Add managed identities support to RG setup scripts #837
eujing wants to merge 3 commits into microsoft:main from
Conversation
Has any of this been developed with an eye towards rectifying an existing setup?
@bpkroth that is a good point. Unfortunately I have only tested this with setting up from scratch.
However, in theory I think this should work for existing resource groups.
Assuming the existing RG was set up with these scripts, I think all the az cli calls (need to confirm) are idempotent.
For example, using the same ARM template and parameters should give us back the required details of the resources without changing them too much (same naming conventions)
Then the new block of logic for managed identity should be applied to those existing resources (VMs, storage accounts, RG role).
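As an added illustration of the re-run argument above (example code, not the PR's setup scripts and not the author's words): each step reads before it writes, so a second run against an existing resource group leaves the VMs, storage accounts and role assignments as they are. The resource group name, identity name, role names and the `Ensure-RoleAssignment` helper are this example's own assumptions; the PR's scripts may assign different roles.

```powershell
# Added example, not the PR's setup scripts: re-running managed identity setup
# against an existing resource group. Every step is read-before-write so a
# second run changes nothing. $rg, $miName and the role names are assumptions.
$rg     = "mlos-rg"
$miName = "mlos-mi"

# 1. User-assigned identity: 'az identity create' returns the existing identity
#    unchanged when it already exists, so no pre-check is needed here.
$mi = az identity create --resource-group $rg --name $miName -o json | ConvertFrom-Json

# 2. Attach the identity to every VM in the RG. Re-assigning an identity that
#    is already attached leaves the VM's identity block as it is.
foreach ($vm in (az vm list --resource-group $rg --query "[].name" -o tsv)) {
    az vm identity assign --resource-group $rg --name $vm --identities $mi.id | Out-Null
}

# 3. Role assignments are keyed by (principal, role, scope); check before
#    creating so the re-run never tries to create a duplicate.
function Ensure-RoleAssignment([string] $principalId, [string] $role, [string] $scope) {
    $existing = az role assignment list --assignee $principalId --role $role --scope $scope --query "[].id" -o tsv
    if (-not $existing) {
        az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal `
            --role $role --scope $scope | Out-Null
        return "created"
    }
    return "exists"
}

# RG-level role for the identity (role name is an assumption).
$rgId = az group show --name $rg --query id -o tsv
Ensure-RoleAssignment $mi.principalId "Contributor" $rgId

# Per-storage-account data-plane role (role name is an assumption).
foreach ($saId in (az storage account list --resource-group $rg --query "[].id" -o tsv)) {
    Ensure-RoleAssignment $mi.principalId "Storage Blob Data Contributor" $saId
}
```

The `Ensure-RoleAssignment` return value ("created" or "exists") is what an end-to-end test would assert on across two consecutive runs: the first run should report "created" for each scope and the second "exists" for all of them.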
I think we might need to add end-to-end tests to validate these finally, though maybe in a separate PR.
| -servicePrincipalName $servicePrincipalName ` | ||
| -certName $certName | ||
|
|
||
| # If setting up with a Managed Identity |
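Review bot: the `# If setting up with a Managed Identity` comment introduces an alternative to the `-servicePrincipalName`/`-certName` invocation above it, but nothing in this README section says that the two invocations are alternatives, when to choose the managed-identity one, or which parameters each path requires; add a short paragraph before the block stating that and listing the parameters of each path.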
Can you give more context in the README about this part?
When should one use a Managed Identity? How does one set it up, etc.
| -controlPlaneArmParamsFile $controlPlaneArmParamsFile ` | ||
| -resourceGroupName $resourceGroupName ` | ||
| -resultsDbArmParamsFile $resultsDbArmParamsFile ` | ||
| -managedIdentityname $managedIdentityName |
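Review bot: `-managedIdentityname` on the last line breaks the camelCase used by `-controlPlaneArmParamsFile` and `-resultsDbArmParamsFile` above it; PowerShell binds parameter names case-insensitively, so the call still works, but the README line should read `-managedIdentityName $managedIdentityName` to match the variable name and the script's param block.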
| -managedIdentityname $managedIdentityName | |
| -managedIdentityName $managedIdentityName |
consistent camelCasing please
| --controlPlaneArmParamsFile $controlPlaneArmParamsFile \ | ||
| --resourceGroupName $resourceGroupName \ | ||
| --resultsDbArmParamsFile $resultsDbArmParamsFile \ | ||
| --managedIdentityname $managedIdentityName |
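Review bot: `--managedIdentityname` on the last line is more than a style issue here: unlike the PowerShell variant, a shell script's option parsing normally compares the option string exactly, so this README line only works if the script accepts that exact spelling; change it to `--managedIdentityName $managedIdentityName` and confirm it against the option string the shell script actually matches.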
| --managedIdentityname $managedIdentityName | |
| --managedIdentityName $managedIdentityName |
| [string] $resourceGroupName, | ||
| [Parameter(Mandatory=$True)] | ||
| # Managed Identity params | ||
| [Parameter(Mandatory=$True, ParameterSetName="ByMI")] |
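Review bot: `ParameterSetName="ByMI"` on the managed-identity parameters puts them in a set of their own, so they cannot be combined with the service-principal parameters, and a caller who passes both gets PowerShell's generic "Parameter set cannot be resolved using the specified named parameters" error with no hint about which parameters conflict. If exclusivity is intended, add `[CmdletBinding(DefaultParameterSetName=...)]` so the existing service-principal path stays the default and document both sets in the README; if the two are meant to be combinable, drop the set name and validate the combination in the script body with a message that names the parameters involved.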
Are using ServicePrincipals and ManagedIdentity mutually exclusive?
Why can't we combine those still?
And if not, can the feedback to the user be improved to note that that's not the case?
TODO:
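An added example (not code from the PR, and not the reviewer's words) of one answer to the question above: the service-principal and managed-identity parameters are kept in two explicit parameter sets, the service-principal set is the default, and a call that mixes the two is reported with a message naming both sets instead of the generic binder error. The set name `BySP`, the default choice, the `Resolve-AuthMode` function and the error text are this example's own assumptions; only `ByMI` and the parameter names come from the PR.

```powershell
# Added example (not the PR's script): mutually exclusive parameter sets with
# explicit feedback. ByMI, -servicePrincipalName, -certName and
# -managedIdentityName follow the PR; BySP, the default set, the error text
# and Resolve-AuthMode are this example's own choices.
function Resolve-AuthMode {
    [CmdletBinding(DefaultParameterSetName = "BySP")]
    param(
        # Common to both sets: no ParameterSetName means "all sets".
        [Parameter(Mandatory = $true)]
        [string] $resourceGroupName,

        # Service principal params: only valid together.
        [Parameter(Mandatory = $true, ParameterSetName = "BySP")]
        [string] $servicePrincipalName,
        [Parameter(Mandatory = $true, ParameterSetName = "BySP")]
        [string] $certName,

        # Managed identity params: exclusive with the BySP set.
        [Parameter(Mandatory = $true, ParameterSetName = "ByMI")]
        [string] $managedIdentityName
    )
    # The binder has already resolved the set by the time the body runs.
    switch ($PSCmdlet.ParameterSetName) {
        "BySP" { return @{ Mode = "ServicePrincipal"; Principal = $servicePrincipalName; Cert = $certName } }
        "ByMI" { return @{ Mode = "ManagedIdentity";  Principal = $managedIdentityName } }
    }
}

# Either set alone resolves cleanly.
Resolve-AuthMode -resourceGroupName "mlos-rg" -servicePrincipalName "mlos-sp" -certName "mlos-cert"
Resolve-AuthMode -resourceGroupName "mlos-rg" -managedIdentityName "mlos-mi"

# Passing parameters from both sets is rejected by the binder before the body
# runs; catching the binding exception lets the caller see a message that
# names the two sets rather than only the generic "cannot be resolved" text.
try {
    Resolve-AuthMode -resourceGroupName "mlos-rg" -servicePrincipalName "mlos-sp" -certName "mlos-cert" -managedIdentityName "mlos-mi"
} catch [System.Management.Automation.ParameterBindingException] {
    Write-Error "Use either -servicePrincipalName/-certName (BySP) or -managedIdentityName (ByMI), not both. Binder said: $($_.Exception.Message)"
}
```

With the default set in place, an existing caller that passes only the service-principal parameters keeps working unchanged, which is the compatibility property an upgrade of an existing resource group setup depends on.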