azurerm_ai_foundry_project: add support for primary_user_assigned_identity (hashicorp#29197)

wuxu92 · teowa · commit 8eb91729e11d · 2025-05-08T09:23:02.000Z
* add primary_user_assigned_identity to ai foundry project

* primary user identity should be in identity block

* update acc test format

* code/doc clean

* terrafmt
diff --git a/internal/services/machinelearning/ai_foundry_project_resource.go b/internal/services/machinelearning/ai_foundry_project_resource.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-helpers/lang/response"
+	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonids"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/identity"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/location"
@@ -26,15 +27,16 @@ import (
 type AIFoundryProject struct{}
 
 type AIFoundryProjectModel struct {
-	Name                      string                                     `tfschema:"name"`
-	Location                  string                                     `tfschema:"location"`
-	AIServicesHubId           string                                     `tfschema:"ai_services_hub_id"`
-	Identity                  []identity.ModelSystemAssignedUserAssigned `tfschema:"identity"`
-	HighBusinessImpactEnabled bool                                       `tfschema:"high_business_impact_enabled"`
-	Description               string                                     `tfschema:"description"`
-	FriendlyName              string                                     `tfschema:"friendly_name"`
-	ProjectId                 string                                     `tfschema:"project_id"`
-	Tags                      map[string]interface{}                     `tfschema:"tags"`
+	Name                        string                                     `tfschema:"name"`
+	Location                    string                                     `tfschema:"location"`
+	AIServicesHubId             string                                     `tfschema:"ai_services_hub_id"`
+	Identity                    []identity.ModelSystemAssignedUserAssigned `tfschema:"identity"`
+	HighBusinessImpactEnabled   bool                                       `tfschema:"high_business_impact_enabled"`
+	Description                 string                                     `tfschema:"description"`
+	PrimaryUserAssignedIdentity string                                     `tfschema:"primary_user_assigned_identity"`
+	FriendlyName                string                                     `tfschema:"friendly_name"`
+	ProjectId                   string                                     `tfschema:"project_id"`
+	Tags                        map[string]interface{}                     `tfschema:"tags"`
 }
 
 func (r AIFoundryProject) ModelObject() interface{} {
@@ -105,6 +107,13 @@ func (r AIFoundryProject) Arguments() map[string]*pluginsdk.Schema {
 			ForceNew: true,
 		},
 
+		"primary_user_assigned_identity": {
+			Type:         pluginsdk.TypeString,
+			Optional:     true,
+			ValidateFunc: commonids.ValidateUserAssignedIdentityID,
+			RequiredWith: []string{"identity"},
+		},
+
 		"description": {
 			Type:         pluginsdk.TypeString,
 			Optional:     true,
@@ -177,6 +186,14 @@ func (r AIFoundryProject) Create() sdk.ResourceFunc {
 				payload.Identity = expandedIdentity
 			}
 
+			if model.PrimaryUserAssignedIdentity != "" {
+				userAssignedId, err := commonids.ParseUserAssignedIdentityID(model.PrimaryUserAssignedIdentity)
+				if err != nil {
+					return err
+				}
+				payload.Properties.PrimaryUserAssignedIdentity = pointer.To(userAssignedId.ID())
+			}
+
 			if model.Description != "" {
 				payload.Properties.Description = pointer.To(model.Description)
 			}
@@ -242,6 +259,14 @@ func (r AIFoundryProject) Update() sdk.ResourceFunc {
 				payload.Properties.Description = pointer.To(state.Description)
 			}
 
+			if metadata.ResourceData.HasChange("primary_user_assigned_identity") {
+				userAssignedId, err := commonids.ParseUserAssignedIdentityID(state.PrimaryUserAssignedIdentity)
+				if err != nil {
+					return err
+				}
+				payload.Properties.PrimaryUserAssignedIdentity = pointer.To(userAssignedId.ID())
+			}
+
 			if metadata.ResourceData.HasChange("friendly_name") {
 				payload.Properties.FriendlyName = pointer.To(state.FriendlyName)
 			}
@@ -313,6 +338,7 @@ func (r AIFoundryProject) Read() sdk.ResourceFunc {
 					hub.FriendlyName = pointer.From(props.FriendlyName)
 					hub.HighBusinessImpactEnabled = pointer.From(props.HbiWorkspace)
 					hub.ProjectId = pointer.From(props.WorkspaceId)
+					hub.PrimaryUserAssignedIdentity = pointer.From(props.PrimaryUserAssignedIdentity)
 				}
 			}
 
diff --git a/internal/services/machinelearning/ai_foundry_project_resource_test.go b/internal/services/machinelearning/ai_foundry_project_resource_test.go
@@ -33,6 +33,28 @@ func TestAccAIFoundryProject_basic(t *testing.T) {
 	})
 }
 
+func TestAccAIFoundryProject_userIdentity(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_ai_foundry_project", "test")
+	r := AIFoundryProject{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.userIdentity(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.userIdentityUpdate(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccAIFoundryProject_requiresImport(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_ai_foundry_project", "test")
 	r := AIFoundryProject{}
@@ -115,6 +137,98 @@ resource "azurerm_ai_foundry_project" "test" {
 `, AIFoundry{}.basic(data), data.RandomInteger)
 }
 
+func (r AIFoundryProject) userIdentityTemplate(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_user_assigned_identity" "test" {
+  location            = azurerm_resource_group.test.location
+  name                = "acctestuai-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_role_assignment" "test" {
+  scope                = azurerm_resource_group.test.id
+  role_definition_name = "Reader"
+  principal_id         = azurerm_user_assigned_identity.test.principal_id
+}
+
+resource "azurerm_key_vault_access_policy" "test2" {
+  key_vault_id = azurerm_key_vault.test.id
+  tenant_id    = azurerm_user_assigned_identity.test.tenant_id
+  object_id    = azurerm_user_assigned_identity.test.client_id
+
+  key_permissions = [
+    "Create",
+    "Get",
+  ]
+}
+`, AIFoundry{}.basic(data), data.RandomInteger)
+}
+
+func (r AIFoundryProject) userIdentity(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_ai_foundry_project" "test" {
+  name                           = "acctestaip-%[2]d"
+  location                       = azurerm_ai_foundry.test.location
+  ai_services_hub_id             = azurerm_ai_foundry.test.id
+  primary_user_assigned_identity = azurerm_user_assigned_identity.test.id
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.test.id]
+  }
+
+  depends_on = [azurerm_key_vault_access_policy.test2, azurerm_role_assignment.test]
+}
+`, r.userIdentityTemplate(data), data.RandomInteger)
+}
+
+func (r AIFoundryProject) userIdentityUpdate(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_user_assigned_identity" "test2" {
+  location            = azurerm_resource_group.test.location
+  name                = "acctestuai2-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_role_assignment" "test2" {
+  scope                = azurerm_resource_group.test.id
+  role_definition_name = "Reader"
+  principal_id         = azurerm_user_assigned_identity.test2.principal_id
+}
+
+resource "azurerm_key_vault_access_policy" "test3" {
+  key_vault_id = azurerm_key_vault.test.id
+  tenant_id    = azurerm_user_assigned_identity.test2.tenant_id
+  object_id    = azurerm_user_assigned_identity.test2.client_id
+
+  key_permissions = [
+    "Create",
+    "Get",
+  ]
+}
+
+resource "azurerm_ai_foundry_project" "test" {
+  name                           = "acctestaip-%[2]d"
+  location                       = azurerm_ai_foundry.test.location
+  ai_services_hub_id             = azurerm_ai_foundry.test.id
+  primary_user_assigned_identity = azurerm_user_assigned_identity.test2.id
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.test.id, azurerm_user_assigned_identity.test2.id]
+  }
+
+  depends_on = [azurerm_key_vault_access_policy.test2, azurerm_role_assignment.test2]
+}
+`, r.userIdentityTemplate(data), data.RandomInteger)
+}
+
 func (r AIFoundryProject) complete(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
diff --git a/website/docs/r/ai_foundry_project.html.markdown b/website/docs/r/ai_foundry_project.html.markdown
@@ -30,7 +30,7 @@ resource "azurerm_key_vault" "example" {
   purge_protection_enabled = true
 }
 
-resource "azurerm_key_vault_access_policy" "test" {
+resource "azurerm_key_vault_access_policy" "example" {
   key_vault_id = azurerm_key_vault.example.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = data.azurerm_client_config.current.object_id
@@ -92,6 +92,8 @@ The following arguments are supported:
 
 * `description` - (Optional) The description of this AI Foundry Project.
 
+* `primary_user_assigned_identity` - (Optional) The user assigned identity ID that represents the AI Foundry Hub identity. This must be set when enabling encryption with a user assigned identity.
+
 * `friendly_name` - (Optional) The display name of this AI Foundry Project.
 
 * `high_business_impact_enabled` - (Optional) Whether High Business Impact (HBI) should be enabled or not. Enabling this setting will reduce diagnostic data collected by the service. Changing this forces a new AI Foundry Project to be created. Defaults to `false`.
