@captainsafia captainsafia commented May 6, 2025

Description

This pull request introduces significant changes to the Azure hosting infrastructure by replacing the AppIdentityResource with the more robust AzureUserAssignedIdentityResource. It also adds new extension methods, updates role assignment logic, and includes comprehensive tests to verify the new functionality.

Replacement of AppIdentityResource with AzureUserAssignedIdentityResource:

  • Removed the AppIdentityResource class and replaced it with the new AzureUserAssignedIdentityResource class, which provides improved support for Azure user-assigned managed identities. (src/Aspire.Hosting.Azure/AppIdentityResource.cs removed, src/Aspire.Hosting.Azure/AzureUserAssignedIdentityResource.cs added) [1] [2]
  • Updated methods and parameters in AzureResourcePreparer to use AzureUserAssignedIdentityResource instead of AppIdentityResource. [1] [2] [3] [4]

Enhancements to Role Assignment Logic:

  • Introduced the IsResourceValidForRoleAssignments method to streamline the validation of resources eligible for role assignments.
  • Modified logic to ensure that identity resources are added to the resource collection when necessary.

New Extension Methods:

  • Added the AzureUserAssignedIdentityExtensions class to provide a convenient method for adding Azure user-assigned identities to the application model. This includes support for configuring infrastructure and handling execution contexts. (src/Aspire.Hosting.Azure/AzureUserAssignedIdentityExtensions.cs)

Comprehensive Testing:

  • Added new unit tests in AzureUserAssignedIdentityTests to verify the behavior of the AzureUserAssignedIdentityResource and its integration with role assignments and other resources. (tests/Aspire.Hosting.Azure.Tests/AzureUserAssignedIdentityTests.cs)
  • Included snapshot tests to validate the generated Bicep templates for various scenarios, such as adding identities, publishing as existing, and role assignments. (tests/Aspire.Hosting.Azure.Tests/Snapshots) [1] [2] [3] [4]

Contributes towards #8441.

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?

@github-actions github-actions bot added the area-integrations Issues pertaining to Aspire Integrations packages label May 6, 2025
Contributor

Copilot AI left a comment

Pull Request Overview

This PR replaces the AppIdentityResource with a new AzureUserAssignedIdentityResource to improve support for Azure user-assigned managed identities, while also enhancing role assignment logic and adding extension methods and tests.

  • Replaces AppIdentityResource with AzureUserAssignedIdentityResource
  • Adds new extension methods for simplified identity resource integration
  • Enhances role assignment logic and introduces comprehensive tests

Reviewed Changes

Copilot reviewed 5 out of 10 changed files in this pull request and generated no comments.

Summary per file:

  • tests/Aspire.Hosting.Azure.Tests/AzureUserAssignedIdentityTests.cs: New unit tests and snapshot tests verifying identity resources and role assignments.
  • src/Aspire.Hosting.Azure/AzureUserAssignedIdentityResource.cs: Introduces the new identity resource with updated provisioning outputs.
  • src/Aspire.Hosting.Azure/AzureUserAssignedIdentityExtensions.cs: Adds extension methods for integrating Azure user-assigned identities into the application model.
  • src/Aspire.Hosting.Azure/AzureResourcePreparer.cs: Updates role assignment validation logic and resource addition to support the new identity resource.
  • src/Aspire.Hosting.Azure/AppIdentityResource.cs: Removed; replaced by the new AzureUserAssignedIdentityResource.
Files not reviewed (5)
  • tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.AddAzureUserAssignedIdentity_GeneratesExpectedResourcesAndBicep.verified.bicep: Language not supported
  • tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.AddAzureUserAssignedIdentity_PublishAsExisting_Works.verified.bicep: Language not supported
  • tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.AddAzureUserAssignedIdentity_WithRoleAssignments_Works#00.verified.bicep: Language not supported
  • tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.AddAzureUserAssignedIdentity_WithRoleAssignments_Works#01.verified.bicep: Language not supported
  • tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureUserAssignedIdentityTests.AddAzureUserAssignedIdentity_WithRoleAssignments_Works#02.verified.bicep: Language not supported

public override ProvisionableResource AddAsExistingResource(AzureResourceInfrastructure infra)
{
    var store = UserAssignedIdentity.FromExisting(this.GetBicepIdentifier());
    store.Name = PrincipalName.AsProvisioningParameter(infra);
Member

@eerhardt eerhardt May 6, 2025

Does PrincipalName always work? Is that always the same as Name? Oh, we assign "Name" to the "principalName" output.

@eerhardt eerhardt requested a review from sebastienros May 6, 2025 22:20
Member

@eerhardt eerhardt left a comment

LGTM

@captainsafia captainsafia merged commit 74a965b into main May 6, 2025
170 checks passed
@captainsafia captainsafia deleted the safia/identity-resource branch May 6, 2025 23:19

await Verifier.Verify(bicep, extension: "bicep")
    .UseHelixAwareDirectory("Snapshots")
    .AutoVerify();

Contributor

I don't think this is something we should be doing; auto-accepting changes in the tests undermines the value of the tests - we won't be alerted when the snapshot changes, and thus, may inadvertently let a regression slip through.

For local dev there are tools to accept all the pending snapshots, which is useful when the snapshots are first created --> https://github.com/VerifyTests/Verify/blob/main/readme.md#snapshot-management (I've been using DiffEngineTray).

Member

Yes @captainsafia mentioned that she forgot to revert it

Contributor

Yes, I noticed a branch in the trunk :)

To add - there's an optional parameter to auto-accept locally but fail on CI (https://github.com/VerifyTests/DiffEngine/blob/main/src/DiffEngine/BuildServerDetector.cs), but I don't think we should consider that either - some things we assert may contain random/generated information (like GUIDs, port numbers, etc.), and auto-acceptance may hide those until after the changes are pushed.

Member Author

@captainsafia captainsafia May 7, 2025

Yes, AutoVerify and I have a long history of getting in trouble in the ASP.NET Core repo. 😅

One thing we were able to do in the manual snapshot strategy we used for RDG is use a boolean that would regenerate the files but fail the test (see https://github.com/dotnet/aspnetcore/blob/754e56eea0d88f36653af0da1f9c00186d93cec8/src/Http/Http.Extensions/test/RequestDelegateGenerator/RequestDelegateCreationTestBase.cs#L363). This makes it easy to bootstrap or iterate on new snapshots without getting into trouble with accidentally merging. It seems like the BuildServerDetector helps with that.

> but I don't think we should consider that either - some things we assert may contain random/generated information (like guid, port numbers, etc.).

I think for the most part, the GUIDs/port numbers we rely on might be consistent across tests, like a GUID associated with a role identity. For everything else, we probably want to use scrubbers.

Revert PR is #9134.

Contributor

> One thing we were able to do in the manual snapshot strategy we used for RDG is use a boolean that would regenerate the files but fail the test (see dotnet/aspnetcore@754e56e/src/Http/Http.Extensions/test/RequestDelegateGenerator/RequestDelegateCreationTestBase.cs#L363). This makes it easy to bootstrap or iterate on new snapshots without getting into trouble with accidentally merging. It seems like the BuildServerDetector helps with that.

DiffEngineTray can accept all pending snapshots in one go 😉

And yes for scrubbers.
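The pattern the thread converges on (no auto-accept on a build server, scrubbers for generated values), as an added C# example that is not code from the Aspire repository or the Verify project. It assumes Verify.Xunit and DiffEngine with their VerifySettings.AutoVerify(), ScrubInlineGuids() and BuildServerDetector.Detected members; the BicepSnapshotTests class and the SampleBicep string are constructed for this example.

```csharp
// Added example, not code from the Aspire repository or the Verify project.
// Shows the snapshot-test pattern discussed above: the weak form that
// auto-accepts every mismatch, and a hardened form that only bootstraps
// snapshots on a developer machine and scrubs nondeterministic values.
// Assumes Verify.Xunit and DiffEngine; SampleBicep is constructed for this example.
using System.Threading.Tasks;
using DiffEngine;
using VerifyTests;
using VerifyXunit;
using Xunit;

public class BicepSnapshotTests
{
    // Constructed stand-in for the Bicep an AppHost would generate for a
    // user-assigned identity; the GUID suffix simulates a generated value.
    private const string SampleBicep = """
        resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
          name: 'identity-0f8fad5b-d9cb-469f-a165-70867728950e'
          location: location
        }
        output principalId string = identity.properties.principalId
        """;

    // Weak form flagged in the review: AutoVerify() rewrites the .verified file
    // on every mismatch, so a changed template is accepted instead of failing.
    [Fact]
    public async Task Weak_AutoVerifyAcceptsEveryChange()
    {
        var settings = new VerifySettings();
        settings.AutoVerify();
        await Verifier.Verify(SampleBicep, extension: "bicep", settings: settings);
    }

    // Hardened form: accept new snapshots only off a build server, so CI still
    // fails on drift, and scrub inline GUIDs so generated identifiers do not
    // make the snapshot nondeterministic (or get silently accepted locally).
    [Fact]
    public async Task Hardened_FailsOnCiAndScrubsGeneratedValues()
    {
        var settings = new VerifySettings();
        if (!BuildServerDetector.Detected)
        {
            settings.AutoVerify(); // local bootstrap only; never on CI
        }
        settings.ScrubInlineGuids();
        await Verifier.Verify(SampleBicep, extension: "bicep", settings: settings);
    }
}
```

The scrubber runs in both environments on purpose: as the reviewer notes, a locally auto-accepted snapshot can bake in a GUID or port number that only shows up as a failure once the change is pushed, so the generated value is normalised before the snapshot is ever written.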

@github-actions github-actions bot locked and limited conversation to collaborators Jun 6, 2025