From fe82fe398ba7d8cc75668653bfc0fa93c4973c86 Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Wed, 26 Jun 2024 10:43:37 -0500
Subject: [PATCH 01/11] Using user managed identites with system topic subscriptions
---
 deploy/quick-start/infra/main.bicep | 4 ++++
 .../shared/system-topic-subscription.bicep | 22 +++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/deploy/quick-start/infra/main.bicep b/deploy/quick-start/infra/main.bicep
index f65a25c6e6..19e3f3f1a7 100644
--- a/deploy/quick-start/infra/main.bicep
+++ b/deploy/quick-start/infra/main.bicep
@@ -464,6 +464,8 @@ module storageSub 'shared/system-topic-subscription.bicep' = {
 name: 'storageSub-${timestamp}'
 params: {
 name: 'foundationallm-storage'
+ identityName: '${abbrs.managedIdentityUserAssignedIdentities}-storageSub-${resourceToken}'
+ location: location
 eventGridName: eventgrid.outputs.name
 topicName: storageTopic.outputs.name
 destinationTopicName: 'storage'
@@ -492,6 +494,8 @@ module configSub 'shared/system-topic-subscription.bicep' = {
 name: 'configSub-${timestamp}'
 params: {
 name: 'app-config'
+ identityName: '${abbrs.managedIdentityUserAssignedIdentities}-configSub-${resourceToken}'
+ location: location
 eventGridName: eventgrid.outputs.name
 topicName: configTopic.outputs.name
 destinationTopicName: 'configuration'
diff --git a/deploy/quick-start/infra/shared/system-topic-subscription.bicep b/deploy/quick-start/infra/shared/system-topic-subscription.bicep
index 7f46b65199..3b4acaa396 100644
--- a/deploy/quick-start/infra/shared/system-topic-subscription.bicep
+++ b/deploy/quick-start/infra/shared/system-topic-subscription.bicep
@@ -1,4 +1,6 @@
 param name string
+param identityName string
+param location string
 param topicName string
 param destinationTopicName string
 param eventGridName string
@@ -19,6 +21,11 @@ resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' existing =
 name: topicName
 }

+resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
+ name: identityName
+ location: location
+}
+
 resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 scope: destinationTopic
 name: guid(subscription().id, resourceGroup().id, topic.id, 'sendEventRole')
@@ -29,13 +36,24 @@ resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 }
 }

+resource subSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ scope: destinationTopic
+ name: guid(subscription().id, resourceGroup().id, identity.id, 'sendEventRole')
+ properties: {
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')
+ principalType: 'ServicePrincipal'
+ principalId: identity.properties.principalId
+ }
+}
+
 resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2023-12-15-preview' = {
 name: name
 parent: topic
 properties: {
 deliveryWithResourceIdentity: {
 identity: {
- type: 'SystemAssigned'
+ type: 'UserAssigned'
+ userAssignedIdentity: identity.id
 }
 destination: {
 endpointType: 'NamespaceTopic'
@@ -56,5 +74,5 @@ resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscription
 eventTimeToLiveInMinutes: 1440
 }
 }
- dependsOn: [ eventSendRole ]
+ dependsOn: [ eventSendRole, subSendRole ]
 }

From b823a7bb2a8fe6d6f91aaa1386c5bc09dbebf928 Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Wed, 26 Jun 2024 10:57:01 -0500
Subject: [PATCH 02/11] Adding check for null to Remove-OAuthCallbackUris.ps1 that occurs when provisioning fails
---
 tests/scripts/Remove-OAuthCallbackUris.ps1 | 46 +++++++++++-----------
 1 file changed, 24 insertions(+), 22 deletions(-)
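Review bot: After `deliveryWithResourceIdentity` switches to `type: 'UserAssigned'`, the existing `eventSendRole` grant to the system topic's own identity is no longer the delivery principal, yet the next hunk keeps it in `dependsOn`, so two principals hold the send role on the destination topic. For least privilege, drop `eventSendRole` (or the system-assigned identity on the topic) once the user-assigned identity does the delivery; the same pair reappears when `subSendRole` is re-added in commit 05's hunk of this file. Separately, `dependsOn: [ eventSendRole, subSendRole ]` only orders the ARM operations; Event Grid checks the delivery identity's permission when the subscription is created and RBAC propagation is eventually consistent, so this can presumably still fail intermittently — worth a comment on `resourceProviderSub` if that is the provisioning failure the later commits chase.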
diff --git a/tests/scripts/Remove-OAuthCallbackUris.ps1 b/tests/scripts/Remove-OAuthCallbackUris.ps1
index d5b4810597..2204dd2440 100644
--- a/tests/scripts/Remove-OAuthCallbackUris.ps1
+++ b/tests/scripts/Remove-OAuthCallbackUris.ps1
@@ -68,31 +68,33 @@ $uris = @{
 }

 foreach ($uri in $uris.GetEnumerator()) {
- $applicationUri = "https://graph.microsoft.com/v1.0/applications/" + $uri.Value.objectId
- $redirects = @(az rest `
- --method "get" `
- --uri $applicationUri `
- --headers "{'Content-Type': 'application/json'}" `
- --query $uri.Value.query `
- -o json | ConvertFrom-Json)
-
- $redirect = ($uri.Value.endpoint | ConvertFrom-Json) + "/signin-oidc"
+ if ($uri -ne $null)
+ {
+ $applicationUri = "https://graph.microsoft.com/v1.0/applications/" + $uri.Value.objectId
+ $redirects = @(az rest `
+ --method "get" `
+ --uri $applicationUri `
+ --headers "{'Content-Type': 'application/json'}" `
+ --query $uri.Value.query `
+ -o json | ConvertFrom-Json)
+ $redirect = ($uri.Value.endpoint | ConvertFrom-Json) + "/signin-oidc"

- if ($redirects.Contains($redirect)) {
- $redirects -= $redirect
+ if ($redirects.Contains($redirect)) {
+ $redirects -= $redirect

- $body = @{
- spa = @{
- redirectUris = $redirects
- }
- } | ConvertTo-Json -Compress
+ $body = @{
+ spa = @{
+ redirectUris = $redirects
+ }
+ } | ConvertTo-Json -Compress

- Set-Content -Path "$($uri.Key)`.json" $body
- az rest `
- --method "patch" `
- --uri $applicationUri `
- --headers "{'Content-Type': 'application/json'}" `
- --body "@$($uri.Key)`.json"
+ Set-Content -Path "$($uri.Key)`.json" $body
+ az rest `
+ --method "patch" `
+ --uri $applicationUri `
+ --headers "{'Content-Type': 'application/json'}" `
+ --body "@$($uri.Key)`.json"
+ }
 }
 }
\ No newline at end of file

From 8fa9afbf38754ce7b86ea00450a3b6130a9de2dc Mon Sep 17 00:00:00 2001
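Review bot: `if ($uri -ne $null)` on the new side can never be false: `$uris.GetEnumerator()` yields a `DictionaryEntry` per key, so `$uri` is always an object, and the value that is empty when provisioning fails is presumably `$uri.Value.objectId` or `$uri.Value.endpoint`. With an empty `objectId`, `$applicationUri` degrades to the `/applications/` collection endpoint, so the GET (and, if the redirect happened to match, the PATCH) would address the wrong resource; guard the fields actually used, e.g. `if ($null -ne $uri.Value -and -not [string]::IsNullOrEmpty($uri.Value.objectId) -and -not [string]::IsNullOrEmpty($uri.Value.endpoint))`. Putting `$null` on the left also avoids the collection-comparison pitfall PSScriptAnalyzer flags. The whole `foreach` body is inside this hunk.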
From: Matthew Alan Gray
Date: Wed, 26 Jun 2024 11:07:40 -0500
Subject: [PATCH 03/11] Deploying to sandbox to verify deployment errors
---
 .github/workflows/e2e-daily-testing.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/e2e-daily-testing.yml b/.github/workflows/e2e-daily-testing.yml
index a5bfefb685..7d7cb08861 100644
--- a/.github/workflows/e2e-daily-testing.yml
+++ b/.github/workflows/e2e-daily-testing.yml
@@ -10,12 +10,12 @@ jobs:
 uses: ./.github/workflows/e2e-testing.yml
 with:
 environment: "fllm-e2e-aca-daily-${{ github.run_id }}"
- deployOpenAi: true
+ deployOpenAi: false
 openAiName: fllm-01
 openAiResourceGroup: fllm-shared-01
 location: EastUS2
- notificationsEnabled: true
- enableTeardown: true
+ notificationsEnabled: false
+ enableTeardown: false
 bypassAndTeardown: false
- target: e2e
+ target: sandbox
 secrets: inherit

From 104e6359bca9c722c7e333d32b10711dc9f9100d Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Wed, 26 Jun 2024 11:57:28 -0500
Subject: [PATCH 04/11] Refactoring system topic subscriptions to use user assigned MSIs
---
 deploy/quick-start/infra/main.bicep | 32 ++++++++++++++++---
 .../infra/shared/config-system-topic.bicep | 31 +++++++++++++++++-
 .../quick-start/infra/shared/identity.bicep | 12 +++++++
 .../infra/shared/storage-system-topic.bicep | 31 +++++++++++++++++-
 .../shared/system-topic-subscription.bicep | 16 ++--------
 5 files changed, 102 insertions(+), 20 deletions(-)
 create mode 100644 deploy/quick-start/infra/shared/identity.bicep

diff --git a/deploy/quick-start/infra/main.bicep b/deploy/quick-start/infra/main.bicep
index 19e3f3f1a7..bd799f2a22 100644
--- a/deploy/quick-start/infra/main.bicep
+++ b/deploy/quick-start/infra/main.bicep
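Review bot: `enableTeardown: false` together with `notificationsEnabled: false` and `target: sandbox` turns the daily e2e job into a run that leaves every provisioned environment standing and reports nothing, which the subject line frames as a temporary diagnostic. If this lands on the default branch, each scheduled run accumulates live infrastructure in the sandbox target under `secrets: inherit`, so either revert these four values before merge or move them behind `workflow_dispatch` inputs so a manual run can opt into sandbox without changing the scheduled defaults. The trigger block is outside this hunk, so I cannot confirm the workflow is schedule-driven; the file name suggests it.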
@@ -438,10 +438,23 @@ module storage './shared/storage.bicep' = { dependsOn: [keyVault] } +module configSubIdentity 'shared/identity.bicep' = { + name: 'configSubId-${timestamp}' + params: { + name: '${abbrs.managedIdentityUserAssignedIdentities}-configSub-${resourceToken}' + location: location + } + scope: rg +} + module configTopic 'shared/config-system-topic.bicep' = { name: 'configTopic-${timestamp}' params: { name: '${abbrs.eventGridDomainsTopics}config${resourceToken}' + eventGridName: eventgrid.outputs.name + destinationTopicName: 'config' + identityClientId: configSubIdentity.outputs.clientId + identityPrincipalId: configSubIdentity.outputs.principalId location: location tags: tags appConfigAccountName: appConfig.outputs.name @@ -449,10 +462,23 @@ module configTopic 'shared/config-system-topic.bicep' = { scope: rg } +module storageSubIdentity 'shared/identity.bicep' = { + name: 'storageSubId-${timestamp}' + params: { + name: '${abbrs.managedIdentityUserAssignedIdentities}-storageSub-${resourceToken}' + location: location + } + scope: rg +} + module storageTopic 'shared/storage-system-topic.bicep' = { name: 'storageTopic-${timestamp}' params: { name: '${abbrs.eventGridDomainsTopics}storage${resourceToken}' + eventGridName: eventgrid.outputs.name + destinationTopicName: 'storage' + identityClientId: storageSubIdentity.outputs.clientId + identityPrincipalId: storageSubIdentity.outputs.principalId location: location tags: tags storageAccountName: storage.outputs.name @@ -464,8 +490,7 @@ module storageSub 'shared/system-topic-subscription.bicep' = { name: 'storageSub-${timestamp}' params: { name: 'foundationallm-storage' - identityName: '${abbrs.managedIdentityUserAssignedIdentities}-storageSub-${resourceToken}' - location: location + identityName: storageSubIdentity.outputs.name eventGridName: eventgrid.outputs.name topicName: storageTopic.outputs.name destinationTopicName: 'storage' 
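Review bot: `configTopic` is given `destinationTopicName: 'config'` while `configSub` (context in the next hunk of this file) delivers to `'configuration'`, so the send-role assignment that `config-system-topic.bicep` scopes to `destinationTopic` targets a different namespace topic than the one the subscription writes to — either the `existing` lookup fails or the identity is granted on the wrong topic. Use one source of truth for the name, e.g. `var configDestinationTopic = 'configuration'` referenced from both module invocations, rather than two literals; commit 08 in this series patches the literal but keeps the duplication.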
@@ -494,8 +519,7 @@ module configSub 'shared/system-topic-subscription.bicep' = { name: 'configSub-${timestamp}' params: { name: 'app-config' - identityName: '${abbrs.managedIdentityUserAssignedIdentities}-configSub-${resourceToken}' - location: location + identityName: configSubIdentity.outputs.name eventGridName: eventgrid.outputs.name topicName: configTopic.outputs.name destinationTopicName: 'configuration' diff --git a/deploy/quick-start/infra/shared/config-system-topic.bicep b/deploy/quick-start/infra/shared/config-system-topic.bicep index 9fdff7274a..6198dcf0af 100644 --- a/deploy/quick-start/infra/shared/config-system-topic.bicep +++ b/deploy/quick-start/infra/shared/config-system-topic.bicep @@ -1,4 +1,8 @@ param name string +param destinationTopicName string +param eventGridName string +param identityClientId string +param identityPrincipalId string param location string = resourceGroup().location param tags object = {} param appConfigAccountName string 
@@ -7,12 +11,37 @@ resource appConfig 'Microsoft.AppConfiguration/configurationStores@2023-08-01-pr name: appConfigAccountName } +resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2023-12-15-preview' existing = { + name: eventGridName +} + +resource destinationTopic 'Microsoft.EventGrid/namespaces/topics@2023-12-15-preview' existing = { + name: destinationTopicName + parent: eventGridNamespace +} + +resource subSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + scope: destinationTopic + name: guid(subscription().id, resourceGroup().id, identityPrincipalId, 'sendEventRole') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') + principalType: 'ServicePrincipal' + principalId: identityPrincipalId + } +} + resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = { name: name location: location tags: tags identity: { - type: 'SystemAssigned' + type: 'UserAssigned' + userAssignedIdentities: { + identity: { + clientId: identityClientId + principalId: identityPrincipalId + } + } } properties: { source: appConfig.id diff --git a/deploy/quick-start/infra/shared/identity.bicep b/deploy/quick-start/infra/shared/identity.bicep new file mode 100644 index 0000000000..15d1cabc38 --- /dev/null +++ b/deploy/quick-start/infra/shared/identity.bicep @@ -0,0 +1,12 @@ +param name string +param location string + +resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = { + name: name + location: location +} + +output id string = identity.id +output name string = identity.name +output clientId string = identity.properties.clientId +output principalId string = identity.properties.principalId diff --git a/deploy/quick-start/infra/shared/storage-system-topic.bicep b/deploy/quick-start/infra/shared/storage-system-topic.bicep index 56c3e13bb6..ce33bedf24 100644 --- a/deploy/quick-start/infra/shared/storage-system-topic.bicep 
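Review bot: The `identity` block on `topic` is not a valid user-assigned identity declaration: `userAssignedIdentities` is a map keyed by the identity's ARM resource ID whose values are empty objects, and `clientId`/`principalId` are read-only properties the service returns, not inputs. As written the deployment should be rejected at validation, and the module never receives the identity's resource ID at all; add `param identityId string` and write `userAssignedIdentities: { '${identityId}': {} }`, passing `configSubIdentity.outputs.id` from main.bicep. The same block appears in `storage-system-topic.bicep` in this commit.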
+++ b/deploy/quick-start/infra/shared/storage-system-topic.bicep @@ -1,4 +1,8 @@ param name string +param destinationTopicName string +param eventGridName string +param identityClientId string +param identityPrincipalId string param location string = resourceGroup().location param tags object = {} param storageAccountName string @@ -7,12 +11,37 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: storageAccountName } +resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2023-12-15-preview' existing = { + name: eventGridName +} + +resource destinationTopic 'Microsoft.EventGrid/namespaces/topics@2023-12-15-preview' existing = { + name: destinationTopicName + parent: eventGridNamespace +} + +resource subSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + scope: destinationTopic + name: guid(subscription().id, resourceGroup().id, identityPrincipalId, 'sendEventRole') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') + principalType: 'ServicePrincipal' + principalId: identityPrincipalId + } +} + resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = { name: name location: location tags: tags identity: { - type: 'SystemAssigned' + type: 'UserAssigned' + userAssignedIdentities: { + identity: { + clientId: identityClientId + principalId: identityPrincipalId + } + } } properties: { source: storage.id diff --git a/deploy/quick-start/infra/shared/system-topic-subscription.bicep b/deploy/quick-start/infra/shared/system-topic-subscription.bicep index 3b4acaa396..dca0550170 100644 --- a/deploy/quick-start/infra/shared/system-topic-subscription.bicep +++ b/deploy/quick-start/infra/shared/system-topic-subscription.bicep @@ -1,6 +1,5 @@ param name string param identityName string -param location string param topicName string param destinationTopicName string param eventGridName string 
@@ -21,9 +20,8 @@ resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' existing = name: topicName } -resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = { +resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = { name: identityName - location: location } resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { @@ -36,16 +34,6 @@ resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { } } -resource subSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - scope: destinationTopic - name: guid(subscription().id, resourceGroup().id, identity.id, 'sendEventRole') - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - principalType: 'ServicePrincipal' - principalId: identity.properties.principalId - } -} - resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2023-12-15-preview' = { name: name parent: topic @@ -74,5 +62,5 @@ resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscription eventTimeToLiveInMinutes: 1440 } } - dependsOn: [ eventSendRole, subSendRole ] + dependsOn: [ eventSendRole ] } From 8b84daea0e997d5487c2838e7c2358ec3accb4a4 Mon Sep 17 00:00:00 2001 From: Matthew Alan Gray Date: Wed, 26 Jun 2024 12:22:01 -0500 Subject: [PATCH 05/11] Refactoring system topic subscriptions to use user assigned MSIs --- deploy/quick-start/infra/main.bicep | 8 ----- .../infra/shared/config-system-topic.bicep | 31 +------------------ .../infra/shared/storage-system-topic.bicep | 31 +------------------ .../shared/system-topic-subscription.bicep | 12 ++++++- 4 files changed, 13 insertions(+), 69 deletions(-) diff --git a/deploy/quick-start/infra/main.bicep b/deploy/quick-start/infra/main.bicep index bd799f2a22..bc47f76d3b 100644 --- a/deploy/quick-start/infra/main.bicep 
+++ b/deploy/quick-start/infra/main.bicep @@ -451,10 +451,6 @@ module configTopic 'shared/config-system-topic.bicep' = { name: 'configTopic-${timestamp}' params: { name: '${abbrs.eventGridDomainsTopics}config${resourceToken}' - eventGridName: eventgrid.outputs.name - destinationTopicName: 'config' - identityClientId: configSubIdentity.outputs.clientId - identityPrincipalId: configSubIdentity.outputs.principalId location: location tags: tags appConfigAccountName: appConfig.outputs.name @@ -475,10 +471,6 @@ module storageTopic 'shared/storage-system-topic.bicep' = { name: 'storageTopic-${timestamp}' params: { name: '${abbrs.eventGridDomainsTopics}storage${resourceToken}' - eventGridName: eventgrid.outputs.name - destinationTopicName: 'storage' - identityClientId: storageSubIdentity.outputs.clientId - identityPrincipalId: storageSubIdentity.outputs.principalId location: location tags: tags storageAccountName: storage.outputs.name diff --git a/deploy/quick-start/infra/shared/config-system-topic.bicep b/deploy/quick-start/infra/shared/config-system-topic.bicep index 6198dcf0af..9fdff7274a 100644 --- a/deploy/quick-start/infra/shared/config-system-topic.bicep +++ b/deploy/quick-start/infra/shared/config-system-topic.bicep @@ -1,8 +1,4 @@ param name string -param destinationTopicName string -param eventGridName string -param identityClientId string -param identityPrincipalId string param location string = resourceGroup().location param tags object = {} param appConfigAccountName string 
@@ -11,37 +7,12 @@ resource appConfig 'Microsoft.AppConfiguration/configurationStores@2023-08-01-pr name: appConfigAccountName } -resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2023-12-15-preview' existing = { - name: eventGridName -} - -resource destinationTopic 'Microsoft.EventGrid/namespaces/topics@2023-12-15-preview' existing = { - name: destinationTopicName - parent: eventGridNamespace -} - -resource subSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - scope: destinationTopic - name: guid(subscription().id, resourceGroup().id, identityPrincipalId, 'sendEventRole') - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - principalType: 'ServicePrincipal' - principalId: identityPrincipalId - } -} - resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = { name: name location: location tags: tags identity: { - type: 'UserAssigned' - userAssignedIdentities: { - identity: { - clientId: identityClientId - principalId: identityPrincipalId - } - } + type: 'SystemAssigned' } properties: { source: appConfig.id diff --git a/deploy/quick-start/infra/shared/storage-system-topic.bicep b/deploy/quick-start/infra/shared/storage-system-topic.bicep index ce33bedf24..56c3e13bb6 100644 --- a/deploy/quick-start/infra/shared/storage-system-topic.bicep +++ b/deploy/quick-start/infra/shared/storage-system-topic.bicep @@ -1,8 +1,4 @@ param name string -param destinationTopicName string -param eventGridName string -param identityClientId string -param identityPrincipalId string param location string = resourceGroup().location param tags object = {} param storageAccountName string 
@@ -11,37 +7,12 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: storageAccountName } -resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2023-12-15-preview' existing = { - name: eventGridName -} - -resource destinationTopic 'Microsoft.EventGrid/namespaces/topics@2023-12-15-preview' existing = { - name: destinationTopicName - parent: eventGridNamespace -} - -resource subSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - scope: destinationTopic - name: guid(subscription().id, resourceGroup().id, identityPrincipalId, 'sendEventRole') - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - principalType: 'ServicePrincipal' - principalId: identityPrincipalId - } -} - resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = { name: name location: location tags: tags identity: { - type: 'UserAssigned' - userAssignedIdentities: { - identity: { - clientId: identityClientId - principalId: identityPrincipalId - } - } + type: 'SystemAssigned' } properties: { source: storage.id diff --git a/deploy/quick-start/infra/shared/system-topic-subscription.bicep b/deploy/quick-start/infra/shared/system-topic-subscription.bicep index dca0550170..fc4b724340 100644 --- a/deploy/quick-start/infra/shared/system-topic-subscription.bicep +++ b/deploy/quick-start/infra/shared/system-topic-subscription.bicep 
@@ -24,6 +24,16 @@ resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-p name: identityName } +resource subSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + scope: destinationTopic + name: guid(subscription().id, resourceGroup().id, identity.id, 'sendEventRole') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') + principalType: 'ServicePrincipal' + principalId: identity.properties.principalId + } +} + resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { scope: destinationTopic name: guid(subscription().id, resourceGroup().id, topic.id, 'sendEventRole') @@ -62,5 +72,5 @@ resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscription eventTimeToLiveInMinutes: 1440 } } - dependsOn: [ eventSendRole ] + dependsOn: [ eventSendRole, subSendRole ] } From e54805770edf9760c3626876d54da139c9f95517 Mon Sep 17 00:00:00 2001 From: Matthew Alan Gray Date: Wed, 26 Jun 2024 12:38:09 -0500 Subject: [PATCH 06/11] Refactoring system topic subscriptions to use user assigned MSIs --- deploy/quick-start/infra/main.bicep | 2 ++ .../infra/shared/config-system-topic.bicep | 5 ++++- .../infra/shared/storage-system-topic.bicep | 5 ++++- .../infra/shared/system-topic-subscription.bicep | 14 ++------------ 4 files changed, 12 insertions(+), 14 deletions(-) diff --git a/deploy/quick-start/infra/main.bicep b/deploy/quick-start/infra/main.bicep index bc47f76d3b..efbef61630 100644 --- a/deploy/quick-start/infra/main.bicep +++ b/deploy/quick-start/infra/main.bicep @@ -451,6 +451,7 @@ module configTopic 'shared/config-system-topic.bicep' = { name: 'configTopic-${timestamp}' params: { name: '${abbrs.eventGridDomainsTopics}config${resourceToken}' + identityPrincipalId: configSubIdentity.outputs.principalId location: location tags: tags appConfigAccountName: appConfig.outputs.name 
@@ -471,6 +472,7 @@ module storageTopic 'shared/storage-system-topic.bicep' = { name: 'storageTopic-${timestamp}' params: { name: '${abbrs.eventGridDomainsTopics}storage${resourceToken}' + identityPrincipalId: storageSubIdentity.outputs.principalId location: location tags: tags storageAccountName: storage.outputs.name diff --git a/deploy/quick-start/infra/shared/config-system-topic.bicep b/deploy/quick-start/infra/shared/config-system-topic.bicep index 9fdff7274a..49e3e1eeb9 100644 --- a/deploy/quick-start/infra/shared/config-system-topic.bicep +++ b/deploy/quick-start/infra/shared/config-system-topic.bicep @@ -1,4 +1,5 @@ param name string +param identityPrincipalId string param location string = resourceGroup().location param tags object = {} param appConfigAccountName string @@ -12,7 +13,9 @@ resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = { location: location tags: tags identity: { - type: 'SystemAssigned' + principalId: identityPrincipalId + tenantId: tenant().tenantId + type: 'UserAssigned' } properties: { source: appConfig.id diff --git a/deploy/quick-start/infra/shared/storage-system-topic.bicep b/deploy/quick-start/infra/shared/storage-system-topic.bicep index 56c3e13bb6..4617d1fbc5 100644 --- a/deploy/quick-start/infra/shared/storage-system-topic.bicep +++ b/deploy/quick-start/infra/shared/storage-system-topic.bicep @@ -1,4 +1,5 @@ param name string +param identityPrincipalId string param location string = resourceGroup().location param tags object = {} param storageAccountName string @@ -12,7 +13,9 @@ resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = { location: location tags: tags identity: { - type: 'SystemAssigned' + principalId: identityPrincipalId + tenantId: tenant().tenantId + type: 'UserAssigned' } properties: { source: storage.id 
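Review bot: The replacement `identity` block on `topic` (`principalId`, `tenantId`, `type: 'UserAssigned'`) is also not a valid declaration: `principalId` and `tenantId` are read-only fields that describe a system-assigned identity, and `type: 'UserAssigned'` requires a `userAssignedIdentities` map keyed by the identity's resource ID. This will presumably fail template validation; the working form is `type: 'UserAssigned'` plus `userAssignedIdentities: { '${identityId}': {} }`, with the identity module's `id` output passed in instead of its principal ID. This applies to both `config-system-topic.bicep` and `storage-system-topic.bicep` in this commit.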
diff --git a/deploy/quick-start/infra/shared/system-topic-subscription.bicep b/deploy/quick-start/infra/shared/system-topic-subscription.bicep index fc4b724340..4f0bdabe88 100644 --- a/deploy/quick-start/infra/shared/system-topic-subscription.bicep +++ b/deploy/quick-start/infra/shared/system-topic-subscription.bicep @@ -24,23 +24,13 @@ resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-p name: identityName } -resource subSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - scope: destinationTopic - name: guid(subscription().id, resourceGroup().id, identity.id, 'sendEventRole') - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - principalType: 'ServicePrincipal' - principalId: identity.properties.principalId - } -} - resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { scope: destinationTopic name: guid(subscription().id, resourceGroup().id, topic.id, 'sendEventRole') properties: { roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') principalType: 'ServicePrincipal' - principalId: topic.identity.principalId + principalId: identity.properties.principalId } } @@ -72,5 +62,5 @@ resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscription eventTimeToLiveInMinutes: 1440 } } - dependsOn: [ eventSendRole, subSendRole ] + dependsOn: [ eventSendRole ] } From 133ddb42c4d162ea9dc2d9e6ba592e6c623e2eb7 Mon Sep 17 00:00:00 2001 
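Review bot: `eventSendRole` now assigns the role to `identity.properties.principalId` but keeps `name: guid(subscription().id, resourceGroup().id, topic.id, 'sendEventRole')`, a name derived from the topic rather than the principal. Role assignments are immutable once created, so redeploying over an environment where that name already exists for the topic's system-assigned principal fails with a conflict (the principal of an existing assignment cannot be changed), and the two principals can never coexist under one name; seed it with the principal instead, `name: guid(subscription().id, resourceGroup().id, identity.id, 'sendEventRole')`. The same topic-seeded name with an identity principal is repeated in the `eventSendRole` resources added to both topic modules in commit 07.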
From: Matthew Alan Gray Date: Wed, 26 Jun 2024 13:03:09 -0500 Subject: [PATCH 07/11] Refactoring system topic subscriptions to use user assigned MSIs --- deploy/quick-start/infra/main.bicep | 8 +++++-- .../infra/shared/config-system-topic.bicep | 21 +++++++++++++++++++ .../infra/shared/storage-system-topic.bicep | 21 +++++++++++++++++++ .../shared/system-topic-subscription.bicep | 11 ---------- 4 files changed, 48 insertions(+), 13 deletions(-) diff --git a/deploy/quick-start/infra/main.bicep b/deploy/quick-start/infra/main.bicep index efbef61630..57a639e471 100644 --- a/deploy/quick-start/infra/main.bicep +++ b/deploy/quick-start/infra/main.bicep @@ -441,7 +441,7 @@ module storage './shared/storage.bicep' = { module configSubIdentity 'shared/identity.bicep' = { name: 'configSubId-${timestamp}' params: { - name: '${abbrs.managedIdentityUserAssignedIdentities}-configSub-${resourceToken}' + name: '${abbrs.managedIdentityUserAssignedIdentities}configSub-${resourceToken}' location: location } scope: rg @@ -451,6 +451,8 @@ module configTopic 'shared/config-system-topic.bicep' = { name: 'configTopic-${timestamp}' params: { name: '${abbrs.eventGridDomainsTopics}config${resourceToken}' + eventGridName: eventgrid.outputs.name + destinationTopicName: 'config' identityPrincipalId: configSubIdentity.outputs.principalId location: location tags: tags @@ -462,7 +464,7 @@ module configTopic 'shared/config-system-topic.bicep' = { module storageSubIdentity 'shared/identity.bicep' = { name: 'storageSubId-${timestamp}' params: { - name: '${abbrs.managedIdentityUserAssignedIdentities}-storageSub-${resourceToken}' + name: '${abbrs.managedIdentityUserAssignedIdentities}storageSub-${resourceToken}' location: location } scope: rg 
@@ -472,6 +474,8 @@ module storageTopic 'shared/storage-system-topic.bicep' = { name: 'storageTopic-${timestamp}' params: { name: '${abbrs.eventGridDomainsTopics}storage${resourceToken}' + eventGridName: eventgrid.outputs.name + destinationTopicName: 'storage' identityPrincipalId: storageSubIdentity.outputs.principalId location: location tags: tags diff --git a/deploy/quick-start/infra/shared/config-system-topic.bicep b/deploy/quick-start/infra/shared/config-system-topic.bicep index 49e3e1eeb9..c4beb2fb23 100644 --- a/deploy/quick-start/infra/shared/config-system-topic.bicep +++ b/deploy/quick-start/infra/shared/config-system-topic.bicep @@ -1,4 +1,6 @@ param name string +param destinationTopicName string +param eventGridName string param identityPrincipalId string param location string = resourceGroup().location param tags object = {} @@ -8,6 +10,25 @@ resource appConfig 'Microsoft.AppConfiguration/configurationStores@2023-08-01-pr name: appConfigAccountName } +resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2023-12-15-preview' existing = { + name: eventGridName +} + +resource destinationTopic 'Microsoft.EventGrid/namespaces/topics@2023-12-15-preview' existing = { + name: destinationTopicName + parent: eventGridNamespace +} + +resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + scope: destinationTopic + name: guid(subscription().id, resourceGroup().id, topic.id, 'sendEventRole') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') + principalType: 'ServicePrincipal' + principalId: identityPrincipalId + } +} + resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = { name: name location: location diff --git a/deploy/quick-start/infra/shared/storage-system-topic.bicep b/deploy/quick-start/infra/shared/storage-system-topic.bicep index 4617d1fbc5..9700524249 100644 
--- a/deploy/quick-start/infra/shared/storage-system-topic.bicep +++ b/deploy/quick-start/infra/shared/storage-system-topic.bicep @@ -1,4 +1,6 @@ param name string +param destinationTopicName string +param eventGridName string param identityPrincipalId string param location string = resourceGroup().location param tags object = {} @@ -8,6 +10,25 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: storageAccountName } +resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2023-12-15-preview' existing = { + name: eventGridName +} + +resource destinationTopic 'Microsoft.EventGrid/namespaces/topics@2023-12-15-preview' existing = { + name: destinationTopicName + parent: eventGridNamespace +} + +resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + scope: destinationTopic + name: guid(subscription().id, resourceGroup().id, topic.id, 'sendEventRole') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') + principalType: 'ServicePrincipal' + principalId: identityPrincipalId + } +} + resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = { name: name location: location diff --git a/deploy/quick-start/infra/shared/system-topic-subscription.bicep b/deploy/quick-start/infra/shared/system-topic-subscription.bicep index 4f0bdabe88..7b354faf88 100644 --- a/deploy/quick-start/infra/shared/system-topic-subscription.bicep +++ b/deploy/quick-start/infra/shared/system-topic-subscription.bicep 
@@ -24,16 +24,6 @@ resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-p name: identityName } -resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - scope: destinationTopic - name: guid(subscription().id, resourceGroup().id, topic.id, 'sendEventRole') - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7') - principalType: 'ServicePrincipal' - principalId: identity.properties.principalId - } -} - resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2023-12-15-preview' = { name: name parent: topic @@ -62,5 +52,4 @@ resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscription eventTimeToLiveInMinutes: 1440 } } - dependsOn: [ eventSendRole ] } From 9a1c7d0aead1318e7aca40393fc2c28161ba829b Mon Sep 17 00:00:00 2001 From: Matthew Alan Gray Date: Wed, 26 Jun 2024 13:16:01 -0500 Subject: [PATCH 08/11] Refactoring system topic subscriptions to use user assigned MSIs --- deploy/quick-start/infra/main.bicep | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deploy/quick-start/infra/main.bicep b/deploy/quick-start/infra/main.bicep index 57a639e471..f7d6b38018 100644 --- a/deploy/quick-start/infra/main.bicep +++ b/deploy/quick-start/infra/main.bicep @@ -452,13 +452,14 @@ module configTopic 'shared/config-system-topic.bicep' = { params: { name: '${abbrs.eventGridDomainsTopics}config${resourceToken}' eventGridName: eventgrid.outputs.name - destinationTopicName: 'config' + destinationTopicName: 'configuration' identityPrincipalId: configSubIdentity.outputs.principalId location: location tags: tags appConfigAccountName: appConfig.outputs.name } scope: rg + dependsOn: [eventgrid] } module storageSubIdentity 'shared/identity.bicep' = { 
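Review bot: The added `dependsOn: [eventgrid]` on `configTopic` is redundant because `eventGridName: eventgrid.outputs.name` already creates the dependency on the `eventgrid` module (the Bicep linter's `no-unnecessary-dependson` rule flags exactly this); the same applies to `storageTopic` in the next hunk. The `'config'` to `'configuration'` fix is the right value, but it remains a literal duplicated between `configTopic` and `configSub`; a single `var` for the destination topic name would keep the mismatch this commit corrects from recurring.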
@@ -482,6 +483,7 @@ module storageTopic 'shared/storage-system-topic.bicep' = {
     storageAccountName: storage.outputs.name
   }
   scope: rg
+  dependsOn: [eventgrid]
 }
 
 module storageSub 'shared/system-topic-subscription.bicep' = {

From f2d3db3d38c97cbb7a54434e912e76ed6bf88cc2 Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Wed, 26 Jun 2024 13:21:59 -0500
Subject: [PATCH 09/11] Refactoring system topic subscriptions to use user assigned MSIs

---
 deploy/quick-start/infra/main.bicep | 22 -------------------
 .../infra/shared/config-system-topic.bicep | 7 ++----
 .../infra/shared/storage-system-topic.bicep | 7 ++----
 .../shared/system-topic-subscription.bicep | 8 +------
 4 files changed, 5 insertions(+), 39 deletions(-)

diff --git a/deploy/quick-start/infra/main.bicep b/deploy/quick-start/infra/main.bicep
index f7d6b38018..0d61968143 100644
--- a/deploy/quick-start/infra/main.bicep
+++ b/deploy/quick-start/infra/main.bicep
@@ -438,22 +438,12 @@ module storage './shared/storage.bicep' = {
   dependsOn: [keyVault]
 }
 
-module configSubIdentity 'shared/identity.bicep' = {
-  name: 'configSubId-${timestamp}'
-  params: {
-    name: '${abbrs.managedIdentityUserAssignedIdentities}configSub-${resourceToken}'
-    location: location
-  }
-  scope: rg
-}
-
 module configTopic 'shared/config-system-topic.bicep' = {
   name: 'configTopic-${timestamp}'
   params: {
     name: '${abbrs.eventGridDomainsTopics}config${resourceToken}'
     eventGridName: eventgrid.outputs.name
     destinationTopicName: 'configuration'
-    identityPrincipalId: configSubIdentity.outputs.principalId
     location: location
     tags: tags
     appConfigAccountName: appConfig.outputs.name
@@ -462,22 +452,12 @@ module configTopic 'shared/config-system-topic.bicep' = {
   dependsOn: [eventgrid]
 }
 
-module storageSubIdentity 'shared/identity.bicep' = {
-  name: 'storageSubId-${timestamp}'
-  params: {
-    name: '${abbrs.managedIdentityUserAssignedIdentities}storageSub-${resourceToken}'
-    location: location
-  }
-  scope: rg
-}
-
 module storageTopic 'shared/storage-system-topic.bicep' = {
   name: 'storageTopic-${timestamp}'
   params: {
     name: '${abbrs.eventGridDomainsTopics}storage${resourceToken}'
     eventGridName: eventgrid.outputs.name
     destinationTopicName: 'storage'
-    identityPrincipalId: storageSubIdentity.outputs.principalId
     location: location
     tags: tags
     storageAccountName: storage.outputs.name
@@ -490,7 +470,6 @@ module storageSub 'shared/system-topic-subscription.bicep' = {
   name: 'storageSub-${timestamp}'
   params: {
     name: 'foundationallm-storage'
-    identityName: storageSubIdentity.outputs.name
     eventGridName: eventgrid.outputs.name
     topicName: storageTopic.outputs.name
     destinationTopicName: 'storage'
@@ -519,7 +498,6 @@ module configSub 'shared/system-topic-subscription.bicep' = {
   name: 'configSub-${timestamp}'
   params: {
     name: 'app-config'
-    identityName: configSubIdentity.outputs.name
     eventGridName: eventgrid.outputs.name
     topicName: configTopic.outputs.name
     destinationTopicName: 'configuration'
diff --git a/deploy/quick-start/infra/shared/config-system-topic.bicep b/deploy/quick-start/infra/shared/config-system-topic.bicep
index c4beb2fb23..a709ebd450 100644
--- a/deploy/quick-start/infra/shared/config-system-topic.bicep
+++ b/deploy/quick-start/infra/shared/config-system-topic.bicep
@@ -1,7 +1,6 @@
 param name string
 param destinationTopicName string
 param eventGridName string
-param identityPrincipalId string
 param location string = resourceGroup().location
 param tags object = {}
 param appConfigAccountName string
@@ -25,7 +24,7 @@ resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')
     principalType: 'ServicePrincipal'
-    principalId: identityPrincipalId
+    principalId: topic.identity.principalId
   }
 }
 
@@ -34,9 +33,7 @@ resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = {
   location: location
   tags: tags
   identity: {
-    principalId: identityPrincipalId
-    tenantId: tenant().tenantId
-    type: 'UserAssigned'
+    type: 'SystemAssigned'
   }
   properties: {
     source: appConfig.id
diff --git a/deploy/quick-start/infra/shared/storage-system-topic.bicep b/deploy/quick-start/infra/shared/storage-system-topic.bicep
index 9700524249..a3675c6061 100644
--- a/deploy/quick-start/infra/shared/storage-system-topic.bicep
+++ b/deploy/quick-start/infra/shared/storage-system-topic.bicep
@@ -1,7 +1,6 @@
 param name string
 param destinationTopicName string
 param eventGridName string
-param identityPrincipalId string
 param location string = resourceGroup().location
 param tags object = {}
 param storageAccountName string
@@ -25,7 +24,7 @@ resource eventSendRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')
     principalType: 'ServicePrincipal'
-    principalId: identityPrincipalId
+    principalId: topic.identity.principalId
   }
 }
 
@@ -34,9 +33,7 @@ resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' = {
   location: location
   tags: tags
   identity: {
-    principalId: identityPrincipalId
-    tenantId: tenant().tenantId
-    type: 'UserAssigned'
+    type: 'SystemAssigned'
   }
   properties: {
     source: storage.id
diff --git a/deploy/quick-start/infra/shared/system-topic-subscription.bicep b/deploy/quick-start/infra/shared/system-topic-subscription.bicep
index 7b354faf88..7855ea9902 100644
--- a/deploy/quick-start/infra/shared/system-topic-subscription.bicep
+++ b/deploy/quick-start/infra/shared/system-topic-subscription.bicep
@@ -1,5 +1,4 @@
 param name string
-param identityName string
 param topicName string
 param destinationTopicName string
 param eventGridName string
@@ -20,18 +19,13 @@ resource topic 'Microsoft.EventGrid/systemTopics@2023-12-15-preview' existing =
   name: topicName
 }
 
-resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = {
-  name: identityName
-}
-
 resource resourceProviderSub 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2023-12-15-preview' = {
   name: name
   parent: topic
   properties: {
     deliveryWithResourceIdentity: {
       identity: {
-        type: 'UserAssigned'
-        userAssignedIdentity: identity.id
+        type: 'SystemAssigned'
       }
       destination: {
         endpointType: 'NamespaceTopic'

From 44aac8115a41a381ef45bb31908e63cccadb9298 Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Wed, 26 Jun 2024 13:43:55 -0500
Subject: [PATCH 10/11] Cleaning up changes

---
 deploy/quick-start/infra/shared/identity.bicep | 12 ------------
 1 file changed, 12 deletions(-)
 delete mode 100644 deploy/quick-start/infra/shared/identity.bicep

diff --git a/deploy/quick-start/infra/shared/identity.bicep b/deploy/quick-start/infra/shared/identity.bicep
deleted file mode 100644
index 15d1cabc38..0000000000
--- a/deploy/quick-start/infra/shared/identity.bicep
+++ /dev/null
@@ -1,12 +0,0 @@
-param name string
-param location string
-
-resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
-  name: name
-  location: location
-}
-
-output id string = identity.id
-output name string = identity.name
-output clientId string = identity.properties.clientId
-output principalId string = identity.properties.principalId

From 35b9fef78a39f75d1bd4928c37ca5928ace87c1d Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Wed, 26 Jun 2024 13:45:52 -0500
Subject: [PATCH 11/11] Cleaning up changes

---
 .github/workflows/e2e-daily-testing.yml | 8 ++++----
 tests/scripts/Remove-OAuthCallbackUris.ps1 | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/e2e-daily-testing.yml b/.github/workflows/e2e-daily-testing.yml
index 7d7cb08861..a5bfefb685 100644
--- a/.github/workflows/e2e-daily-testing.yml
+++ b/.github/workflows/e2e-daily-testing.yml
@@ -10,12 +10,12 @@ jobs:
     uses: ./.github/workflows/e2e-testing.yml
     with:
       environment: "fllm-e2e-aca-daily-${{ github.run_id }}"
-      deployOpenAi: false
+      deployOpenAi: true
       openAiName: fllm-01
       openAiResourceGroup: fllm-shared-01
       location: EastUS2
-      notificationsEnabled: false
-      enableTeardown: false
+      notificationsEnabled: true
+      enableTeardown: true
       bypassAndTeardown: false
-      target: sandbox
+      target: e2e
     secrets: inherit
diff --git a/tests/scripts/Remove-OAuthCallbackUris.ps1 b/tests/scripts/Remove-OAuthCallbackUris.ps1
index 2204dd2440..ff6fc1dc72 100644
--- a/tests/scripts/Remove-OAuthCallbackUris.ps1
+++ b/tests/scripts/Remove-OAuthCallbackUris.ps1
@@ -68,7 +68,7 @@ $uris = @{
 }
 
 foreach ($uri in $uris.GetEnumerator()) {
-    if ($uri -ne $null)
+    if ($uri.Value.endpoint -ne $null)
     {
         $applicationUri = "https://graph.microsoft.com/v1.0/applications/" + $uri.Value.objectId
         $redirects = @(az rest `
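Review bot: `deployOpenAi: true` asks the reusable workflow to provision its own Azure OpenAI resource, yet `openAiName: fllm-01` and `openAiResourceGroup: fllm-shared-01` still name the shared instance; if e2e-testing.yml only reads those two inputs when `deployOpenAi` is false (inferred — the called workflow is not in this diff) they are now dead inputs, and if it reads them regardless the daily run may bind to a pre-existing resource it did not create and will tear down with `enableTeardown: true`. Either remove the two inputs or add a comment above them stating why both are set, e.g. `# shared instance is only consulted when deployOpenAi is false`.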
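Review bot: The new guard only checks `$uri.Value.endpoint`, but the next statement builds the Graph URL from `$uri.Value.objectId`, so an entry whose objectId was never populated still issues a request against `.../applications/` with an empty id; if the failed-provisioning case this series handles can leave either field unset (inferred), test both. PowerShell convention also places `$null` on the left of the comparison so that a collection-valued property does not silently turn the test into a filter: `if ($null -ne $uri.Value.endpoint -and $null -ne $uri.Value.objectId)`. The enclosing `foreach` body continues past the end of the hunk.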