definition for this resource.')
+@description('Optional. The managed identity definition for this resource. Will default to "SystemAssigned" if not set.')
 param managedIdentities managedIdentitiesType
 
 @description('Optional. Location for all Resources.')
@@ -152,14 +152,24 @@ var formattedUserAssignedIdentities = reduce(
   (cur, next) => union(cur, next)
 ) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
 
-var identity = !empty(managedIdentities)
+var identity = !empty(managedIdentities) && managedIdentities.?disabled == true
   ? {
-      type: (managedIdentities.?systemAssigned ?? false)
-        ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned')
-        : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : 'None')
-      userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
+      type: 'None'
+      userAssignedIdentities: null
     }
-  : null
+  : !empty(managedIdentities) && managedIdentities.?disabled == false
+      ? {
+          type: (managedIdentities.?systemAssigned ?? false)
+            ? (!empty(managedIdentities.?userAssignedResourceIds ?? {})
+                ? 'SystemAssigned,UserAssigned'
+                : 'SystemAssigned')
+            : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : 'None')
+          userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
+        }
+      : {
+          type: 'SystemAssigned'
+          userAssignedIdentities: null
+        }
 
 var builtInRoleNames = {
   'API Management Developer Portal Content Editor': subscriptionResourceId(
@@ -596,6 +606,9 @@ type managedIdentitiesType = {
 
   @description('Optional. The resource ID(s) to assign to the resource.')
   userAssignedResourceIds: string[]?
+
+  @description('Optional. Fully disables mmanaged identities. This will override any other managed identity settings.')
+  disabled: bool?
 }?
 
 type lockType = {