[Spike]: API for role assignments

playground/AzureContainerApps/AzureContainerApps.AppHost/AzureContainerApps.AppHost.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.5.002.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AzureContainerApps.AppHost", "AzureContainerApps.AppHost.csproj", "{55003C7C-F6C0-469F-BA6A-C5EC13AB0763}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{55003C7C-F6C0-469F-BA6A-C5EC13AB0763}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{55003C7C-F6C0-469F-BA6A-C5EC13AB0763}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{55003C7C-F6C0-469F-BA6A-C5EC13AB0763}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{55003C7C-F6C0-469F-BA6A-C5EC13AB0763}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {CE4F7DF9-62F5-454C-AE1B-D442D49897CA}
+	EndGlobalSection
+EndGlobal

playground/AzureContainerApps/AzureContainerApps.AppHost/Program.cs

@@ -3,6 +3,8 @@
 
 #pragma warning disable ASPIREACADOMAINS001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
 
+using Azure.Provisioning.Storage;
+
 var builder = DistributedApplication.CreateBuilder(args);
 
 var customDomain = builder.AddParameter("customDomain");
@@ -23,6 +25,7 @@
 
 // Testing a connection string
 var blobs = builder.AddAzureStorage("storage")
+                   .RemoveDefaultRoleAssignments()
                    .RunAsEmulator(c => c.WithLifetime(ContainerLifetime.Persistent))
                    .AddBlobs("blobs");
 
@@ -34,6 +37,7 @@
 builder.AddProject<Projects.AzureContainerApps_ApiService>("api")
        .WithExternalHttpEndpoints()
        .WithReference(blobs)
+       .WithRoleAssignments(blobs, StorageBuiltInRole.StorageBlobDataContributor)
        .WithReference(redis)
        .WithReference(cosmosDb)
        .WithEnvironment("VALUE", param)

playground/AzureContainerApps/AzureContainerApps.AppHost/api-roles.module.bicep

@@ -0,0 +1,27 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+param storage_outputs_name string
+
+resource api_identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: take('api_identity-${uniqueString(resourceGroup().id)}', 128)
+  location: location
+}
+
+resource storage 'Microsoft.Storage/storageAccounts@2024-01-01' existing = {
+  name: storage_outputs_name
+}
+
+resource storage_StorageBlobDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(storage.id, api_identity.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'))
+  properties: {
+    principalId: api_identity.properties.principalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+    principalType: 'ServicePrincipal'
+  }
+  scope: storage
+}
+
+output id string = api_identity.id
+
+output clientId string = api_identity.properties.clientId

playground/AzureContainerApps/AzureContainerApps.AppHost/api.module.bicep

@@ -1,6 +1,10 @@
 @description('The location for the resource(s) to be deployed.')
 param location string = resourceGroup().location
 
+param api_roles_outputs_id string
+
+param api_roles_outputs_clientid string
+
 param api_containerport string
 
 param storage_outputs_blobendpoint string
@@ -12,17 +16,15 @@ param outputs_azure_container_registry_managed_identity_id string
 @secure()
 param secretparam_value string
 
-param outputs_managed_identity_client_id string
-
 param outputs_azure_container_apps_environment_id string
 
 param outputs_azure_container_registry_endpoint string
 
 param api_containerimage string
 
-param certificateName string
+param certificatename_value string
 
-param customDomain string
+param customdomain_value string
 
 resource account_secretoutputs_kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: account_secretoutputs
@@ -56,9 +58,9 @@ resource api 'Microsoft.App/containerApps@2024-03-01' = {
         transport: 'http'
         customDomains: [
           {
-            name: customDomain
-            bindingType: (certificateName != '') ? 'SniEnabled' : 'Disabled'
-            certificateId: (certificateName != '') ? '${outputs_azure_container_apps_environment_id}/managedCertificates/${certificateName}' : null
+            name: customdomain_value
+            bindingType: (certificatename_value != '') ? 'SniEnabled' : 'Disabled'
+            certificateId: (certificatename_value != '') ? '${outputs_azure_container_apps_environment_id}/managedCertificates/${certificatename_value}' : null
           }
         ]
       }
@@ -114,7 +116,7 @@ resource api 'Microsoft.App/containerApps@2024-03-01' = {
             }
             {
               name: 'AZURE_CLIENT_ID'
-              value: outputs_managed_identity_client_id
+              value: api_roles_outputs_clientid
             }
           ]
         }
@@ -127,6 +129,7 @@ resource api 'Microsoft.App/containerApps@2024-03-01' = {
   identity: {
     type: 'UserAssigned'
     userAssignedIdentities: {
+      '${api_roles_outputs_id}': { }
       '${outputs_azure_container_registry_managed_identity_id}': { }
     }
   }

playground/AzureContainerApps/AzureContainerApps.AppHost/aspire-manifest.json

@@ -39,7 +39,6 @@
         "params": {
           "cache_volumes_0_storage": "{cache.volumes.0.storage}",
           "outputs_azure_container_registry_managed_identity_id": "{.outputs.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID}",
-          "outputs_managed_identity_client_id": "{.outputs.MANAGED_IDENTITY_CLIENT_ID}",
           "outputs_azure_container_apps_environment_id": "{.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_ID}"
         }
       },
@@ -74,11 +73,7 @@
     },
     "storage": {
       "type": "azure.bicep.v0",
-      "path": "storage.module.bicep",
-      "params": {
-        "principalId": "",
-        "principalType": ""
-      }
+      "path": "storage.module.bicep"
     },
     "blobs": {
       "type": "value.v0",
@@ -95,7 +90,6 @@
         "path": "pythonapp.module.bicep",
         "params": {
           "outputs_azure_container_registry_managed_identity_id": "{.outputs.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID}",
-          "outputs_managed_identity_client_id": "{.outputs.MANAGED_IDENTITY_CLIENT_ID}",
           "outputs_azure_container_apps_environment_id": "{.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_ID}",
           "outputs_azure_container_registry_endpoint": "{.outputs.AZURE_CONTAINER_REGISTRY_ENDPOINT}",
           "pythonapp_containerimage": "{pythonapp.containerImage}"
@@ -109,17 +103,18 @@
         "type": "azure.bicep.v0",
         "path": "api.module.bicep",
         "params": {
+          "api_roles_outputs_id": "{api-roles.outputs.id}",
+          "api_roles_outputs_clientid": "{api-roles.outputs.clientId}",
           "api_containerport": "{api.containerPort}",
           "storage_outputs_blobendpoint": "{storage.outputs.blobEndpoint}",
           "account_secretoutputs": "{account.secretOutputs}",
           "outputs_azure_container_registry_managed_identity_id": "{.outputs.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID}",
           "secretparam_value": "{secretparam.value}",
-          "outputs_managed_identity_client_id": "{.outputs.MANAGED_IDENTITY_CLIENT_ID}",
           "outputs_azure_container_apps_environment_id": "{.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_ID}",
           "outputs_azure_container_registry_endpoint": "{.outputs.AZURE_CONTAINER_REGISTRY_ENDPOINT}",
           "api_containerimage": "{api.containerImage}",
-          "certificateName": "{certificateName.value}",
-          "customDomain": "{customDomain.value}"
+          "certificatename_value": "{certificateName.value}",
+          "customdomain_value": "{customDomain.value}"
         }
       },
       "env": {
@@ -147,6 +142,13 @@
           "external": true
         }
       }
+    },
+    "api-roles": {
+      "type": "azure.bicep.v0",
+      "path": "api-roles.module.bicep",
+      "params": {
+        "storage_outputs_name": "{storage.outputs.name}"
+      }
     }
   }
 }

playground/AzureContainerApps/AzureContainerApps.AppHost/cache.module.bicep

@@ -5,8 +5,6 @@ param cache_volumes_0_storage string
 
 param outputs_azure_container_registry_managed_identity_id string
 
-param outputs_managed_identity_client_id string
-
 param outputs_azure_container_apps_environment_id string
 
 resource cache 'Microsoft.App/containerApps@2024-03-01' = {
@@ -32,12 +30,6 @@ resource cache 'Microsoft.App/containerApps@2024-03-01' = {
             '60'
             '1'
           ]
-          env: [
-            {
-              name: 'AZURE_CLIENT_ID'
-              value: outputs_managed_identity_client_id
-            }
-          ]
           volumeMounts: [
             {
               volumeName: 'v0'

playground/AzureContainerApps/AzureContainerApps.AppHost/pythonapp.module.bicep

@@ -3,8 +3,6 @@ param location string = resourceGroup().location
 
 param outputs_azure_container_registry_managed_identity_id string
 
-param outputs_managed_identity_client_id string
-
 param outputs_azure_container_apps_environment_id string
 
 param outputs_azure_container_registry_endpoint string
@@ -30,12 +28,6 @@ resource pythonapp 'Microsoft.App/containerApps@2024-03-01' = {
         {
           image: pythonapp_containerimage
           name: 'pythonapp'
-          env: [
-            {
-              name: 'AZURE_CLIENT_ID'
-              value: outputs_managed_identity_client_id
-            }
-          ]
         }
       ]
       scale: {

playground/AzureContainerApps/AzureContainerApps.AppHost/storage.module.bicep

@@ -1,10 +1,6 @@
 @description('The location for the resource(s) to be deployed.')
 param location string = resourceGroup().location
 
-param principalId string
-
-param principalType string
-
 resource storage 'Microsoft.Storage/storageAccounts@2024-01-01' = {
   name: take('storage${uniqueString(resourceGroup().id)}', 24)
   kind: 'StorageV2'
@@ -30,38 +26,10 @@ resource blobs 'Microsoft.Storage/storageAccounts/blobServices@2024-01-01' = {
   parent: storage
 }
 
-resource storage_StorageBlobDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(storage.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'))
-  properties: {
-    principalId: principalId
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
-    principalType: principalType
-  }
-  scope: storage
-}
-
-resource storage_StorageTableDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(storage.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'))
-  properties: {
-    principalId: principalId
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
-    principalType: principalType
-  }
-  scope: storage
-}
-
-resource storage_StorageQueueDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(storage.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88'))
-  properties: {
-    principalId: principalId
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
-    principalType: principalType
-  }
-  scope: storage
-}
-
 output blobEndpoint string = storage.properties.primaryEndpoints.blob
 
 output queueEndpoint string = storage.properties.primaryEndpoints.queue
 
-output tableEndpoint string = storage.properties.primaryEndpoints.table
+output tableEndpoint string = storage.properties.primaryEndpoints.table
+
+output name string = storage.name