Validate identity type on user-assigned identities

Validate the identity type is 'UserAssigned' when using user-assigned
identities.

Signed-off-by: Bryan Cox <[email protected]>

Author: bryan-cox

api/v1beta1/azuremachine_default_test.go

@@ -596,6 +596,13 @@ func createMachineWithUserAssignedIdentities(identitiesList []UserAssignedIdenti
 	return machine
 }
 
+func createMachineWithUserAssignedIdentitiesWithBadIdentity(identitiesList []UserAssignedIdentity) *AzureMachine {
+	machine := hardcodedAzureMachineWithSSHKey(generateSSHPublicKey(true))
+	machine.Spec.Identity = VMIdentitySystemAssigned
+	machine.Spec.UserAssignedIdentities = identitiesList
+	return machine
+}
+
 func hardcodedAzureMachineWithSSHKey(sshPublicKey string) *AzureMachine {
 	return &AzureMachine{
 		ObjectMeta: metav1.ObjectMeta{

api/v1beta1/azuremachine_validation.go

@@ -138,6 +138,10 @@ func ValidateSystemAssignedIdentity(identityType VMIdentity, oldIdentity, newIde
 func ValidateUserAssignedIdentity(identityType VMIdentity, userAssignedIdentities []UserAssignedIdentity, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
+	if len(userAssignedIdentities) > 0 && identityType != VMIdentityUserAssigned {
+		allErrs = append(allErrs, field.Invalid(fldPath, identityType, "must be set to 'UserAssigned' when assigning any user identity to the machine"))
+	}
+
 	if identityType == VMIdentityUserAssigned {
 		if len(userAssignedIdentities) == 0 {
 			allErrs = append(allErrs, field.Required(fldPath, "must be specified for the 'UserAssigned' identity type"))
@@ -160,7 +164,7 @@ func ValidateSystemAssignedIdentityRole(identityType VMIdentity, roleAssignmentN
 	if roleAssignmentName != "" && role != nil && role.Name != "" {
 		allErrs = append(allErrs, field.Invalid(fldPath, role.Name, "cannot set both roleAssignmentName and systemAssignedIdentityRole.name"))
 	}
-	if identityType == VMIdentitySystemAssigned {
+	if identityType == VMIdentitySystemAssigned && role != nil {
 		if role.DefinitionID == "" {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "systemAssignedIdentityRole", "definitionID"), role.DefinitionID, "the definitionID field cannot be empty"))
 		}

api/v1beta1/azuremachine_webhook_test.go

@@ -95,6 +95,14 @@ func TestAzureMachine_ValidateCreate(t *testing.T) {
 			}),
 			wantErr: false,
 		},
+		{
+			name: "azuremachine with list of user-assigned identities with wrong identity type",
+			machine: createMachineWithUserAssignedIdentitiesWithBadIdentity([]UserAssignedIdentity{
+				{ProviderID: "azure:///subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/default-12345-control-plane-9d5x5"},
+				{ProviderID: "azure:///subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/default-12345-control-plane-a1b2c"},
+			}),
+			wantErr: true,
+		},
 		{
 			name:    "azuremachine with empty list of user-assigned identities",
 			machine: createMachineWithUserAssignedIdentities([]UserAssignedIdentity{}),