[Preview]: Enable system-assigned identity to SQL VM

Azure BuiltIn Policy definition

Alias

Namespace

ResourceType

Path

PathIsDefault

DefaultPath

Modifiable

Microsoft.Compute/virtualMachines/extensions/publisher

Microsoft.Compute

virtualMachines/extensions

properties.publisher

True

False

Microsoft.Compute/virtualMachines/extensions/type

Microsoft.Compute

virtualMachines/extensions

properties.type

True

False

Date/Time (UTC ymd) (i)

Change type

Change detail

2023-10-31 19:02:40

add

7148a409-0d59-4baa-925b-b3aae486a14e

{

displayName: "[Preview]: Enable system-assigned identity to SQL VM",
policyType: "BuiltIn",
mode: "Indexed",
description: "Enable system-assigned identity at scale to SQL virtual machines. You need to assign this policy at subscription level. Assign at resource group level will not work as expected.",
metadata: {3 items
- version: "1.0.0-preview",
- category: "SQL Server",
- preview: true
},
parameters: {1 item
- effect: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Policy Effect",
    - description: "The effect determines what happens when the policy rule is evaluated to match."
    },
  - allowedValues: [2 items
    - "DeployIfNotExists",
    - "Disabled"
    ],
  - defaultValue: "DeployIfNotExists"
  }
},
policyRule: {2 items
- if: {1 item
  - allOf: [4 items
    - {2 items
      - field: "type",
      - equals: "Microsoft.Compute/virtualMachines/extensions"
      },
    - {2 items
      - field: "Microsoft.Compute/virtualMachines/extensions/type",
      - equals: "SqlIaaSAgent"
      },
    - {2 items
      - field: "Microsoft.Compute/virtualMachines/extensions/publisher",
      - equals: "Microsoft.SqlServer.Management"
      },
    - {2 items
      - value: "[requestContext().apiVersion]",
      - greaterOrEquals: "2018-10-01"
      }
    ]
  },
- then: {2 items
  - effect: "[parameters('effect')]",
  - details: {7 items
    - type: "Microsoft.Compute/virtualMachines",
    - name: 🔍"[ first( split( field('fullName'), '/' ) ) ]",
    - evaluationDelay: "AfterProvisioning",
    - deploymentScope: "ResourceGroup",
    - existenceCondition: {2 items
      - field: "identity.type",
      - contains: "SystemAssigned"
      },
    - roleDefinitionIds: [2 items
      - "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" Contributor ,
      - "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" User Access Administrator
      ],
    - deployment: {1 item
      - properties: {3 items
        mode: "incremental",
        parameters: {4 items
        location: {1 item
        value: "[field('location')]"
        },
        vmName: {1 item
        value: 🔍"[ first( split( field('fullName'), '/' ) ) ]"
        },
        vmResourceGroup: {1 item
        value: "[resourceGroup().name]"
        },
        resourceId: {1 item
        value: 🔍"[ first( split( field('id'), '/extension' ) ) ]"
        }
        },
        template: {5 items
        $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.1",
        parameters: {4 items
        location: {1 item
        type: "string"
        },
        vmName: {1 item
        type: "string"
        },
        vmResourceGroup: {1 item
        type: "string"
        },
        resourceId: {1 item
        type: "string"
        }
        },
        variables: {2 items
        deployGetResourceProperties: 🔍"[ concat( 'deployGetResourceProperties-', uniqueString( deployment().name ) ) ]",
        deploySystemAssignedName: 🔍"[ concat( 'deploySA-', uniqueString( deployment().name ) ) ]"
        },
        resources: [2 items
        {4 items
        type: "Microsoft.Resources/deployments",
        apiVersion: "2022-09-01",
        name: "[variables('deployGetResourceProperties')]",
        properties: {2 items
        mode: "Incremental",
        template: {4 items
        $schema: "http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.0",
        resources: [],
        outputs: {1 item
        resource: {2 items
        type: "object",
        value: 🔍"[ reference( parameters('resourceId'), '2019-07-01', 'Full' ) ]"
        }
        }
        }
        }
        },
        {6 items
        type: "Microsoft.Resources/deployments",
        apiVersion: "2022-09-01",
        name: 🔍"[ concat( variables( 'deploySystemAssignedName' ) ) ]",
        resourceGroup: "[parameters('vmResourceGroup')]",
        dependsOn: [1 item
        "[variables('deployGetResourceProperties')]"
        ],
        properties: {4 items
        mode: "Incremental",
        expressionEvaluationOptions: {1 item
        scope: "inner"
        },
        parameters: {4 items
        location: {1 item
        value: "[parameters('location')]"
        },
        vmName: {1 item
        value: "[parameters('vmName')]"
        },
        identityType: {1 item
        value: 🔍"[ if( contains( reference( variables( 'deployGetResourceProperties' ) ).outputs.resource.value, 'identity' ), reference( variables( 'deployGetResourceProperties' ) ).outputs.resource.value.identity.type, '' ) ]"
        },
        userAssignedIdentities: {1 item
        value: 🔍"[ if( and( contains( reference( variables( 'deployGetResourceProperties' ) ).outputs.resource.value, 'identity' ), contains( reference( variables( 'deployGetResourceProperties' ) ).outputs.resource.value.identity, 'userAssignedIdentities' ) ), reference( variables( 'deployGetResourceProperties' ) ).outputs.resource.value.identity.userAssignedIdentities, createObject() ) ]"
        }
        },
        template: {5 items
        $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.0",
        parameters: {4 items
        location: {1 item
        type: "string"
        },
        vmName: {1 item
        type: "string"
        },
        identityType: {1 item
        type: "string"
        },
        userAssignedIdentities: {1 item
        type: "object"
        }
        },
        variables: {3 items
        identityTypeValue: 🔍"[ if( contains( parameters('identityType'), 'UserAssigned' ), 'SystemAssigned, UserAssigned', 'SystemAssigned' ) ]",
        userAssignedIdentitiesValue: 🔍"[ union( parameters('userAssignedIdentities'), createObject() ) ]",
        resourceWithUserAssignedIdentity: 🔍"[ contains( parameters('identityType'), 'UserAssigned' ) ]"
        },
        resources: [2 items
        {6 items
        condition: "[variables('resourceWithUserAssignedIdentity')]",
        apiVersion: "2023-03-01",
        type: "Microsoft.Compute/virtualMachines",
        name: "[parameters('vmName')]",
        location: "[parameters('location')]",
        identity: {2 items
        type: "[variables('identityTypeValue')]",
        userAssignedIdentities: "[variables('userAssignedIdentitiesValue')]"
        }
        },
        {6 items
        condition: 🔍"[ not( variables( 'resourceWithUserAssignedIdentity' ) ) ]",
        apiVersion: "2023-03-01",
        type: "Microsoft.Compute/virtualMachines",
        name: "[parameters('vmName')]",
        location: "[parameters('location')]",
        identity: {1 item
        type: "[variables('identityTypeValue')]"
        }
        }
        ]
        }
        }
        }
        ]
        }
        }
      }
    }
  }
}

}