Allow usage of managed identity for backing storage

sinedied · sinedied · commit 49569a5a33bd · 2024-06-19T17:15:43.000+02:00
diff --git a/templates/common/infra/bicep/core/host/functions.bicep b/templates/common/infra/bicep/core/host/functions.bicep
@@ -7,8 +7,9 @@ param tags object = {}
 param applicationInsightsName string = ''
 param appServicePlanId string
 param keyVaultName string = ''
-param managedIdentity bool = !empty(keyVaultName)
+param managedIdentity bool = !empty(keyVaultName) || storageManagedIdentity
 param storageAccountName string
+param storageManagedIdentity bool = false
 param virtualNetworkSubnetId string = ''
 
 // Runtime Properties
@@ -56,7 +57,8 @@ module functions 'appservice.bicep' = {
     applicationInsightsName: applicationInsightsName
     appServicePlanId: appServicePlanId
     appSettings: union(appSettings, {
-        AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
+        AzureWebJobsStorage__accountName: storageManagedIdentity ? storage.name : null
+        AzureWebJobsStorage: storageManagedIdentity ? null : 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
         FUNCTIONS_EXTENSION_VERSION: extensionVersion
         FUNCTIONS_WORKER_RUNTIME: runtimeName
       })
@@ -79,6 +81,16 @@ module functions 'appservice.bicep' = {
   }
 }
 
+module storageOwnerRole '../../core/security/role.bicep' = if (storageManagedIdentity) {
+  name: 'search-index-contrib-role-api'
+  params: {
+    principalId: functions.outputs.identityPrincipalId
+    // Search Index Data Contributor
+    roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
+    principalType: 'ServicePrincipal'
+  }
+}
+
 resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
   name: storageAccountName
 }
