Add Identity node to Function Apps (#4382)

* Skip test to let artifacts publish

* Fix stupid build issue

* UI for managed identity

* Add system identity enablement, still need to do managed wizard

* WIP MI with azureutils package impl

* Use shared package logic to create role definitions

* Minor text edits

* Remove some copy/pasted stuff

* Remove setting

* Remove unused string

* Update to use real npm package

* Feedback

* PR feedback

* Update azure utils package

* Remove child under system assigned (disabled) node

* PR feedback

* Fix package-lock.json

* Use prerelease version

* cliFeed response

* Stringify json

* JSON parse bodyAsString

* Remove serviceconnector

* PR feedback

Author: nturinski

gulpfile.ts

@@ -28,9 +28,8 @@ async function prepareForWebpack(): Promise<void> {
 let downloadLink;
 async function getFuncLink() {
     const client = new msRest.ServiceClient();
-    const cliFeed = (await client.sendRequest({ method: 'GET', url: 'https://aka.ms/V00v5v' })).parsedBody;
-    // const version = cliFeed.tags['v4-prerelease'].release;
-    const version = '4.91.0';
+    const cliFeed = JSON.parse((await client.sendRequest({ method: 'GET', url: 'https://aka.ms/V00v5v' })).bodyAsText as string);
+    const version = cliFeed.tags['v4-prerelease'].release;
     console.log(`Func cli feed version: ${version}`);
     const cliRelease = cliFeed.releases[version].coreTools.find((rel) => {
         return rel.Architecture === 'x64' && (

package-lock.json

@@ -381,6 +381,17 @@
                 "category": "Azure Functions",
                 "icon": "$(notebook-execute)"
             },
+            {
+                "command": "azureFunctions.assignManagedIdentity",
+                "title": "%azureFunctions.assignManagedIdentity%",
+                "category": "Azure Functions",
+                "icon": "$(add)"
+            },
+            {
+                "command": "azureFunctions.enableSystemIdentity",
+                "title": "%azureFunctions.enableSystemIdentity%",
+                "category": "Azure Functions"
+            },
             {
                 "command": "azureFunctions.durableTaskScheduler.copySchedulerConnectionString",
                 "title": "%azureFunctions.durableTaskScheduler.copySchedulerConnectionString%",
@@ -709,6 +720,21 @@
                     "when": "view =~ /(azureResourceGroups|azureFocusView)/ && viewItem =~ /azFunc.*folder/",
                     "group": "1@1"
                 },
+                {
+                    "command": "azureFunctions.enableSystemIdentity",
+                    "when": "view =~ /(azureResourceGroups|azureFocusView)/ && viewItem =~ /systemIdentity.*disabled/i",
+                    "group": "1@1"
+                },
+                {
+                    "command": "azureFunctions.assignManagedIdentity",
+                    "when": "view =~ /(azureResourceGroups|azureFocusView)/ && viewItem =~ /userAssignedIdentities/",
+                    "group": "inline"
+                },
+                {
+                    "command": "azureFunctions.assignManagedIdentity",
+                    "when": "view =~ /(azureResourceGroups|azureFocusView)/ && viewItem =~ /userAssignedIdentities/",
+                    "group": "1@1"
+                },
                 {
                     "command": "azureFunctions.durableTaskScheduler.copySchedulerConnectionString",
                     "when": "view =~ /(azureResourceGroups|azureFocusView)/ && viewItem =~ /azFunc.dts.scheduler/",
@@ -1295,6 +1321,7 @@
         "all": "npm i && npm run lint && npm test"
     },
     "devDependencies": {
+        "@azure/arm-msi": "^2.1.0",
         "@azure/arm-resources": "^5.2.0",
         "@microsoft/eslint-config-azuretools": "^0.2.2",
         "@microsoft/vscode-azext-dev": "^2.0.2",
@@ -1346,7 +1373,7 @@
         "@azure/storage-blob": "^12.5.0",
         "@microsoft/vscode-azext-azureappservice": "^3.3.1",
         "@microsoft/vscode-azext-azureappsettings": "^0.2.2",
-        "@microsoft/vscode-azext-azureutils": "^3.1.5",
+        "@microsoft/vscode-azext-azureutils": "^3.1.6",
         "@microsoft/vscode-azext-utils": "^2.6.3",
         "@microsoft/vscode-azureresources-api": "^2.0.4",
         "cross-fetch": "^4.0.0",

package.json

@@ -9,6 +9,7 @@
     "azureFunctions.appSettings.rename": "Rename Setting...",
     "azureFunctions.appSettings.toggleSlotSetting": "Toggle as Slot Setting",
     "azureFunctions.appSettings.upload": "Upload Local Settings...",
+    "azureFunctions.assignManagedIdentity": "Assign Managed Identity to Function App...",
     "azureFunctions.browseWebsite": "Browse Website",
     "azureFunctions.configureDeploymentSource": "Configure Deployment Source...",
     "azureFunctions.connectToGitHub": "Connect to GitHub Repository...",
@@ -36,6 +37,7 @@
     "azureFunctions.enableJavaRemoteDebugging": "Enable remote debugging for Java Functions Apps running on Windows. (experimental)",
     "azureFunctions.enableOutputTimestamps": "Prepends each line displayed in the output channel with a timestamp.",
     "azureFunctions.enableRemoteDebugging": "Enable remote debugging for Node.js Function Apps running on Linux App Service plans. Consumption plans are not supported. (experimental)",
+    "azureFunctions.enableSystemIdentity": "Enable System Assigned Identity...",
     "azureFunctions.endOfLifeWarning": "Show a warning when creating Function Apps with stacks within 6 months of their end of life.",
     "azureFunctions.executeFunction": "Execute Function Now...",
     "azureFunctions.funcCliPath": "The path to the 'func' executable to use for debug and deploy tasks. For example, set it to 'node_modules/.bin/func' if using the func cli installed as a local npm package.",
@@ -119,7 +121,6 @@
     "azureFunctions.walkthrough.functionsStart.scenarios.description": "Learn how you can use Azure Functions to build event-driven systems.\n\nIf you're just getting started with Azure Functions, you can [learn about the anatomy of an Azure Functions application](https://aka.ms/functions-getstarted-devguide).",
     "azureFunctions.walkthrough.functionsStart.scenarios.title": "Explore common scenarios",
     "azureFunctions.walkthrough.functionsStart.title": "Get Started with Azure Functions",
-
     "azureFunctions.durableTaskScheduler.copySchedulerConnectionString": "Copy Connection String",
     "azureFunctions.durableTaskScheduler.copySchedulerEndpoint": "Copy Endpoint",
     "azureFunctions.durableTaskScheduler.createScheduler": "Create Durable Task Scheduler...",
@@ -128,6 +129,5 @@
     "azureFunctions.durableTaskScheduler.deleteScheduler": "Delete Scheduler...",
     "azureFunctions.durableTaskScheduler.deleteTaskHub": "Delete Task Hub...",
     "azureFunctions.durableTaskScheduler.openTaskHubDashboard": "Open in Dashboard",
-
     "azureFunctions.durableTaskScheduler.enablePreviewFeatures": "Enable Durable Task Scheduler preview features"
 }

package.nls.json

@@ -0,0 +1,47 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { type ManagedServiceIdentityType } from "@azure/arm-appservice";
+import { type Identity } from "@azure/arm-resources";
+import { createWebSiteClient, type ParsedSite } from "@microsoft/vscode-azext-azureappservice";
+import { AzureWizardExecuteStep, nonNullProp } from "@microsoft/vscode-azext-utils";
+import { type Progress } from "vscode";
+import { ext } from "../../extensionVariables";
+import { localize } from "../../localize";
+import { type ManagedIdentityAssignContext } from "./ManagedIdentityAssignContext";
+
+export class EnableSystemIdentityAssignStep extends AzureWizardExecuteStep<ManagedIdentityAssignContext> {
+    public priority: number;
+
+    public async execute(context: ManagedIdentityAssignContext, _progress: Progress<{ message?: string | undefined; increment?: number | undefined; }>): Promise<void> {
+        const site: ParsedSite = nonNullProp(context, 'site');
+        const client = await createWebSiteClient([context, site.subscription]);
+
+        const identity = site.rawSite.identity || {};
+        identity.type = addSystemAssignedType(identity);
+        site.rawSite.identity = identity;
+
+        const enabling: string = localize('enabling', 'Enabling system assigned identity for "{0}"...', site.fullName);
+        const enabled: string = localize('enabled', 'Enabled system assigned identity for "{0}"', site.fullName);
+        ext.outputChannel.appendLog(enabling);
+
+        await client.webApps.update(site.resourceGroup, site.siteName, site.rawSite);
+        ext.outputChannel.appendLog(enabled);
+    }
+
+    public shouldExecute(_context: ManagedIdentityAssignContext): boolean {
+        return true;
+    }
+}
+
+const addSystemAssignedType = (identity: Identity): ManagedServiceIdentityType => {
+    if (!identity.type || identity.type === 'None') {
+        return 'SystemAssigned';
+    } else if (identity.type === ('UserAssigned')) {
+        return 'SystemAssigned, UserAssigned';
+    } else {
+        return nonNullProp(identity, 'type');
+    }
+};

resources/ManagedIdentityUserAssignedIdentities.svg

@@ -0,0 +1,12 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { type ParsedSite } from "@microsoft/vscode-azext-azureappservice";
+import { type IResourceGroupWizardContext } from "@microsoft/vscode-azext-azureutils";
+import { type ExecuteActivityContext } from "@microsoft/vscode-azext-utils";
+
+export interface ManagedIdentityAssignContext extends IResourceGroupWizardContext, ExecuteActivityContext {
+    site?: ParsedSite;
+}

src/commands/identity/EnableSystemIdentityStep.ts

@@ -0,0 +1,61 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { type ManagedServiceIdentity, type ManagedServiceIdentityType } from "@azure/arm-appservice";
+import { createWebSiteClient, type ParsedSite } from "@microsoft/vscode-azext-azureappservice";
+import { AzureWizardExecuteStep, nonNullProp } from "@microsoft/vscode-azext-utils";
+import { type Progress } from "vscode";
+import { ext } from "../../extensionVariables";
+import { localize } from "../../localize";
+import { type ManagedIdentityAssignContext } from "./ManagedIdentityAssignContext";
+
+export class ManagedIdentityAssignStep extends AzureWizardExecuteStep<ManagedIdentityAssignContext> {
+    public priority: number = 500;
+
+    public async execute(context: ManagedIdentityAssignContext, _progress: Progress<{ message?: string | undefined; increment?: number | undefined; }>): Promise<void> {
+        const site: ParsedSite = nonNullProp(context, 'site');
+        const managedIdentity = nonNullProp(context, 'managedIdentity');
+        const id: string = nonNullProp(managedIdentity, 'id');
+        const client = await createWebSiteClient([context, site.subscription]);
+
+        const existingIdentity = site.rawSite.identity || {};
+        const updatedIdentity: ManagedServiceIdentity = {
+            ...existingIdentity,
+            // type property is required and may not exist yet
+            type: addUserAssignedType(existingIdentity.type),
+            userAssignedIdentities: {
+                ...existingIdentity.userAssignedIdentities,
+                [id]: {
+                    principalId: managedIdentity.principalId,
+                    clientId: managedIdentity.clientId,
+                }
+            }
+        };
+
+        const newSite = site.rawSite;
+        newSite.identity = updatedIdentity;
+        const assigning: string = localize('assigning', 'Assigning user assigned identity "{1}" for "{0}"...', site.fullName, managedIdentity.name);
+        const assigned: string = localize('assigned', 'Assigned user assigned identity "{1}" for "{0}".', site.fullName, managedIdentity.name);
+        ext.outputChannel.appendLog(assigning);
+
+        await client.webApps.beginCreateOrUpdateAndWait(site.resourceGroup, site.siteName, newSite);
+        ext.outputChannel.appendLog(assigned);
+    }
+
+    public shouldExecute(_context: ManagedIdentityAssignContext): boolean {
+        return true;
+    }
+
+}
+
+const addUserAssignedType = (type: ManagedServiceIdentityType | undefined): ManagedServiceIdentityType => {
+    if (type?.includes('UserAssigned')) {
+        return type
+    }
+    if (type === 'SystemAssigned') {
+        return 'SystemAssigned, UserAssigned';
+    }
+    return 'UserAssigned';
+};