NLB-7299: docs - add system-assigned managed identity requirement to … #1659
…deployment documentation

System-assigned MI now required for new deployments

Updates all deployment documentation to reflect systemMI requirement:
- Portal: Automatically creates systemMI
- CLI/Terraform/ARM/SDK: Must set identity.type="SystemAssigned"
- SystemMI cannot be removed once created
- Legacy deployments continue to work

Updated deployment guides, client tools docs, managed identity docs, monitoring prerequisites, and SSL/TLS prerequisites with requirement notes and backward compatibility information.
amudukutore
left a comment
Looking through the changes here, the call-out to add a system-assigned MI is repeated across multiple sections, which seems a bit excessive. Can we only add it in the section on enabling logs and metrics?
| F5 NGINXaaS for Azure (NGINXaaS) leverages managed identities for its integrations with Azure services. | ||
|
|
||
| - Azure Key Vault (AKV): fetch SSL/TLS certificates from AKV to your NGINXaaS deployment, so that they can be referenced by your NGINX configuration. | ||
| {{< call-out "important" >}}**System-Assigned Managed Identity Required**: All NGINXaaS deployments require a system-assigned managed identity for Geneva logging and monitoring features. The Azure Portal automatically creates this identity during deployment, and it cannot be removed once created.{{< /call-out >}} |
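Review bot: the new call-out is inserted in the middle of the bulleted list of integrations (directly after the Azure Key Vault item, with the Azure Storage item continuing the list below it), which splits the list in the rendered page; place it before the list or after its last item so the integrations read as one list.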
Geneva is an internal Azure name that is meaningless/not useful to reveal to customers. Can we just say:
A system-assigned managed identity is required for all NGINXaaS deployments to support the logging and monitoring features. The Azure Portal automatically creates this identity during deployment creation.
| - Azure Storage: export logs from your NGINX deployment to Azure Blob Storage Container. | ||
| - **System-assigned managed identity** (required): Used for Geneva logging and monitoring features. | ||
|
|
||
| - **User-assigned managed identity** (optional): Used for additional integrations such as: |
This is not correct. Either the systemMI or the user MI can be used to access AKV.
UserMI is not required for Azure Monitor and Azure Storage; only a systemMI is needed.
I have updated this part.
content/nginxaas-azure/getting-started/managed-identity-portal.md
| ## Legacy deployments without system assigned managed identity | ||
|
|
||
| 1. Select **Identity** in the left menu, then select the **System assigned** tab. | ||
| {{< call-out "note" >}}**Legacy Deployments**: Deployments created before the system-assigned managed identity requirement will continue to function without one. However, these deployments may have limited monitoring and logging capabilities. It is recommended to keep the existing configuration unchanged or contact Azure support for migration guidance.{{< /call-out >}} |
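Review bot: the heading uses "system assigned managed identity" while the call-out below it uses "system-assigned"; pick one form for the page. "may have limited monitoring and logging capabilities" in the call-out is also vague: name the monitoring and logging features that depend on the identity so someone running a legacy deployment knows exactly what is unavailable until they add one.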
contact Azure support for migration guidance.
Why? The user can just add a systemMI to their deployment.
Updated this.
| 3. Confirm the operation by selecting **Yes** on the confirmation prompt. | ||
| - The deployment will continue to operate normally | ||
| - Updates to deployment properties and configuration will continue to work | ||
| - Adding a system-assigned managed identity to these deployments should be done with caution |
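Review bot: the three bullets after step 3 ("The deployment will continue to operate normally", "Updates to deployment properties and configuration will continue to work", "Adding a system-assigned managed identity ... should be done with caution") describe legacy deployments in general, but sitting directly under the numbered confirmation step they read as the outcome of confirming; introduce them with their own sentence under the legacy-deployments heading so the procedure and the behaviour notes stay separate.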
should be done with caution
This is a vague statement. Can you remind me again why this caution is needed?
I have updated this.
| Reverse proxy your upstreams using NGINXaaS. Since the virtual networks are peered, both deployments would be able to access the upstreams. | ||
| {{< call-out "important" >}}**System-Assigned Managed Identity Required**: Ensure your Terraform configuration includes the required system-assigned managed identity by setting `identity.type = "SystemAssigned"` or `"SystemAssigned, UserAssigned"` for each deployment.{{< /call-out >}} |
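Review bot: `identity.type = "SystemAssigned"` is not something a reader can paste into Terraform, because in the azurerm provider `identity` is a nested block; show the HCL shape `identity { type = "SystemAssigned" }` (or `type = "SystemAssigned, UserAssigned"` when a user-assigned identity is attached as well) so the call-out matches what the provider actually accepts.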
This section is specific to disaster recovery, so I don't think there is a need to add this call-out. Can we instead move this to the page for creating NGINXaaS deployments using Terraform?
Moved this to the Terraform part.
…ions

Removed duplicate references to system-assigned managed identity being required, as this is already clearly stated in the overview section and nginxaas-azure-snippets docs. Streamlined content to avoid repetition while maintaining clarity.
Waiting for the suggestions and questions from @arpith-f5 to be addressed before my review.
- Remove systemMI requirement from disaster-recovery and add it to terraform.
- Fix docs and remove duplicate callout in managed-identity-portal.md
Summary
Updates documentation to reflect that system-assigned managed identity (systemMI) is now required for Geneva logging and monitoring in NGINXaaS for Azure.
Changes
Deployment Guides
- `--identity type="SystemAssigned"` requirement to all examples
Key Points
- `identity.type="SystemAssigned"`
- Note: Existing deployments are not affected by this change.
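Added example, not code from this PR or from the NGINXaaS documentation: a pre-deployment lint in Python that scans an ARM template for NGINXaaS deployment resources and flags any that lack a system-assigned managed identity, accepting the combined `"SystemAssigned, UserAssigned"` value the Terraform call-out mentions and treating a missing `identity` block as a legacy-style deployment. It assumes the ARM resource type `NGINX.NGINXPLUS/nginxDeployments`; the sample template is constructed.

```python
import json

# ARM resource type for NGINXaaS deployments (assumed; compared case-insensitively).
NGINX_DEPLOYMENT_TYPE = "nginx.nginxplus/nginxdeployments"

def identity_kinds(identity):
    """Normalise an ARM identity.type such as "SystemAssigned, UserAssigned"
    into a set like {"systemassigned", "userassigned"}; no identity -> empty set."""
    if not isinstance(identity, dict):
        return set()
    raw = identity.get("type") or ""
    return {part.strip().lower() for part in raw.split(",") if part.strip()}

def has_system_assigned(identity):
    """True when the identity carries SystemAssigned, alone or combined."""
    return "systemassigned" in identity_kinds(identity)

def check_template(template):
    """Return (resource name, problem) pairs for every NGINXaaS deployment
    in the template that lacks a system-assigned managed identity."""
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != NGINX_DEPLOYMENT_TYPE:
            continue  # other resource types carry no such requirement
        name = res.get("name", "<unnamed>")
        identity = res.get("identity")
        if identity is None:
            findings.append((name, "no identity block (legacy-style deployment)"))
        elif not has_system_assigned(identity):
            findings.append((name, f"identity.type={identity.get('type')!r} lacks SystemAssigned"))
    return findings

# Constructed sample template: only "nginx-ok" satisfies the requirement.
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [
    {"type": "NGINX.NGINXPLUS/nginxDeployments", "name": "nginx-ok",
     "identity": {"type": "SystemAssigned, UserAssigned",
                  "userAssignedIdentities": {"<user-assigned-identity-resource-id>": {}}}},
    {"type": "NGINX.NGINXPLUS/nginxDeployments", "name": "nginx-user-only",
     "identity": {"type": "UserAssigned"}},
    {"type": "NGINX.NGINXPLUS/nginxDeployments", "name": "nginx-legacy"},
    {"type": "Microsoft.Network/publicIPAddresses", "name": "pip-example"}
  ]
}""")

if __name__ == "__main__":
    for name, problem in check_template(SAMPLE_TEMPLATE):
        print(f"{name}: {problem}")
```

Run it against an exported template (`json.load` of the file) as a pipeline gate; a non-empty result means a deployment would be created without the identity the logging and monitoring features need.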