fixup! Move to Resource Module

Sheyla Trudo · Sheyla Trudo · commit e8bab97c4926 · 2024-10-23T16:40:09.000-07:00
diff --git a/.pipelines/templates/artifact-storage.steps.yaml b/.pipelines/templates/artifact-storage.steps.yaml
@@ -236,8 +236,8 @@ steps:
     updateCondition: False
     inputs:
       storageAccountName: '$(ACNCI_SA_PREFIX)$(LOCAL_ACNCI_UNIQUE_ID)'
+      storageAccountLocation: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_LOCATION)
       resourceGroupName: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP)
-      resourceGroupLocation: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_LOCATION)
       managedIdentityResourceId: $(managedidentity.ACNCI_MANAGEDIDENTITY_ID) 
       buildTagDefinitionIdKey: $(ACNCI_BUILDTAG_DEFINITIONID)
       buildTagCreatedByAppIdKey: $(ACNCI_BUILDTAG_CREATEDBYAPPID)
@@ -291,28 +291,6 @@ steps:
     SA_LIST_LENGTH: $(OUT_RESULT_LENGTH)
     SA_SERVICE_CONN: $(ACN_TEST_SERVICE_CONNECTION)
 
-- task: AzureCLI@2
-  displayName: "[Provision] Container Access Permissions"
-  continueOnError: true
-  inputs:
-    azureSubscription: $(ACN_TEST_SERVICE_CONNECTION)
-    scriptType: bash
-    scriptLocation: inlineScript
-    addSpnToEnvironment: true
-    inlineScript: |
-      set -e
-      [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
-
-      az role assignment create \
-        --role "Storage Blob Data Contributor" \
-        --assignee "$ACNCI_MANAGEDIDENTITY_OBJECTID" \
-        --assignee-principal-type "ServicePrincipal" \
-        --scope "$ACNCI_STORAGEACCOUNT_ID"
-  env:
-    ACNCI_BUILD_RESOURCEGROUP_ID: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_ID)
-    ACNCI_MANAGEDIDENTITY_OBJECTID: $(managedidentity.ACNCI_MANAGEDIDENTITY_OBJECTID)
-    ACNCI_STORAGEACCOUNT_ID: $(storageaccounts.ACNCI_STORAGEACCOUNT_ID)
-
 - task: AzureCLI@2
   name: artifact_container
   displayName: "[Output] Ensure Storage Container"
@@ -325,14 +303,12 @@ steps:
       set -e
       [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
 
-      az login --identity "$ACNCI_MANAGEDIDENTITY_ID"
       az storage account show -n "$SA_NAME" --query networkRuleSet
       az storage container create \
         --account-name "$SA_NAME" \
         --resource-group "$RG_NAME" \
         --name "$CONTAINER_NAME" \
         --auth-mode login
-        #--public-access off 
 
       echo >&2 "##vso[task.setvariable variable=ACNCI_STORAGEACCOUNT_ARTIFACT_CONTAINER;isoutput=true]$CONTAINER_NAME"
   env:
@@ -341,6 +317,28 @@ steps:
     SA_NAME: $(artifact_storage.ACNCI_STORAGEACCOUNT_NAME)
     ACNCI_MANAGEDIDENTITY_ID: $(managedidentity.ACNCI_MANAGEDIDENTITY_ID)
 
+- task: AzureCLI@2
+  displayName: "[Provision] Container Access Permissions"
+  continueOnError: true
+  inputs:
+    azureSubscription: $(ACN_TEST_SERVICE_CONNECTION)
+    scriptType: bash
+    scriptLocation: inlineScript
+    addSpnToEnvironment: true
+    inlineScript: |
+      set -e
+      [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
+
+      az role assignment create \
+        --role "Storage Blob Data Contributor" \
+        --assignee "$ACNCI_MANAGEDIDENTITY_OBJECTID" \
+        --assignee-principal-type "ServicePrincipal" \
+        --scope "$ACNCI_STORAGEACCOUNT_ID"
+  env:
+    ACNCI_BUILD_RESOURCEGROUP_ID: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_ID)
+    ACNCI_MANAGEDIDENTITY_OBJECTID: $(managedidentity.ACNCI_MANAGEDIDENTITY_OBJECTID)
+    ACNCI_STORAGEACCOUNT_ID: $(storageaccounts.ACNCI_STORAGEACCOUNT_ID)
+
 - task: AzureCLI@2
   name: artifact_blob
   displayName: "[Output] Get Blob Path"
diff --git a/.pipelines/templates/create-or-update-resource.steps.yaml b/.pipelines/templates/create-or-update-resource.steps.yaml
@@ -54,7 +54,7 @@ steps:
       ${{ elseif eq(parameters.resourceType, 'storageaccounts') }}:
         MANAGEDIDENTITY_ARMID: ${{ parameters.inputs.managedIdentityResourceId }}
         RESOURCEGROUP_NAME: ${{ parameters.inputs.resourceGroupName }}
-        RESOURCEGROUP_LOCATION: ${{ parameters.inputs.resourceGroupLocation }}
+        STORAGEACCOUNT_LOCATION: ${{ parameters.inputs.storageAccountLocation }}
         STORAGEACCOUNT_NAME: ${{ parameters.inputs.storageAccountName }}
 
       ${{ elseif eq(parameters.resourceType, 'roledefinition') }}:
@@ -100,31 +100,15 @@ steps:
           #[[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
           az upgrade -y
 
-          echo "az storage account create "
-          echo "--name "$STORAGEACCOUNT_NAME" "
-          echo "--location "$RESOURCEGROUP_LOCATION" "
-          echo "--resource-group "$RESOURCEGROUP_NAME" "
-          echo "--user-identity-id "$MANAGEDIDENTITY_ARMID" "
-          echo "--user-identity-type UserAssigned "
-          echo "--allow-blob-public-access false "
-          echo "--allow-shared-key-access false "
-          echo "--tags "$BUILDTAG_DEFINITIONID"="$SYSTEM_DEFINITIONID" "
-          echo ""$BUILDTAG_CREATEDBYBUILDID"="$BUILD_BUILDID" "
-          echo ""$BUILDTAG_CREATEDBYAPPID"="$servicePrincipalId""
           az storage account create \
             --name "$STORAGEACCOUNT_NAME" \
-            --location "$RESOURCEGROUP_LOCATION" \
+            --location "$STORAGEACCOUNT_LOCATION" \
             --resource-group "$RESOURCEGROUP_NAME" \ 
-            --user-identity-id "$MANAGEDIDENTITY_ARMID" \
-            --user-identity-type UserAssigned \
             --allow-blob-public-access false \
             --allow-shared-key-access false \
             --tags "$BUILDTAG_DEFINITIONID"="$SYSTEM_DEFINITIONID" \
                    "$BUILDTAG_CREATEDBYBUILDID"="$BUILD_BUILDID" \
                    "$BUILDTAG_CREATEDBYAPPID"="$servicePrincipalId"
-            #--enable-files-aad-integration true
-            #--assign-identity "$ACNCI_MANAGEDIDENTITY_OBJECTID" 
-            #--default-action Deny 
     
       ${{ elseif eq(parameters.resourceType, 'roledefinition') }}:
         inlineScript: |
