azure-rest-api-specs
`Microsoft.Network/applicationGateways` resource incorrectly specifies `SystemAssigned` as a valid identity type
Created from https://github.com/Azure/azure-resource-manager-schemas/issues/852.
Users report that the service does not accept a `SystemAssigned` identity, yet the swagger spec declares support for it:
https://github.com/Azure/azure-rest-api-specs/blob/ac0ab10f7605f63dfb8854fede1dbf6daa9df825/specification/network/resource-manager/Microsoft.Network/stable/2021-05-01/applicationGateway.json#L2973-L2976
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @appgwsuppgithub.
Issue Details
| Author: | anthony-c-martin |
|---|---|
| Assignees: | ruowan |
| Labels: | |
| Milestone: | - |
Application Gateway supports managed identities for the KeyVault integration which has the same definition format: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs#how-integration-works
Example usage would look something like:
```json
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2020-11-01",
  "name": "[parameters('applicationGateways_AppGW_Lab_name')]",
  "location": "eastus2",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/711d99a7-XXXX-XXXX-XXXX-ea1afa18442e/resourcegroups/MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AppGW-Lab-MI": {
        "principalId": "00d0f39d-XXXX-XXXX-XXXX-04e76d895c86",
        "clientId": "5cf9d0f8-XXXX-XXXX-XXXX-30654a58ae29"
      }
    }
  },
  "properties": {
  }
}
```
Please let me know if this addresses the concern or not. Jack
@JackStromberg - thanks for the sample. This issue actually isn't related to the `UserAssigned` identity type - it's about the `SystemAssigned` identity type. The original issue (https://github.com/Azure/azure-resource-manager-schemas/issues/852) that was raised gives a bit more context.
Essentially the service is declaring support for `SystemAssigned` through the swagger spec, but it appears that it's not actually supported. The ask is to modify the swagger spec to only declare support for `UserAssigned`, so that users are shown an error when editing ARM Templates / Bicep if they use the wrong value.
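Until the spec is corrected, the check requested above can be approximated before deployment. The following is an added example, not code from this thread or from the Azure tooling: it assumes the behaviour reported here (the service rejects `SystemAssigned` on Application Gateways), and the function names, sample template and `<identity-resource-id>` placeholder are constructed for illustration.

```python
import json

APPGW_TYPE = "microsoft.network/applicationgateways"

# Constructed sample template (not from the thread): one gateway per identity form.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Network/applicationGateways", "name": "gw-user",
   "identity": {"type": "UserAssigned", "userAssignedIdentities": {"<identity-resource-id>": {}}}},
  {"type": "Microsoft.Network/applicationGateways", "name": "gw-system",
   "identity": {"type": "SystemAssigned"}},
  {"type": "Microsoft.Network/applicationGateways", "name": "gw-both",
   "identity": {"type": "SystemAssigned, UserAssigned"}},
  {"type": "Microsoft.Network/applicationGateways", "name": "gw-param",
   "identity": {"type": "[parameters('identityType')]"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "st",
   "identity": {"type": "SystemAssigned"}}
]}
""")


def walk(resources):
    """Yield every resource, including nested child resources."""
    if isinstance(resources, dict):  # resources given as an object keyed by symbolic name
        resources = resources.values()
    for res in resources or []:
        yield res
        yield from walk(res.get("resources"))


def check_appgw_identity(template):
    """Return (name, verdict) for each Application Gateway that sets identity.type."""
    findings = []
    for res in walk(template.get("resources")):
        id_type = (res.get("identity") or {}).get("type")
        if str(res.get("type", "")).lower() != APPGW_TYPE or id_type is None:
            continue
        kinds = {part.strip().lower() for part in str(id_type).split(",")}
        if str(id_type).startswith("["):
            verdict = "unresolved"  # template expression, value known only at deployment
        else:
            verdict = "reject" if "systemassigned" in kinds else "ok"
        findings.append((res.get("name"), verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in check_appgw_identity(SAMPLE_TEMPLATE):
        print(f"{verdict:10} {name}")
```

The combined `SystemAssigned, UserAssigned` value is flagged as well, since it also requests a system-assigned identity; parameterised values are reported as `unresolved` rather than guessed.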
Understood and see the further definition containing both values here (root of the issue): https://github.com/Azure/azure-rest-api-specs/blob/ac0ab10f7605f63dfb8854fede1dbf6daa9df825/specification/network/resource-manager/Microsoft.Network/stable/2021-05-01/network.json#L205-L218
I've logged this internally.
@JackStromberg Any update on this issue?
I've just come across it myself, and noticed this issue still open. Are the docs wrong, or is there a bug when validating the ARM template?