Work around error messages from Bicep and ARM TTK, such as updated AP…

…I versions, passing down _artifactsLocation, etc.
microsoft · Feb 22, 2024 · 1c3c4fd · 1c3c4fd
1 parent 3cef834
commit 1c3c4fd
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 33 deletions.
diff --git a/managed-app/src/createUiDefinition.json b/managed-app/src/createUiDefinition.json
@@ -51,8 +51,8 @@
         "toolTip": "Use only allowed characters",
         "constraints": {
           "required": true,
-          "regex": "^[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9]{3, 10}$",
-          "validationMessage": "Only alphanumeric characters are allowed, and the value must be 6-30 characters long."
+          "regex": "^([a-zA-Z][a-zA-Z0-9\\-]*[a-zA-Z0-9]){3, 24}$",
+          "validationMessage": "Only alphanumeric characters are allowed, and the value must be 3-24 characters long."
         },
         "visible": true
       },

diff --git a/managed-app/src/mainTemplate.bicep b/managed-app/src/mainTemplate.bicep
@@ -26,10 +26,13 @@ param dnsLabelPrefix string
 @description('Size of the virtual machine.')
 param vmSize string = 'Standard_D2_v5'
 
-// @description('The system-assigned managed identity of the managed app')
-// param managedIdentity string
+// https://github.com/Azure/azure-quickstart-templates/blob/master/1-CONTRIBUTION-GUIDE/best-practices.md#deployment-artifacts-nested-templates-scripts
+@description('The base URI where artifacts required by this template are located including a trailing \'/\'')
+param _artifactsLocation string = deployment().properties.templateLink.uri
 
-var _artifactsLocation = deployment().properties.templateLink.uri 
+@description('The sasToken required to access _artifactsLocation.  When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured.')
+@secure()
+param _artifactsLocationSasToken string = ''
 
 var meteringConfiguration = loadJsonContent('../meteringConfiguration.json')
 // var customerUsageAttribution = loadJsonContent('../customer_usage_attribution_ID.json')
@@ -41,7 +44,7 @@ module THIS_IS_INVALID_PLEASE_RUN_buildsh './nestedtemplates/emptyFile.bicep' =
   params: {}
 }
 
-resource publisherKeyVaultWithBootstrapSecret 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
+resource publisherKeyVaultWithBootstrapSecret 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: meteringConfiguration.publisherVault.vaultName
   scope: resourceGroup(meteringConfiguration.publisherVault.publisherSubscription, meteringConfiguration.publisherVault.vaultResourceGroupName)
 }
@@ -52,12 +55,13 @@ module setupMeteredBillingConfigurationModule './nestedtemplates/meteredBillingD
   params: {
     location: location
     _artifactsLocation: _artifactsLocation
+    _artifactsLocationSasToken: _artifactsLocationSasToken
     bootstrapSecretValue: publisherKeyVaultWithBootstrapSecret.getSecret(meteringConfiguration.publisherVault.bootstrapSecretName)
     meteringConfiguration: meteringConfiguration
   }
 }
 
-// resource runtimeKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
+// resource runtimeKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
 //   name: setupMeteredBillingConfigurationModule.outputs.runtimeKeyVaultName
 //   scope: resourceGroup()
 // }
@@ -67,6 +71,7 @@ module submitInitialMeteringMessage './nestedtemplates/submitCreationMessage.bic
   params: {
     location: location
     _artifactsLocation: _artifactsLocation
+    _artifactsLocationSasToken: _artifactsLocationSasToken
     planConfiguration: loadJsonContent('../plan.json')
     runtimeIdentityId: setupMeteredBillingConfigurationModule.outputs.runtimeIdentityId
     // runtimeIdentityId: setupMeteredBillingConfigurationModule.outputs.setupIdentityId
@@ -83,6 +88,7 @@ module managedAppContents './managedAppContents.bicep' = {
   params: {
     location: location
     _artifactsLocation: _artifactsLocation
+    _artifactsLocationSasToken: _artifactsLocationSasToken
     vmSize: vmSize
     dnsLabelPrefix: dnsLabelPrefix
     sshUsername: sshUsername, authenticationType: authenticationType, sshPassword: sshPassword, sshPublicKey: sshPublicKey

diff --git a/managed-app/src/managedAppContents.bicep b/managed-app/src/managedAppContents.bicep
@@ -13,7 +13,6 @@ param authenticationType string = 'password'
 param sshPassword string = ''
 
 @description('SSH key for the Virtual Machine.')
-@secure()
 param sshPublicKey string = ''
 
 @description('Unique DNS Name for the Public IP used to access the Virtual Machine.')
@@ -39,8 +38,9 @@ param meteringSubmissionSecretName string
 @description('The base URL for artifacts')
 param _artifactsLocation string
 
-@description('The base URL for artifacts')
-param _artifactsLocationSasToken string = ''
+@description('SAS token to access scripts etc.')
+@secure()
+param _artifactsLocationSasToken string
 
 // param currentDateMarker string = utcNow('yyyy-MM-dd--HH-mm-ss')
 
@@ -84,7 +84,7 @@ var sample = {
   }
 }
 
-resource samplePublicIPAddressName 'Microsoft.Network/publicIPAddresses@2020-06-01' = {
+resource samplePublicIPAddressName 'Microsoft.Network/publicIPAddresses@2023-06-01' = {
   name: sample.names.publicIPAddress
   location: location
   properties: {
@@ -95,7 +95,7 @@ resource samplePublicIPAddressName 'Microsoft.Network/publicIPAddresses@2020-06-
   }
 }
 
-resource sampleNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
+resource sampleNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-06-01' = {
   name: sample.names.networkSecurityGroup
   location: location
   properties: {
@@ -117,7 +117,7 @@ resource sampleNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@202
   }
 }
 
-resource sampleVirtualNetwork 'Microsoft.Network/virtualNetworks@2020-06-01' = {
+resource sampleVirtualNetwork 'Microsoft.Network/virtualNetworks@2023-06-01' = {
   name: sample.names.virtualNetwork
   location: location
   properties: {
@@ -140,7 +140,7 @@ resource sampleVirtualNetwork 'Microsoft.Network/virtualNetworks@2020-06-01' = {
   }
 }
 
-resource sampleNic 'Microsoft.Network/networkInterfaces@2020-06-01' = {
+resource sampleNic 'Microsoft.Network/networkInterfaces@2023-06-01' = {
   name: sample.names.nic
   location: location
   properties: {
@@ -164,7 +164,7 @@ resource sampleNic 'Microsoft.Network/networkInterfaces@2020-06-01' = {
   ]
 }
 
-resource sampleVm 'Microsoft.Compute/virtualMachines@2020-06-01' = {
+resource sampleVm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
   name: sample.names.vm
   location: location
   identity: {
@@ -222,7 +222,7 @@ resource customScriptExtension 'Microsoft.Compute/virtualMachines/extensions@202
     autoUpgradeMinorVersion: true
     // enableAutomaticUpgrade: bool
     // forceUpdateTag: 'string'
-    settings: {
+    protectedSettings: {
       fileUris: [ 
         uri(_artifactsLocation, '${customScriptExtensionConfig.directory}/${customScriptExtensionConfig.script}${_artifactsLocationSasToken}')
       ]

diff --git a/managed-app/src/nestedtemplates/meteredBillingDependencies.bicep b/managed-app/src/nestedtemplates/meteredBillingDependencies.bicep
@@ -4,8 +4,9 @@ param location string
 @description('Location for scripts etc.')
 param _artifactsLocation string
 
+@description('SAS token to access scripts etc.')
 @secure()
-param _artifactsLocationSasToken string = ''
+param _artifactsLocationSasToken string
 
 @description('The bootstrap secret to request service principal creation')
 @secure()
@@ -63,27 +64,27 @@ var roles = {
 }
 
 // Will be used by the deploymentScript to do all setup work
-resource setupIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+resource setupIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: names.identity.setup
   location: location
 }
 
 
 // Will be attached to compute resources which submit metering information,
 // and therefore need to be able to retrieve the connection string from KeyVault
-resource runtimeIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+resource runtimeIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: names.identity.runtime
   location: location
 }
 
 // Grant setupIdentity Contributor perms on the managed resource group.
-resource setupIdentityIsContributorOnManagedResourceGroup 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+resource setupIdentityIsContributorOnManagedResourceGroup 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(setupIdentity.id, roles.Contributor, resourceGroup().id)
   scope: resourceGroup()
   properties: {
     description: '${setupIdentity.name} should be Contributor on the managed resource group'
     principalType: 'ServicePrincipal'
-    principalId: reference(setupIdentity.id, '2018-11-30').principalId
+    principalId: reference(setupIdentity.id, '2023-01-31').principalId
     delegatedManagedIdentityResourceId: setupIdentity.id
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.Contributor)    
   }
@@ -99,14 +100,14 @@ module setupIdentityIsReaderOnManagedAppObject 'permissionOnManagedAppDeployment
       scope: resourceGroup().managedBy
       description: '${setupIdentity.name} should be Reader on the managed app object'
       principalType: 'ServicePrincipal'
-      principalId: reference(setupIdentity.id, '2018-11-30').principalId
+      principalId: reference(setupIdentity.id, '2023-01-31').principalId
       delegatedManagedIdentityResourceId: setupIdentity.id
       roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.Reader)
     }
   }
 }
 
-resource runtimeKeyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
+resource runtimeKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: names.runtimeKeyVault.name
   location: location
   properties: {
@@ -121,7 +122,12 @@ resource runtimeKeyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
   }  
 }
 
-resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+/* Is it Microsoft.Resources/deploymentScripts@2020-10-01 or Microsoft.Resources/deploymentScripts@2023-01-31? 
+   Bicep seems not to know Microsoft.Resources/deploymentScripts@2023-01-31, 
+   but https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template#access-private-virtual-network says it exists
+   and ARM TTK complains when using 2020-10-01, because "Api versions must be the latest or under 2 years old (730 days)"
+*/
+resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = { 
   name: names.deploymentScript.name
   location: location
   kind: 'AzureCLI'
@@ -133,7 +139,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
     containerSettings: {
       containerGroupName: uniqueString(resourceGroup().id, names.deploymentScript.name)
     }
-    primaryScriptUri: uri(_artifactsLocation, names.deploymentScript.scriptName)
+    primaryScriptUri: uri(_artifactsLocation, '${names.deploymentScript.scriptName}${_artifactsLocationSasToken}')
     environmentVariables: [
       { name: 'SERVICE_PRINCIPAL_CREATION_URL',      value:       meteringConfiguration.servicePrincipalCreationURL  }
       { name: 'BOOTSTRAP_SECRET_VALUE',              secureValue: bootstrapSecretValue                               }
@@ -142,7 +148,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
   }
 }
 
-resource publisherKeyVaultWithBootstrapSecret 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
+resource publisherKeyVaultWithBootstrapSecret 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: meteringConfiguration.publisherVault.vaultName
   scope: resourceGroup(meteringConfiguration.publisherVault.publisherSubscription, meteringConfiguration.publisherVault.vaultResourceGroupName)
 }
@@ -161,7 +167,7 @@ module setServicePrincipalSecret 'setSecret.bicep' = {
   }
 }
 
-resource runtimeIdentityCanReadMeteringSubmissionSecretPrincipalId 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
+resource runtimeIdentityCanReadMeteringSubmissionSecretPrincipalId 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(runtimeIdentity.id, roles.KeyVault.KeyVaultSecretsUser, runtimeKeyVault.id)  
   scope: runtimeKeyVault
   properties: {
@@ -177,6 +183,5 @@ output setupIdentityId string = setupIdentity.id
 output runtimeIdentityId string = runtimeIdentity.id
 output runtimeKeyVaultName string = names.runtimeKeyVault.name
 output meteringSubmissionSecretName string = names.runtimeKeyVault.meteringSubmissionSecretName
-output sas string = _artifactsLocationSasToken
 // Do not expose the service principal secret in an output, otherwise the customer could see it by looking at deployment operations
 // output keyVaultSecret object = reference(deploymentScript.name).outputs.keyVaultSecret
diff --git a/managed-app/src/nestedtemplates/setSecret.bicep b/managed-app/src/nestedtemplates/setSecret.bicep
@@ -25,11 +25,11 @@ var connectionInformation = {
 
 var mergedSecrets = string(union(servicePrincipal, connectionInformation))
 
-resource runtimeKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
+resource runtimeKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: vaultName
 }
 
-resource meteringSubmissionSecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
+resource meteringSubmissionSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
 	parent: runtimeKeyVault
 	name: secretName
 	properties: {

diff --git a/managed-app/src/nestedtemplates/submitCreationMessage.bicep b/managed-app/src/nestedtemplates/submitCreationMessage.bicep
@@ -4,6 +4,10 @@ param location string
 @description('Location for scripts etc.')
 param _artifactsLocation string
 
+@description('SAS token to access scripts etc.')
+@secure()
+param _artifactsLocationSasToken string
+
 param runtimeIdentityId string
 
 @description('The JSON representation of the app\'s plan')
@@ -23,7 +27,7 @@ var names = {
   }
 }
 
-resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   name: names.deploymentScript.name
   location: location
   identity: {
@@ -41,7 +45,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
     containerSettings: {
       containerGroupName: uniqueString(resourceGroup().id, names.deploymentScript.name)
     }
-    primaryScriptUri: uri(_artifactsLocation, names.deploymentScript.scriptName)
+    primaryScriptUri: uri(_artifactsLocation, '${names.deploymentScript.scriptName}${_artifactsLocationSasToken}')
     environmentVariables: [
       { name: 'RUNTIME_IDENTITY',                value: runtimeIdentityId }
       { name: 'METERING_PLAN_JSON',              value: string(planConfiguration) }
@@ -55,5 +59,5 @@ output aio object = {
   location: location
   _artifactsLocation: _artifactsLocation
   planConfiguration: planConfiguration
-  script: reference(deploymentScript.id, '2020-10-01', 'Full')
+  script: reference(deploymentScript.id, '2023-08-01', 'Full')
 }