PS Changes for User Managed Identity (#25632)

* PS Changes for User Managed Identity

* update changeLog.md

* update changeLog.md

* Update ChangeLog.md

* updating New-AzNetworkWatcherFlowLog.md file

---------

Co-authored-by: Yabo Hu <[email protected]>

Author: jmegha123

src/Network/Network.Test/ScenarioTests/NetworkWatcherAPITests.cs

@@ -162,6 +162,30 @@ public void TestCRUDVnetFlowLog()
             TestRunner.RunTestScript("Test-CRUDVnetFlowLog");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.LiveOnly)]
+        [Trait(Category.Owner, NrpTeamAlias.netanalyticsdev)]
+        public void TestCRUDVnetFlowLogWithManagedIdentity()
+        {
+            TestRunner.RunTestScript("Test-CRUDVnetFlowLogWithManagedIdentity");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.LiveOnly)]
+        [Trait(Category.Owner, NrpTeamAlias.netanalyticsdev)]
+        public void TestCRUDVnetFlowLogWithNoneManagedIdentity()
+        {
+            TestRunner.RunTestScript("Test-CRUDVnetFlowLogWithNoneManagedIdentity");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.LiveOnly)]
+        [Trait(Category.Owner, NrpTeamAlias.netanalyticsdev)]
+        public void TestSetVnetFlowLogWithManagedIdentityFromNoMIInput()
+        {
+            TestRunner.RunTestScript("Test-SetVnetFlowLogWithManagedIdentity");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.LiveOnly)]
         [Trait(Category.Owner, NrpTeamAlias.netanalyticsdev)]

src/Network/Network.Test/ScenarioTests/NetworkWatcherAPITests.ps1

@@ -1036,6 +1036,255 @@ function Test-CRUDVnetFlowLog
     }
 }
 
+<#
+.SYNOPSIS
+Test Flow log CRUD API With Managed Identity.
+#>
+function Test-CRUDVnetFlowLogWithManagedIdentity
+{
+    # Setup
+    $resourceGroupName = Get-NrpResourceGroupName
+    $nwName = Get-NrpResourceName
+    $nwRgName = Get-NrpResourceGroupName
+    $flowLogName = Get-NrpResourceName
+    $domainNameLabel = Get-NrpResourceName
+    $vnetName = Get-NrpResourceName
+    $stoname =  Get-NrpResourceName
+    $location = Get-ProviderLocation "Microsoft.Network/networkWatchers" "Central US EUAP"
+    $identityName = Get-NrpResourceName
+
+    try 
+    {
+        # Create Resource group
+        New-AzResourceGroup -Name $resourceGroupName -Location "$location"
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name "FlowLogSubnet" -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+        $vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName
+        
+        # Create Resource group for Network Watcher
+        New-AzResourceGroup -Name $nwRgName -Location "$location"
+        
+        # Get Network Watcher
+        $nw = Get-CreateTestNetworkWatcher -location $location -nwName $nwName -nwRgName $nwRgName
+ 
+        # Create storage
+        $stoname = 'sto' + $stoname
+        $stotype = 'Standard_GRS'
+
+        New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $stoname -Location $location -Type $stotype;
+        $sto = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $stoname;
+
+        # Create Managed Identity
+		$identity = New-AzUserAssignedIdentity -Name $identityName -Location $location -ResourceGroup $resourceGroupName
+
+        # Create flow log
+        $config = New-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName -TargetResourceId $vnet.Id -StorageId $sto.Id -Enabled $true -UserAssignedIdentity $identity.Id
+
+        # Validation set operation
+        Assert-AreEqual $config.TargetResourceId $vnet.Id
+        Assert-AreEqual $config.StorageId $sto.Id
+        Assert-AreEqual $config.Enabled $true
+        Assert-AreEqual $config.Format.Version 2
+
+        # Get flow log
+        $flowLog = Get-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName
+
+        # Get flow log Identity
+        $identity01 = $flowLog.Identity
+
+        # Validation get operation
+        Assert-AreEqual $flowLog.TargetResourceId $vnet.Id
+        Assert-AreEqual $flowLog.StorageId $sto.Id
+        Assert-AreEqual $flowLog.Enabled $true
+        Assert-AreEqual $identity01.UserAssignedIdentities.Count 1
+		Assert-NotNull $identity01.UserAssignedIdentities.Values[0].PrincipalId
+		Assert-NotNull $identity01.UserAssignedIdentities.Values[0].ClientId
+
+        # Delete flow log
+        Remove-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $resourceGroupName
+        Clean-ResourceGroup $nwRgName
+    }
+}
+
+<#
+.SYNOPSIS
+Test Flow log CRUD API With Managed Identity.
+#>
+function Test-CRUDVnetFlowLogWithNoneManagedIdentity
+{
+    # Setup
+    $resourceGroupName = Get-NrpResourceGroupName
+    $nwName = Get-NrpResourceName
+    $nwRgName = Get-NrpResourceGroupName
+    $flowLogName = Get-NrpResourceName
+    $domainNameLabel = Get-NrpResourceName
+    $vnetName = Get-NrpResourceName
+    $stoname =  Get-NrpResourceName
+    $location = Get-ProviderLocation "Microsoft.Network/networkWatchers" "Central US EUAP"
+    $identityName = Get-NrpResourceName
+
+    try 
+    {
+        # Create Resource group
+        New-AzResourceGroup -Name $resourceGroupName -Location "$location"
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name "FlowLogSubnet" -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+        $vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName
+        
+        # Create Resource group for Network Watcher
+        New-AzResourceGroup -Name $nwRgName -Location "$location"
+        
+        # Get Network Watcher
+        $nw = Get-CreateTestNetworkWatcher -location $location -nwName $nwName -nwRgName $nwRgName
+ 
+        # Create storage
+        $stoname = 'sto' + $stoname
+        $stotype = 'Standard_GRS'
+
+        New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $stoname -Location $location -Type $stotype;
+        $sto = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $stoname;
+
+        # Create Managed Identity
+		$identity = New-AzUserAssignedIdentity -Name $identityName -Location $location -ResourceGroup $resourceGroupName
+
+        # Create flow log
+        $config = New-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName -TargetResourceId $vnet.Id -StorageId $sto.Id -Enabled $true -UserAssignedIdentity $identity.Id
+
+        # Validation set operation
+        Assert-AreEqual $config.TargetResourceId $vnet.Id
+        Assert-AreEqual $config.StorageId $sto.Id
+        Assert-AreEqual $config.Enabled $true
+        Assert-AreEqual $config.Format.Version 2
+
+        # Get flow log
+        $flowLog = Get-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName
+
+        # Get flow log Identity
+        $identity01 = $flowLog.Identity
+
+        # Validation get operation
+        Assert-AreEqual $flowLog.TargetResourceId $vnet.Id
+        Assert-AreEqual $flowLog.StorageId $sto.Id
+        Assert-AreEqual $flowLog.Enabled $true
+        Assert-AreEqual $identity01.UserAssignedIdentities.Count 1
+		Assert-NotNull $identity01.UserAssignedIdentities.Values[0].PrincipalId
+		Assert-NotNull $identity01.UserAssignedIdentities.Values[0].ClientId
+
+        Set-AzNetworkWatcherFlowLog -InputObject $flowLog -UserAssignedIdentity "None" -Force
+
+         # Get flow log
+        $updatedFlowLog = Get-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName
+
+        # Get flow log Identity
+        $identity01 = $updatedFlowLog.Identity
+
+        Assert-AreEqual $identity01.UserAssignedIdentities.Count 0
+        Assert-Null $identity01.UserAssignedIdentities.Values[0].PrincipalId
+        Assert-Null $identity01.UserAssignedIdentities.Values[0].ClientId
+
+        # Delete flow log
+        Remove-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $resourceGroupName
+        Clean-ResourceGroup $nwRgName
+    }
+}
+
+<#
+.SYNOPSIS
+Test Flow log CRUD API With Managed Identity.
+#>
+function Test-SetVnetFlowLogWithManagedIdentity
+{
+    # Setup
+    $resourceGroupName = Get-NrpResourceGroupName
+    $nwName = Get-NrpResourceName
+    $nwRgName = Get-NrpResourceGroupName
+    $flowLogName = Get-NrpResourceName
+    $domainNameLabel = Get-NrpResourceName
+    $vnetName = Get-NrpResourceName
+    $stoname =  Get-NrpResourceName
+    $location = Get-ProviderLocation "Microsoft.Network/networkWatchers" "Central US EUAP"
+    $identityName = Get-NrpResourceName
+
+    try 
+    {
+        # Create Resource group
+        New-AzResourceGroup -Name $resourceGroupName -Location "$location"
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name "FlowLogSubnet" -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+        $vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName
+        
+        # Create Resource group for Network Watcher
+        New-AzResourceGroup -Name $nwRgName -Location "$location"
+        
+        # Get Network Watcher
+        $nw = Get-CreateTestNetworkWatcher -location $location -nwName $nwName -nwRgName $nwRgName
+ 
+        # Create storage
+        $stoname = 'sto' + $stoname
+        $stotype = 'Standard_GRS'
+
+        New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $stoname -Location $location -Type $stotype;
+        $sto = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $stoname;
+
+        # Create flow log
+        $config = New-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName -TargetResourceId $vnet.Id -StorageId $sto.Id -Enabled $true
+
+        # Validation set operation
+        Assert-AreEqual $config.TargetResourceId $vnet.Id
+        Assert-AreEqual $config.StorageId $sto.Id
+        Assert-AreEqual $config.Enabled $true
+        Assert-AreEqual $config.Format.Version 2
+
+        # Get flow log
+        $flowLog = Get-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName
+
+        # Create Managed Identity
+		$identity = New-AzUserAssignedIdentity -Name $identityName -Location $location -ResourceGroup $resourceGroupName
+
+        # Set flow log with Managed Identity
+        Set-AzNetworkWatcherFlowLog -InputObject $flowLog -UserAssignedIdentity $identity.id -Force
+        
+        # Get updated flowLog
+        $updatedFlowLog = Get-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName
+        
+        # Get updated flow log Identity
+        $identity01 = $updatedFlowLog.Identity
+
+        # Validation get operation
+        Assert-AreEqual $updatedFlowLog.TargetResourceId $vnet.Id
+        Assert-AreEqual $updatedFlowLog.StorageId $sto.Id
+        Assert-AreEqual $updatedFlowLog.Enabled $true
+        Assert-AreEqual $identity01.UserAssignedIdentities.Count 1
+		Assert-NotNull $identity01.UserAssignedIdentities.Values[0].PrincipalId
+		Assert-NotNull $identity01.UserAssignedIdentities.Values[0].ClientId
+
+        # Delete flow log
+        Remove-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name $flowLogName
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $resourceGroupName
+        Clean-ResourceGroup $nwRgName
+    }
+}
+
 <#
 .SYNOPSIS
 Test Flow log CRUD API.

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.NetworkWatcherAPITests/TestCRUDVnetFlowLogWithManagedIdentity.json

@@ -19,6 +19,7 @@
 --->
 
 ## Upcoming Release
+* Added support of `UserAssignedIdentityId` Property in `New-AzNetworkWatcherFlowLog` and `Set-AzNetworkWatcherFlowLog` commands
 
 ## Version 7.8.0
 * Added new cmdlets to support Save & Commit (AzureFirewallPolicy draft)

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.NetworkWatcherAPITests/TestCRUDVnetFlowLogWithNoneManagedIdentity.json

@@ -34,6 +34,9 @@ public class PSFlowLogResource : PSTopLevelResource
         [Ps1Xml(Target = ViewControl.Table)]
         public bool? Enabled { get; set; }
 
+        [Ps1Xml(Target = ViewControl.Table)]
+        public PSManagedServiceIdentity Identity { get; set; }
+
         public PSRetentionPolicyParameters RetentionPolicy { get; set; }
 
         public PSFlowLogFormatParameters Format { get; set; }
@@ -52,6 +55,12 @@ public string FormatText
             get { return JsonConvert.SerializeObject(this.Format, Formatting.Indented, new JsonSerializerSettings() { NullValueHandling = NullValueHandling.Ignore }); }
         }
 
+        [JsonIgnore]
+        public string IdentityText
+        {
+            get { return JsonConvert.SerializeObject(Identity, Formatting.Indented, new JsonSerializerSettings() { NullValueHandling = NullValueHandling.Ignore }); }
+        }
+
         [JsonIgnore]
         public string FlowAnalyticsConfigurationText
         {

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.NetworkWatcherAPITests/TestSetVnetFlowLogWithManagedIdentityFromNoMIInput.json

@@ -49,7 +49,7 @@ public bool IsFlowLogPresent(string resourceGroupName, string name, string flowL
 
         public bool IsValidResourceId(ResourceIdentifier id, string expectedResourceType, bool validateParent = false, string expectedParentType = null)
         {
-            if (id == null || string.IsNullOrEmpty(id.ResourceName) || string.IsNullOrEmpty(id.ResourceGroupName) || string.IsNullOrEmpty(id.Subscription) 
+            if (id == null || string.IsNullOrEmpty(id.ResourceName) || string.IsNullOrEmpty(id.ResourceGroupName) || string.IsNullOrEmpty(id.Subscription)
                 || !string.Equals(id.ResourceType, expectedResourceType, StringComparison.OrdinalIgnoreCase))
             {
                 return false;
@@ -73,7 +73,7 @@ public bool IsValidResourceId(ResourceIdentifier id, string expectedResourceType
         }
 
         public void ValidateFlowLogParameters(string targetResourceId, string storageId, int? formatVersion, string formatType,
-            bool enableTrafficAnalytics, string trafficAnalyticsWorkspaceId, int? trafficAnalyticsInterval, int? retentionPolicyDays)
+            bool enableTrafficAnalytics, string trafficAnalyticsWorkspaceId, int? trafficAnalyticsInterval, int? retentionPolicyDays, string userAssignedIdentityId)
         {
             ResourceIdentifier targetResourceInfo = new ResourceIdentifier(targetResourceId);
             if (!this.IsValidResourceId(targetResourceInfo, "Microsoft.Network/networkSecurityGroups") &&
@@ -95,7 +95,7 @@ public void ValidateFlowLogParameters(string targetResourceId, string storageId,
                 throw new PSArgumentException(Properties.Resources.InvalidFlowLogFormatVersion);
             }
 
-            if (!string.IsNullOrEmpty(formatType) && !string.Equals(formatType, "JSON", StringComparison.OrdinalIgnoreCase))
+            if (!string.IsNullOrEmpty(formatType) && (!string.Equals(formatType, "JSON", StringComparison.OrdinalIgnoreCase) && !string.Equals(formatType, "FlowLogJSON", StringComparison.OrdinalIgnoreCase)))
             {
                 throw new PSArgumentException(Properties.Resources.InvalidFlowLogFormatVersion);
             }
@@ -123,6 +123,15 @@ public void ValidateFlowLogParameters(string targetResourceId, string storageId,
             {
                 throw new PSArgumentException(Properties.Resources.InvalidTrafficAnalyticsInterval);
             }
+
+            if (userAssignedIdentityId != null && !string.Equals(userAssignedIdentityId, "none", StringComparison.OrdinalIgnoreCase))
+            {
+                ResourceIdentifier userAssignedIdentityInfo = new ResourceIdentifier(userAssignedIdentityId);
+                if (!this.IsValidResourceId(userAssignedIdentityInfo, "Microsoft.ManagedIdentity/userAssignedIdentities"))
+                {
+                    throw new PSArgumentException(Properties.Resources.InvalidUserAssignedManagedIdentity);
+                }
+            }
         }
     }
 }