Merge pull request #94 from hund030/main

Allow assigning role to service principal
Azure-Samples · Jul 30, 2024 · b2581e8 · b2581e8
2 parents da31834 + f568113
commit b2581e8
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 25 deletions.
diff --git a/deploy/aca/infra/main.bicep b/deploy/aca/infra/main.bicep
@@ -83,8 +83,10 @@ param webAppExists bool = false
 param indexerAppExists bool = false
 
 
-@description('Id of the user to assign application roles for CLI to ingest documents')
-param userPrincipalId string = ''
+@description('Id of the user or app to assign application roles for CLI to ingest documents')
+param principalId string = ''
+@description('Type of the principal. Valid values: User,ServicePrincipal')
+param principalType string = 'User'
 
 @description('Use Application Insights for monitoring and performance tracing')
 param useApplicationInsights bool = false
@@ -413,69 +415,69 @@ module openAiRoleUser '../../shared/security/role.bicep'  = {
   scope: openAiResourceGroup
   name: 'openai-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
 module formRecognizerRoleUser '../../shared/security/role.bicep' = {
   scope: formRecognizerResourceGroup
   name: 'formrecognizer-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
 module storageRoleUser '../../shared/security/role.bicep' = {
   scope: storageResourceGroup
   name: 'storage-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
 module storageContribRoleUser '../../shared/security/role.bicep' = {
   scope: storageResourceGroup
   name: 'storage-contribrole-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
 module searchRoleUser '../../shared/security/role.bicep' = {
   scope: searchServiceResourceGroup
   name: 'search-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
 module searchContribRoleUser '../../shared/security/role.bicep' = {
   scope: searchServiceResourceGroup
   name: 'search-contrib-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
 module searchSvcContribRoleUser '../../shared/security/role.bicep' = {
   scope: searchServiceResourceGroup
   name: 'search-svccontrib-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 

diff --git a/deploy/aca/infra/main.parameters.json b/deploy/aca/infra/main.parameters.json
@@ -11,9 +11,12 @@
     "location": {
       "value": "${AZURE_LOCATION}"
     },
-    "userPrincipalId": {
+    "principalId": {
       "value": "${AZURE_PRINCIPAL_ID}"
     },
+    "principalType": {
+      "value": "${AZURE_PRINCIPAL_TYPE}"
+    },
     "openAiServiceName": {
       "value": "${AZURE_OPENAI_SERVICE}"
     },

diff --git a/deploy/aks/infra/main.bicep b/deploy/aks/infra/main.bicep
@@ -82,6 +82,8 @@ param keyVaultName string = ''
 
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
+@description('Type of the principal. Valid values: User,ServicePrincipal')
+param principalType string = 'User'
 
 @description('Use Application Insights for monitoring and performance tracing')
 param useApplicationInsights bool = false
@@ -363,7 +365,7 @@ module storageContribRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 

diff --git a/deploy/aks/infra/main.parameters.json b/deploy/aks/infra/main.parameters.json
@@ -14,6 +14,9 @@
     "principalId": {
       "value": "${AZURE_PRINCIPAL_ID}"
     },
+    "principalType": {
+      "value": "${AZURE_PRINCIPAL_TYPE}"
+    },
     "openAiServiceName": {
       "value": "${AZURE_OPENAI_SERVICE}"
     },

diff --git a/deploy/app-service/infra/main.bicep b/deploy/app-service/infra/main.bicep
@@ -80,6 +80,8 @@ param allowedOrigin string = '' // should start with https://, shouldn't end wit
 
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
+@description('Type of the principal. Valid values: User,ServicePrincipal')
+param principalType string = 'User'
 
 @description('Use Application Insights for monitoring and performance tracing')
 param useApplicationInsights bool = false
@@ -321,7 +323,7 @@ module openAiRoleUser '../../shared/security/role.bicep' = if (openAiHost == 'az
   params: {
     principalId: principalId
     roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
@@ -331,7 +333,7 @@ module formRecognizerRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
@@ -341,7 +343,7 @@ module storageRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
@@ -351,7 +353,7 @@ module storageContribRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
@@ -361,7 +363,7 @@ module searchRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
@@ -371,7 +373,7 @@ module searchContribRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 
@@ -381,7 +383,7 @@ module searchSvcContribRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
-    principalType: 'User'
+    principalType: principalType
   }
 }
 

diff --git a/deploy/app-service/infra/main.parameters.json b/deploy/app-service/infra/main.parameters.json
@@ -14,6 +14,9 @@
     "principalId": {
       "value": "${AZURE_PRINCIPAL_ID}"
     },
+    "principalType": {
+      "value": "${AZURE_PRINCIPAL_TYPE}"
+    },
     "openAiServiceName": {
       "value": "${AZURE_OPENAI_SERVICE}"
     },