Managed Identity for policyAssignments

Author: pilor

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Commands.Resources.Rest.csproj

@@ -100,7 +100,9 @@
     <Compile Include="Entities\ResourceGroup\ExportTemplateParameters.cs" />
     <Compile Include="Entities\ResourceGroup\ResourceBatchMoveParameters.cs" />
     <Compile Include="Entities\Resources\Resource.cs" />
+    <Compile Include="Entities\Resources\ResourceIdentityType.cs" />
     <Compile Include="Entities\Resources\ResourcePlan.cs" />
+    <Compile Include="Entities\Resources\ResourceIdentity.cs" />
     <Compile Include="Entities\Resources\ResourceSku.cs" />
     <Compile Include="Entities\Resources\TerminalProvisioningStates.cs" />
     <Compile Include="Extensions\AsyncExtensions.cs" />

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Components/Constants.cs

@@ -77,17 +77,17 @@ public static class Constants
         /// <summary>
         /// The default policy definition API version.
         /// </summary>
-        public static readonly string PolicyDefinitionApiVersion = "2018-03-01";
+        public static readonly string PolicyDefinitionApiVersion = "2018-05-01";
 
         /// <summary>
         /// The default policy set definition API version.
         /// </summary>
-        public static readonly string PolicySetDefintionApiVersion = "2018-03-01";
+        public static readonly string PolicySetDefintionApiVersion = "2018-05-01";
 
         /// <summary>
         /// The default policy assignment API version.
         /// </summary>
-        public static readonly string PolicyAssignmentApiVersion = "2018-03-01";
+        public static readonly string PolicyAssignmentApiVersion = "2018-05-01";
 
         /// <summary>
         /// The default providers API version.

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Entities/Policy/PolicyAssignment.cs

@@ -14,6 +14,7 @@
 
 namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Policy
 {
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources;
     using Newtonsoft.Json;
 
     /// <summary>
@@ -38,5 +39,17 @@ public class PolicyAssignment
         /// </summary>
         [JsonProperty(Required = Required.Always)]
         public PolicySku Sku { get; set; }
+
+        /// <summary>
+        /// The resource identity assigned to the policy assignment.
+        /// </summary>
+        [JsonProperty(Required = Required.Default)]
+        public ResourceIdentity Identity { get; set; }
+
+        /// <summary>
+        /// The policy assignment's location.
+        /// </summary>
+        [JsonProperty(Required = Required.Default)]
+        public string Location { get; set; }
     }
 }

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Entities/Resources/Resource.cs

@@ -53,7 +53,6 @@ public class Resource<TProperties>
         [JsonProperty(Required = Required.Default)]
         public ResourceSku Sku { get; set; }
 
-
         /// <summary>
         /// Gets or sets the kind of the resource definition.
         /// </summary>
@@ -95,5 +94,11 @@ public class Resource<TProperties>
         /// </summary>
         [JsonProperty(Required = Required.Default)]
         public InsensitiveDictionary<string> Tags { get; set; }
+
+        /// <summary>
+        /// The identity assigned to the resource.
+        /// </summary>
+        [JsonProperty(Required = Required.Default)]
+        public ResourceIdentity Identity { get; set; }
     }
 }

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Entities/Resources/ResourceIdentity.cs

@@ -0,0 +1,43 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Newtonsoft.Json;
+
+namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources
+{
+    /// <summary>
+    /// The resource identity object that represents the resource's Managed Service Identity.
+    /// </summary>
+    public class ResourceIdentity
+    {
+        /// <summary>
+        /// Gets or sets the type of identity assigned to the resource.
+        /// </summary>
+        [JsonProperty(Required = Required.Default)]
+        public string Type { get; set; }
+
+        /// <summary>
+        /// Gets or sets the principal ID of the assigned identity.
+        /// </summary>
+        [JsonProperty(Required = Required.Default)]
+        public string PrincipalId { get; set; }
+
+        /// <summary>
+        /// Gets or sets the Azure Active Directory tenant ID that contains the assigned identity.
+        /// </summary>
+        [JsonProperty(Required = Required.Default)]
+        public string TenantId { get; set; }
+    }
+}
+

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Entities/Resources/ResourceIdentityType.cs

@@ -0,0 +1,33 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources
+{
+    /// <summary>
+    /// The type of resource identity that is assigned to a resource.
+    /// </summary>
+    public class ResourceIdentityType
+    {
+        /// <summary>
+        /// The name of the resource identity type that will automatically create an identity for the resource.
+        /// </summary>
+        public const string SystemAssigned = "SystemAssigned";
+
+        /// <summary>
+        /// The name of the resource identity type that indicates the resource should have no identity assigned.
+        /// </summary>
+        public const string None = "None";
+    }
+}
+

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Extensions/ResourceExtensions.cs

@@ -59,7 +59,8 @@ internal static PSObject ToPsObject(this Resource<JToken> resource)
                 { "CreatedTime", resource.CreatedTime },
                 { "ChangedTime", resource.ChangedTime },
                 { "ETag", resource.ETag },
-                { "Sku", resource.Sku.ToJToken().ToPsObject() }
+                { "Sku", resource.Sku.ToJToken().ToPsObject() },
+                { "Identity", resource.Identity?.ToJToken().ToPsObject() }
             };
 
             var resourceTypeName = resourceType == null && extensionResourceType == null

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Implementation/Policy/GetAzurePolicyAssignment.cs

@@ -118,6 +118,7 @@ private async Task<ResponseWithContinuation<JObject[]>> GetResources()
                         cancellationToken: this.CancellationToken.Value,
                         odataQuery: null)
                     .ConfigureAwait(continueOnCapturedContext: false);
+
                 ResponseWithContinuation<JObject[]> retVal;
                 return resource.TryConvertTo(out retVal) && retVal.Value != null
                     ? retVal

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Implementation/Policy/NewAzurePolicyAssignment.cs

@@ -27,6 +27,8 @@ namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation
     using System.Collections;
     using System.Linq;
     using System.Management.Automation;
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources;
+    using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 
     /// <summary>
     /// Creates a policy assignment.
@@ -120,6 +122,19 @@ public class NewAzurePolicyAssignmentCmdlet : PolicyCmdletBase, IDynamicParamete
         [CmdletParameterBreakingChange("Sku", ChangeDescription = "The -Sku parameter is deprecated and ignored")]
         public Hashtable Sku { get; set; }
 
+        /// <summary>
+        /// Gets or sets a flag indicating whether a system assigned identity should be added to the policy assignment.
+        /// </summary>
+        [Parameter(Mandatory = false, HelpMessage = PolicyHelpStrings.PolicyAssignmentAssignIdentityHelp)]
+        public SwitchParameter AssignIdentity { get; set; }
+
+        /// <summary>
+        /// Gets or sets the location of the policy assignment. Only required when assigning a resource identity to the assignment.
+        /// </summary>
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, HelpMessage = PolicyHelpStrings.PolicyAssignmentLocationHelp)]
+        [LocationCompleter("Microsoft.ManagedIdentity/userAssignedIdentities")]
+        public string Location { get; set; }
+
         /// <summary>
         /// Executes the cmdlet.
         /// </summary>
@@ -184,6 +199,8 @@ private JToken GetResource()
             {
                 Name = this.Name,
                 Sku = Sku?.ToDictionary(addValueLayer: false).ToJson().FromJson<PolicySku>(),  // only store Sku if it was provided by user
+                Identity = this.AssignIdentity.IsPresent ? new ResourceIdentity { Type = ResourceIdentityType.SystemAssigned } : null,
+                Location = this.Location,
                 Properties = new PolicyAssignmentProperties
                 {
                     DisplayName = this.DisplayName ?? null,
@@ -223,28 +240,33 @@ object IDynamicParameters.GetDynamicParameters()
             {
                 foreach (var param in parameters.Properties)
                 {
-                    var type = (param.Value as PSObject).Properties["type"];
-                    var typeString = type != null ? type.Value.ToString() : string.Empty;
-                    var description = (param.Value as PSObject).GetPSObjectProperty("metadata.description");
-                    var helpString = description != null ? description.ToString() : string.Format("The {0} policy parameter.", param.Name);
-                    var dp = new RuntimeDefinedParameter
+                    if (param.Value is PSObject paramValue)
                     {
-                        Name = param.Name,
-                        ParameterType = typeString.Equals("array", StringComparison.OrdinalIgnoreCase) ? typeof(string[]) : typeof(string)
-                    };
-                    dp.Attributes.Add(new ParameterAttribute
-                    {
-                        ParameterSetName = PolicyCmdletBase.DefaultParameterSet,
-                        Mandatory = true,
-                        ValueFromPipelineByPropertyName = false,
-                        HelpMessage = helpString
-                    });
-                    this.dynamicParameters.Add(param.Name, dp);
+                        var type = paramValue.Properties["type"];
+                        var typeString = type != null ? type.Value.ToString() : string.Empty;
+                        var description = paramValue.GetPSObjectProperty("metadata.description");
+                        var helpString = description != null ? description.ToString() : string.Format("The {0} policy parameter.", param.Name);
+                        var dp = new RuntimeDefinedParameter
+                        {
+                            Name = param.Name,
+                            ParameterType = typeString.Equals("array", StringComparison.OrdinalIgnoreCase) ? typeof(string[]) : typeof(string)
+                        };
+                        
+                        // Dynamic parameter should not be mandatory if it has a default value
+                        dp.Attributes.Add(new ParameterAttribute
+                        {
+                            ParameterSetName = PolicyCmdletBase.DefaultParameterSet,
+                            Mandatory = paramValue.Properties["defaultValue"] == null,
+                            ValueFromPipelineByPropertyName = false,
+                            HelpMessage = helpString
+                        });
+
+                        this.dynamicParameters.Add(param.Name, dp);
+                    }
                 }
             }
 
-            RegisterDynamicParameters(dynamicParameters);
-
+            this.RegisterDynamicParameters(this.dynamicParameters);
             return this.dynamicParameters;
         }
 

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Implementation/Policy/PolicyHelpStrings.cs

@@ -47,6 +47,8 @@ public static class PolicyHelpStrings
         public const string SetPolicyAssignmentDescriptionHelp = "The description of the updated policy assignment";
         public const string SetPolicyAssignmentMetadataHelp = "The updated metadata for the policy assignment. This can either be a path to a file name containing the metadata, or the metadata as a string.";
         public const string SetPolicyAssignmentSkuHelp = "A hash table which specifies sku properties. This parameter is deprecated and ignored.";
+        public const string PolicyAssignmentAssignIdentityHelp = "Generate and assign an Azure Active Directory Identity for this policy assignment. The identity will be used when executing deployments for 'deployIfNotExists' policies.";
+        public const string PolicyAssignmentLocationHelp = "The location of the policy assignment. This is only required when the policy assignment has a resource identity.";
 
         /// <summary>
         /// Policy definition cmdlet parameter help strings

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Implementation/Policy/SetAzurePolicyAssignment.cs

@@ -22,9 +22,10 @@ namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation
     using Microsoft.WindowsAzure.Commands.Common;
     using Newtonsoft.Json.Linq;
     using Policy;
-    using System;
     using System.Collections;
     using System.Management.Automation;
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources;
+    using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 
     /// <summary>
     /// Sets the policy assignment.
@@ -91,6 +92,19 @@ public class SetAzurePolicyAssignmentCmdlet : PolicyCmdletBase
         [CmdletParameterBreakingChange("Sku", ChangeDescription = "The -Sku parameter is deprecated and ignored")]
         public Hashtable Sku { get; set; }
 
+        /// <summary>
+        /// Gets or sets a flag indicating whether a system assigned identity should be added to the policy assignment.
+        /// </summary>
+        [Parameter(Mandatory = false, HelpMessage = PolicyHelpStrings.PolicyAssignmentAssignIdentityHelp)]
+        public SwitchParameter AssignIdentity { get; set; }
+
+        /// <summary>
+        /// Gets or sets the location of the policy assignment. Only required when assigning a resource identity to the assignment.
+        /// </summary>
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, HelpMessage = PolicyHelpStrings.PolicyAssignmentLocationHelp)]
+        [LocationCompleter("Microsoft.ManagedIdentity/userAssignedIdentities")]
+        public string Location { get; set; }
+
         /// <summary>
         /// Executes the cmdlet.
         /// </summary>
@@ -135,6 +149,8 @@ private JToken GetResource(string resourceId, string apiVersion)
             {
                 Name = this.Name ?? resource.Name,
                 Sku = Sku?.ToDictionary(addValueLayer: false).ToJson().FromJson<PolicySku>(),  // only store Sku if it was provided by user
+                Identity = this.AssignIdentity.IsPresent ? new ResourceIdentity { Type = ResourceIdentityType.SystemAssigned } : null,
+                Location = this.Location ?? resource.Location,
                 Properties = new PolicyAssignmentProperties
                 {
                     DisplayName = this.DisplayName ?? resource.Properties["displayName"]?.ToString(),

src/ResourceManager/Resources/Commands.Resources.Test/SamplePolicyDefinitionParameters.json

@@ -1,10 +1,19 @@
 {
-    "listOfAllowedLocations": {
-        "type": "array",
-      "metadata": {
-        "description": "An array of permitted locations for resources.",
-        "strongType": "location",
-        "displayName": "List of locations"
-      }
+  "listOfAllowedLocations": {
+    "type": "array",
+    "metadata": {
+      "description": "An array of permitted locations for resources.",
+      "strongType": "location",
+      "displayName": "List of locations"
     }
+  },
+  "effectParam": {
+    "type": "string",
+    "defaultValue": "Deny",
+    "allowedValues": [ "Deny", "Disabled" ], 
+    "metadata": {
+      "description": "The effect of the policy",
+      "displayName": "Policy Effect"
+    } 
+  } 
 }

src/ResourceManager/Resources/Commands.Resources.Test/SamplePolicyDefinitionWithParameters.json

@@ -6,6 +6,6 @@
     }
   },
   "then": {
-    "effect": "deny"
+    "effect": "[parameters('effectParam')]"
   }
 }

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/PolicyTests.cs

@@ -59,6 +59,13 @@ public void TestPolicyAssignmentCRUD()
             ResourcesController.NewInstance.RunPsTest(_logger, "Test-PolicyAssignmentCRUD");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestPolicyAssignmentIdentity()
+        {
+            ResourcesController.NewInstance.RunPsTest(_logger, "Test-PolicyAssignmentIdentity");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestPolicyDefinitionWithParameters()