add support for workspace UAMI (Azure#19390)

Author: yanjungao718

src/Synapse/Synapse/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Updated `New-AzSynapseWorkspace` and `Update-AzSynapseWorkspace` to support for user assigned managed identity (UAMI) by `-UserAssignedIdentityAction` and `-UserAssignedIdentityId`
 * Added EnablePublicNetworkAccess parameter to `New-AzureSynapseWorkspace` and `Update-AzSynapseWorkspace`
 
 ## Version 1.6.0

src/Synapse/Synapse/Commands/ManagementCommands/Workspace/NewAzureSynapseWorkspace.cs

@@ -23,6 +23,7 @@
 using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;
+using System.Collections.Generic;
 
 namespace Microsoft.Azure.Commands.Synapse
 {
@@ -98,6 +99,10 @@ public class NewAzureSynapseWorkspace : SynapseManagementCmdletBase
         [ValidateNotNull]
         public bool EnablePublicNetworkAccess { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = HelpMessages.UserAssignedIdentityId)]
+        [ValidateNotNull]
+        public List<string> UserAssignedIdentityId { get; set; }
+
         public override void ExecuteCmdlet()
         {
             try
@@ -132,10 +137,6 @@ public override void ExecuteCmdlet()
             var createParams = new Workspace
             {
                 Tags = TagsConversionHelper.CreateTagDictionary(this.Tag, validate: true),
-                Identity = new ManagedIdentity
-                {
-                    Type = ResourceIdentityType.SystemAssigned
-                },
                 DefaultDataLakeStorage = new DataLakeStorageAccountDetails
                 {
                     AccountUrl = defaultDataLakeStorageAccountUrl,
@@ -159,8 +160,21 @@ public override void ExecuteCmdlet()
                     }
                 } : null,
                 WorkspaceRepositoryConfiguration = this.IsParameterBound(c => c.GitRepository) ? this.GitRepository.ToSdkObject() : null,
-                PublicNetworkAccess = this.IsParameterBound(c => c.EnablePublicNetworkAccess) ? (this.EnablePublicNetworkAccess? PublicNetworkAccess.Enabled : PublicNetworkAccess.Disabled): null
+                PublicNetworkAccess = this.IsParameterBound(c => c.EnablePublicNetworkAccess) ? (this.EnablePublicNetworkAccess? PublicNetworkAccess.Enabled : PublicNetworkAccess.Disabled): null,
+                Identity = this.IsParameterBound(c => c.UserAssignedIdentityId) ? new ManagedIdentity
+                {
+                    Type = ResourceIdentityType.SystemAssignedUserAssigned,
+                    UserAssignedIdentities = new Dictionary<string, UserAssignedManagedIdentity>()
+                } :
+                new ManagedIdentity
+                {
+                    Type = ResourceIdentityType.SystemAssigned
+                }
             };
+            if (this.IsParameterBound(c => c.UserAssignedIdentityId))
+            {
+                UserAssignedIdentityId?.ForEach(identityId => createParams.Identity.UserAssignedIdentities.Add(identityId, new UserAssignedManagedIdentity()));
+            }
 
             if (ShouldProcess(Name, string.Format(Resources.CreatingSynapseWorkspace, this.ResourceGroupName, this.Name)))
             {

src/Synapse/Synapse/Commands/ManagementCommands/Workspace/UpdateAzureSynapseWorkspace.cs

@@ -23,6 +23,8 @@
 using Microsoft.WindowsAzure.Commands.Common;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 using System.Collections;
+using System.Collections.Generic;
+using System.Linq;
 using System.Management.Automation;
 using static Microsoft.Azure.Commands.Synapse.Models.SynapseConstants;
 using SecureString = System.Security.SecureString;
@@ -80,6 +82,13 @@ public class UpdateAzureSynapseWorkspace : SynapseManagementCmdletBase
         [Parameter(Mandatory = false, HelpMessage = HelpMessages.GitRepository)]
         [ValidateNotNull]
         public PSWorkspaceRepositoryConfiguration GitRepository { get; set; }
+        
+        [Parameter(Mandatory = false, HelpMessage = HelpMessages.UserAssignedIdentityAction)]
+        public SynapseConstants.UserAssignedManagedIdentityActionType UserAssignedIdentityAction { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = HelpMessages.UserAssignedIdentityId)]
+        [ValidateNotNull]
+        public List<string> UserAssignedIdentityId { get; set; }
 
         [Parameter(Mandatory = false, HelpMessage = HelpMessages.PublicNetworkAccess)]
         [ValidateNotNull]
@@ -127,7 +136,7 @@ public override void ExecuteCmdlet()
             WorkspacePatchInfo patchInfo = new WorkspacePatchInfo();
             patchInfo.Tags = this.IsParameterBound(c => c.Tag) ? TagsConversionHelper.CreateTagDictionary(this.Tag, validate: true) : TagsConversionHelper.CreateTagDictionary(this.InputObject?.Tags, validate:true);
             patchInfo.SqlAdministratorLoginPassword = this.IsParameterBound(c => c.SqlAdministratorLoginPassword) ? this.SqlAdministratorLoginPassword.ConvertToString() : null;
-            patchInfo.ManagedVirtualNetworkSettings = this.IsParameterBound(c => c.ManagedVirtualNetwork) ? this.ManagedVirtualNetwork?.ToSdkObject() : this.InputObject?.ManagedVirtualNetworkSettings?.ToSdkObject();
+            patchInfo.ManagedVirtualNetworkSettings = this.IsParameterBound(c => c.ManagedVirtualNetwork) ? this.ManagedVirtualNetwork?.ToSdkObject() : this.InputObject?.ManagedVirtualNetworkSettings?.ToSdkObject();           
             string encrptionKeyName = this.IsParameterBound(c => c.EncryptionKeyName) ? this.EncryptionKeyName : this.InputObject?.Encryption?.CustomerManagedKeyDetails?.Key?.Name;
             patchInfo.Encryption = !string.IsNullOrEmpty(encrptionKeyName) ? new EncryptionDetails
             {
@@ -142,6 +151,47 @@ public override void ExecuteCmdlet()
             patchInfo.WorkspaceRepositoryConfiguration = this.IsParameterBound(c => c.GitRepository) ? this.GitRepository.ToSdkObject() : null;
             patchInfo.PublicNetworkAccess = this.IsParameterBound(c => c.EnablePublicNetworkAccess) ? (this.EnablePublicNetworkAccess ? PublicNetworkAccess.Enabled : PublicNetworkAccess.Disabled): existingWorkspace.PublicNetworkAccess;
 
+            if ((!this.IsParameterBound(c => c.UserAssignedIdentityAction) && this.IsParameterBound(c => c.UserAssignedIdentityId))
+               || ((this.IsParameterBound(c => c.UserAssignedIdentityAction) && !this.IsParameterBound(c => c.UserAssignedIdentityId))))
+            {
+                throw new AzPSInvalidOperationException(Resources.FailedToValidateUserAssignedIdentityParameter);
+            }
+
+            if (this.IsParameterBound(c => c.UserAssignedIdentityAction) && this.IsParameterBound(c => c.UserAssignedIdentityId))
+            {
+                patchInfo.Identity = existingWorkspace.Identity;
+                patchInfo.Identity.Type = ResourceIdentityType.SystemAssignedUserAssigned;
+                if (patchInfo.Identity.UserAssignedIdentities == null)
+                {
+                    patchInfo.Identity.UserAssignedIdentities = new Dictionary<string, UserAssignedManagedIdentity>();
+                }
+
+                if (this.UserAssignedIdentityAction == SynapseConstants.UserAssignedManagedIdentityActionType.Add)
+                {
+                    UserAssignedIdentityId.Where(identity => !patchInfo.Identity.UserAssignedIdentities.ContainsKey(identity))?.ForEach(
+                        item => patchInfo.Identity.UserAssignedIdentities.Add(item, new UserAssignedManagedIdentity()));
+                }
+                else if (this.UserAssignedIdentityAction == SynapseConstants.UserAssignedManagedIdentityActionType.Remove)
+                {
+                    UserAssignedIdentityId.Where(identity => patchInfo.Identity.UserAssignedIdentities.ContainsKey(identity))?.ForEach(
+                        item => patchInfo.Identity.UserAssignedIdentities[item] = null);
+                }
+                else if (this.UserAssignedIdentityAction == SynapseConstants.UserAssignedManagedIdentityActionType.Set)
+                {
+                    patchInfo.Identity.UserAssignedIdentities.Where(identity => !UserAssignedIdentityId.Contains(identity.Key))?.ForEach(
+                        item => patchInfo.Identity.UserAssignedIdentities[item.Key] = null);
+
+                    UserAssignedIdentityId.Where(identity => !patchInfo.Identity.UserAssignedIdentities.ContainsKey(identity))?.ForEach(
+                        item => patchInfo.Identity.UserAssignedIdentities.Add(item, new UserAssignedManagedIdentity()));
+                }
+
+                if (patchInfo.Identity.UserAssignedIdentities.All(identity => identity.Value == null))
+                {
+                    patchInfo.Identity.Type = ResourceIdentityType.SystemAssigned;
+                    patchInfo.Identity.UserAssignedIdentities = null;
+                }
+            }
+
             if (ShouldProcess(this.Name, string.Format(Resources.UpdatingSynapseWorkspace, this.Name, this.ResourceGroupName)))
             {
                 var workspace = new PSSynapseWorkspace(SynapseAnalyticsClient.UpdateWorkspace(

src/Synapse/Synapse/Common/HelpMessages.cs

@@ -48,6 +48,16 @@ public static class HelpMessages
 
         public const string PublicNetworkAccess = "Enable or Disable public network access to workspace. Possible values include: 'Enabled', 'Disabled'";
 
+        public const string UserAssignedIdentityAction = 
+@"Action must be specified when you add/remove/set user assigned managed identities for workspace. 
+The supported actions are:
+Add
+Remove
+Set
+Add means to add user assigned managed identities for workspace, Remove means to remove user assigned managed identities from workspace, Set can be used when you want to add and remove user assigned managed identities at the same time, current identities will be coverd by specified ones.";
+
+        public const string UserAssignedIdentityId = "User assigned managed identity Id for workspace.";
+
         public const string RepositoryType = "Select the repository type that you want to use to store your artifacts for this Synapse Analytics workspace, the type include DevOps and GitHub.";
 
         public const string HostName = "GitHub Enterprise host name. For example: https://github.mydomain.com";

src/Synapse/Synapse/Models/SynapseConstants.cs

@@ -307,6 +307,12 @@ public enum PackageActionType
             Add,
             Remove
         }
+        public enum UserAssignedManagedIdentityActionType
+        {
+            Add,
+            Remove,
+            Set
+        }
 
         public class PublicNetworkAccess
         {

src/Synapse/Synapse/Properties/Resources.Designer.cs

@@ -830,4 +830,7 @@ Failed: {2}.</value>
   <data name="SettingSynapseLinkConnection" xml:space="preserve">
     <value>Setting link connection '{0}' in workspace '{1}'.</value>
   </data>
+  <data name="FailedToValidateUserAssignedIdentityParameter" xml:space="preserve">
+    <value>-UserAssignedIdentityAction and -UserAssignedIdentityId must be specified at the same time or neither of them should be.</value>
+  </data>
 </root>

src/Synapse/Synapse/Properties/Resources.resx

@@ -18,8 +18,8 @@ New-AzSynapseWorkspace -ResourceGroupName <String> -Name <String> -Location <Str
  -SqlAdministratorLoginCredential <PSCredential> [-ManagedVirtualNetwork <PSManagedVirtualNetworkSettings>]
  [-EncryptionKeyName <String>] [-EncryptionKeyIdentifier <String>] [-AsJob]
  [-ManagedResourceGroupName <String>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
- [-EnablePublicNetworkAccess <Boolean>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-EnablePublicNetworkAccess <Boolean>] [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -66,6 +66,20 @@ New-AzSynapseWorkspace -ResourceGroupName ContosoResourceGroup -Name ContosoWork
 
 This command creates a Synapse Analytics workspace named ContosoWorkspace that uses the ContosoAdlGenStorage Data Store, in the resource group named ContosoResourceGroup. And the workspace is connected to a Git Repository called ContosoRepo.
 
+### Example 5
+```powershell
+$password = ConvertTo-SecureString "Password123!" -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential ("ContosoUser", $password)
+$uamis = Get-AzUserAssignedIdentity -ResourceGroupName ContosoResourceGroup
+$uamilist = New-Object System.Collections.Generic.List[string]
+foreach($uami in $uamis){
+	$uamilist.Add($uami.Id)
+}
+New-AzSynapseWorkspace -ResourceGroupName ContosoResourceGroup -Name ContosoWorkspace -Location northeurope -DefaultDataLakeStorageAccountName ContosoAdlGen2Storage -DefaultDataLakeStorageFilesystem ContosoFileSystem -SqlAdministratorLoginCredential $creds -UserAssignedIdentityId $uamilist
+```
+
+This command creates a Synapse Analytics workspace named ContosoWorkspace that uses the ContosoAdlGenStorage Data Store, in the resource group named ContosoResourceGroup, and add user assigned managed identities that get from ResourceGroup ContosoResourceGroup to workspace.
+
 ## PARAMETERS
 
 ### -AsJob
@@ -293,6 +307,21 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
+### -UserAssignedIdentityId
+User assigned managed identity Id for workspace.
+
+```yaml
+Type: System.Collections.Generic.List`1[System.String]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Confirm
 Prompts you for confirmation before running the cmdlet.
 

src/Synapse/Synapse/help/New-AzSynapseWorkspace.md

@@ -17,26 +17,29 @@ Updates a Synapse Analytics workspace.
 Update-AzSynapseWorkspace [-ResourceGroupName <String>] -Name <String> [-Tag <Hashtable>]
  [-SqlAdministratorLoginPassword <SecureString>] [-ManagedVirtualNetwork <PSManagedVirtualNetworkSettings>]
  [-EncryptionKeyName <String>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
- [-EnablePublicNetworkAccess <Boolean>] [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
- [-Confirm] [<CommonParameters>]
+ [-EnablePublicNetworkAccess <Boolean>] [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
+ [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>] [-AsJob]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### SetByInputObjectParameterSet
 ```
 Update-AzSynapseWorkspace -InputObject <PSSynapseWorkspace> [-Tag <Hashtable>]
  [-SqlAdministratorLoginPassword <SecureString>] [-ManagedVirtualNetwork <PSManagedVirtualNetworkSettings>]
  [-EncryptionKeyName <String>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
- [-EnablePublicNetworkAccess <Boolean>] [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
- [-Confirm] [<CommonParameters>]
+ [-EnablePublicNetworkAccess <Boolean>] [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
+ [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>] [-AsJob]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### SetByResourceIdParameterSet
 ```
 Update-AzSynapseWorkspace -ResourceId <String> [-Tag <Hashtable>]
  [-SqlAdministratorLoginPassword <SecureString>] [-ManagedVirtualNetwork <PSManagedVirtualNetworkSettings>]
  [-EncryptionKeyName <String>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
- [-EnablePublicNetworkAccess <Boolean>] [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
- [-Confirm] [<CommonParameters>]
+ [-EnablePublicNetworkAccess <Boolean>] [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
+ [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>] [-AsJob]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -81,6 +84,45 @@ Update-AzSynapseWorkspace -Name ContosoWorkspace -EnablePublicNetworkAccess $Tru
 
 This commands updates the specififed Azure Synapse Analytics workspace to enable public network access.
 
+### Example 6
+```powershell
+$uamis = Get-AzUserAssignedIdentity -ResourceGroupName bigdataqa
+$uamilist = New-Object System.Collections.Generic.List[string]
+foreach($uami in $uamis){
+	$uamilist.Add($uami.Id)
+}
+
+Update-AzSynapseWorkspace -Name ContosoWorkspace -UserAssignedIdentityAction Add -UserAssignedIdentityId $uamilist
+```
+
+This commands updates workspace to add user assigned managed identites in $uamilist.
+
+### Example 7
+```powershell
+$uamis = Get-AzUserAssignedIdentity -ResourceGroupName bigdataqa
+$uamilist = New-Object System.Collections.Generic.List[string]
+foreach($uami in $uamis){
+	$uamilist.Add($uami.Id)
+}
+
+Update-AzSynapseWorkspace -Name ContosoWorkspace -UserAssignedIdentityAction Remove -UserAssignedIdentityId $uamilist[0]
+```
+
+This commands removes user assigned managed identites $uamilist[0] from workspace.
+
+### Example 8
+```powershell
+$uamis = Get-AzUserAssignedIdentity -ResourceGroupName bigdataqa
+$uamilist = New-Object System.Collections.Generic.List[string]
+foreach($uami in $uamis){
+	$uamilist.Add($uami.Id)
+}
+
+Update-AzSynapseWorkspace -Name ContosoWorkspace -UserAssignedIdentityAction Set -UserAssignedIdentityId $uamilist
+```
+
+This commands updates workspace with user assigned managed identites $uamilist that will cover current identities.
+
 ## PARAMETERS
 
 ### -AsJob
@@ -263,6 +305,42 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -UserAssignedIdentityAction
+Action must be specified when you add/remove/set user assigned managed identities for workspace. 
+The supported actions are:
+Add
+Remove
+Set
+Add means to add user assigned managed identities for workspace, Remove means to remove user assigned managed identities from workspace, Set can be used when you want to add and remove user assigned managed identities at the same time.
+
+```yaml
+Type: Microsoft.Azure.Commands.Synapse.Models.SynapseConstants+UserAssignedManagedIdentityActionType
+Parameter Sets: (All)
+Aliases:
+Accepted values: Add, Remove, Set
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAssignedIdentityId
+User assigned managed identity Id for workspace.
+
+```yaml
+Type: System.Collections.Generic.List`1[System.String]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Confirm
 Prompts you for confirmation before running the cmdlet.