I have a list of UMIs that I am creating with the Microsoft.ManagedIdentity/userAssignedIdentities
ARM template resource. Let’s say I have ten of these in my list.
For each UMI, I want to create federated credentials to allow tokens from several OIDC providers.
I planned to use resource iteration, but it doesn’t appear I can nest the fed creds child resource when using an iterator.
So my question is: How do I either a) create federated credentials that allow tokens from multiple OIDC providers or b) write an ARM template that can do a nested for loop? i.e. “for each UMI create x fed creds”
Here’s the template I started with (the oidcProviders and k8sNamespace parameters it references are declared here, and the subject is written as a single format() expression, since a partial [..] expression inside a string is not evaluated):
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedIdNames": {
      "type": "array"
    },
    "oidcProviders": {
      "type": "array"
    },
    "k8sNamespace": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "copy": {
        "name": "managedIdentityIterator",
        "count": "[length(parameters('managedIdNames'))]"
      },
      "apiVersion": "2023-01-31",
      "name": "[parameters('managedIdNames')[copyIndex()].name]",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
          "copy": {
            "name": "fedCredsIterator",
            "count": "[length(parameters('oidcProviders'))]"
          },
          "apiVersion": "2023-01-31",
          "name": "string",
          "properties": {
            "audiences": [ "api://AzureADTokenExchange" ],
            "issuer": "[parameters('oidcProviders')[copyIndex()].url]",
            "subject": "[format('system:serviceaccount:{0}:{1}', parameters('k8sNamespace'), parameters('managedIdNames')[copyIndex('managedIdentityIterator')].name)]"
          }
        }
      ]
    }
  ]
}
Here’s the error it gave me:
Code: InvalidSchema
Message: The template is invalid. Error: 'The template resource 'string' at line '22' column '19' is not valid. Copying nested resources is not supported. Please see https://aka.ms/arm-multiple-instances for usage details.'
2023-10-23 14:10:02,593 - MainProcess - ERROR - (azurehelper:upload_all_templates_ts:1677) - Template upload failed - Exception raised in a thread
Here’s the template I am stuck with now (same parameter declarations and subject expression as above; the ??? placeholders are the parts I cannot fill in):
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedIdNames": {
      "type": "array"
    },
    "oidcProviders": {
      "type": "array"
    },
    "k8sNamespace": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('managedIdNames')[copyIndex()].name]",
      "apiVersion": "2023-01-31",
      "location": "[resourceGroup().location]",
      "copy": {
        "name": "managedIdentityIterator",
        "count": "[length(parameters('managedIdNames'))]"
      }
    },
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
      "name": "[format('???/fedCreds{0}', copyIndex())]",
      "apiVersion": "2023-01-31",
      "properties": {
        "audiences": [
          "api://AzureADTokenExchange"
        ],
        "issuer": "[parameters('oidcProviders')[copyIndex()].url]",
        "subject": "[format('system:serviceaccount:{0}:{1}', parameters('k8sNamespace'), parameters('managedIdNames')[???].name)]"
      },
      "dependsOn": [
        "???"
      ],
      "copy": {
        "name": "fedCredsIterator",
        "count": "[length(parameters('oidcProviders'))]"
      }
    }
  ]
}
It looks like I will have to create something flat to iterate over. I am doing that now. But I am still open to suggestions if someone knows how I could make the above work.
Iterating over a flat map doesn’t help because I now get errors like “The resource Microsoft.ManagedIdentity/userAssignedIdentities/xyz is defined multiple times in a template”. I am now thinking I need to break this into a two-step process: Create the UMIs. Then create the fed creds.
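The flattened single-loop approach the post is heading toward, written out as an added example (this is not code from the original post). ARM rejects a copy loop nested inside another copy loop, but one loop of length umiCount * providerCount can address both dimensions: the identity index is div(copyIndex(), providerCount) and the provider index is mod(copyIndex(), providerCount). The child resource name is built from both, so every (identity, provider) pair gets a distinct name and nothing is defined twice; dependsOn names the parent copy loop so no per-parent reference is needed. Assumptions not stated on the page: oidcProviders items carry a "name" field in addition to "url" (used only to make the child name unique), managedIdNames items are {"name": ...}, and the sample parameter values in __main__ and the test are constructed, not real tenant or cluster identifiers. The copy loop runs in serial mode because the federated credential API rejects concurrent writes to the same identity. The Python wrapper exists so the div/mod mapping can be checked offline before a deployment; render_template() emits the JSON to deploy.

```python
"""Flatten "for each UMI, for each OIDC provider" into one ARM copy loop.

Added example, not from the original post. Assumed parameter shapes:
managedIdNames items are {"name": ...}; oidcProviders items are
{"name": ..., "url": ...} ("name" only makes each child resource name unique).
"""
import json

SCHEMA = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
API_VERSION = "2023-01-31"
AUDIENCE = "api://AzureADTokenExchange"

# ARM expression fragments for the two flattened indices.
UMI_IDX = "div(copyIndex(), variables('providerCount'))"
PROVIDER_IDX = "mod(copyIndex(), variables('providerCount'))"


def build_template() -> dict:
    """Return the deployable ARM template as a Python dict."""
    umi_name = f"parameters('managedIdNames')[{UMI_IDX}].name"
    provider = f"parameters('oidcProviders')[{PROVIDER_IDX}]"
    return {
        "$schema": SCHEMA,
        "contentVersion": "1.0.0.0",
        "parameters": {
            "managedIdNames": {"type": "array"},
            "oidcProviders": {"type": "array"},
            "k8sNamespace": {"type": "string"},
        },
        "variables": {
            "umiCount": "[length(parameters('managedIdNames'))]",
            "providerCount": "[length(parameters('oidcProviders'))]",
        },
        "resources": [
            {
                "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
                "apiVersion": API_VERSION,
                "name": "[parameters('managedIdNames')[copyIndex()].name]",
                "location": "[resourceGroup().location]",
                "copy": {"name": "managedIdentityIterator", "count": "[variables('umiCount')]"},
            },
            {
                "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
                "apiVersion": API_VERSION,
                # "<parent>/<child>": distinct for every (identity, provider) pair,
                # so no resource name is defined twice in the template.
                "name": f"[format('{{0}}/{{1}}', {umi_name}, {provider}.name)]",
                # Depend on the whole parent loop instead of one parent resource.
                "dependsOn": ["managedIdentityIterator"],
                "copy": {
                    "name": "fedCredsIterator",
                    "count": "[mul(variables('umiCount'), variables('providerCount'))]",
                    # Credentials on one identity must be written one at a time.
                    "mode": "serial",
                    "batchSize": 1,
                },
                "properties": {
                    "audiences": [AUDIENCE],
                    "issuer": f"[{provider}.url]",
                    # Exact service-account subject: one SA binds to one identity.
                    "subject": (
                        "[format('system:serviceaccount:{0}:{1}', "
                        f"parameters('k8sNamespace'), {umi_name})]"
                    ),
                },
            },
        ],
    }


def expand_flat_loop(managed_id_names: list, oidc_providers: list, namespace: str) -> list:
    """Evaluate locally what the flattened loop produces for given parameter
    values, mirroring ARM's div/mod arithmetic, so the index mapping can be
    checked before deploying. Raises if two credentials would share a name."""
    n = len(oidc_providers)
    creds = []
    for i in range(len(managed_id_names) * n):
        umi = managed_id_names[i // n]["name"]   # div(copyIndex(), providerCount)
        prov = oidc_providers[i % n]             # mod(copyIndex(), providerCount)
        creds.append({
            "name": f"{umi}/{prov['name']}",
            "issuer": prov["url"],
            "subject": f"system:serviceaccount:{namespace}:{umi}",
            "audiences": [AUDIENCE],
        })
    names = [c["name"] for c in creds]
    if len(set(names)) != len(names):
        raise ValueError("duplicate federated credential names would fail the deployment")
    return creds


def render_template() -> str:
    """JSON text to write to a file and pass to `az deployment group create`."""
    return json.dumps(build_template(), indent=2)


if __name__ == "__main__":
    # Constructed sample parameters (placeholder tenant/issuer ids, not real ones).
    umis = [{"name": "app-a"}, {"name": "app-b"}]
    providers = [
        {"name": "aks-eastus", "url": "https://eastus.oic.prod-aks.azure.com/<tenant>/<issuer-id>/"},
        {"name": "aks-westus", "url": "https://westus.oic.prod-aks.azure.com/<tenant>/<issuer-id>/"},
    ]
    for cred in expand_flat_loop(umis, providers, "payments"):
        print(cred["name"], "<-", cred["issuer"], cred["subject"])
```

Two checks worth keeping in mind when using this: the subject and issuer must match the cluster's token exactly (the comparison is literal, there is no wildcarding), and every issuer in the list is a full trust anchor for the identity, so any pod running as that service account on any listed cluster gets the identity. Keep the provider list to the clusters that actually need it.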