Synchronize repo from Repoman

azure-sdk · azure-sdk · commit 3abf55e922e9 · 2024-05-20T20:10:21.000Z
diff --git a/.azdo/pipelines/terraform/java/azure-dev.yml b/.azdo/pipelines/terraform/java/azure-dev.yml
diff --git a/infra/core/host/aks.bicep b/infra/core/host/aks.bicep
@@ -96,6 +96,10 @@ param agentPoolConfig object = {}
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
 
+@description('The type of principal to assign application roles')
+@allowed(['Device','ForeignGroup','Group','ServicePrincipal','User'])
+param principalType string = 'User'
+
 @description('Kubernetes Version')
 param kubernetesVersion string = '1.27.7'
 
@@ -204,11 +208,12 @@ module containerRegistryAccess '../security/registry-access.bicep' = {
 }
 
 // Give AKS cluster access to the specified principal
-module clusterAccess '../security/aks-managed-cluster-access.bicep' = if (enableAzureRbac || disableLocalAccounts) {
+module clusterAccess '../security/aks-managed-cluster-access.bicep' = if (!empty(principalId) && (enableAzureRbac || disableLocalAccounts)) {
   name: 'cluster-access'
   params: {
     clusterName: managedCluster.outputs.clusterName
     principalId: principalId
+    principalType: principalType
   }
 }
 
diff --git a/infra/core/security/aks-managed-cluster-access.bicep b/infra/core/security/aks-managed-cluster-access.bicep
@@ -1,15 +1,23 @@
 metadata description = 'Assigns RBAC role to the specified AKS cluster and principal.'
+
+@description('The AKS cluster name used as the target of the role assignments.')
 param clusterName string
+
+@description('The principal ID to assign the role to.')
 param principalId string
 
+@description('The principal type to assign the role to.')
+@allowed(['Device','ForeignGroup','Group','ServicePrincipal','User'])
+param principalType string = 'User'
+
 var aksClusterAdminRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
 
 resource aksRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   scope: aksCluster // Use when specifying a scope that is different than the deployment scope
   name: guid(subscription().id, resourceGroup().id, principalId, aksClusterAdminRole)
   properties: {
     roleDefinitionId: aksClusterAdminRole
-    principalType: 'User'
+    principalType: principalType
     principalId: principalId
   }
 }
