Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

`Microsoft.Network/applicationGateways` resource incorrectly specifies `SystemAssigned` as a valid identity type #16632

Open anthony-c-martin opened 2 years ago

anthony-c-martin commented 2 years ago

Created from https://github.com/Azure/azure-resource-manager-schemas/issues/852.

Users report that the service does not accept a SystemAssigned identity, yet the swagger spec declares support for it: https://github.com/Azure/azure-rest-api-specs/blob/ac0ab10f7605f63dfb8854fede1dbf6daa9df825/specification/network/resource-manager/Microsoft.Network/stable/2021-05-01/applicationGateway.json#L2973-L2976

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @appgwsuppgithub.

Issue Details
Author: anthony-c-martin
Assignees: ruowan
Labels: `Network - Application Gateway`, `Service Attention`, `needs-triage`
Milestone: -

JackStromberg commented 2 years ago

Application Gateway supports managed identities for the KeyVault integration which has the same definition format: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs#how-integration-works

Example usage would look something like:

    {
        "type": "Microsoft.Network/applicationGateways",
        "apiVersion": "2020-11-01",
        "name": "[parameters('applicationGateways_AppGW_Lab_name')]",
        "location": "eastus2",
        "identity": {
            "type": "UserAssigned",
            "userAssignedIdentities": {
                "/subscriptions/711d99a7-XXXX-XXXX-XXXX-ea1afa18442e/resourcegroups/MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AppGW-Lab-MI": {
                    "principalId": "00d0f39d-XXXX-XXXX-XXXX-04e76d895c86",
                    "clientId": "5cf9d0f8-XXXX-XXXX-XXXX-30654a58ae29"
                }
            }
        },
        "properties": {
        }
    }

Please let me know if this addresses the concern or not. Jack

anthony-c-martin commented 2 years ago

@JackStromberg - thanks for the sample. This issue actually isn't related to the UserAssigned identity type - it's about the SystemAssigned identity type. The original issue (https://github.com/Azure/azure-resource-manager-schemas/issues/852) that was raised gives a bit more context.

Essentially the service is declaring support for SystemAssigned through the swagger spec, but it appears that it's not actually supported. The ask is to modify the swagger spec to only declare support for UserAssigned, so that users are shown an error when editing ARM Templates / Bicep if they use the wrong value.
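Until the swagger enum is narrowed, the mismatch can be caught before deployment with a template check. The script below is an added example and is not part of this thread, the repository or any Microsoft tooling; it assumes, following the discussion above, that Application Gateway accepts only `UserAssigned` and that a `UserAssigned` block must list at least one identity. The sample template and its subscription/identity IDs are constructed placeholders modelled on the JSON posted earlier in the thread.

```python
import json

APPGW_TYPE = "Microsoft.Network/applicationGateways"
# Assumption taken from this issue: the service accepts only UserAssigned for
# Application Gateway even though the swagger enum also lists SystemAssigned.
ACCEPTED_IDENTITY_TYPES = {"UserAssigned"}


def check_appgw_identity(resource: dict) -> list[str]:
    """Return findings for one ARM resource; an empty list means it passes."""
    findings: list[str] = []
    if resource.get("type") != APPGW_TYPE:
        return findings  # only Application Gateway resources are in scope
    identity = resource.get("identity")
    if not identity:
        return findings  # no identity block is a valid configuration
    name = resource.get("name", "<unnamed>")
    id_type = str(identity.get("type", ""))
    # The ARM identity enum allows comma-separated combinations such as
    # "SystemAssigned, UserAssigned", so judge each component separately.
    parts = {p.strip() for p in id_type.split(",") if p.strip()}
    rejected = sorted(parts - ACCEPTED_IDENTITY_TYPES)
    if rejected:
        findings.append(
            f"{name}: identity.type {id_type!r} uses {rejected}, "
            "which Application Gateway does not accept"
        )
    if "UserAssigned" in parts and not identity.get("userAssignedIdentities"):
        findings.append(
            f"{name}: UserAssigned requires at least one entry in userAssignedIdentities"
        )
    return findings


def check_template(template: dict) -> list[str]:
    """Walk every resource, including nested child resources, and collect findings."""
    findings: list[str] = []
    stack = list(template.get("resources", []))
    while stack:
        res = stack.pop()
        findings.extend(check_appgw_identity(res))
        stack.extend(res.get("resources", []))  # nested resources use the same schema
    return findings


# Constructed sample template: one valid gateway, three misconfigured ones, and
# an unrelated resource that must be ignored. All IDs are placeholders.
SAMPLE_TEMPLATE_JSON = """
{
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "name": "appgw-ok",
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AppGW-Lab-MI": {}
        }
      }
    },
    {
      "type": "Microsoft.Network/applicationGateways",
      "name": "appgw-system",
      "identity": { "type": "SystemAssigned" }
    },
    {
      "type": "Microsoft.Network/applicationGateways",
      "name": "appgw-both",
      "identity": {
        "type": "SystemAssigned, UserAssigned",
        "userAssignedIdentities": {
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AppGW-Lab-MI": {}
        }
      }
    },
    {
      "type": "Microsoft.Network/applicationGateways",
      "name": "appgw-empty",
      "identity": { "type": "UserAssigned", "userAssignedIdentities": {} }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "stunrelated",
      "identity": { "type": "SystemAssigned" }
    }
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample template."""
    return json.loads(SAMPLE_TEMPLATE_JSON)


if __name__ == "__main__":
    for line in check_template(load_sample()):
        print(line)
```

Run it against a real exported template with `json.load(open(path))` in place of `load_sample()`; because the check walks nested `resources` arrays it also covers gateways declared as child resources. Widen `ACCEPTED_IDENTITY_TYPES` if the service later documents additional accepted values.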

JackStromberg commented 2 years ago

Understood and see the further definition containing both values here (root of the issue): https://github.com/Azure/azure-rest-api-specs/blob/ac0ab10f7605f63dfb8854fede1dbf6daa9df825/specification/network/resource-manager/Microsoft.Network/stable/2021-05-01/network.json#L205-L218

I've logged this internally.

mcdonnell-john commented 2 years ago

@JackStromberg Any update on this issue?

I've just come across it myself, and noticed this issue still open. Are the docs wrong, or is there a bug when validating the ARM template?