
"[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines" for a UAMI in another subscription #1297

Open joaosa-microsoft opened 6 months ago

joaosa-microsoft commented 6 months ago
ISSUE TITLE:

"[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines" currently expects the UAMI's resource group name and name as parameters, assuming the UAMI is in the same subscription as the virtual machine; it should also be able to accept a UAMI from another subscription.

ISSUE DESCRIPTION (this template):

The "[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines" (https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Managed%20Identity/VM_UAI_DINE.json) built-in policy definition, which creates and assigns a built-in user-assigned managed identity or assigns a pre-created user-assigned managed identity at scale to virtual machines, currently takes the user-assigned managed identity name and resource group name as parameters, assuming the identity is in the same subscription as the virtual machine resource. However, when the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource, the policy cannot be applied.

Therefore, the referred built-in policy definition could be modified to take the user-assigned managed identity's resource ID (which contains the subscription ID) as a parameter instead, for example as in the code snippet below. Note that the policy assignment's managed identity would also need permission to assign the identity (e.g. the Managed Identity Operator role) on the UAMI in the other subscription, since the roles listed in roleDefinitionIds are only granted within the policy assignment's scope.

{ "mode": "Indexed", "parameters": { "userAssignedIdentityResourceId": { "type": "String", "metadata": { "displayName": "User-Assigned Managed Identity resource ID", "description": "The resource ID of the pre-created user-assigned managed identity." } }, "effect": { "type": "String", "metadata": { "displayName": "Policy Effect", "description": "The effect determines what happens when the policy rule is evaluated to match." }, "allowedValues": [ "AuditIfNotExists", "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Compute/virtualMachines" } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Compute/virtualMachines", "name": "[field('name')]", "evaluationDelay": "AfterProvisioning", "deploymentScope": "subscription", "existenceCondition": { "anyOf": [ { "allOf": [ { "field": "identity.type", "contains": "UserAssigned" }, { "field": "identity.userAssignedIdentities", "containsKey": "[parameters('userAssignedIdentityResourceId')]" } ] }, { "allOf": [ { "field": "identity.type", "equals": "UserAssigned" }, { "value": "[string(length(field('identity.userAssignedIdentities')))]", "equals": "1" } ] } ] }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" ], "deployment": { "location": "eastus", "properties": { "mode": "incremental", "parameters": { "location": { "value": "[field('location')]" }, "userAssignedIdentityResourceId": { "value": "[parameters('userAssignedIdentityResourceId')]" }, "vmName": { "value": "[field('name')]" }, "vmResourceGroup": { "value": "[resourceGroup().name]" }, "resourceId": { "value": "[field('id')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.1", 
"parameters": { "location": { "type": "string" }, "userAssignedIdentityResourceId": { "type": "string" }, "vmName": { "type": "string" }, "vmResourceGroup": { "type": "string" }, "resourceId": { "type": "string" } }, "variables": { "userAssignedIdentityResourceId": "[parameters('userAssignedIdentityResourceId')]", "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", "deployUserAssignedIdentity": "[concat('deployUserAssignedIdentity-', uniqueString(deployment().name))]" }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", "name": "[variables('deployGetResourceProperties')]", "location": "eastus", "properties": { "mode": "Incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [], "outputs": { "resource": { "type": "object", "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" } } } } }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", "name": "[concat(variables('deployUserAssignedIdentity'))]", "resourceGroup": "[parameters('vmResourceGroup')]", "properties": { "mode": "Incremental", "expressionEvaluationOptions": { "scope": "inner" }, "parameters": { "userAssignedIdentityResourceId": { "value": "[parameters('userAssignedIdentityResourceId')]" }, "vmName": { "value": "[parameters('vmName')]" }, "location": { "value": "[parameters('location')]" }, "identityType": { "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" }, "userAssignedIdentities": { "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 
'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "userAssignedIdentityResourceId": { "type": "string" }, "vmName": { "type": "string" }, "location": { "type": "string" }, "identityType": { "type": "string" }, "userAssignedIdentities": { "type": "object" } }, "variables": { "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('userAssignedIdentityResourceId'), createObject()))]", "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" }, "resources": [ { "condition": "[not(variables('resourceWithSingleUAI'))]", "apiVersion": "2019-07-01", "type": "Microsoft.Compute/virtualMachines", "name": "[parameters('vmName')]", "location": "[parameters('location')]", "identity": { "type": "[variables('identityTypeValue')]", "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" } } ] } } } ] } } } } } } }