
Commit a14c151

authored
[Containerapp] az containerapp create: Set identity only when --system-assigned or --user-assigned is specified. (#8742)
1 parent 0a3f286 commit a14c151


130 files changed

+406513
-499787
lines changed


130 files changed

+406513
-499787
lines changed

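--- a/src/containerapp/HISTORY.rst
+++ b/src/containerapp/HISTORY.rst
@@ -5,6 +5,8 @@ Release History
 upcoming
 ++++++
 * 'az containerapp auth update': Support authenticating blob storage token store using managed identity with `--blob-container-uri` and `--blob-container-identity`.
+* 'az containerapp env create': Set identity only when `--mi-system-assigned` or `--mi-user-assigned` is specified.
+* 'az containerapp env create': Set identity only when `--system-assigned` or `--user-assigned` is specified.
 
 1.1.0b4
 ++++++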

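--- a/src/containerapp/azext_containerapp/containerapp_decorator.py
+++ b/src/containerapp/azext_containerapp/containerapp_decorator.py
@@ -697,6 +697,34 @@ def set_up_registry_identity(self):
 if not env_has_managed_identity(self.cmd, managed_env_rg, managed_env_name, identity):
 set_managed_identity(self.cmd, self.get_argument_resource_group_name(), self.containerapp_def, user_assigned=[identity])
 
+def set_up_managed_identity(self):
+if self.get_argument_user_assigned() or self.get_argument_system_assigned():
+identity_def = deepcopy(ManagedServiceIdentityModel)
+identity_def["type"] = "None"
+
+assign_system_identity = self.get_argument_system_assigned()
+if self.get_argument_user_assigned():
+assign_user_identities = [x.lower() for x in self.get_argument_user_assigned()]
+else:
+assign_user_identities = []
+
+if assign_system_identity and assign_user_identities:
+identity_def["type"] = "SystemAssigned, UserAssigned"
+elif assign_system_identity:
+identity_def["type"] = "SystemAssigned"
+elif assign_user_identities:
+identity_def["type"] = "UserAssigned"
+
+if assign_user_identities:
+identity_def["userAssignedIdentities"] = {}
+subscription_id = get_subscription_id(self.cmd.cli_ctx)
+
+for r in assign_user_identities:
+r = _ensure_identity_resource_id(subscription_id, self.get_argument_resource_group_name(), r)
+identity_def["userAssignedIdentities"][r] = {} # pylint: disable=unsupported-assignment-operation
+
+self.containerapp_def["identity"] = identity_def
+
 # If --registry-server is ACR, use system-assigned managed identity for image pull by default
 def set_up_system_assigned_identity_as_default_if_using_acr(self):
 registry_server = self.get_argument_registry_server()
@@ -816,29 +844,7 @@ def parent_construct_payload(self):
 config_def["dapr"] = dapr_def
 
 # Identity actions
-identity_def = deepcopy(ManagedServiceIdentityModel)
-identity_def["type"] = "None"
-
-assign_system_identity = self.get_argument_system_assigned()
-if self.get_argument_user_assigned():
-assign_user_identities = [x.lower() for x in self.get_argument_user_assigned()]
-else:
-assign_user_identities = []
-
-if assign_system_identity and assign_user_identities:
-identity_def["type"] = "SystemAssigned, UserAssigned"
-elif assign_system_identity:
-identity_def["type"] = "SystemAssigned"
-elif assign_user_identities:
-identity_def["type"] = "UserAssigned"
-
-if assign_user_identities:
-identity_def["userAssignedIdentities"] = {}
-subscription_id = get_subscription_id(self.cmd.cli_ctx)
-
-for r in assign_user_identities:
-r = _ensure_identity_resource_id(subscription_id, self.get_argument_resource_group_name(), r)
-identity_def["userAssignedIdentities"][r] = {} # pylint: disable=unsupported-assignment-operation
+self.set_up_managed_identity()
 
 scale_def = self.set_up_scale_rule()
 
@@ -885,7 +891,6 @@ def parent_construct_payload(self):
 template_def["terminationGracePeriodSeconds"] = self.get_argument_termination_grace_period()
 
 self.containerapp_def["location"] = location
-self.containerapp_def["identity"] = identity_def
 self.containerapp_def["properties"]["environmentId"] = self.get_argument_managed_env()
 self.containerapp_def["properties"]["configuration"] = config_def
 self.containerapp_def["properties"]["template"] = template_def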
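Review bot: `self.containerapp_def["identity"]` is now written at the `self.set_up_managed_identity()` call (new line 847) and only when an identity flag is passed, where the removed code assigned it unconditionally near the end of `parent_construct_payload` (old line 888). Any write to that key between those two points is therefore no longer overwritten, and helpers that receive `containerapp_def`, such as `set_managed_identity` called from `set_up_registry_identity` in the context lines, may now see no `identity` key at all; their bodies are outside this page, so this needs confirming rather than assuming. A test that builds the payload with neither flag and asserts the `identity` key is absent, plus one that goes through `set_up_registry_identity` without either flag, would pin the intended result. The new method also has no docstring; something like `"""Set containerapp_def["identity"] only when --system-assigned or --user-assigned is given."""` would record the contract from the commit title. `parent_construct_payload` starts and ends outside the hunks, and indentation is not preserved on this page, so the nesting under the new `if` is inferred.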

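--- a/src/containerapp/azext_containerapp/containerapp_env_decorator.py
+++ b/src/containerapp/azext_containerapp/containerapp_env_decorator.py
@@ -83,30 +83,31 @@ def set_up_infrastructure_resource_group(self):
 self.managed_env_def["properties"]["infrastructureResourceGroup"] = self.get_argument_infrastructure_resource_group()
 
 def set_up_managed_identity(self):
-identity_def = ManagedServiceIdentity
-identity_def["type"] = "None"
-
-assign_system_identity = self.get_argument_system_assigned()
-if self.get_argument_user_assigned():
-assign_user_identities = [x.lower() for x in self.get_argument_user_assigned()]
-else:
-assign_user_identities = []
-
-if assign_system_identity and assign_user_identities:
-identity_def["type"] = "SystemAssigned, UserAssigned"
-elif assign_system_identity:
-identity_def["type"] = "SystemAssigned"
-elif assign_user_identities:
-identity_def["type"] = "UserAssigned"
-
-if assign_user_identities:
-identity_def["userAssignedIdentities"] = {}
-subscription_id = get_subscription_id(self.cmd.cli_ctx)
-
-for r in assign_user_identities:
-r = _ensure_identity_resource_id(subscription_id, self.get_argument_resource_group_name(), r)
-identity_def["userAssignedIdentities"][r] = {} # pylint: disable=unsupported-assignment-operation
-self.managed_env_def["identity"] = identity_def
+if self.get_argument_system_assigned() or self.get_argument_user_assigned():
+identity_def = ManagedServiceIdentity
+identity_def["type"] = "None"
+
+assign_system_identity = self.get_argument_system_assigned()
+if self.get_argument_user_assigned():
+assign_user_identities = [x.lower() for x in self.get_argument_user_assigned()]
+else:
+assign_user_identities = []
+
+if assign_system_identity and assign_user_identities:
+identity_def["type"] = "SystemAssigned, UserAssigned"
+elif assign_system_identity:
+identity_def["type"] = "SystemAssigned"
+elif assign_user_identities:
+identity_def["type"] = "UserAssigned"
+
+if assign_user_identities:
+identity_def["userAssignedIdentities"] = {}
+subscription_id = get_subscription_id(self.cmd.cli_ctx)
+
+for r in assign_user_identities:
+r = _ensure_identity_resource_id(subscription_id, self.get_argument_resource_group_name(), r)
+identity_def["userAssignedIdentities"][r] = {} # pylint: disable=unsupported-assignment-operation
+self.managed_env_def["identity"] = identity_def
 
 def set_up_workload_profiles(self):
 if self.get_argument_enable_workload_profiles():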
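Review bot: `identity_def = ManagedServiceIdentity` (new line 87) binds the shared model object rather than a copy, so the following writes to `identity_def["type"]` and `identity_def["userAssignedIdentities"]` mutate the template itself. If `ManagedServiceIdentity` is a module-level dict, which its definition outside this page would confirm, a process that builds more than one payload could carry user-assigned identities from an earlier call into a later system-assigned-only environment, because `userAssignedIdentities` is reset only when user identities are passed. The containerapp counterpart in this same commit copies its model with `deepcopy(ManagedServiceIdentityModel)`; the matching change here is `identity_def = deepcopy(ManagedServiceIdentity)`, provided `deepcopy` is imported in this file. Indentation is not preserved on this page, so whether the final `self.managed_env_def["identity"] = identity_def` sits inside the new `if` is inferred from the commit title.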
