Rework lower-level bicep files to support new storage account type and parameter

Author: abatallas

bicep/ccw.bicep

@@ -112,8 +112,18 @@ module ccwBastion './bastion.bicep' = if (deploy_bastion) {
   }
 }
 
-param cyclecloudBaseImage string = 'azurecyclecloud:azure-cyclecloud:cyclecloud8-gen2:8.7.220250630'
+var vmMiName = 'ccwCycleCloudVirtualMachineManagedIdentity'
+module ccwVirtualMachineManagedIdentity './vmManagedIdentity.bicep' = if (!infrastructureOnly && storageAccount.type == 'new') {
+  name: vmMiName
+  params: {
+    name: vmMiName
+    location: location
+    tags: getTags('Microsoft.ManagedIdentity/userAssignedIdentities', tags)
+  }
+}
 
+param cyclecloudBaseImage string = 'azurecyclecloud:azure-cyclecloud:cyclecloud8-gen2:8.7.220250630'
+var ccwVirtualMachineManagedIdentityId = !infrastructureOnly ? ( storageAccount.type == 'new' ? ccwVirtualMachineManagedIdentity!.outputs.managedIdentityId : storageAccount.vmManagedIdentityId) : ''
 module ccwVM './vm.bicep' = if (!infrastructureOnly) {
   name: 'ccwVM-cyclecloud'
   params: {
@@ -151,49 +161,60 @@ module ccwVM './vm.bicep' = if (!infrastructureOnly) {
         createOption: split(cyclecloudBaseImage, ':')[0] == 'azurecyclecloud' ? 'FromImage' : 'Empty'
       }
     ]
+    managedIdentityId: ccwVirtualMachineManagedIdentityId
   }
   dependsOn: [
     ccwNetwork
   ]
 }
 
-var miName = 'ccwLockerManagedIdentity'
-module ccwManagedIdentity 'mi.bicep' = if (!infrastructureOnly) {
-  name: miName
+module ccwNewStorageAccount './storage-new.bicep' = if (storageAccount.type == 'new') {
+  name: 'ccwNewStorageAccount'
   params: {
-    name: miName
     location: location
-    storageAccountName: ccwStorage.outputs.storageAccountName
-    tags: getTags('Microsoft.ManagedIdentity/userAssignedIdentities', tags)
+    tags: getTags('Microsoft.Storage/storageAccounts', tags)
   }
 }
+var storageAccountName  = storageAccount.type == 'existing' ? split(storageAccount.storageAccountId, '/')[8] : ccwNewStorageAccount!.outputs.storageAccountName
 
-module ccwRoleAssignments './vmRoleAssignments.bicep' = if (!infrastructureOnly) {
-  name: 'ccwRoleFor-${ccVMName}-${location}'
-  scope: subscription()
+module ccwStorageNetworking './storage-networking.bicep' = {
+  name: 'ccwStorageAccountNetworking'
   params: {
-    roles: [
-      'Contributor'
-      'Storage Account Contributor'
-      'Storage Blob Data Contributor'
-    ]
-    principalId: ccwVM.outputs.principalId
+    location: location
+    saName: storageAccountName
+    tags: getTags('Microsoft.Storage/storageAccounts', tags)
+    subnetId: subnets.cyclecloud.id
+    storagePrivateDnsZone: storagePrivateDnsZone
   }
-  dependsOn: [
-    ccwVM
-  ]
 }
 
-module ccwStorage './storage.bicep' = {
-  name: 'ccwStorage'
+var vmssMiName = 'ccwLockerManagedIdentity'
+module ccwVMSSManagedIdentity 'vmssManagedIdentity.bicep' = if (!infrastructureOnly && storageAccount.type == 'new') {
+  name: vmssMiName
   params: {
+    name: vmssMiName
     location: location
-    tags: getTags('Microsoft.Storage/storageAccounts', tags)
-    saName: 'ccwstorage${uniqueString(az.resourceGroup().id)}'
-    subnetId: subnets.cyclecloud.id 
-    storagePrivateDnsZone: storagePrivateDnsZone
+    storageAccountName: storageAccountName
+    tags: getTags('Microsoft.ManagedIdentity/userAssignedIdentities', tags)
   }
 }
+var vmssManagedIdentityId = !infrastructureOnly ? ( storageAccount.type == 'new' ? ccwVMSSManagedIdentity!.outputs.managedIdentityId : storageAccount.vmssManagedIdentityId) : ''
+
+// module ccwRoleAssignments './vmRoleAssignments.bicep' = if (!infrastructureOnly) {
+//   name: 'ccwRoleFor-${ccVMName}-${location}'
+//   scope: subscription()
+//   params: {
+//     roles: [
+//       'Contributor'
+//       'Storage Account Contributor'
+//       'Storage Blob Data Contributor'
+//     ]
+//     principalId: ccwVM.outputs.principalId
+//   }
+//   dependsOn: [
+//     ccwVM
+//   ]
+// }
 
 var create_database = contains(slurmSettings, 'databaseAdminPassword')
 var db_name = 'ccw-mysqldb-${uniqueString(az.resourceGroup().id)}'
@@ -313,9 +334,10 @@ output filerInfoFinal types.filerInfo_t = {
   }
 }
 
-output cyclecloudPrincipalId string = infrastructureOnly ? '' : ccwVM.outputs.principalId
+output cyclecloudPrincipalId string = infrastructureOnly ? '' : ccwVM!.outputs.principalId
 
-output managedIdentityId string = infrastructureOnly ? '' : ccwManagedIdentity.outputs.managedIdentityId
+// MI for VMSS
+output managedIdentityId string = vmssManagedIdentityId
 
 // Automatically inject the ccw and pyxis cluster init specs
 
@@ -369,7 +391,7 @@ var clusterNameCleaned = join(clusterNameArrCleaned,'')
 
 output resourceGroup string = resourceGroup
 output location string = location
-output storageAccountName string = ccwStorage.outputs.storageAccountName
+output storageAccountName string = storageAccountName
 output clusterName string = clusterNameCleaned
 output publicKey string = publicKey
 output adminUsername string = adminUsername

bicep/storage.bicep bicep/storage-networking.bicepbicep/storage.bicep renamed to bicep/storage-networking.bicep

@@ -12,24 +12,8 @@ var privateDnsZoneResourceGroup = split(privateDnsZoneId, '/')[4]
 var createVnetLink = storagePrivateDnsZone.type == 'existing' ? storagePrivateDnsZone.vnetLink : storagePrivateDnsZone.type == 'new'
 var vnetLinkScope = contains(storagePrivateDnsZone,'id') ? split(privateDnsZoneId, '/')[4] : az.resourceGroup().name
 
-resource storageAccount 'Microsoft.Storage/storageAccounts@2024-01-01' = {
+resource storageAccount 'Microsoft.Storage/storageAccounts@2024-01-01' existing = {
   name: saName
-  location: location
-  tags: tags
-  sku: {
-    name: 'Standard_LRS'
-  }
-  kind: 'StorageV2'
-  properties:{
-    accessTier: 'Hot'
-    minimumTlsVersion: 'TLS1_2'
-    allowSharedKeyAccess: false
-    publicNetworkAccess: 'Disabled'
-    allowBlobPublicAccess: false
-    networkAcls: {
-      defaultAction: 'Deny'
-      }      
-  }
 }
 
 var storageBlobPrivateEndpointName = 'ccwstorage-blob-pe'

bicep/vm.bicep

@@ -18,6 +18,7 @@ param adminSshPublicKey string
 param vmSize string
 param dataDisks array
 param osDiskSize int = 0 //TODO: add to UI
+param managedIdentityId string
 
 resource nic 'Microsoft.Network/networkInterfaces@2023-11-01' = {
   name: '${name}-nic'
@@ -39,7 +40,11 @@ resource nic 'Microsoft.Network/networkInterfaces@2023-11-01' = {
   }
 }
 
-resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-03-01' = {
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: split(managedIdentityId, '/')[8]
+}
+
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-11-01' = {
   name: name
   location: location
   tags: tags
@@ -49,7 +54,10 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-03-01' = {
     name: split(image.plan,':')[2]
   } : null
   identity: {
-    type: 'SystemAssigned'
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentityId}': {}
+    }
   }
   properties: {
     hardwareProfile: {
@@ -132,6 +140,6 @@ resource cse 'Microsoft.Compute/virtualMachines/extensions@2024-03-01' = {
 output fqdn string = '' //contains(vm, 'pip') && vm.pip ? publicIp.properties.dnsSettings.fqdn : ''
 output publicIp string = '' //contains(vm, 'pip') && vm.pip ? publicIp.properties.ipAddress : ''
 output privateIp string = nic.properties.ipConfigurations[0].properties.privateIPAddress
-output principalId string = virtualMachine.identity.principalId
+output principalId string = managedIdentity.properties.principalId
 //output privateIps array = [ for i in range(0, count): nic[i].properties.ipConfigurations[0].properties.privateIPAddress ]
 //output principalIds array = [ for i in range(0, count): virtualMachine[i].identity.principalId ]

bicep/vmManagedIdentity.bicep

@@ -1,7 +1,7 @@
 targetScope = 'resourceGroup'
 import {tags_t} from './types.bicep'
 
-param name string
+param name string = 'ccwCycleCloudVirtualMachineManagedIdentity'
 param location string
 param applyRoleAssignments bool = true
 param tags tags_t = {}
@@ -25,3 +25,5 @@ module ccwCycleCloudVirtualMachineRoleAssignments './vmManagedIdentityRoleAssign
     principalId: managedIdentity.properties.principalId
   }
 }
+
+output managedIdentityId string = managedIdentity.id

util/ccw_prerequisites.sh

@@ -85,7 +85,6 @@ fi
 az deployment group create \
     --resource-group "$RESOURCE_GROUP" \
     --template-file $(pwd)/bicep/vmManagedIdentity.bicep \
-    --parameters name="ccwCycleCloudVirtualMachineManagedIdentity" \
     --parameters location="$LOCATION" \
     --parameters applyRoleAssignments="$APPLY_ROLE_ASSIGNMENTS" \
     --name "ccw-vm-mi-deployment-${RESOURCE_GROUP}-${LOCATION}"