[Modules] New Child Module Gallery Application (#2465)

* added aadloginforWindows extension * updated VirtualMachines readme.md with extensionAadJoinConfig * changed varSystemAssignedIdentity to systemAssignedIdentityVar * added aadlogonforLinux Ext * added extensionaadjoin to test * ran the set-readme utility * created Gallery-Application * reverting these files to match current main * fixing link * fixed role Assignments * ran update-roleassignmentList * changed endofLife to endOfLifeDate * added test and child resource to gallery module * updated readme and applications test * added application test to common test * updated readme and deleted .applicatons from test Co-authored-by: Shawn Meyer <[email protected]>
Azure · Dec 19, 2022 · 1a02887 · 1a02887
1 parent 117e6f9
commit 1a02887
Show file tree

Hide file tree

Showing 7 changed files with 517 additions and 4 deletions.
diff --git a/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep
@@ -55,5 +55,23 @@ module testDeployment '../../deploy.bicep' = {
         principalType: 'ServicePrincipal'
       }
     ]
+    applications: [
+      {
+        name: '<<namePrefix>>-${serviceShort}-appd-001'
+      }
+      {
+        name: '<<namePrefix>>-appd-002'
+        supportedOSType: 'Windows'
+        roleAssignments: [
+          {
+            roleDefinitionIdOrName: 'Reader'
+            principalIds: [
+              resourceGroupResources.outputs.managedIdentityPrincipalId
+            ]
+            principalType: 'ServicePrincipal'
+          }
+        ]
+      }
+    ]
   }
 }
diff --git a/modules/Microsoft.Compute/galleries/applications/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.Compute/galleries/applications/.bicep/nested_roleAssignments.bicep
@@ -0,0 +1,71 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+  'ServicePrincipal'
+  'Group'
+  'User'
+  'ForeignGroup'
+  'Device'
+  ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition.')
+@allowed([
+  '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. Id of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+var builtInRoleNames = {
+  'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+  'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')
+}
+
+resource galleryApplication 'Microsoft.Compute/galleries/applications@2022-03-03' existing = {
+  name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+  name: guid(galleryApplication.id, principalId, roleDefinitionIdOrName)
+  properties: {
+    description: description
+    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+    principalId: principalId
+    principalType: !empty(principalType) ? any(principalType) : null
+    condition: !empty(condition) ? condition : null
+    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+  }
+  scope: galleryApplication
+}]
diff --git a/modules/Microsoft.Compute/galleries/applications/deploy.bicep b/modules/Microsoft.Compute/galleries/applications/deploy.bicep
@@ -0,0 +1,100 @@
+@description('Required. Name of the application definition.')
+param name string
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Conditional. The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment.')
+@minLength(1)
+param galleryName string
+
+@description('Optional. The description of this gallery Application Definition resource. This property is updatable.')
+param applicationDefinitionDescription string = ''
+
+@description('Optional. The Eula agreement for the gallery Application Definition. Has to be a valid URL.')
+param eula string = ''
+
+@description('Optional. The privacy statement uri. Has to be a valid URL.')
+param privacyStatementUri string = ''
+
+@description('Optional. The release note uri. Has to be a valid URL.')
+param releaseNoteUri string = ''
+
+@description('Optional. This property allows you to specify the supported type of the OS that application is built for.')
+@allowed([
+  'Windows'
+  'Linux'
+])
+param supportedOSType string = 'Windows'
+
+@description('Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z.')
+param endOfLifeDate string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Tags for all resources.')
+param tags object = {}
+
+@description('Optional. A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application.')
+param customActions object = {}
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource gallery 'Microsoft.Compute/galleries@2022-03-03' existing = {
+  name: galleryName
+}
+
+resource application 'Microsoft.Compute/galleries/applications@2022-03-03' = {
+  name: name
+  parent: gallery
+  location: location
+  tags: tags
+  properties: {
+    customActions: !empty(customActions) ? [ customActions ] : null
+    description: applicationDefinitionDescription
+    endOfLifeDate: endOfLifeDate
+    eula: eula
+    privacyStatementUri: privacyStatementUri
+    releaseNoteUri: releaseNoteUri
+    supportedOSType: supportedOSType
+  }
+}
+
+module galleryApplication_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+  name: '${deployment().name}-Rbac-${index}'
+  params: {
+    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+    principalIds: roleAssignment.principalIds
+    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+    resourceId: application.id
+  }
+}]
+
+@description('The resource group the image was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The resource ID of the image.')
+output resourceId string = application.id
+
+@description('The name of the image.')
+output name string = application.name
+
+@description('The location the resource was deployed into.')
+output location string = application.location