Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License

Scope function: Azure Client ID #4959

Open philwelz opened 3 years ago

philwelz commented 3 years ago

Is your feature request related to a problem? Please describe.

This feature request will enable us to tag all resources with the Azure Client ID (Application Object ID) of who created the resources. We have this as a common use case with our customers when they work with several subscriptions.

Describe the solution you'd like

I would like to have a scope function similar to the subscription or tenant function:

```bicep
@description('Common tags for all resources')
param tags object = {
  env: stage
  managedBy: client().id
  project: prefix
}
```

alex-frankel commented 3 years ago

Related to #645.

FWIW, ARM automatically adds the systemData object to all resources which includes the principal that created the resource and the lastUpdated time.

alex-frankel commented 2 years ago

Adding this internal work-item tracking this same issue for context: https://msazure.visualstudio.com/One/_workitems/edit/7512394?src=WorkItemMention&src-action=artifact_link

J0F3 commented 2 years ago

@alex-frankel

> FWIW, ARM automatically adds the systemData object to all resources which includes the principal that created the resource and the lastUpdated time.

That is very interesting. But how to get the systemData object/properties? It seems that only some of the resource providers actually return the systemData object during a GET operation. Or is there a generic way to get it for any resource?

alex-frankel commented 2 years ago

Unfortunately, if systemData is not returned in the GET response, it means the RP has not implemented the capability. @jennyhunter-msft -- do you happen to know what the expectations are for when all RPs should have this implemented by?

jennyhunter-msft commented 2 years ago

> Unfortunately, if systemData is not returned in the GET response, it means the RP has not implemented the capability. @jennyhunter-msft -- do you happen to know what the expectations are for when all RPs should have this implemented by?

Unfortunately, since systemData inserts new properties, it requires a new api-version. We are actively blocking RPs from releasing new APIs until they have implemented systemData. However, there's no clear timeline for when it will be available across all resource types.

J0F3 commented 2 years ago

Thanks @alex-frankel & @jennyhunter-msft for the explanation. That is perfectly fine. I have no urgent need to have it immediately for all PR now. I just thought I missed something here. 😊
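
The following is an added example, not part of the thread or of the Bicep project: a Python sketch that reads the creator from the `systemData` object of ARM GET response bodies and lists the resources whose provider did not return it. The field names (`createdBy`, `createdByType`, `lastModifiedAt`) follow ARM's common `systemData` schema rather than anything quoted in the thread, and the sample responses, resource IDs and GUIDs are constructed.

```python
# Constructed sample: dicts shaped like ARM GET response bodies. The resource
# IDs, GUIDs and timestamps are invented for illustration.
PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000"
          "/resourceGroups/rg-demo/providers/Example.Provider/widgets/")
SAMPLE_RESPONSES = [
    {"id": PREFIX + "w1", "tags": {"env": "stage"},
     "systemData": {"createdBy": "11111111-1111-1111-1111-111111111111",
                    "createdByType": "Application",
                    "createdAt": "2021-10-20T08:00:00Z",
                    "lastModifiedAt": "2021-11-02T09:30:00Z"}},
    # No systemData at all: the resource provider has not implemented it
    # for the api-version that was queried.
    {"id": PREFIX + "w2", "tags": {}},
    # systemData present but without a creator entry.
    {"id": PREFIX + "w3",
     "systemData": {"lastModifiedAt": "2021-11-05T12:00:00Z"}},
]


def creator_of(resource):
    """Return (createdBy, createdByType), or None if the response has no creator."""
    system_data = resource.get("systemData")
    if not isinstance(system_data, dict):
        return None
    created_by = system_data.get("createdBy")
    if not created_by:
        return None
    return created_by, system_data.get("createdByType", "Unknown")


def audit_creators(resources):
    """Split resources into those with a recorded creator and those without."""
    attributed, missing = {}, []
    for res in resources:
        creator = creator_of(res)
        if creator is None:
            missing.append(res["id"])
        else:
            attributed[res["id"]] = creator
    return attributed, missing


if __name__ == "__main__":
    attributed, missing = audit_creators(SAMPLE_RESPONSES)
    for rid, (who, kind) in attributed.items():
        print(f"{rid}: created by {who} ({kind})")
    for rid in missing:
        print(f"{rid}: no systemData.createdBy in GET response")
```

Resources that end up in the `missing` list are the ones for which a creator tag or the activity log is still the only source of attribution.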