[Modules] Updated Managed Identity API Version and Added Federated Identity Credential (#3941)

Author: ahmadabdalla

modules/managed-identity/user-assigned-identity/.test/common/main.test.bicep

@@ -50,6 +50,16 @@ module testDeployment '../../main.bicep' = {
     enableDefaultTelemetry: enableDefaultTelemetry
     name: '${namePrefix}${serviceShort}001'
     lock: 'CanNotDelete'
+    federatedIdentityCredentials: [
+      {
+        name: 'test-fed-cred-${serviceShort}-001'
+        audiences: [
+          'api://AzureADTokenExchange'
+        ]
+        issuer: 'https://contoso.com/${subscription().tenantId}/${guid(deployment().name)}/'
+        subject: 'system:serviceaccount:default:workload-identity-sa'
+      }
+    ]
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Reader'

modules/managed-identity/user-assigned-identity/.test/min/main.test.bicep

@@ -0,0 +1,41 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.managedidentity.userassignedidentities-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'miuaimin'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  params: {
+    enableDefaultTelemetry: enableDefaultTelemetry
+  }
+}

modules/managed-identity/user-assigned-identity/README.md

@@ -16,7 +16,8 @@ This module deploys a User Assigned Identity.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.ManagedIdentity/userAssignedIdentities` | [2018-11-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2018-11-30/userAssignedIdentities) |
+| `Microsoft.ManagedIdentity/userAssignedIdentities` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2023-01-31/userAssignedIdentities) |
+| `Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2023-01-31/userAssignedIdentities/federatedIdentityCredentials) |
 
 ## Parameters
 
@@ -25,6 +26,7 @@ This module deploys a User Assigned Identity.
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` |  | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `federatedIdentityCredentials` | array | `[]` |  | The federated identity credentials list to indicate which token from the external IdP should be trusted by your application. Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object. |
 | `location` | string | `[resourceGroup().location]` |  | Location for all resources. |
 | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `name` | string | `[guid(resourceGroup().id)]` |  | Name of the User Assigned Identity. |
@@ -165,6 +167,16 @@ module userAssignedIdentity './managed-identity/user-assigned-identity/main.bice
   name: '${uniqueString(deployment().name, location)}-test-miuaicom'
   params: {
     enableDefaultTelemetry: '<enableDefaultTelemetry>'
+    federatedIdentityCredentials: [
+      {
+        audiences: [
+          'api://AzureADTokenExchange'
+        ]
+        issuer: '<issuer>'
+        name: 'test-fed-cred-miuaicom-001'
+        subject: 'system:serviceaccount:default:workload-identity-sa'
+      }
+    ]
     lock: 'CanNotDelete'
     name: 'miuaicom001'
     roleAssignments: [
@@ -200,6 +212,18 @@ module userAssignedIdentity './managed-identity/user-assigned-identity/main.bice
     "enableDefaultTelemetry": {
       "value": "<enableDefaultTelemetry>"
     },
+    "federatedIdentityCredentials": {
+      "value": [
+        {
+          "audiences": [
+            "api://AzureADTokenExchange"
+          ],
+          "issuer": "<issuer>",
+          "name": "test-fed-cred-miuaicom-001",
+          "subject": "system:serviceaccount:default:workload-identity-sa"
+        }
+      ]
+    },
     "lock": {
       "value": "CanNotDelete"
     },
@@ -230,3 +254,40 @@ module userAssignedIdentity './managed-identity/user-assigned-identity/main.bice
 
 </details>
 <p>
+
+<h3>Example 2: Min</h3>
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module userAssignedIdentity './managed-identity/user-assigned-identity/main.bicep' = {
+  name: '${uniqueString(deployment().name, location)}-test-miuaimin'
+  params: {
+    enableDefaultTelemetry: '<enableDefaultTelemetry>'
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON Parameter file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "enableDefaultTelemetry": {
+      "value": "<enableDefaultTelemetry>"
+    }
+  }
+}
+```
+
+</details>
+<p>

modules/managed-identity/user-assigned-identity/federated-identity-credential/README.md

@@ -0,0 +1,52 @@
+# User Assigned Identity Federated Identity Credential `[Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials]`
+
+This module deploys a User Assigned Identity Federated Identity Credential.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2023-01-31/userAssignedIdentities/federatedIdentityCredentials) |
+
+## Parameters
+
+**Required parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `audiences` | array | The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token. |
+| `issuer` | string | The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged. |
+| `name` | string | The name of the secret. |
+| `subject` | string | The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. |
+
+**Conditional parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `userAssignedIdentityName` | string | The name of the parent user assigned identity. Required if the template is used in a standalone deployment. |
+
+**Optional parameters**
+
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the federated identity credential. |
+| `resourceGroupName` | string | The name of the resource group the federated identity credential was created in. |
+| `resourceId` | string | The resource ID of the federated identity credential. |
+
+## Cross-referenced modules
+
+_None_

modules/managed-identity/user-assigned-identity/federated-identity-credential/main.bicep

@@ -0,0 +1,56 @@
+metadata name = 'User Assigned Identity Federated Identity Credential'
+metadata description = 'This module deploys a User Assigned Identity Federated Identity Credential.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Conditional. The name of the parent user assigned identity. Required if the template is used in a standalone deployment.')
+param userAssignedIdentityName string
+
+@description('Required. The name of the secret.')
+param name string
+
+@description('Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token.')
+param audiences array
+
+@description('Required. The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged.')
+param issuer string
+
+@description('Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD.')
+param subject string
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: userAssignedIdentityName
+}
+
+resource federatedIdentityCredential 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
+  name: name
+  parent: userAssignedIdentity
+  properties: {
+    audiences: audiences
+    issuer: issuer
+    subject: subject
+  }
+}
+
+@description('The name of the federated identity credential.')
+output name string = federatedIdentityCredential.name
+
+@description('The resource ID of the federated identity credential.')
+output resourceId string = federatedIdentityCredential.id
+
+@description('The name of the resource group the federated identity credential was created in.')
+output resourceGroupName string = resourceGroup().name

modules/managed-identity/user-assigned-identity/federated-identity-credential/main.json

@@ -0,0 +1,102 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.20.4.51522",
+      "templateHash": "13014227007294077055"
+    },
+    "name": "User Assigned Identity Federated Identity Credential",
+    "description": "This module deploys a User Assigned Identity Federated Identity Credential.",
+    "owner": "Azure/module-maintainers"
+  },
+  "parameters": {
+    "userAssignedIdentityName": {
+      "type": "string",
+      "metadata": {
+        "description": "Conditional. The name of the parent user assigned identity. Required if the template is used in a standalone deployment."
+      }
+    },
+    "name": {
+      "type": "string",
+      "metadata": {
+        "description": "Required. The name of the secret."
+      }
+    },
+    "audiences": {
+      "type": "array",
+      "metadata": {
+        "description": "Required. The list of audiences that can appear in the issued token. Should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your IdP to serve as the audience of this token."
+      }
+    },
+    "issuer": {
+      "type": "string",
+      "metadata": {
+        "description": "Required. The URL of the issuer to be trusted. Must match the issuer claim of the external token being exchanged."
+      }
+    },
+    "subject": {
+      "type": "string",
+      "metadata": {
+        "description": "Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD."
+      }
+    },
+    "enableDefaultTelemetry": {
+      "type": "bool",
+      "defaultValue": true,
+      "metadata": {
+        "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)."
+      }
+    }
+  },
+  "resources": [
+    {
+      "condition": "[parameters('enableDefaultTelemetry')]",
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2021-04-01",
+      "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]",
+      "properties": {
+        "mode": "Incremental",
+        "template": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "1.0.0.0",
+          "resources": []
+        }
+      }
+    },
+    {
+      "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
+      "apiVersion": "2023-01-31",
+      "name": "[format('{0}/{1}', parameters('userAssignedIdentityName'), parameters('name'))]",
+      "properties": {
+        "audiences": "[parameters('audiences')]",
+        "issuer": "[parameters('issuer')]",
+        "subject": "[parameters('subject')]"
+      }
+    }
+  ],
+  "outputs": {
+    "name": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the federated identity credential."
+      },
+      "value": "[parameters('name')]"
+    },
+    "resourceId": {
+      "type": "string",
+      "metadata": {
+        "description": "The resource ID of the federated identity credential."
+      },
+      "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentityName'), parameters('name'))]"
+    },
+    "resourceGroupName": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the resource group the federated identity credential was created in."
+      },
+      "value": "[resourceGroup().name]"
+    }
+  }
+}

modules/managed-identity/user-assigned-identity/federated-identity-credential/version.json

@@ -0,0 +1,7 @@
+{
+    "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+    "version": "0.4",
+    "pathFilters": [
+        "./main.json"
+    ]
+}