-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathModule-managedIdentity.bicep
More file actions
51 lines (40 loc) · 2.17 KB
/
Copy pathModule-managedIdentity.bicep
File metadata and controls
51 lines (40 loc) · 2.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
targetScope = 'resourceGroup'
@description('Name of the user-assigned managed identity.')
param managedIdentityName string
@description('Optional flag to lock the managed identity from deletion. Lock created only with federated credential.')
param managedIdentityLockDelete bool = true
@description('Optional federated credential name. Leave empty to skip creation.')
param federatedCredentialName string = ''
@description('Optional federated credential token issuer URL.')
param federatedCredentialIssuer string = ''
@description('Optional federated credential subject claim.')
param federatedCredentialSubject string = ''
@description('Optional federated credential audiences. Defaults to api://AzureADTokenExchange.')
param federatedCredentialAudiences string[] = []
var shouldCreateFederatedCredential = !empty(federatedCredentialName) && !empty(federatedCredentialIssuer) && !empty(federatedCredentialSubject)
var resolvedAudiences = length(federatedCredentialAudiences) > 0 ? federatedCredentialAudiences : ['api://AzureADTokenExchange']
resource devOpsIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = {
name: managedIdentityName
location: resourceGroup().location
}
resource devOpsFederatedCredential 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2024-11-30' = if (shouldCreateFederatedCredential) {
name: federatedCredentialName
parent: devOpsIdentity
properties: {
issuer: federatedCredentialIssuer
subject: federatedCredentialSubject
audiences: resolvedAudiences
}
}
resource devOpsIdentityLock 'Microsoft.Authorization/locks@2020-05-01' = if (managedIdentityLockDelete && shouldCreateFederatedCredential) {
name: 'used by DevOps'
scope: devOpsIdentity
properties: {
level: 'CanNotDelete'
notes: 'Managed identity lock for federated credential: ${federatedCredentialName}'
}
}
output resourceId string = devOpsIdentity.id
output clientId string = devOpsIdentity.properties.clientId
output principalId string = devOpsIdentity.properties.principalId
output federatedCredentialName string = shouldCreateFederatedCredential ? devOpsFederatedCredential.name : ''